libpve-access-control (8.1.0) bookworm; urgency=medium * api: user: limit the legacy user-keys option to the depreacated values that could be set in the first limited TFA system, like e.g., 'x!yubico' or base32 encoded secrets. * oidc: enforce generic URI regex for the ACR value to align with OIDC specifications and with Proxmox Backup Server, which was recently changed to actually be less strict. * LDAP sync: improve validation of synced attributes, closely limit the mapped attributes names and their values to avoid glitches through odd LDIF entries. * api: user: limit maximum length for first & last name to 1024 characters, email to 254 characters (the maximum actually useable in practice) and comment properties to 2048 characters. This avoid that a few single users bloat the user.cfg to much by mistake, reducing the total amount of users and ACLs that can be set up. Note that only users with User.Modify and realm syncs (setup by admins) can change these in the first place, so this is mostly to avoid mishaps and just to be sure. -- Proxmox Support Team Thu, 08 Feb 2024 17:50:59 +0100 libpve-access-control (8.0.7) bookworm; urgency=medium * fix #1148: allow up to three levels of pool nesting * pools: record parent/subpool information -- Proxmox Support Team Mon, 20 Nov 2023 12:24:13 +0100 libpve-access-control (8.0.6) bookworm; urgency=medium * perms: fix wrong /pools entry in default set of ACL paths * acl: add missing SDN ACL paths to allowed list -- Proxmox Support Team Fri, 17 Nov 2023 08:27:11 +0100 libpve-access-control (8.0.5) bookworm; urgency=medium * fix an issue where setting ldap passwords would refuse to work unless at least one additional property was changed as well * add 'check-connection' parameter to create and update endpoints for ldap based realms -- Proxmox Support Team Fri, 11 Aug 2023 13:35:23 +0200 libpve-access-control (8.0.4) bookworm; urgency=medium * Lookup of second factors is no longer tied to the 'keys' field in the user.cfg. This fixes an issue where certain LDAP/AD sync job settings could disable user-configured 2nd factors. * Existing-but-disabled TFA factors can no longer circumvent realm-mandated TFA. -- Proxmox Support Team Thu, 20 Jul 2023 10:59:21 +0200 libpve-access-control (8.0.3) bookworm; urgency=medium * pveum: list tfa: recovery keys have no descriptions * pveum: list tfa: sort by user ID * drop assert_new_tfa_config_available for Proxmox VE 8, as the new format is understood since pve-manager 7.0-15, and users must upgrade to Proxmox VE 7.4 before upgrading to Proxmox VE 8 in addition to that. -- Proxmox Support Team Wed, 21 Jun 2023 19:45:29 +0200 libpve-access-control (8.0.2) bookworm; urgency=medium * api: users: sort groups to avoid "flapping" text * api: tfa: don't block tokens from viewing and list TFA entries, both are safe to do for anybody with enough permissions to view a user. * api: tfa: add missing links for child-routes -- Proxmox Support Team Wed, 21 Jun 2023 18:13:54 +0200 libpve-access-control (8.0.1) bookworm; urgency=medium * tfa: cope with native versions in cluster version check -- Proxmox Support Team Fri, 09 Jun 2023 16:12:01 +0200 libpve-access-control (8.0.0) bookworm; urgency=medium * api: roles: forbid creating new roles starting with "PVE" namespace -- Proxmox Support Team Fri, 09 Jun 2023 10:14:28 +0200 libpve-access-control (8.0.0~3) bookworm; urgency=medium * rpcenv: api permission heuristic: query Sys.Modify for root ACL-path * access control: add /sdn/zones/// ACL object path * add helper for checking bridge access * add new SDN.Use privilege in PVESDNUser role, allowing one to specify which user are allowed to use a bridge (or vnet, if SDN is installed) * add privileges and paths for cluster resource mapping -- Proxmox Support Team Wed, 07 Jun 2023 19:06:54 +0200 libpve-access-control (8.0.0~2) bookworm; urgency=medium * api: user index: only include existing tfa lock flags * add realm-sync plugin for jobs and CRUD api for realm-sync-jobs * roles: only include Permissions.Modify in Administrator built-in role. As, depending on the ACL object path, this privilege might allow one to change their own permissions, which was making the distinction between Admin and PVEAdmin irrelevant. * acls: restrict less-privileged ACL modifications. Through allocate permissions in pools, storages and virtual guests one can do some ACL modifications without having the Permissions.Modify privilege, lock those better down to ensure that one can only hand out only the subset of their own privileges, never more. Note that this is mostly future proofing, as the ACL object paths one could give out more permissions where already limiting the scope. -- Proxmox Support Team Wed, 07 Jun 2023 11:34:30 +0200 libpve-access-control (8.0.0~1) bookworm; urgency=medium * bump pve-rs dependency to 0.8.3 * drop old verify_tfa api call (POST /access/tfa) * drop support for old login API: - 'new-format' is now considured to be 1 and ignored by the API * pam auth: set PAM_RHOST to allow pam configs to log/restrict/... by remote address * cli: add 'pveum tfa list' * cli: add 'pveum tfa unlock' * enable lockout of TFA: - too many TOTP attempts will lock out of TOTP - using a recovery key will unlock TOTP - too many TFA attempts will lock a user's TFA auth for an hour * api: add /access/users//unlock-tfa to unlock a user's TFA authentication if it was locked by too many wrong 2nd factor login attempts * api: /access/tfa and /access/users now include the tfa lockout status -- Proxmox Support Team Mon, 05 Jun 2023 14:52:29 +0200 libpve-access-control (7.99.0) bookworm; urgency=medium * initial re-build for Proxmox VE 8.x series * switch to native versioning -- Proxmox Support Team Sun, 21 May 2023 10:34:19 +0200 libpve-access-control (7.4-3) bullseye; urgency=medium * use new 2nd factor verification from pve-rs -- Proxmox Support Team Tue, 16 May 2023 13:31:28 +0200 libpve-access-control (7.4-2) bullseye; urgency=medium * fix #4609: fix regression where a valid DN in the ldap/ad realm config wasn't accepted anymore -- Proxmox Support Team Thu, 23 Mar 2023 15:44:21 +0100 libpve-access-control (7.4-1) bullseye; urgency=medium * realm sync: refactor scope/remove-vanished into a standard option * ldap: Allow quoted values for DN attribute values -- Proxmox Support Team Mon, 20 Mar 2023 17:16:11 +0100 libpve-access-control (7.3-2) bullseye; urgency=medium * fix #4518: dramatically improve ACL computation performance * userid format: clarify that this is the full name@realm in description -- Proxmox Support Team Mon, 06 Mar 2023 11:40:11 +0100 libpve-access-control (7.3-1) bullseye; urgency=medium * realm: sync: allow explicit 'none' for 'remove-vanished' option -- Proxmox Support Team Fri, 16 Dec 2022 13:11:04 +0100 libpve-access-control (7.2-5) bullseye; urgency=medium * api: realm sync: avoid separate log line for "remove-vanished" opt * auth ldap/ad: compare group member dn case-insensitively * two factor auth: only lock tfa config for recovery keys * privs: add Sys.Incoming for guarding cross-cluster data streams like guest migrations and storage migrations -- Proxmox Support Team Thu, 17 Nov 2022 13:09:17 +0100 libpve-access-control (7.2-4) bullseye; urgency=medium * fix #4074: increase API OpenID code size limit to 2048 * auth key: protect against rare chance of a double rotation in clusters, leaving the potential that some set of nodes have the earlier key cached, that then got rotated out due to the race, resulting in a possible other set of nodes having the newer key cached. This is a split view of the auth key and may resulting in spurious failures if API requests are made to a different node than the ticket was generated on. In addition to that, the "keep validity of old tickets if signed in the last two hours before rotation" logic was disabled too in such a case, making such tickets invalid too early. Note that both are cases where Proxmox VE was too strict, so while this had no security implications it can be a nuisance, especially for environments that use the API through an automated or scripted way -- Proxmox Support Team Thu, 14 Jul 2022 08:36:51 +0200 libpve-access-control (7.2-3) bullseye; urgency=medium * api: token: use userid-group as API perm check to avoid being overly strict through a misguided use of user id for non-root users. * perm check: forbid undefined/empty ACL path for future proofing of against above issue -- Proxmox Support Team Mon, 20 Jun 2022 15:51:14 +0200 libpve-access-control (7.2-2) bullseye; urgency=medium * permissions: merge propagation flag for multiple roles on a path that share privilege in a deterministic way, to avoid that it gets lost depending on perl's random sort, which would result in returing less privileges than an auth-id actually had. * permissions: avoid that token and user privilege intersection is to strict for user permissions that have propagation disabled. -- Proxmox Support Team Fri, 03 Jun 2022 14:02:30 +0200 libpve-access-control (7.2-1) bullseye; urgency=medium * user check: fix expiration/enable order -- Proxmox Support Team Tue, 31 May 2022 13:43:37 +0200 libpve-access-control (7.1-8) bullseye; urgency=medium * fix #3668: realm-sync: replace 'full' & 'purge' with 'remove- vanished' -- Proxmox Support Team Thu, 28 Apr 2022 17:02:46 +0200 libpve-access-control (7.1-7) bullseye; urgency=medium * userid-group check: distinguish create and update * api: get user: declare token schema -- Proxmox Support Team Mon, 21 Mar 2022 16:15:23 +0100 libpve-access-control (7.1-6) bullseye; urgency=medium * fix #3768: warn on bad u2f or webauthn settings * tfa: when modifying others, verify the current user's password * tfa list: account for admin permissions * fix realm sync permissions * fix token permission display bug * include SDN permissions in permission tree -- Proxmox Support Team Fri, 21 Jan 2022 14:20:42 +0100 libpve-access-control (7.1-5) bullseye; urgency=medium * openid: fix username-claim fallback -- Proxmox Support Team Thu, 25 Nov 2021 07:57:38 +0100 libpve-access-control (7.1-4) bullseye; urgency=medium * set current origin in the webauthn config if no fixed origin was configured, to support webauthn via subdomains -- Proxmox Support Team Mon, 22 Nov 2021 14:04:06 +0100 libpve-access-control (7.1-3) bullseye; urgency=medium * openid: allow arbitrary username-claims * openid: support configuring the prompt, scopes and ACR values -- Proxmox Support Team Fri, 19 Nov 2021 08:11:52 +0100 libpve-access-control (7.1-2) bullseye; urgency=medium * catch incompatible tfa entries with a nice error -- Proxmox Support Team Wed, 17 Nov 2021 13:44:45 +0100 libpve-access-control (7.1-1) bullseye; urgency=medium * tfa: map HTTP 404 error in get_tfa_entry correctly -- Proxmox Support Team Mon, 15 Nov 2021 15:33:22 +0100 libpve-access-control (7.0-7) bullseye; urgency=medium * fix #3513: pass configured proxy to OpenID * use rust based parser for TFA config * use PBS-like auth api call flow, * merge old user.cfg keys to tfa config when adding entries * implement version checks for new tfa config writer to ensure all cluster nodes are ready to avoid login issues * tickets: add tunnel ticket -- Proxmox Support Team Thu, 11 Nov 2021 18:17:49 +0100 libpve-access-control (7.0-6) bullseye; urgency=medium * fix regression in user deletion when realm does not enforce TFA -- Proxmox Support Team Thu, 21 Oct 2021 12:28:52 +0200 libpve-access-control (7.0-5) bullseye; urgency=medium * acl: check path: add /sdn/vnets/* path * fix #2302: allow deletion of users when realm enforces TFA * api: delete user: disable user first to avoid surprise on error during the various cleanup action required for user deletion (e.g., TFA, ACL, group) -- Proxmox Support Team Mon, 27 Sep 2021 15:50:47 +0200 libpve-access-control (7.0-4) bullseye; urgency=medium * realm: add OpenID configuration * api: implement OpenID related endpoints * implement opt-in OpenID autocreate user feature * api: user: add 'realm-type' to user list response -- Proxmox Support Team Fri, 02 Jul 2021 13:45:46 +0200 libpve-access-control (7.0-3) bullseye; urgency=medium * api: acl: add missing `/access/realm/`, `/access/group/` and `/sdn/zones/` to allowed ACL paths -- Proxmox Support Team Mon, 21 Jun 2021 10:31:19 +0200 libpve-access-control (7.0-2) bullseye; urgency=medium * fix #3402: add Pool.Audit privilege - custom roles containing Pool.Allocate must be updated to include the new privilege. -- Proxmox Support Team Tue, 1 Jun 2021 11:28:38 +0200 libpve-access-control (7.0-1) bullseye; urgency=medium * re-build for Debian 11 Bullseye based releases -- Proxmox Support Team Sun, 09 May 2021 18:18:23 +0200 libpve-access-control (6.4-1) pve; urgency=medium * fix #1670: change PAM service name to project specific name * fix #1500: permission path syntax check for access control * pveum: add resource pool CLI commands -- Proxmox Support Team Sat, 24 Apr 2021 19:48:21 +0200 libpve-access-control (6.1-3) pve; urgency=medium * partially fix #2825: authkey: rotate if it was generated in the future * fix #2947: add an option to LDAP or AD realm to switch user lookup to case insensitive -- Proxmox Support Team Tue, 29 Sep 2020 08:54:13 +0200 libpve-access-control (6.1-2) pve; urgency=medium * also check SDN permission path when computing coarse permissions heuristic for UIs * add SDN Permissions.Modify * add VM.Config.Cloudinit -- Proxmox Support Team Tue, 30 Jun 2020 13:06:56 +0200 libpve-access-control (6.1-1) pve; urgency=medium * pveum: add tfa delete subcommand for deleting user-TFA * LDAP: don't complain about missing credentials on realm removal * LDAP: skip anonymous bind when client certificate and key is configured -- Proxmox Support Team Fri, 08 May 2020 17:47:41 +0200 libpve-access-control (6.0-7) pve; urgency=medium * fix #2575: die when trying to edit built-in roles * add realm sub commands to pveum CLI tool * api: domains: add user group sync API endpoint * allow one to sync and import users and groups from LDAP/AD based realms * realm: add default-sync-options to config for more convenient sync configuration * api: token create: return also full token id for convenience -- Proxmox Support Team Sat, 25 Apr 2020 19:35:17 +0200 libpve-access-control (6.0-6) pve; urgency=medium * API: add group members to group index * implement API token support and management * pveum: add 'pveum user token add/update/remove/list' * pveum: add permissions sub-commands * API: add 'permissions' API endpoint * user.cfg: skip inexisting roles when parsing ACLs -- Proxmox Support Team Wed, 29 Jan 2020 10:17:27 +0100 libpve-access-control (6.0-5) pve; urgency=medium * pveum: add list command for users, groups, ACLs and roles * add initial permissions for experimental SDN integration -- Proxmox Support Team Tue, 26 Nov 2019 17:56:37 +0100 libpve-access-control (6.0-4) pve; urgency=medium * ticket: use clinfo to get cluster name * ldaps: add sslversion configuration property to support TLS 1.1 to 1.3 as SSL version -- Proxmox Support Team Mon, 18 Nov 2019 11:55:11 +0100 libpve-access-control (6.0-3) pve; urgency=medium * fix #2433: increase possible TFA secret length * parse user configuration: correctly parse group names in ACLs, for users which begin their name with an @ * sort user.cfg entries alphabetically -- Proxmox Support Team Tue, 29 Oct 2019 08:52:23 +0100 # Older entries have been removed from this changelog. # To read the complete changelog use `apt changelog libpve-access-control`.