Add user/group account with ssh access and root privileges

Gonzalo

Jul 26, 2016
Following https://pve.proxmox.com/wiki/User_Management#Linux_PAM_standard_authentication and https://pve.proxmox.com/wiki/User_Management#Administrator_Group, I am able to create a user with full admin privileges through the web interface.

However, when I ssh into nodes of the cluster, I can not execute commands like "qm" for unlocking a VM.

I would need the users from the admin group to be able to execute these "superuser commands" without giving them the root user credentials.

Thanks a lot.
Gonzalo.
 
Sudo can be configured to allow a subset of commands for groups/users.
 
I've managed to do it. Here you have the commands I have used.

Code:
useradd gonzalo
passwd gonzalo
groupadd special
usermod -a -G special gonzalo

Code:
nano /etc/sudoers.d/pvecommands

## Cmnd alias specification
Cmnd_Alias PVE_COMMANDS = /usr/sbin/qm
#
## Members of the special group may gain some privileges
%special ALL=(ALL) NOPASSWD: PVE_COMMANDS


Finally, you have to register the user in the web interface too.

If you have a cluster, you have to register the user on all nodes through the command line.
 
A good example is also the zfs sudo configuration file. It also includes parameters to the commands, so you can restrict it further.
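
Added example, not part of any post in this thread: one way to apply the "restrict it further" advice to the `PVE_COMMANDS` alias above, by listing exact `qm` argument lists instead of the bare binary. The group name `special` is taken from the thread; the VMIDs, the `(root)` run-as spec and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Group name and VMIDs are assumptions.
QM=/usr/sbin/qm   # path from the thread's Cmnd_Alias

# Accept only plain decimal VMIDs so nothing else reaches the sudoers file.
is_vmid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# render_dropin GROUP VMID...  -> sudoers text on stdout, non-zero on bad input
render_dropin() {
    [ "$#" -ge 2 ] || { echo "usage: render_dropin GROUP VMID..." >&2; return 1; }
    group=$1; shift
    case "$group" in
        ''|*[!a-z0-9_-]*) echo "bad group: $group" >&2; return 1 ;;
    esac
    # Exact-argument entries: sudo compares the whole command line, so
    # "qm unlock 100" does not also permit "qm unlock 100 <anything else>".
    cmds="$QM list"
    for id in "$@"; do
        is_vmid "$id" || { echo "bad VMID: $id" >&2; return 1; }
        cmds="$cmds, $QM unlock $id"
    done
    printf 'Cmnd_Alias PVE_COMMANDS = %s\n' "$cmds"
    # (root) rather than the thread's (ALL): qm is only ever run as root here.
    printf '%%%s ALL=(root) NOPASSWD: PVE_COMMANDS\n' "$group"
}

# install_dropin GROUP VMID...  : syntax-check with visudo, then install 0440
install_dropin() {
    tmp=$(mktemp) || return 1
    if render_dropin "$@" > "$tmp" && visudo -cf "$tmp"; then
        install -o root -g root -m 0440 "$tmp" /etc/sudoers.d/pvecommands
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Touch the system only when asked: sh this-script install special 100 101
if [ "${1:-}" = "install" ]; then
    shift
    install_dropin "$@"
fi
```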
 
If you want to use root commands, you'll probably also want to install `sudo` (`apt install sudo -y`), and add your user to the `sudo` group.

In a root shell:

Bash:
usermod -aG sudo Alex

# You can undo this with:
# deluser Alex sudo

You will need to re-log-in with your user for the changes to take effect.

You can confirm with:
Bash:
$ id
# uid=1000(Alex) gid=1000(Alex) groups=1000(Alex),27(sudo),1001(admin)
#                                                 ^^^^^^^^

This works because `%sudo ALL=(ALL:ALL) ALL` is already in `/etc/sudoers`, but it doesn't immediately take effect on an existing login session.

Many Proxmox-specific programs are found in `/usr/sbin`, so make sure to add that to your path:


Bash:
# In your ~/.zshrc, or equivalent

export PATH="/usr/sbin:$PATH"
 
Keep in mind that with sudo, you will not have good tab completion in your shell for pve commands. This will only work for root:

Code:
test@proxmox-test:~$ sudo qm list <tab> -bash: compgen: warning: -C option may not work as you expect
ipcc_send_rec[1] failed: Unknown error -1
ipcc_send_rec[2] failed: Unknown error -1
ipcc_send_rec[3] failed: Unknown error -1
Unable to load access control list: Unknown error -1
.-bash: compgen: warning: -C option may not work as you expect
ipcc_send_rec[1] failed: Unknown error -1
ipcc_send_rec[2] failed: Unknown error -1
ipcc_send_rec[3] failed: Unknown error -1
Unable to load access control list: Unknown error -1
 
Interesting. Is there any way to resolve that?
Besides the obvious: don't use sudo, no. You can also try to restrict shell usage and do everything via API/GUI with a non-privileged user. qm and pct are fine on a single system, yet totally useless in a clustered environment. You need a good pve cli client for that.
 
Aw well, thanks for mentioning this restriction. Most users should probably just be using the default `root` user.

Perhaps I'm just being too puritanical by cargo-culting the "don't use root" dogma haha
 
