fix #2079: activate authkey rotation every 24 hours

This activates the authkey rotation added in commits
1800a71a79c7cf49108e22781d2f34be87b1efd through
f7282aee6b2ae36b7cfc2331e33e49a818b914fd

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index 512fcd2dddcd8844a5edf18cedb5d56411512739..5de060dfced07b7d370ee451e5388a7de68bbe99 100644 (file)
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -47,9 +47,8 @@ my $pve_auth_key_files = {
 
 my $pve_auth_key_cache = {};
 
-my $ticket_lifetime = 3600*2; # 2 hours
-# TODO: set to 24h for PVE 6.0
-my $authkey_lifetime = 3600*0; # rotation disabled
+my $ticket_lifetime = 3600 * 2; # 2 hours
+my $authkey_lifetime = 3600 * 24; # rotate every 24 hours
 
 Crypt::OpenSSL::RSA->import_random_seed();
 

diff --git a/debian/postinst b/debian/postinst
index 62dbfbc09d58b28a00cacefb0eedcb97dae4b7bd..ed30455737420290d6c33650dc29dce639920658 100755 (executable)
--- a/debian/postinst
+++ b/debian/postinst
@@ -6,18 +6,17 @@ set -e
 
 case "$1" in
   configure)
-        # TODO: enable for PVE 6.0
-#    if test -n "$2"; then
-#
-#        # TODO: remove once PVE 7.0 is released
-#        if dpkg --compare-versions "$2" 'lt' '6.0-1'; then
-#            if test ! -e /etc/pve/authkey.pub.old; then
-#                # reset key age to prevent immediate invalidation of all current tickets
-#                touch -d "-2 hours" /etc/pve/authkey.pub || true
-#            fi
-#       fi
-#
-#    fi
+    if test -n "$2"; then
+
+        # TODO: remove once PVE 7.0 is released
+        if dpkg --compare-versions "$2" 'lt' '6.0-0+1'; then
+            if test ! -e /etc/pve/authkey.pub.old; then
+                # reset key age to prevent immediate invalidation of all current tickets
+                touch -d "-2 hours" /etc/pve/authkey.pub || true
+            fi
+       fi
+
+    fi
     ;;
 
 esac