About Root Account Permissions and Deactivation

monbi

New Member
Sep 11, 2024
Hello,

I would like to avoid using the root account in Proxmox due to security concerns. Therefore, I created a new account and granted it sudo privileges.

  1. Is it acceptable to change the root account's name and still use it?
  2. I commented out the %sudo group in the sudoers file and configured it so that only specific accounts can use sudo. Does Proxmox require the sudo group to be specified in order to use the sudo command?
  3. I have disabled the root password in the terminal environment and also disabled root access via the web interface. If I have granted the same permissions to a specific account, does that account have the same level of access as root?
Thank you.
 
Basically, this could be solved more easily in your case. Before I give my answer, I have one more question: do the users have to use a CMD on the Proxmox shell at all, or would the web interface be enough?
 
I use both the web UI and the terminal environment. Currently, I have disabled the root account in the web UI.

However, I’ve heard that disabling the root account in the terminal environment might prevent the use of certain functionalities. Is that correct?

For security reasons, I would like to either rename the root account and continue using it, create a user with the same privileges as root, or grant sudo privileges while preventing access to the root shell. Is there a way to achieve this?
 
Please leave the root account as it is. With things like this, you can very quickly render the system unusable.

That's how I do it:

  • On your client machine, create an SSH key and upload it to your Proxmox VE host
  • Set a special secure password for your root account -> I use Bitwarden to store these passwords
  • Create a 2Factor via the web interface for your root account
  • Disable SSH login with password on the Proxmox VE host completely
Change the option in /etc/ssh/sshd_config:

Code:
- PermitRootLogin yes
+ PermitRootLogin prohibit-password

- PasswordAuthentication yes
+ PasswordAuthentication no

And restart the SSH server with systemctl restart sshd

For other users, they don't need CMD access; you can use the internal user management to create users with special group access for the web UI and the Proxmox VE Authentication Server realm.

I also never work with the root user. I only access my PVE via CMD using SSH with a key.
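
An added example, not part of the original post: sshd uses the first value it obtains for each keyword, so it is worth checking that the two sshd_config settings changed above are the ones actually in effect. The function names, the sample drop-in `50-example.conf`, and resolving relative Include paths against the config file's directory are assumptions of this sketch.

```shell
# sshd keeps the FIRST value it reads for a keyword, so a drop-in pulled in by
# an earlier Include line beats a later edit in sshd_config itself.

# flatten FILE: print FILE with Include lines replaced by the files they name.
# Assumption: relative Include paths are resolved against FILE's directory.
flatten() (
    cfg=$1; base=$(dirname "$cfg")
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f            # word-split without globbing
        if [ "$(printf '%s' "${1:-}" | tr 'A-Z' 'a-z')" = include ]; then
            shift
            for pat in "$@"; do
                case $pat in /*) ;; *) pat=$base/$pat ;; esac
                for f in $pat; do if [ -f "$f" ]; then flatten "$f"; fi; done
            done
        else
            printf '%s\n' "$line"
        fi
    done < "$cfg"
)

# effective_value FILE KEYWORD: first global value (before any Match block).
effective_value() {
    flatten "$1" | awk -v want="$2" '
        BEGIN { want = tolower(want) }
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^#/ || /^$/ || done { next }
        { n = match($0, /[ \t=]/); kw = tolower(n ? substr($0, 1, n - 1) : $0) }
        kw == "match" { done = 1; next }
        kw == want && n { v = substr($0, n); sub(/^[ \t]*=?[ \t]*/, "", v)
                          print v; done = 1 }'
}

# hardened FILE: succeeds only if both settings from the post are in effect.
hardened() {
    [ "$(effective_value "$1" PermitRootLogin)" = prohibit-password ] &&
    [ "$(effective_value "$1" PasswordAuthentication)" = no ]
}

# Constructed sample: sshd_config edited as in the post, plus a hypothetical
# drop-in (50-example.conf) that turns password logins back on.
make_sample() {
    mkdir -p "$1/sshd_config.d"
    printf '%s\n' 'Include sshd_config.d/*.conf' 'PermitRootLogin prohibit-password' \
        'PasswordAuthentication no' > "$1/sshd_config"
    printf '%s\n' 'PasswordAuthentication yes' > "$1/sshd_config.d/50-example.conf"
}

tmp=$(mktemp -d); make_sample "$tmp"
hardened "$tmp/sshd_config" || echo "password login still on: drop-in wins"
rm -rf "$tmp"
```

On a real host, `sshd -t` checks the configuration for errors before the restart, and `sshd -T` prints the settings sshd will actually apply.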
 
