confused by TFA config

Oct 2, 2022
Hi, I am a little bit confused about the TFA config.

I have a 3-node PVE cluster where on every node the root user has a different password.

When I try to enable TOTP, even via the user config, I always land on the Datacenter / Permissions / Two Factor config page.

If I then create a TOTP for node 1 and save it, the root users for node 2 and node 3 also demand TFA.

I was expecting that either the root user is somehow synced between the nodes (but this is not the case, I cannot log in with credentials from node 1 root into node 2 or node 3) or that the TFA can be configured per user on a specific node.

What is the best practice here?
I have a similar issue and would also be interested in finding out the best practice for handling TFA on a cluster.

In my scenario, I had TFA enabled on node1 (where the cluster was created). I then joined node2 (no TFA enabled) to the cluster previously created on node1.

To log in to node1 I used the node1 root password + the TFA code (originally set up on node1); to log in to node2 I used the node2 root password + the TFA code (originally set up on node1).

Is this the correct behavior?
 
Yes, the TFA options are cluster-wide (as are all non-@pam users). The only 'node-specific' thing about users is the password + existence of PAM users (because the password checking is not done by us but by the system).
All @pve users, for example, are the same on the cluster.
 
> Yes, the TFA options are cluster-wide (as are all non-@pam users). The only 'node-specific' thing about users is the password + existence of PAM users (because the password checking is not done by us but by the system).
> All @pve users, for example, are the same on the cluster.
Fantastic @dcsapak, this is very helpful information!
 
Just to be clear: a cluster-synced user with TFA works with PVE users but does not work with PAM users? Because I have on each node in my cluster a PAM user with a different password. But when I add TFA for the PAM user on the first node, I am not able to create TFA for the same PAM user on the second node, but the TFA from the first user does not work for the user on the second node.
 
> Just to be clear: a cluster-synced user with TFA works with PVE users but does not work with PAM users? Because I have on each node in my cluster a PAM user with a different password. But when I add TFA for the PAM user on the first node, I am not able to create TFA for the same PAM user on the second node, but the TFA from the first user does not work for the user on the second node.
If I am not mistaken, the TFA settings are cluster-wide. PAM users are node-specific, meaning the root@pam accounts on each server will authenticate the password against the individual node they were originally set up on, but when you are prompted for the TOTP code, you will use the TOTP or TFA method that was set up for the cluster.