From 243262f1853e94bd02d0614a1ae76442ec1e85e9 Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht
Date: Tue, 21 May 2019 21:29:59 +0200
Subject: [PATCH] fix #2079: activate authkey rotation every 24 hours

This activates the authkey rotation added in commits 1800a71a79c7cf49108e22781d2f34be87b1efd through f7282aee6b2ae36b7cfc2331e33e49a818b914fd

Signed-off-by: Thomas Lamprecht
---
 PVE/AccessControl.pm | 5 ++---
 debian/postinst | 23 +++++++++++------------
 2 files changed, 13 insertions(+), 15 deletions(-)

diff --git a/PVE/AccessControl.pm b/PVE/AccessControl.pm
index 512fcd2..5de060d 100644
--- a/PVE/AccessControl.pm
+++ b/PVE/AccessControl.pm
@@ -47,9 +47,8 @@ my $pve_auth_key_files = {
 my $pve_auth_key_cache = {};
-my $ticket_lifetime = 3600*2; # 2 hours
-# TODO: set to 24h for PVE 6.0
-my $authkey_lifetime = 3600*0; # rotation disabled
+my $ticket_lifetime = 3600 * 2; # 2 hours
+my $authkey_lifetime = 3600 * 24; # rotate every 24 hours
 Crypt::OpenSSL::RSA->import_random_seed();
diff --git a/debian/postinst b/debian/postinst
index 62dbfbc..ed30455 100755
--- a/debian/postinst
+++ b/debian/postinst
@@ -6,18 +6,17 @@ set -e
 case "$1" in
 configure)
- # TODO: enable for PVE 6.0
-# if test -n "$2"; then
-#
-# # TODO: remove once PVE 7.0 is released
-# if dpkg --compare-versions "$2" 'lt' '6.0-1'; then
-# if test ! -e /etc/pve/authkey.pub.old; then
-# # reset key age to prevent immediate invalidation of all current tickets
-# touch -d "-2 hours" /etc/pve/authkey.pub || true
-# fi
-# fi
-#
-# fi
+ if test -n "$2"; then
+
+ # TODO: remove once PVE 7.0 is released
+ if dpkg --compare-versions "$2" 'lt' '6.0-0+1'; then
+ if test ! -e /etc/pve/authkey.pub.old; then
+ # reset key age to prevent immediate invalidation of all current tickets
+ touch -d "-2 hours" /etc/pve/authkey.pub || true
+ fi
+ fi
+
+ fi
 ;;
 esac
--
2.39.2
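Review bot: In PVE/AccessControl.pm the new comment on `$authkey_lifetime` drops the fact, visible only in the removed line, that a value of 0 disables rotation, and nothing states how the value must relate to `$ticket_lifetime`. Presumably a ticket signed shortly before a rotation is still verified against the previous key, which only works while the key lifetime is longer than the ticket lifetime; that verification code is outside this hunk, so confirm it. I would document both on the line itself, e.g. `my $authkey_lifetime = 3600 * 24; # rotate every 24 hours; 0 disables rotation, otherwise keep > $ticket_lifetime`.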
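Review bot: In debian/postinst the now-active `touch -d "-2 hours" /etc/pve/authkey.pub || true` hides every failure, and without `-c` it creates an empty `authkey.pub` when the file is missing. If the timestamp reset fails, for example because /etc/pve is not writable at configure time, the upgrade continues silently and, going by the comment above that line, current tickets can be invalidated at once. I would not create the file and would leave a trace in the upgrade log: `touch -c -d "-2 hours" /etc/pve/authkey.pub || echo "postinst: could not reset authkey age" >&2`, which still keeps `set -e` from aborting the configure step.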