Dr.ooz

Active Member
Dec 24, 2017
Hi everybody,

I'm trying to add two-factor authentication to the Proxmox login for extra security. I'm having a hard time finding a tutorial and the documentation is not very clear. Can anyone help me set it up?
 
you add the keys to the users, and enable TFA for the realm (it's probably a good idea to use a test realm first to verify everything is working, otherwise you might lock yourself out). if you want to use yubico's OTP variant, check their docs for how to set up the authentication server.
 
you add the keys to the users, and enable TFA for the realm (it's probably a good idea to use a test realm first to verify everything is working, otherwise you might lock yourself out). if you want to use yubico's OTP variant, check their docs for how to set up the authentication server.
If you can give me the steps, it would really help, cuz I'm not that experienced with this stuff.
 
@Dr.ooz

#
# Enable Multi Factor Authentication
#


# SSH to pve server and switch to root
sudo -s

# Run the OATH key generator command to create a random Key ID
oathkeygen

# Example:
4E77B4GFT8MB2YOM

# In the GUI under User Management, add this Key ID to the user in question
Edit the user and add the Key ID in the Key IDs field

# Pick up your smartphone and download Starling 2FA
There is no bar to scan; you need to add the generated key manually

# Note: About Starling 2FA

I highly recommend you use the "Starling 2FA" app on your phone instead of Google Authenticator, since you can back up 2FA accounts to the cloud and access them on multiple devices, which is not possible with Google Authenticator. Starling 2FA is available on iPhone and Android, and you can use it instead of GAuth across all your internet accounts if they provide MFA. I've been using it for years and it's so good. I once forgot my phone and I was able to access my accounts from my iPad. Since they are all synced to the cloud, there are no worries about losing the phone. Besides, all 2FA accounts are encrypted using my password.

# Finally, once the Key ID is added to the user in question and added to Starling 2FA on your phone, go to Permissions > Authentication > select the pve realm > Edit, enable the OATH TFA method, select the check box where it says Default, and press Okay to save. Don't log out yet; open another browser to test it first.

Note: It is highly recommended to add a new Key ID for the root user as well and enable OATH TFA for the PAM realm as well.
 
Hi,
Is it possible to add a second 2FA key in case the primary one is lost or broken?
 
not yet, but bringing the full flexibility of TFA like we have in PBS (with recovery codes, etc.pp.) to PVE/PMG is currently being worked on.
 
