Disabling OTP renders login to WebGUI unusable

jsabater

Member
Oct 25, 2021
102
7
23
48
Palma, Mallorca, Spain
Hey everone!

So I had 2FA enabled for my root@pam user and wanted to add a new node to an existing cluster. Last time I had to do that (a couple of minor versions ago, if I recall correctly) I had to remove 2FA, then re-create it after the node was added and set up.

So I am now on Proxmox 7.3-6 and decided to check the options at Datacenter: Permissions: Two Factor. To my surprise, I found an Enabled, which I decided to use.

Unfortunately, this lead to me still being asked for a 2FA code when trying to add the node. Logging out and logging back in showed a user interface that had been rendered unusable because it did not show any text box to input the requested code. I am sorry but I forgot to take a screenshot. I solved it by logging in via SSH and shooting the /etc/pve/priv/tfa.cfg in the head (wasn't in the mood to fiddle with the JSON inside it, to be honest).

So I decided to post here to see whether I was doing something wrong before filing a bug report in the bug tracker.

Thanks in advance.
 
For future reference, I went through the process again and this is a screenshot of what is being shown when trying to log in if TFA is not enabled (because you created a OTP but then unchecked the Enabled mark):

Second login factor required - Proxmox.png

To restore the previous status I followed these steps:
  1. Moved /etc/pve/priv/tfa.cfg to /etc/pve/priv/tfa.cfg.bak, then logged back in (without the need to input a OTP).
  2. When I was logged in, I moved /etc/pve/priv/tfa.cfg.bak back to /etc/pve/priv/tfa.cfg.
  3. Refreshed the Datacenter: Two Factor screen, edited the root@pam TOPT record and ticked the Enabled checkbox.
  4. Logged out and logged back in, and 2FA was working again.
I keep thinking that this must be a bug, so I have reported it to the bug tracker.
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!