my $pve_auth_key_cache = {};
-my $ticket_lifetime = 3600*2; # 2 hours
-# TODO: set to 24h for PVE 6.0
-my $authkey_lifetime = 3600*0; # rotation disabled
+my $ticket_lifetime = 3600 * 2; # 2 hours
+my $authkey_lifetime = 3600 * 24; # rotate every 24 hours
Crypt::OpenSSL::RSA->import_random_seed();
return if check_authkey();
my $old = get_pubkey();
+ my $new = Crypt::OpenSSL::RSA->generate_key(2048);
if ($old) {
eval {
die "Failed to store old auth key: $@\n" if $@;
}
- my $new = Crypt::OpenSSL::RSA->generate_key(2048);
eval {
my $pem = $new->get_public_key_x509_string();
PVE::Tools::file_set_contents($pve_auth_key_files->{pub}, $pem);
return undef if !$rsa_pub;
my ($min, $max) = $get_ticket_age_range->($now, $rsa_mtime, $old);
- return undef if !$min;
+ return undef if !defined($min);
return PVE::Ticket::verify_rsa_ticket(
$rsa_pub, 'PVE', $ticket, undef, $min, $max, 1);
$tfa->{data} = $data;
cfs_write_file('priv/tfa.cfg', $tfa_cfg);
- $user->{keys} = 'x';
+ $user->{keys} = "x!$type";
} else {
delete $tfa_cfg->{users}->{$userid};
cfs_write_file('priv/tfa.cfg', $tfa_cfg);
or die "user '$username' not found\n";
my $keys = $user->{keys};
- return if !$keys;
my $domain_cfg = cfs_read_file('domains.cfg');
my $realm_cfg = $domain_cfg->{ids}->{$realm};
$realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_tfa)
if $realm_tfa;
- if ($keys ne 'x') {
+ if (!$keys) {
+ return if !$realm_tfa;
+ die "missing required 2nd keys\n";
+ }
+
+ # new style config starts with an 'x' and optionally contains a !<type> suffix
+ if ($keys !~ /^x(?:!.*)?$/) {
# old style config, find the type via the realm
return if !$realm_tfa;
return ($realm_tfa->{type}, {