How can you block shell access to a Proxmox node?

victorhooi

Well-Known Member
Apr 3, 2018
We run a small Proxmox cluster for lab/testing.

Users have access to the Web UI, to create/spin up new VMs, and check on the status of the cluster.

Is there some permission/ACL we can use to block direct shell access to the Proxmox node?

(We are looking to roll out Teleport, or something similar, and would want any users who have shell access to go through that).
 
Hi,

Is there some permission/ACL we can use to block direct shell access to the Proxmox node?

The shell is normally only directly accessible if one is logged in as root@pam; otherwise it shows a host login prompt and one would need to know the credentials to be able to log in.
That said, a user may not even access the login prompt if they do not have the Sys.Console privilege on the respective /nodes/{node} path. So please check the permissions you gave those users; you may want to reduce them or use another role (you can also create custom ones).
https://pve.proxmox.com/pve-docs/chapter-pveum.html#pveum_permission_management
https://pve.proxmox.com/pve-docs/api-viewer/index.html#/nodes/{node}/termproxy
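
An added example, not part of the reply above: one way to run the suggested permission check across several users, listing who holds Sys.Console on a node path. It assumes each user's permission map has the path -> privilege -> propagate shape returned by the `/access/permissions` API endpoint; the user names, node names and sample data are constructed.

```python
# Constructed sample input: effective permissions per user, shaped like the output of
#   pvesh get /access/permissions --userid <user> --output-format json
# (map of ACL path -> map of privilege -> propagate flag). All names are made up.
SAMPLE = {
    "alice@pve": {
        "/vms": {"VM.Allocate": 1, "VM.Console": 1, "VM.PowerMgmt": 1},
        "/nodes/pve1": {"Sys.Audit": 1},
    },
    "bob@pve": {
        "/": {"Sys.Audit": 1, "Sys.Console": 1},
        "/nodes/pve1": {"Sys.Audit": 1, "Sys.Console": 1},
    },
    "carol@pve": {
        "/nodes": {"Sys.Console": 0},       # not propagated, so it does not reach any node
        "/nodes/pve2": {"Sys.Console": 0},  # set on the node path itself, so it applies
    },
}

PRIV = "Sys.Console"


def node_shell_paths(perms):
    """Return the paths in one user's permission map that give node console access."""
    hits = []
    for path, privs in perms.items():
        if PRIV not in privs:
            continue
        parts = [p for p in path.split("/") if p]
        is_node = len(parts) == 2 and parts[0] == "nodes"  # /nodes/{node}
        is_ancestor = parts in ([], ["nodes"])              # "/" or "/nodes"
        # An ancestor entry only reaches /nodes/{node} when it propagates.
        if is_node or (is_ancestor and privs[PRIV]):
            hits.append(path)
    return sorted(hits)


def audit(users):
    """Map each user that can reach a node console to the paths that allow it."""
    report = {}
    for user, perms in users.items():
        hits = node_shell_paths(perms)
        if hits:
            report[user] = hits
    return report


if __name__ == "__main__":
    for user, paths in audit(SAMPLE).items():
        print(f"{user}: {PRIV} via {', '.join(paths)}")
```

Users that appear in the report are candidates for a reduced or custom role without Sys.Console, as the reply suggests.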