Enable KeyCape bootstrap MFA mode

This commit is contained in:
2026-05-25 00:16:05 +02:00
parent 4cc22bec9e
commit 5af876eb8c
4 changed files with 17 additions and 7 deletions

View File

@@ -192,6 +192,15 @@ commit `56d279a` now uses HTTP Basic auth for the upstream token exchange, the
image `main-56d279a` was direct-imported into Railiance k3s, and the live
deployment runs that tag.
**2026-05-24:** Fixed the follow-up `mfa check error`. Live privacyIDEA
validation succeeds in the `coulomb` realm, while KeyCape had been configured
for `netkingdom` and was also trying to pre-list tokens with an expired or
invalid privacyIDEA admin JWT. KeyCape commit `937cb39` adds bootstrap mode
`privacyidea.requireForAll`, which requires OTP for every authenticated user
without depending on token-list admin credentials. The live `keycape-config`
now uses `realm: coulomb` and `requireForAll: true`, and Railiance runs image
`main-937cb39`.
**2026-05-24:** Stepped back from ad hoc secret rollout and added the
custodian age-key bootstrap model to the control surface. The UI now records
the custodian public age recipient, a derived fingerprint, and a non-secret