[SOLVED] Disable gui login but enable API login

C

cr4ckDe

Member
Oct 15, 2022
16
0
6
Hello,

I have an API user with different API tokens and with different permissions. f.ex.
apiuser@pve!git -> Only allowed to fetch vm informations
apiuser@pve!poweruser -> Administrator

The apiuser needs the administrator role for the poweruser. I would like to disable the password login via the gui for the apiuser, since it won't be used anyway and the tokens should be the only way for the apiuser to login. Is there a way to accomplish that?


Is my approach correct or is there a better way to solve this problem?
 
Hi,

couldn't you just separate the privileges of the API token? Then you wouldn't have any rights even if that user does a login via GUI.

Edit: Does not work
 
Last edited:
Azunai333 said:
couldn't you just separate the privileges of the API token? Then you wouldn't have any rights even if that user does a login via GUI.
Click to expand...

that's not what privilege separation means.. it means that the token doesn't automatically get the privileges of the user, not that the user can have less privileges than the token.

@OP: I don't think it's possible to disable a user without also disabling its tokens.. but you could make it effectively impossible to login
- set a random password
- enable TFA and throw away the secret
 
  • Like
Reactions: cr4ckDe and Azunai333
Hello Fabian,

thank you for your answer. I had the same idea, but I though there would be a better way.

I will set it up like you suggested.
 
You must log in or register to reply here.
Top Bottom