Locked out proxmox GUI Because of TOTP (2FA) (SOLVED)


New Member
May 27, 2022
Hi everyone, It's my first post, so I'm not sure I was supposed to post it here, but anyways, it could help

So I tried to add new features to my proxmox recently, especially 2FA
It works like a charm, I could use my Google authenticator for login, very cool !

But finally i decided to remove it, because i'm working in team, and they don't have access for now to the Google 2FA, since we haven't talked about it

What's the problem then ?

When I log out proxmox, I can't login anymore...


For the record :
- on my proxmox, it seems that /etc/pve/domains.cfg doesn't exist, in my proxmox version
- I did disable it by unchecking the box "Modify a TFA entry's description".
Thus I could just enable it later when with would have talked about it with the team.

- I did check in /etc/pve/user.cfg if in my user (root) , TOP option was deactived line user:root@pam:1:0::::::: x!oath for TOTP or x!u2f if 2FA.

As you can see, it was effectively deactivated.

So if for any reason you need to delete this option, you can process as followed :

- SSH into your node, you should be able to connect even with 2FA
If you restarted your node, and now you can't connect anymore with SSH, try to connect to the cluster if you do have one from another node.

-Create a new user, with admin role and in the same realm :

create a new user :
adduser admin

Add this user to the realm :
pveum useradd admin@pam

You can change password, or the former cmd will anyway ask you for :
pveum passwd admin@pam

give admin access to this user :
pveum aclmod / -user admin@pam -roles Administrator

So now you have a new user admin which doesn't requiers a 2FA for GUI
Connect into your proxmox, then go to "Users"
what you can see is a value "X" in Key IDs
You want to delete it in order to deactivated 2FA


I don't know why, for any reason this is not clean since I unchecked 2FA before logout, but this is the problem.

Now you can go to Two factor, click on your User@pam and now you can successfully uncheck it
or even remove it

Logout, and try to login back with your root@pam or whatsoever

If you encounter some error when you want to remove it with your new account :
you really need to login the proper node with the admin user account or root
So please, don't try anything from another node cause it won't works.
Plus, you need to use either the proper user (the one with 2FA, which you can access now you deactivated 2FA)
or the root user. (administrator role)

If you are unlucky :

-You don't have a cluster, with another node to access your locked node
- You can't access with SSH to your cluster

I'm not sure this workaround would help you.
May this topic help someone ( I have to present my infrastructure for Monday for my final exam for school ) because it is so stressful you can't access to your all infra, this is a critical problem we need to take care of, and prevent people for making stupid mistakes like i did.

I hope I made myself clear, if you need anything please ask to me , I would be happy to help

Special thanks to @Tonton_Jo 's help
PS : you can check my PVE version here
root@Annecy:~# pveversion -v
proxmox-ve: 7.2-1 (running kernel: 5.15.35-1-pve)
pve-manager: 7.2-3 (running version: 7.2-3/c743d6c1)
pve-kernel-5.15: 7.2-3
pve-kernel-helper: 7.2-3
pve-kernel-5.13: 7.1-9
pve-kernel-5.11: 7.0-10
pve-kernel-5.15.35-1-pve: 5.15.35-3
pve-kernel-5.13.19-6-pve: 5.13.19-15
pve-kernel-5.11.22-7-pve: 5.11.22-12
pve-kernel-5.11.22-4-pve: 5.11.22-9
ceph-fuse: 15.2.14-pve1
corosync: 3.1.5-pve2
criu: 3.15-1+pve-1
glusterfs-client: 9.2-1
ifupdown2: 3.1.0-1+pmx3
ksm-control-daemon: 1.4-1
libjs-extjs: 7.0.0-1
libknet1: 1.22-pve2
libproxmox-acme-perl: 1.4.2
libproxmox-backup-qemu0: 1.2.0-1
libpve-access-control: 7.1-8
libpve-apiclient-perl: 3.2-1
libpve-common-perl: 7.1-6
libpve-guest-common-perl: 4.1-2
libpve-http-server-perl: 4.1-1
libpve-storage-perl: 7.2-2
libspice-server1: 0.14.3-2.1
lvm2: 2.03.11-2.1
lxc-pve: 4.0.12-1
lxcfs: 4.0.12-pve1
novnc-pve: 1.3.0-3
openvswitch-switch: 2.15.0+ds1-2+deb11u1
proxmox-backup-client: 2.1.8-1
proxmox-backup-file-restore: 2.1.8-1
proxmox-mini-journalreader: 1.3-1
proxmox-widget-toolkit: 3.4-10
pve-cluster: 7.2-1
pve-container: 4.2-1
pve-docs: 7.2-2
pve-edk2-firmware: 3.20210831-2
pve-firewall: 4.2-5
pve-firmware: 3.4-2
pve-ha-manager: 3.3-4
pve-i18n: 2.7-1
pve-qemu-kvm: 6.2.0-6
pve-xtermjs: 4.16.0-1
qemu-server: 7.2-2
smartmontools: 7.2-pve3
spiceterm: 3.2-2
swtpm: 0.7.1~bpo11+1
vncterm: 1.7-1
zfsutils-linux: 2.1.4-pve1


  • 1653680280493.png
    159.3 KB · Views: 25
  • 1653681831244.png
    196.5 KB · Views: 18
  • 1653682095639.png
    100.6 KB · Views: 26
Last edited:
Entered this exact same problem - enabled TOTP, then removed it, now I cant login.
I followed this, but it doesn't work for me (pve version 8.0.2). I create the new user (via SSH, I can still login there) that doesn't have 2FA but I still can't login to UI.

Update: editing /etc/pve/domains.cfg solved the problem for me. There I commented out the line with "tfa type=oath" in pam: pam section.

I guess I left this turn before removed 2FA from root account. Whoops.
Problem solved.
Last edited:


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!