Locked out proxmox GUI Because of TOTP (2FA) (SOLVED)

titidlh

New Member
May 27, 2022
Hi everyone, it's my first post, so I'm not sure I was supposed to post it here, but anyway, it could help.

So I tried to add new features to my Proxmox recently, especially 2FA.
It works like a charm, I could use my Google Authenticator for login, very cool!

But finally I decided to remove it, because I'm working in a team, and they don't have access for now to the Google 2FA, since we haven't talked about it.

What's the problem then?

When I log out of Proxmox, I can't log in anymore...


For the record:
- On my Proxmox, it seems that /etc/pve/domains.cfg doesn't exist in my Proxmox version.
- I did disable it by unchecking the box "Modify a TFA entry's description".
Thus I could just enable it later when we would have talked about it with the team.

- I did check in /etc/pve/user.cfg whether, for my user (root), the TOTP option was deactivated (line user:root@pam:1:0::::::: x!oath for TOTP or x!u2f if 2FA).

As you can see, it was effectively deactivated.

So if for any reason you need to delete this option, you can proceed as follows:

- SSH into your node, you should be able to connect even with 2FA.
If you restarted your node and now you can't connect anymore with SSH, try to connect to the cluster from another node, if you do have one.

- Create a new user, with admin role and in the same realm:

Create a new user:
adduser admin

Add this user to the realm:
pveum useradd admin@pam

You can change the password, or the former command will ask you for it anyway:
pveum passwd admin@pam

Give admin access to this user:
pveum aclmod / -user admin@pam -roles Administrator

So now you have a new user admin which doesn't require 2FA for the GUI.
Connect to your Proxmox, then go to "Users".
What you can see is a value "X" in Key IDs.
You want to delete it in order to deactivate 2FA.

I don't know why; for some reason this is not cleaned up even though I unchecked 2FA before logout, but this is the problem.

Now you can go to Two Factor, click on your User@pam and now you can successfully uncheck it
or even remove it.

Log out, and try to log back in with your root@pam or whatever user.


If you encounter an error when you want to remove it with your new account,
you really need to log in to the proper node with the admin user account or root.
So please, don't try anything from another node because it won't work.
Plus, you need to use either the proper user (the one with 2FA, which you can access now that you deactivated 2FA)
or the root user (administrator role).


If you are unlucky:

- You don't have a cluster with another node to access your locked node
- You can't access your cluster with SSH

I'm not sure this workaround would help you.
May this topic help someone (I have to present my infrastructure on Monday for my final exam for school), because it is so stressful when you can't access your whole infra. This is a critical problem we need to take care of, and we need to prevent people from making stupid mistakes like I did.

I hope I made myself clear. If you need anything please ask me, I would be happy to help.

Special thanks to @Tonton_Jo for the help
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
PS: you can check my PVE version here
root@Annecy:~# pveversion -v
proxmox-ve: 7.2-1 (running kernel: 5.15.35-1-pve)
pve-manager: 7.2-3 (running version: 7.2-3/c743d6c1)
pve-kernel-5.15: 7.2-3
pve-kernel-helper: 7.2-3
pve-kernel-5.13: 7.1-9
pve-kernel-5.11: 7.0-10
pve-kernel-5.15.35-1-pve: 5.15.35-3
pve-kernel-5.13.19-6-pve: 5.13.19-15
pve-kernel-5.11.22-7-pve: 5.11.22-12
pve-kernel-5.11.22-4-pve: 5.11.22-9
ceph-fuse: 15.2.14-pve1
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx3
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.22-pve2
libproxmox-acme-perl: 1.4.2
libproxmox-backup-qemu0: 1.2.0-1
libpve-access-control: 7.1-8
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.1-6
libpve-guest-common-perl: 4.1-2
libpve-http-server-perl: 4.1-1
libpve-storage-perl: 7.2-2
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 4.0.12-1
lxcfs: 4.0.12-pve1
novnc-pve: 1.3.0-3
openvswitch-switch: 2.15.0+ds1-2+deb11u1
proxmox-backup-client: 2.1.8-1
proxmox-backup-file-restore: 2.1.8-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.4-10
pve-cluster: 7.2-1
pve-container: 4.2-1
pve-docs: 7.2-2
pve-edk2-firmware: 3.20210831-2
pve-firewall: 4.2-5
pve-firmware: 3.4-2
pve-ha-manager: 3.3-4
pve-i18n: 2.7-1
pve-qemu-kvm: 6.2.0-6
pve-xtermjs: 4.16.0-1
qemu-server: 7.2-2
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.7.1~bpo11+1
vncterm: 1.7-1
zfsutils-linux: 2.1.4-pve1
 

Entered this exact same problem - enabled TOTP, then removed it, now I can't log in.
I followed this, but it doesn't work for me (PVE version 8.0.2). I created the new user (via SSH, I can still log in there) that doesn't have 2FA but I still can't log in to the UI.

Update: editing /etc/pve/domains.cfg solved the problem for me. There I commented out the line with "tfa type=oath" in pam: pam section.

I guess I left this turned on before I removed 2FA from the root account. Whoops.
Problem solved.
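
Added example, not part of either post above: a read-only check for the two places the posts found leftover TFA state, a realm-level "tfa" line in domains.cfg and a per-user Key IDs value in user.cfg. It assumes domains.cfg uses "type: realm" section headers with indented options and that user.cfg stores the Key IDs in the 9th colon-separated field of each "user:" line; the sample files are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: read-only check for leftover TFA settings on a Proxmox VE node.
# Assumptions: domains.cfg uses "type: realm" headers with indented options;
# user.cfg keeps the Key IDs in the 9th colon-separated field of "user:" lines.

# Print every realm whose section contains an active (uncommented) "tfa" line.
realms_enforcing_tfa() {
    awk '
        /^[a-z]+:[ \t]+[^ \t]+/ { realm = $2; next }   # section header, e.g. "pam: pam"
        /^[ \t]+tfa[ \t]/       { print realm }        # a leading "#" disables the line
    ' "$1"
}

# Print "userid keys" for each user whose Key IDs field is non-empty.
users_with_tfa_keys() {
    awk -F: '$1 == "user" && $9 != "" { print $2, $9 }' "$1"
}

# Constructed sample files (not taken from a real node).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/domains.cfg" <<'EOF'
pam: pam
	comment Linux PAM standard authentication
	tfa type=oath

pve: pve
	comment Proxmox VE authentication server
	#tfa type=oath
EOF
cat > "$SAMPLE_DIR/user.cfg" <<'EOF'
user:root@pam:1:0:::::x!oath:
user:admin@pam:1:0::::::
EOF

# On a node, pass /etc/pve/domains.cfg and /etc/pve/user.cfg instead.
echo "Realms enforcing TFA: $(realms_enforcing_tfa "$SAMPLE_DIR/domains.cfg")"
echo "Users with key IDs:   $(users_with_tfa_keys "$SAMPLE_DIR/user.cfg")"
```

A realm listed by the first function requires a second factor from every user in that realm, which matches the second post's report that a freshly created user still could not log in until the "tfa type=oath" line was commented out.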
 