Hi everyone, it's my first post, so I'm not sure I was supposed to post it here, but anyway, it could help.
So I tried to add new features to my Proxmox recently, especially 2FA.
It works like a charm, I could use my Google Authenticator for login, very cool!
But finally I decided to remove it, because I'm working in a team, and they don't have access to the Google 2FA for now, since we haven't talked about it.
What's the problem then?
When I log out of Proxmox, I can't log in anymore...
For the record:
- On my Proxmox, it seems that /etc/pve/domains.cfg doesn't exist in my Proxmox version.
- I did disable it by unchecking the box "Modify a TFA entry's description".
Thus I could just enable it later when we would have talked about it with the team.
- I did check in /etc/pve/user.cfg whether the TOTP option was deactivated for my user (root), in the line user:root@pam:1:0::::::: x!oath for TOTP or x!u2f if 2FA.
As you can see, it was effectively deactivated.
So if for any reason you need to delete this option, you can proceed as follows:
- SSH into your node; you should be able to connect even with 2FA.
If you restarted your node and now you can't connect with SSH anymore, try to connect to the cluster from another node, if you do have one.
- Create a new user, with admin role and in the same realm:
Create a new user:
adduser admin
Add this user to the realm:
pveum useradd admin@pam
You can change the password, or the former command will ask you for it anyway:
pveum passwd admin@pam
Give admin access to this user:
pveum aclmod / -user admin@pam -roles Administrator
So now you have a new user admin which doesn't require 2FA for the GUI.
Connect to your Proxmox, then go to "Users".
What you can see is a value "X" in Key IDs.
You want to delete it in order to deactivate 2FA.
I don't know why this is not clean, since I unchecked 2FA before logout, but this is the problem.
Now you can go to Two Factor, click on your User@pam, and now you can successfully uncheck it
or even remove it.
Log out, and try to log back in with your root@pam or whichever account.
If you encounter some error when you want to remove it with your new account:
you really need to log in to the proper node with the admin user account or root.
So please, don't try anything from another node, because it won't work.
Plus, you need to use either the proper user (the one with 2FA, which you can access now that you deactivated 2FA)
or the root user (Administrator role).
If you are unlucky:
- You don't have a cluster with another node to access your locked node
- You can't access your cluster with SSH
I'm not sure this workaround would help you.
May this topic help someone (I have to present my infrastructure on Monday for my final exam for school), because it is so stressful when you can't access all your infra. This is a critical problem we need to take care of, and we need to prevent people from making stupid mistakes like I did.
I hope I made myself clear. If you need anything, please ask me, I would be happy to help.
Special thanks to @Tonton_Jo for the help.
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
PS: you can check my PVE version here:
root@Annecy:~# pveversion -v
proxmox-ve: 7.2-1 (running kernel: 5.15.35-1-pve)
pve-manager: 7.2-3 (running version: 7.2-3/c743d6c1)
pve-kernel-5.15: 7.2-3
pve-kernel-helper: 7.2-3
pve-kernel-5.13: 7.1-9
pve-kernel-5.11: 7.0-10
pve-kernel-5.15.35-1-pve: 5.15.35-3
pve-kernel-5.13.19-6-pve: 5.13.19-15
pve-kernel-5.11.22-7-pve: 5.11.22-12
pve-kernel-5.11.22-4-pve: 5.11.22-9
ceph-fuse: 15.2.14-pve1
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx3
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.22-pve2
libproxmox-acme-perl: 1.4.2
libproxmox-backup-qemu0: 1.2.0-1
libpve-access-control: 7.1-8
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.1-6
libpve-guest-common-perl: 4.1-2
libpve-http-server-perl: 4.1-1
libpve-storage-perl: 7.2-2
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 4.0.12-1
lxcfs: 4.0.12-pve1
novnc-pve: 1.3.0-3
openvswitch-switch: 2.15.0+ds1-2+deb11u1
proxmox-backup-client: 2.1.8-1
proxmox-backup-file-restore: 2.1.8-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.4-10
pve-cluster: 7.2-1
pve-container: 4.2-1
pve-docs: 7.2-2
pve-edk2-firmware: 3.20210831-2
pve-firewall: 4.2-5
pve-firmware: 3.4-2
pve-ha-manager: 3.3-4
pve-i18n: 2.7-1
pve-qemu-kvm: 6.2.0-6
pve-xtermjs: 4.16.0-1
qemu-server: 7.2-2
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.7.1~bpo11+1
vncterm: 1.7-1
zfsutils-linux: 2.1.4-pve1
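
Added example (not part of the original post, and not Proxmox's own code): a small shell check that lists which accounts in a user.cfg-style file still carry a marker in the key IDs field, the value the post says has to be cleared before 2FA is really off. The field layout shown in the comment, the function names tfa_users and write_sample, and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Assumed layout of a "user" line (an assumption, not taken from the post):
#   user:<userid>:<enable>:<expire>:<first>:<last>:<email>:<comment>:<keys>:

# Print "<userid> <enabled|disabled> <keys>" for every user whose keys
# field is non-empty, i.e. accounts that still carry a 2FA marker.
tfa_users() {
    awk -F: '
        $1 == "user" {
            keys = $9
            gsub(/^[ \t]+|[ \t]+$/, "", keys)   # tolerate stray whitespace
            if (keys != "") {
                state = ($3 == "1") ? "enabled" : "disabled"
                printf "%s %s %s\n", $2, state, keys
            }
        }
    ' "$1"
}

# Write a constructed sample file (not real data) to the path in $1.
write_sample() {
    cat > "$1" <<'EOF'
user:root@pam:1:0:::root@example.invalid::x:
user:admin@pam:1:0::::::
user:alice@pve:0:0:Alice:Example:::x!oath:
group:ops:alice@pve::
acl:1:/:admin@pam:Administrator:
EOF
}

# Demo on the constructed sample; on a node, pass /etc/pve/user.cfg instead.
sample=$(mktemp)
write_sample "$sample"
tfa_users "$sample"
rm -f "$sample"
```

An empty result means no account has a key ID marker left; the freshly created admin@pam in the sample is not listed because its keys field is empty.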