X-Git-Url: https://git.proxmox.com/?p=pve-access-control.git;a=blobdiff_plain;f=PVE%2FAccessControl.pm;fp=PVE%2FAccessControl.pm;h=512fcd2dddcd8844a5edf18cedb5d56411512739;hp=06c649d2e4ddaa2ed006bdedf5d31f88053ccea4;hb=6063b65b9b2662bea68a3381806efd14525badc5;hpb=0a956b943ad3c3156ba87fde79f918898fa4c66a;ds=sidebyside

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index 06c649d..512fcd2 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -1453,7 +1453,6 @@ sub user_get_tfa {
 	or die "user '$username' not found\n";
 
     my $keys = $user->{keys};
-    return if !$keys;
 
     my $domain_cfg = cfs_read_file('domains.cfg');
     my $realm_cfg = $domain_cfg->{ids}->{$realm};
@@ -1463,6 +1462,11 @@ sub user_get_tfa {
     $realm_tfa = PVE::Auth::Plugin::parse_tfa_config($realm_tfa)
 	if $realm_tfa;
 
+    if (!$keys) {
+	return if !$realm_tfa;
+	die "missing required 2nd keys\n";
+    }
+
     # new style config starts with an 'x' and optionally contains a !<type> suffix
     if ($keys !~ /^x(?:!.*)?$/) {
 	# old style config, find the type via the realm