my $pve_auth_key_cache = {};
-my $ticket_lifetime = 3600*2; # 2 hours
-# TODO: set to 24h for PVE 6.0
-my $authkey_lifetime = 3600*0; # rotation disabled
+my $ticket_lifetime = 3600 * 2; # 2 hours
+my $authkey_lifetime = 3600 * 24; # rotate every 24 hours
Crypt::OpenSSL::RSA->import_random_seed();
return if check_authkey();
my $old = get_pubkey();
+ my $new = Crypt::OpenSSL::RSA->generate_key(2048);
if ($old) {
eval {
my $pem = $old->get_public_key_x509_string();
+ # mtime is used for caching and ticket age range calculation
PVE::Tools::file_set_contents($pve_auth_key_files->{pubold}, $pem);
};
die "Failed to store old auth key: $@\n" if $@;
}
- my $new = Crypt::OpenSSL::RSA->generate_key(2048);
eval {
my $pem = $new->get_public_key_x509_string();
+ # mtime is used for caching and ticket age range calculation,
+ # should be close to that of pubold above
PVE::Tools::file_set_contents($pve_auth_key_files->{pub}, $pem);
};
if ($@) {
}
my $csrf_prevention_secret;
+my $csrf_prevention_secret_legacy;
my $get_csrfr_secret = sub {
if (!$csrf_prevention_secret) {
my $input = PVE::Tools::file_get_contents($pve_www_key_fn);
- $csrf_prevention_secret = Digest::SHA::sha1_base64($input);
+ $csrf_prevention_secret = Digest::SHA::hmac_sha256_base64($input);
+ $csrf_prevention_secret_legacy = Digest::SHA::sha1_base64($input);
}
return $csrf_prevention_secret;
};
sub verify_csrf_prevention_token {
my ($username, $token, $noerr) = @_;
- my $secret = &$get_csrfr_secret();
+ my $secret = $get_csrfr_secret->();
+
+ # FIXME: remove with PVE 7 and/or refactor all into PVE::Ticket ?
+ if ($token =~ m/^([A-Z0-9]{8}):(\S+)$/) {
+ my $sig = $2;
+ if (length($sig) == 27) {
+ # the legacy secret got populated by above get_csrfr_secret call
+ $secret = $csrf_prevention_secret_legacy;
+ }
+ }
return PVE::Ticket::verify_csrf_prevention_token(
$secret, $username, $token, -300, $ticket_lifetime, $noerr);
return undef if !$rsa_pub;
my ($min, $max) = $get_ticket_age_range->($now, $rsa_mtime, $old);
- return undef if !$min;
+ return undef if !defined($min);
return PVE::Ticket::verify_rsa_ticket(
$rsa_pub, 'PVE', $ticket, undef, $min, $max, 1);
}
foreach my $ug (split_list($uglist)) {
- if ($ug =~ m/^@(\S+)$/) {
- my $group = $1;
+ my ($group) = $ug =~ m/^@(\S+)$/;
+
+ if ($group && verify_groupname($group, 1)) {
if ($cfg->{groups}->{$group}) { # group exists
$cfg->{acl}->{$path}->{groups}->{$group}->{$role} = $propagate;
} else {
$tfa->{data} = $data;
cfs_write_file('priv/tfa.cfg', $tfa_cfg);
- $user->{keys} = 'x';
+ $user->{keys} = "x!$type";
} else {
delete $tfa_cfg->{users}->{$userid};
cfs_write_file('priv/tfa.cfg', $tfa_cfg);
or die "user '$username' not found\n";
my $keys = $user->{keys};
- return if !$keys;
my $domain_cfg = cfs_read_file('domains.cfg');
my $realm_cfg = $domain_cfg->{ids}->{$realm};
$realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_tfa)
if $realm_tfa;
- if ($keys ne 'x') {
+ if (!$keys) {
+ return if !$realm_tfa;
+ die "missing required 2nd keys\n";
+ }
+
+ # new style config starts with an 'x' and optionally contains a !<type> suffix
+ if ($keys !~ /^x(?:!.*)?$/) {
# old style config, find the type via the realm
return if !$realm_tfa;
return ($realm_tfa->{type}, {