my $pve_auth_key_cache = {};
-my $ticket_lifetime = 3600*2; # 2 hours
-# TODO: set to 24h for PVE 6.0
-my $authkey_lifetime = 3600*0; # rotation disabled
+my $ticket_lifetime = 3600 * 2; # 2 hours
+my $authkey_lifetime = 3600 * 24; # rotate every 24 hours
Crypt::OpenSSL::RSA->import_random_seed();
or die "user '$username' not found\n";
my $keys = $user->{keys};
- return if !$keys;
my $domain_cfg = cfs_read_file('domains.cfg');
my $realm_cfg = $domain_cfg->{ids}->{$realm};
$realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_tfa)
if $realm_tfa;
+ if (!$keys) {
+ return if !$realm_tfa;
+ die "missing required 2nd keys\n";
+ }
+
# new style config starts with an 'x' and optionally contains a !<type> suffix
- if ($keys != /^x(?:!.*)?$/) {
+ if ($keys !~ /^x(?:!.*)?$/) {
# old style config, find the type via the realm
return if !$realm_tfa;
return ($realm_tfa->{type}, {