PAM user with PVE roles

Mirmanium

Aug 14, 2020
Hello community :)

I want to create a PAM user with limited rights in my 1 node PVE host to only allow specific actions as I have on my user in GUI.

I did the following:

  • GUI part: Create a new group, a new role with selected rights (VM.Audit, Sys.Audit, VM.PowerMgmt) and a new PAM user in this group.
To make it "loginable" I had to create the PAM user's login as root through SSH.


Now I can log in over GUI and ssh.

My question here is: Is there a way to replicate the roles I have selected for the GUI PAM user to my new Linux user, so that I can limit the actions this user can do once logged in over SSH?

Thank you,
 
No, that is not possible. You can disable SSH access though, or simply not add the user as a PAM user but as a PVE user.
 
Thanks @fabian for your comment. The thing is I was looking to have an SSH user with exactly these limited roles, so the alternative is to use the root SSH user then.
Thank you,
 
BTW, I just ended up using the Proxmox API directly. It gives more flexibility in terms of limited rights per user.
 
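The API route from the last post, as an added example that is not part of the thread and not Proxmox project code: a small client that authenticates with an API token and only builds the VM status calls that the role discussed above (VM.Audit, VM.PowerMgmt) is meant to cover. The host name, node name, token id and secret are constructed placeholders, and the mapping of endpoints to privileges is an assumption based on the Proxmox VE API documentation.

```python
import json
import re
import ssl
import urllib.request

# Assumed mapping of the role's privileges to QEMU status endpoints.
POWER_ACTIONS = {"start", "shutdown", "stop", "reboot", "suspend", "resume", "reset"}  # VM.PowerMgmt
AUDIT_VIEWS = {"current"}  # VM.Audit (read-only status)


def build_request(host, token_id, secret, node, vmid, action):
    """Build (but do not send) a token-authenticated request for one VM status call."""
    if action in AUDIT_VIEWS:
        method = "GET"
    elif action in POWER_ACTIONS:
        method = "POST"
    else:
        # Client-side allowlist; the server-side ACL remains the real control.
        raise ValueError(f"action not covered by the limited role: {action!r}")
    if not re.fullmatch(r"[A-Za-z0-9-]+", node) or not str(vmid).isdigit():
        raise ValueError("node or vmid has an unexpected format")
    url = f"https://{host}:8006/api2/json/nodes/{node}/qemu/{vmid}/status/{action}"
    req = urllib.request.Request(url, method=method)
    # API token header format: PVEAPIToken=USER@REALM!TOKENID=SECRET
    req.add_header("Authorization", f"PVEAPIToken={token_id}={secret}")
    return req


def send(req, ca_file):
    """Send the request, verifying the PVE certificate against ca_file."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)["data"]


if __name__ == "__main__":
    # Constructed sample values; replace with your own host, token and node.
    sample = build_request(
        "pve.example.internal",
        "vmoperator@pve!automation",
        "00000000-0000-0000-0000-000000000000",
        "pve1", 100, "current",
    )
    print(sample.get_method(), sample.full_url)
```

A 403 response from the server on a call this client allows indicates that the ACL for the token does not match the role, which is worth checking before widening any privileges.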