generated from coulomb/repo-seed
Enable KeyCape bootstrap MFA mode
This commit is contained in:
@@ -192,6 +192,15 @@ commit `56d279a` now uses HTTP Basic auth for the upstream token exchange, the
|
||||
image `main-56d279a` was direct-imported into Railiance k3s, and the live
|
||||
deployment runs that tag.
|
||||
|
||||
**2026-05-24:** Fixed the follow-up `mfa check error`. Live privacyIDEA
|
||||
validation succeeds in the `coulomb` realm, while KeyCape had been configured
|
||||
for `netkingdom` and was also trying to pre-list tokens with an expired or
|
||||
invalid privacyIDEA admin JWT. KeyCape commit `937cb39` adds bootstrap mode
|
||||
`privacyidea.requireForAll`, which requires OTP for every authenticated user
|
||||
without depending on token-list admin credentials. The live `keycape-config`
|
||||
now uses `realm: coulomb` and `requireForAll: true`, and Railiance runs image
|
||||
`main-937cb39`.
|
||||
|
||||
**2026-05-24:** Stepped back from ad hoc secret rollout and added the
|
||||
custodian age-key bootstrap model to the control surface. The UI now records
|
||||
the custodian public age recipient, a derived fingerprint, and a non-secret
|
||||
|
||||
Reference in New Issue
Block a user