Node elevated CLI using Proxmox VE Authentication Server, can't see how

BloodyIron

Renowned Member
Jan 14, 2013
315
28
93
it.lanified.com
I'm trying to figure out how to use accounts managed by the Proxmox VE Authentication Server in such a way that I can get CLI access (elevated/sudo/whatever) to the nodes in the cluster. Whether it's all nodes, limited notes, or whatever.

I can't find anyone talking about this so far, and the documentation doesn't seem to cover this.

So far whenever I go to the CLI for a node after logging into a PVE Auth Server account that is granted role "Administrator" it prompts for login and rejects the PVE Auth Server creds when I try to re-enter them.

To me this seems like the PAM on each node isn't really set up to honour PVE Auth Server functionality, but that's speculation as I cannot find anything saying "yes" or "no" to this being a thing. But honestly this really should be a capability as the PVE Auth Server (and maybe even other auth methods like LDAP/whatever) really should have the mechanism to get CLI access like this (at least when sufficient access is granted).

So... does anyone know how to do this? Or if this is "not a thing" yet or what?
 
Hi,

The "Proxmox VE Authentication Server" Realm is a relatively simple mechanism, which only works for interaction via the API/GUI.

If you need users to have shell access, there is PAM after all - which is a very flexibel authentication mechanism due to plugins and the like. That's what PAM is there for.

Also, shell access implies a local user account (or at least, authenicated using PAM) on that machine - again, which is handled via PAM. (Also, local user account - which e.g. in clusters means that every machine needs to have that local user account set up.)

and maybe even other auth methods like LDAP/whatever
If you want to use e.g. LDAP, you can also authenticate users via PAM using LDAP.

It's all explained more in detail in our admin guide: Authentication Realms
 
Well the LDAP aspect is more asking ahead on the topic, not something for immediately today.

That being said, I really was hoping that the PVE Cluster environment would manage PAM on behalf of the admins for extending PAM to work with Proxmox VE Authentication Server by default. And if others like LDAP/whatever, get enabled and configured, that PAM also gets automatically extended for those aspects.

I did read through the docs a bunch before posting, and reading the section you link to again, really doesn't sufficiently outline how exactly the alt methods should be additionally configured (PAM in this case) to enable PVE Node CLI capabilities. Not sure if I'm missing the section that's relevant for that which _explicitly_ outlines the details and steps need to be taken, but it isn't mentioned in either the PVE Auth Server or LDAP section for PAM extension/configuration.

Am I to take it then that the PVE Cluster management environment does _not_ do any PAM extension conveniences, and in-turn, does not enable PVE Node CLI permissions "Out of The Box" for anything but "local authentication"?

If that is the case (that it is not present), is that on the roadmap? (I didn't see it when I looked last at the roadmap)
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!