[TUTORIAL] How can I enable TFA for a user via script?

eMarcus

Jul 31, 2025
Hi,
Because we often add whole LDAP groups to our Proxmox cluster and we enforce TFA for LDAP realms, I tried to script the TFA enablement for all users of a group.

  • I can create a new key using oathkeygen
  • I can add that key to a user with pveum user modify <user@realm> --keys <key>
  • I can even create a QRCode with qrencode and send it to the user with mail
  • But the user does not show up in the GUI "Two Factor" menu list and he can't login.
I guess there is another step missing; pveum user tfa unlock does not work (no such user).

Any ideas what the missing link could be?

Thanks and a nice weekend,
Marcus.
 
Hi,
  • I can add that key to a user with pveum user modify <user@realm> --keys <key>
This is for Yubico keys only (see https://pve.proxmox.com/pve-docs/pveum.1.html):
pveum user modify
--keys [0-9a-zA-Z!=]{0,4096}
Keys for two factor auth (yubico).

Use an api call like this instead:
Bash:
pvesh create /access/tfa/<userid>@<realm> \
  --type totp \
  --description "Added-via-CLI" \
  --totp "otpauth://totp/Proxmox:<userid>@<realm>?secret=<YOUR_BASE32_SECRET>&issuer=Proxmox" \
  --value <CURRENT_6_DIGIT_CODE>
 
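Putting the reply's pvesh call into a script is the part Marcus actually wants, and the detail that bites is that --value must be the TOTP code valid at the moment of the call. The following is an added example (not the reply author's code, not shipped by Proxmox): it generates a 160-bit base32 secret, computes the current RFC 6238 code itself, and runs the exact pvesh command from the reply. It assumes it is run as root@pam on a cluster node; the user id argument is in user@realm form, and the function and file names are mine.

```python
"""Enrol a TOTP factor for a Proxmox VE user via pvesh (added example)."""
import base64
import hashlib
import hmac
import secrets
import struct
import subprocess
import time

ISSUER = "Proxmox"  # shows up as the account label in the authenticator app


def generate_secret(nbytes: int = 20) -> str:
    """Random base32 secret, 160 bits like oathkeygen, without '=' padding."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def totp_code(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s, 6 digits): the defaults the Proxmox GUI uses."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", at // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F  # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def otpauth_uri(userid: str, secret_b32: str) -> str:
    """Same URI the reply passes as --totp; also what goes into the QR code for the user."""
    return f"otpauth://totp/{ISSUER}:{userid}?secret={secret_b32}&issuer={ISSUER}"


def pvesh_command(userid: str, secret_b32: str, at: int,
                  description: str = "Added-via-CLI") -> list[str]:
    """argv for the pvesh call from the reply; --value is the code valid at time `at`."""
    return ["pvesh", "create", f"/access/tfa/{userid}", "--type", "totp",
            "--description", description,
            "--totp", otpauth_uri(userid, secret_b32),
            "--value", totp_code(secret_b32, at)]


def enrol(userid: str) -> str:
    """Create the factor for `userid` and return the secret to hand to that user."""
    secret = generate_secret()
    # Assumes root@pam on a node; a non-root API user must also pass --password.
    subprocess.run(pvesh_command(userid, secret, int(time.time())), check=True)
    return secret


if __name__ == "__main__":
    import sys
    print(otpauth_uri(sys.argv[1], enrol(sys.argv[1])))  # feed this to qrencode
```

Loop over the members of the LDAP group and call enrol() for each; keep the printed URI only long enough to mail the QR code, since it is the user's long-term secret.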