Can't login to webgui when totp is enabled
- Thread starter me.mr
- Start date
I continue to have this issue with the latest updates (on enterprise).
Edit:
Adding on to this, I am able to pass the challenge to add a TOTP, but once it is added, the user is unable to login through the webgui until it is removed.
Login failed:
authentication failure (401)
Please try again
Edit:
Adding on to this, I am able to pass the challenge to add a TOTP, but once it is added, the user is unable to login through the webgui until it is removed.
Login failed:
authentication failure (401)
Please try again
Last edited:
I have the same issue here, however, I'm able to access it via SSH, and if I remove the TOTP config for my user using CLI, it works.
Is there a bug, is somebody working on it ?
Is there a bug, is somebody working on it ?
I have no idea what the current problem is, but I want to post a generic reminder for basic knowledge: the most fundamental problem with TOTP is that the clocks may drift apart. Only a few seconds are acceptable; the interval between renewals is 30 seconds (usually).
Thank you for this and it is very good knowledge to have. In my situation I am able to add the TOTP as an option, which means I am answering back the challenge code correctly, which I think rules out the system clock being an issue.
I can confirm 2FA seems broken (atleast for me, too). The TOTP popup never shows when atleast one account has TOTP enabled. When removing the user from the /etc/pve/priv/tfa.cfg, or the file itself, the user can log back in. When re-enabling TOTP the problem persists.
full log:
It seems related to webauth, which I dont use but somehow the code still seems to get triggered so, in that case this would definitly be a bug. webauth should not be triggered when it's not being used.
- The system is fully up to date, there are no updates available.
- I've disabled Bitwarden for Firefox although I've never experienced the bug mentioned.
- I've used Chrome to check if this is a Firefox issue, I get the same "Login failure, authentication failure (401) Please try again"
- It doesn't matter which realm I use,
- I did a "apt install --reinstall pve-manager proxmox-widget-toolkit libjs-extjs" just to be sure (this machine has no subscription) and restarted pve-proxy.
- I connect to this machine directly on its IP using port 8006.
- When I check "timedatectl status" it says it's working perfectly and I can confirm this, the time is synced correctly to the second.
full log:
It seems related to webauth, which I dont use but somehow the code still seems to get triggered so, in that case this would definitly be a bug. webauth should not be triggered when it's not being used.
Ok so a (in my case) workaround:
- in datacenter -> options -> webauth settings, added a FQDN which I made up on the spot
- on my Linux hosts in /etc/hosts I added 10.0.0.240 and after that the made up FQDN (like "10.0.0.240 meteor.sol.com")
- on my only windows host under windows\system32\drivers\etc\hosts did the same
and now it works again (when visiting meteor.sol.com, not the IP).
It's strange that on version 8 this didn't seem to matter.
- in datacenter -> options -> webauth settings, added a FQDN which I made up on the spot
- on my Linux hosts in /etc/hosts I added 10.0.0.240 and after that the made up FQDN (like "10.0.0.240 meteor.sol.com")
- on my only windows host under windows\system32\drivers\etc\hosts did the same
and now it works again (when visiting meteor.sol.com, not the IP).
It's strange that on version 8 this didn't seem to matter.
Last edited:
Ok so I removed
from the file /etc/pve/datacenter.cfg
Now 2FA works again.
See also this post: https://forum.proxmox.com/threads/cant-login-on-webinterface-401.171291/post-798451
webauthn: ...from the file /etc/pve/datacenter.cfg
Now 2FA works again.
See also this post: https://forum.proxmox.com/threads/cant-login-on-webinterface-401.171291/post-798451