2FA TOTP and Proxmox cluster

scelles

New Member
Sep 16, 2024
Hello,

I enabled 2FA with TOTP (with 2FAS) on a Proxmox cluster and noticed a very strange behavior.

(When I created the Proxmox cluster I disabled 2FA and enabled it again after cluster creation.)

When my cluster is complete (my 2 nodes... it's just a small homelab) I can log in with root@pam, its password and the 2FA code.
But when one of my nodes is unavailable I can't log in with 2FA on a node. Login/password is fine, but the 2FA code is not accepted.

I don't understand what is going on.

As an intermediate solution I disabled 2FA... but that is not a solution.

Kind regards
 
Sorry, but I "broke" my first experimental Proxmox cluster, so I won't be able to try this. Anyway, if the first cluster node was out of order I wouldn't have been able to log in.
 
Thanks @mariol. Is enabling TFA on each node separately (i.e. before creating the cluster) and then creating the cluster a better option to avoid this kind of problem?
 
This cannot be avoided, as the TFA is stored in pmxcfs. If the cluster does not always have quorum (is running), a better solution might be to separate the nodes, so that you have two separate pmxcfs and always have access to everything.

Location: /etc/pve/priv/tfa.cfg

Edit: As a workaround you can add a QDevice to your cluster [1]

[1] https://pve.proxmox.com/pve-docs/pve-admin-guide.html#_qdevice_technical_overview
 
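The answer above explains the behaviour: tfa.cfg lives in pmxcfs, and pmxcfs becomes read-only when the cluster loses quorum, so an isolated node of a two-node cluster cannot update the TFA configuration even though the local root@pam password still checks out. As an added example (not code from the thread, from Proxmox, or from either poster), the POSIX shell script below shows how to tell the two states apart from a node: it parses the `Quorate:`, `Total votes:` and `Quorum:` lines of `pvecm status`, probes whether pmxcfs still accepts a write, and prints the remediation the thread and the admin guide point to (a QDevice via `pvecm qdevice setup`, or `pvecm expected 1` as a runtime-only emergency measure). The two `pvecm status` outputs embedded in the script are constructed samples; the function names, the probe file name and the `<qdevice-ip>` placeholder are assumptions of this example.

```shell
#!/bin/sh
# Added example for this thread; not code from Proxmox or from the posters.
# tfa.cfg lives in pmxcfs (/etc/pve), and pmxcfs is read-only while the
# cluster has no quorum, so a TOTP login on an isolated node cannot update
# the TFA config. These helpers tell the two states apart from `pvecm status`.

# Constructed sample: surviving node of a two-node cluster, partner down.
SAMPLE_STATUS_NO_QUORUM='Quorum information
------------------
Quorum provider:  corosync_votequorum
Nodes:            1
Node ID:          0x00000001
Quorate:          No

Votequorum information
----------------------
Expected votes:   2
Highest expected: 2
Total votes:      1
Quorum:           2 Activity blocked
Flags:

Membership information
----------------------
    Nodeid      Votes Name
0x00000001          1 192.168.1.10 (local)'

# Constructed sample: both nodes up.
SAMPLE_STATUS_QUORATE='Quorum information
------------------
Quorum provider:  corosync_votequorum
Nodes:            2
Quorate:          Yes

Votequorum information
----------------------
Expected votes:   2
Highest expected: 2
Total votes:      2
Quorum:           2
Flags:            Quorate'

# Return 0 if the `pvecm status` text passed as $1 reports a quorate cluster.
is_quorate() {
    printf '%s\n' "$1" | awk -F: '
        /^Quorate:/ { gsub(/[ \t]/, "", $2); if (tolower($2) == "yes") ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# Print how many votes are still missing for quorum (0 when quorate).
# awk converts "           2 Activity blocked" to 2 via its leading number.
missing_votes() {
    printf '%s\n' "$1" | awk -F: '
        /^Total votes:/ { total = $2 + 0 }
        /^Quorum:/      { need = $2 + 0 }
        END { m = need - total; if (m < 0) m = 0; print m }'
}

# Return 0 if a file can be created in directory $1. On a node without
# quorum, pmxcfs (/etc/pve) rejects this even for root.
pmxcfs_writable() {
    probe="$1/.tfa-probe.$$"   # assumed probe file name for this example
    if ( : > "$probe" ) 2>/dev/null; then
        rm -f "$probe"
        return 0
    fi
    return 1
}

# Summarise what a TOTP login on this node can expect:
#   ok           quorate and pmxcfs writable
#   no-quorum    votes missing; tfa.cfg cannot be updated
#   not-writable quorate, but pmxcfs refused a write (check pve-cluster)
tfa_login_state() {
    if ! is_quorate "$1"; then
        echo "no-quorum"
    elif ! pmxcfs_writable "$2"; then
        echo "not-writable"
    else
        echo "ok"
    fi
}

# Remediation hint for a non-quorate node: a QDevice gives a two-node
# cluster a tie-breaking vote; `pvecm expected 1` only lowers the runtime
# vote threshold on this node and is an emergency measure, not a fix.
quorum_hint() {
    missing=$(missing_votes "$1")
    if [ "$missing" -gt 0 ]; then
        echo "missing $missing vote(s): persistent fix 'pvecm qdevice setup <qdevice-ip>', emergency only 'pvecm expected 1'"
    else
        echo "quorate: no action needed"
    fi
}

# Live check when run on a PVE node; skipped where pvecm is not installed.
if command -v pvecm >/dev/null 2>&1; then
    live=$(pvecm status 2>/dev/null)
    echo "tfa login state: $(tfa_login_state "$live" /etc/pve)"
    quorum_hint "$live"
fi
```

Run it on the node that refuses the TOTP code: `no-quorum` together with a "missing 1 vote(s)" hint is exactly the homelab situation described in the thread, and the persistent fix is the QDevice from the linked admin-guide section rather than re-enabling TFA before or after cluster creation.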