[SOLVED] Lost access to web admin after disabling 2FA / TOTP

F

feidakila

New Member
Jul 21, 2021
5
0
1
53
Hi,

I enabled 2FA in web admin panel for root user and worked as expected. But now I've disabled 2FA (unchecked TOTP Enable option in user options) and cannot access the web admin, the endpoint API call returns a 401 error.

I can still access through SSH.

I've restarted the server, and also tried with a new window in incognito/private mode but didn't work.

1627549417560.png

1627549434875.png

Anyway to solve this issue?

Bash: 
cat /etc/pve/user.cfg
user:root@pam:0:0:::tremming@protonmail.com::x!oath:


Details:

1627549867849.png
 
Last edited:
Hi,
feidakila said:
But now I've disabled 2FA (unchecked TOTP Enable option in user options) and cannot access the web admin, the endpoint API call returns a 401 error.
Click to expand...
What do you mean with "unchecked"? As there's no checkbox that would delete TFA. Did you mean you used the "delete" button when editing TFA? (just to be sure we know what you did).

FWIW, I used the delete button for test and real accounts quite often to resetup something other TFA variant, so it'd be a bit weird if it was causing this in your situation.

feidakila said:
user:root@pam:0:0:::censored@protonmail.com::x!oath:
Click to expand...
It seems it is still configured, as the x!oath magic marker is still there.

As workaround you can delete that marker, but do not delete any : colons that separate the fields.
 
Last edited:
  • Like
Reactions: feidakila
t.lamprecht said:
Hi,

What do you mean with "unchecked"? As there's no checkbox that would delete TFA. Did you mean you used the "delete" button when editing TFA? (just to be sure we know what you did).

FWIW, I used the delete button for test and real accounts quite often to resetup something other TFA variant, so it'd be a bit weird if it was causing this in your situation.


It seems it is still configured, as the x!oath magic marker is still there.

As workaround you can delete that marker, but do not delete any : colons that separate the fields.
Click to expand...
Cannot show you the option because I don't have access, but on the users lists there's an TOTP column, you double click on it, and a modal opens, there's an "enable" checkbox there, I just unchecked the checkbox.

Now it's not asking for the OTP code but does not login.
 
Last edited:
feidakila said:
Cannot show you the option because I don't have access, but on the users lists there's an TOTP column, you double click on it, and a modal opens, there's an "enable" checkbox there, I just unchecked the checkbox.

Now it's not asking for the OTP code but does not login.
Click to expand...
Changed and saved the file, reloaded the web admin, still cannot login. Reboting doesn't affect either.
 
Last edited:
feidakila said:
Cannot show you the option because I don't have access, but on the users lists there's an TOTP column, you double click on it, and a modal opens, there's an "enable" checkbox there, I just unchecked the checkbox.
Click to expand...
Yeah now it's all clear. You did not disable TFA, but you edited the user and by unchecking the enabled checkbox you disabled the user as a whole. TFA needs to be cleared by using the explicit "TFA" button.

Edit user.cfg again and change the first 0 (counted from left to right) to 1, i.e., something like:
user:root@pam:1:0:::censored@protonmail.com:::
to enable it again.

Could be good to special case disabling the user one is logged in and show a more bright warning/prompt for that one..
 
Last edited:
  • Like
Reactions: clipz98 and feidakila
Thanks!

Oh, my fault, I disabled the user then. I double clicked on the TFA field and thought that was configuring the TFA with this modal

1627551755601.png

So, to disable the TFA I should just click the TFA button on the top and then press Delete button on the modal?

1627551519149.png


1627551454700.png
 
Last edited:
feidakila said:
Oh, my fault, I disabled the user then. I double clicked on the TFA field and thought that was configuring the TFA with this modal
Click to expand...
The edit dialogues are normally not column-specific, but rather for the whole row. So here it just opens the "Edit User" one.
I faintly remember of discussing adding a button/way to go to TFA stuff there, but we did not want to duplicate that to often in the web-interface (and FWIW, it is also always available in the "user menu" at the top right of the web-interface).

feidakila said:
So, to disable the TFA I should just click the TFA button on the top and then press Delete button on the modal?
Click to expand...
yes, select the user you want to modify TFA for, then click TFA then delete or re-generate or whatever you wanted to do with TFA.
 
  • Like
Reactions: feidakila
t.lamprecht said:
Yeah now it's all clear. You did not disable TFA, but you edited the user and by unchecking the enabled checkbox you disabled the user as a whole. TFA needs to be cleared by using the explicit "TFA" button.

Edit user.cfg again and change the first 0 (counted from left to right) to 1, i.e., something like:
user:root@pam:1:0:::censored@protonmail.com:::
to enable it again.

Could be good to special case disabling the user one is logged in and show a more bright warning/prompt for that one..
Click to expand...
Hello I know this solved but I am facing the same issue.

what should I change in the file

/etc/pve/user.cfg

user:root@pam:1:0:::test@example.com.sa::x:
 
bluedog said:
what worked for me was removing the trailing x. leave colon but remove x
Click to expand...
I'd not recommend editing those files manually, that can end up badly fast.
Rather use the pveum user tfa delete <userid> (with <userid> being for example root@pam) command.

That command exists since Proxmox VE 6.2.
 
You must log in or register to reply here.

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Quick Navigation

Home Get Subscription Wiki Downloads Proxmox Customer Portal About

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!
Community platform by XenForo® © 2010-2024 XenForo Ltd.
Top Bottom