[SOLVED] Lost access to web admin after disabling 2FA / TOTP

feidakila
Jul 21, 2021
Hi,

I enabled 2FA in the web admin panel for the root user and it worked as expected. But now I've disabled 2FA (unchecked the TOTP Enable option in the user options) and cannot access the web admin; the endpoint API call returns a 401 error.

I can still access through SSH.

I've restarted the server, and also tried with a new window in incognito/private mode, but it didn't work.


Any way to solve this issue?

Bash:
cat /etc/pve/user.cfg
user:root@pam:0:0:::tremming@protonmail.com::x!oath:


Hi,
But now I've disabled 2FA (unchecked TOTP Enable option in user options) and cannot access the web admin, the endpoint API call returns a 401 error.
What do you mean with "unchecked"? There's no checkbox that would delete TFA. Did you mean you used the "delete" button when editing TFA? (Just to be sure we know what you did.)

FWIW, I used the delete button for test and real accounts quite often to re-set up some other TFA variant, so it'd be a bit weird if it was causing this in your situation.

user:root@pam:0:0:::censored@protonmail.com::x!oath:
It seems it is still configured, as the x!oath magic marker is still there.

As a workaround you can delete that marker, but do not delete any of the : colons that separate the fields.
Cannot show you the option because I don't have access, but in the users list there's a TOTP column; you double click on it, a modal opens, and there's an "enable" checkbox there. I just unchecked the checkbox.

Now it's not asking for the OTP code but does not login.
 
Last edited:
Cannot show you the option because I don't have access, but on the users lists there's an TOTP column, you double click on it, and a modal opens, there's an "enable" checkbox there, I just unchecked the checkbox.

Now it's not asking for the OTP code but does not login.
Changed and saved the file, reloaded the web admin, still cannot log in. Rebooting doesn't help either.
Cannot show you the option because I don't have access, but in the users list there's a TOTP column; you double click on it, a modal opens, and there's an "enable" checkbox there. I just unchecked the checkbox.
Yeah now it's all clear. You did not disable TFA, but you edited the user and by unchecking the enabled checkbox you disabled the user as a whole. TFA needs to be cleared by using the explicit "TFA" button.

Edit user.cfg again and change the first 0 (counted from left to right) to 1, i.e., something like:
user:root@pam:1:0:::censored@protonmail.com:::
to enable it again.

Could be good to special-case disabling the user one is logged in as and show a brighter warning/prompt for that one.
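The two failure modes discussed in this thread (the user's enable flag set to 0, and a TOTP secret still attached via the x!oath marker) can both be read off a user.cfg line. The following is an added example, not code from the thread or from Proxmox: it parses "user:" lines using the field order visible in the quoted lines (type, userid, enable, expire, firstname, lastname, email, comment, keys; this order is an assumption about the format), reports which of the two problems applies, and rewrites only the enable field the way the fix above describes. Clearing TFA itself is left to pveum, as recommended later in the thread.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed field layout of a "user:" line in /etc/pve/user.cfg, read off the lines
# quoted in the thread:
#   user:<userid>:<enable>:<expire>:<firstname>:<lastname>:<email>:<comment>:<keys>:
# The thread's fix ("change the first 0 to 1") targets <enable>; the "x!oath"
# marker that keeps TOTP active lives in <keys>.
USER_FIELDS = 9
TFA_MARKER = "x!oath"


@dataclass
class UserEntry:
    userid: str
    enable: str
    expire: str
    email: str
    keys: str


def parse_user_line(line: str) -> Optional[UserEntry]:
    """Return a UserEntry for a 'user:' line, None for any other record type."""
    parts = line.rstrip("\n").split(":")
    if len(parts) < USER_FIELDS or parts[0] != "user":
        return None
    return UserEntry(userid=parts[1], enable=parts[2], expire=parts[3],
                     email=parts[6], keys=parts[8])


def diagnose(entry: UserEntry) -> List[str]:
    """List the login blockers the thread shows for this user, in check order."""
    problems = []
    if entry.enable != "1":
        problems.append("user is disabled (enable flag is %r, not '1')" % entry.enable)
    if entry.keys:
        if entry.keys.startswith(TFA_MARKER):
            tag = "TOTP (x!oath) still configured"
        else:
            tag = "TFA keys field not empty"
        problems.append("%s: keys=%r; clear it with 'pveum user tfa delete %s'"
                        % (tag, entry.keys, entry.userid))
    return problems


def set_enable(line: str, value: str = "1") -> str:
    """Rewrite only the enable field, keeping every colon-separated field intact."""
    parts = line.rstrip("\n").split(":")
    if len(parts) < USER_FIELDS or parts[0] != "user":
        raise ValueError("not a user line: %r" % line)
    parts[2] = value
    return ":".join(parts)


def check_config(text: str) -> Dict[str, List[str]]:
    """Map each userid to its problem list for every user line in a user.cfg dump."""
    report = {}
    for line in text.splitlines():
        entry = parse_user_line(line)
        if entry is not None:
            report[entry.userid] = diagnose(entry)
    return report


# Constructed sample: the thread's root line (email censored as in the thread),
# a healthy second user, and a group record that the parser must skip.
SAMPLE_CFG = """\
user:root@pam:0:0:::censored@protonmail.com::x!oath:
user:ops@pve:1:0:::ops@example.invalid:::
group:admins:root@pam::
"""

if __name__ == "__main__":
    for userid, problems in check_config(SAMPLE_CFG).items():
        print(userid, "->", problems or ["no problem found"])
    # The repair from the thread: flip the enable flag, touch nothing else.
    print(set_enable("user:root@pam:0:0:::censored@protonmail.com::x!oath:"))
```

Running it against the sample flags root@pam twice (disabled, and TOTP still configured) and leaves ops@pve clean; the rewritten root line differs from the input only in the third field.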
Thanks!

Oh, my fault, I disabled the user then. I double clicked on the TFA field and thought that was configuring the TFA with this modal.

So, to disable the TFA I should just click the TFA button on the top and then press Delete button on the modal?

Oh, my fault, I disabled the user then. I double clicked on the TFA field and thought that was configuring the TFA with this modal
The edit dialogues are normally not column-specific, but rather for the whole row. So here it just opens the "Edit User" one.
I faintly remember discussing adding a button/way to go to the TFA stuff there, but we did not want to duplicate that too often in the web interface (and FWIW, it is also always available in the "user menu" at the top right of the web interface).

So, to disable the TFA I should just click the TFA button on the top and then press Delete button on the modal?
Yes, select the user you want to modify TFA for, then click TFA, then delete or re-generate or whatever you wanted to do with TFA.
Hello, I know this is solved but I am facing the same issue.

What should I change in the file

/etc/pve/user.cfg

user:root@pam:1:0:::test@example.com.sa::x:
 
what worked for me was removing the trailing x. leave colon but remove x
I'd not recommend editing those files manually, that can end up badly fast.
Rather use the pveum user tfa delete <userid> (with <userid> being for example root@pam) command.

That command exists since Proxmox VE 6.2.