]> git.proxmox.com Git - pve-access-control.git/blobdiff - PVE/AccessControl.pm
projects / pve-access-control.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
tfa: realm required TFA should lock out users without TFA
[pve-access-control.git] / PVE / AccessControl.pm
diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index 06c649d2e4ddaa2ed006bdedf5d31f88053ccea4..512fcd2dddcd8844a5edf18cedb5d56411512739 100644 (file)
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -1453,7 +1453,6 @@ sub user_get_tfa {
        or die "user '$username' not found\n";
 
     my $keys = $user->{keys};
-    return if !$keys;
 
     my $domain_cfg = cfs_read_file('domains.cfg');
     my $realm_cfg = $domain_cfg->{ids}->{$realm};
@@ -1463,6 +1462,11 @@ sub user_get_tfa {
     $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_tfa)
        if $realm_tfa;
 
+    if (!$keys) {
+       return if !$realm_tfa;
+       die "missing required 2nd keys\n";
+    }
+
     # new style config starts with an 'x' and optionally contains a !<type> suffix
     if ($keys !~ /^x(?:!.*)?$/) {
        # old style config, find the type via the realm
Access control framework