A
aladdin
Guest
I was looking for a method to allow another user to log in to proxmox so it avoid me to type root password when I want to monitor my VMs.
I didn't found any "official" solution to do that so I managed to create a user that can only access proxmox, he can't login to the server with ssh or so.
this is my solution described step by step:
first you have to create a user and assign it to root group (GID 0) and disable it's shell !
on a Fedora system you need to type :
on a Debian system type :
then type :
and give it a strong password
at this stage you can try to connect to the proxmox web interface using aveAdmin as login.
the "-s /sbin/nologin" and "-s /bin/false" options will disable user shell so it can't open a console or a ssh session, but we can make it more secure.
to do so : open your ssh configuration file (/etc/ssh/sshd_config) and look for a line beginning with : DenyUsers user1 user2 user3
if you find this line, add pveAdmin at the end
if not add it to the end of sshd_config
then restart your ssh service
you have now a specific user for proxmox administration.
note 1 : one security good practice is to never log in to any system using the root account !
eaven if you use secure connections (ssl, ssh...etc) it's best to use a specific user.
note 2 : the solution above is still not perfect since the created user is a member of "root" group ! I used this because pve tools need it to execute, I think i'll be better if pve uses a spécific other than root.
I'm still looking for a best solution.
I didn't found any "official" solution to do that so I managed to create a user that can only access proxmox, he can't login to the server with ssh or so.
this is my solution described step by step:
first you have to create a user and assign it to root group (GID 0) and disable it's shell !
on a Fedora system you need to type :
PHP:
usermod -s /sbin/nologin -G root pveAdmin
PHP:
usermod -s /bin/false -G root pveAdmin
PHP:
passwd pveAdminat this stage you can try to connect to the proxmox web interface using aveAdmin as login.
the "-s /sbin/nologin" and "-s /bin/false" options will disable user shell so it can't open a console or a ssh session, but we can make it more secure.
to do so : open your ssh configuration file (/etc/ssh/sshd_config) and look for a line beginning with : DenyUsers user1 user2 user3
if you find this line, add pveAdmin at the end
PHP:
DenyUsers user1 user2 user3 pveAdmin
PHP:
DenyUsers pveAdmin
PHP:
/etc/init.d/ssh restartnote 1 : one security good practice is to never log in to any system using the root account !
eaven if you use secure connections (ssl, ssh...etc) it's best to use a specific user.
note 2 : the solution above is still not perfect since the created user is a member of "root" group ! I used this because pve tools need it to execute, I think i'll be better if pve uses a spécific other than root.
I'm still looking for a best solution.