Disabling OTP renders login to WebGUI unusable

jsabater

Member
Oct 25, 2021
Palma, Mallorca, Spain
Hey everyone!

So I had 2FA enabled for my root@pam user and wanted to add a new node to an existing cluster. Last time I had to do that (a couple of minor versions ago, if I recall correctly) I had to remove 2FA, then re-create it after the node was added and set up.

So I am now on Proxmox 7.3-6 and decided to check the options at Datacenter: Permissions: Two Factor. To my surprise, I found an Enabled, which I decided to use.

Unfortunately, this led to me still being asked for a 2FA code when trying to add the node. Logging out and logging back in showed a user interface that had been rendered unusable because it did not show any text box to input the requested code. I am sorry but I forgot to take a screenshot. I solved it by logging in via SSH and shooting the /etc/pve/priv/tfa.cfg in the head (wasn't in the mood to fiddle with the JSON inside it, to be honest).

So I decided to post here to see whether I was doing something wrong before filing a bug report in the bug tracker.

Thanks in advance.
 
For future reference, I went through the process again and this is a screenshot of what is being shown when trying to log in if TFA is not enabled (because you created an OTP but then unchecked the Enabled mark):

[Screenshot: Second login factor required - Proxmox.png]

To restore the previous status I followed these steps:
  1. Moved /etc/pve/priv/tfa.cfg to /etc/pve/priv/tfa.cfg.bak, then logged back in (without the need to input an OTP).
  2. When I was logged in, I moved /etc/pve/priv/tfa.cfg.bak back to /etc/pve/priv/tfa.cfg.
  3. Refreshed the Datacenter: Two Factor screen, edited the root@pam TOTP record and ticked the Enabled checkbox.
  4. Logged out and logged back in, and 2FA was working again.
I keep thinking that this must be a bug, so I have reported it to the bug tracker.
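The state described in this thread (a user who has a TOTP entry configured but with its Enabled flag cleared) is something an administrator may want to spot from the shell before logging out, rather than discovering it at the login screen. The following is an added example and not code from the poster or from Proxmox; it assumes that /etc/pve/priv/tfa.cfg is JSON with a top-level "users" map, where each user holds lists under keys such as "totp", "u2f", "webauthn" and "yubico", and each list entry carries an "info" object with an "enable" boolean. That layout is an assumption based on the JSON the poster mentions; check it against your own file before relying on the script. The sample configuration embedded below is constructed for the example.

```python
import json
import sys

# Constructed sample in the layout this example ASSUMES for /etc/pve/priv/tfa.cfg.
# "root@pam" has a TOTP entry whose "enable" flag is false, which is the situation
# the forum post describes; "admin@pve" has a normally enabled entry.
SAMPLE_TFA_CFG = """
{
  "users": {
    "root@pam": {
      "totp": [
        {"info": {"id": "constructed-id-1", "description": "phone",
                  "created": 1666000000, "enable": false},
         "entry": "constructed-secret-placeholder"}
      ]
    },
    "admin@pve": {
      "totp": [
        {"info": {"id": "constructed-id-2", "description": "hardware token",
                  "created": 1666000001, "enable": true},
         "entry": "constructed-secret-placeholder"}
      ],
      "recovery": {"created": 1666000002, "entries": [0, 1, 2]}
    }
  }
}
"""

# Factor types assumed to appear as per-user lists of entries with an "info" block.
# Recovery keys are stored differently (no per-entry enable flag) and are skipped.
FACTOR_TYPES = ("totp", "u2f", "webauthn", "yubico")


def summarize(cfg_text):
    """Return {user: {"enabled": n, "disabled": n}} for second-factor entries.

    An entry counts as disabled when its info block lacks "enable" or has it false.
    """
    cfg = json.loads(cfg_text)
    result = {}
    for user, data in cfg.get("users", {}).items():
        counts = {"enabled": 0, "disabled": 0}
        for ftype in FACTOR_TYPES:
            for entry in data.get(ftype, []):
                if entry.get("info", {}).get("enable", False):
                    counts["enabled"] += 1
                else:
                    counts["disabled"] += 1
        result[user] = counts
    return result


def users_with_only_disabled_factors(cfg_text):
    """Users who have second-factor entries but none of them enabled.

    These are the accounts that, per the post, still get prompted for a second
    factor on the 7.3 WebGUI without a field to enter it.
    """
    return sorted(user for user, counts in summarize(cfg_text).items()
                  if counts["enabled"] == 0 and counts["disabled"] > 0)


def main(argv):
    # Read the real file when a path is given (e.g. /etc/pve/priv/tfa.cfg, as root);
    # otherwise run against the constructed sample so the script works offline.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            cfg_text = fh.read()
    else:
        cfg_text = SAMPLE_TFA_CFG
    for user, counts in summarize(cfg_text).items():
        print(f"{user}: {counts['enabled']} enabled, {counts['disabled']} disabled")
    flagged = users_with_only_disabled_factors(cfg_text)
    if flagged:
        print("WARNING: second factor configured but not enabled for:", ", ".join(flagged))
    return 1 if flagged else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root with the path to tfa.cfg to get a per-user count and a non-zero exit status when any account is in the configured-but-disabled state; without arguments it runs against the embedded sample. Re-enabling the entry through the Datacenter: Two Factor screen, as the poster did in step 3, is the intended fix once the state is identified.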