proxmox access with curl and TFA

[Domenico]

anyone knows how to get a valid ticket with curl using TFA?

I usually use this:
curl -f -s -S -k --data-urlencode "username=USERNAME" --data-urlencode "password=PASSWORD" "https://172.16.199.12:8006/api2/json/access/ticket"|jq '.data.ticket'

but how do I get a valid one when user has TFA?

 

[Folke]

Hey,
instead of going the multiple trip route of obtaining a valid ticket, you could switch to using API keys and limit their capabilities to exactly what your script needs [0].
If you have to stick with obtaining a valid ticket, you have to take the ticket field from the response your initial request and send another request to the ticket endpoint with the previously obtained ticket as tfa-challenge, the username as username and the totp token as password formated as totp:123456

[0] https://pve.proxmox.com/wiki/Proxmox_VE_API#API_Tokens

 

[Domenico]

Hi Folke,
I've tried to rewrite it as you say, but it's not working:

curl -f -s -S -k --data-urlencode "username=USERNAME" --data-urlencode "password=PASSWORD" "https://172.16.199.12:8006/api2/json/access/ticket"|jq '.data.ticket' > cookie

then

curl --silent --insecure --data "username=USERNAME&password=totp:TOTPSK" --cookie "tfa-challenge=$(<cookie)" https://pve:8006/api2/json/access/ticket

but it result in:
{"data":null}

 

[Domenico]

anyone can help here?

my goal is to adapt the script /usr/share/doc/pve-manager/examples/spice-example-sh in order to use oauth token......

 

[Domenico]

Hi Folke,
I can't get it working, can you post an example of the "curl" command I should write?

 

[Folke]

# notice the -r in the jq command to prevent the result from being enclosed in quotation marks and escaped
curl -f -s -S -k --data-urlencode "username=root@pam" --data-urlencode "password=$PASSWORD" "https://cl1:8006/api2/json/access/ticket"|jq -r '.data.ticket' > cookie
# Don't know where you got that tfa-challenge should be a cookie, but it definitely shouldn't
curl --silent --insecure --data-urlencode "username=root@pam" --data-urlencode "password=totp:$(oathtool -b --totp "$TOTP_SECRET")" --data-urlencode "tfa-challenge=$(<cookie)" https://cl1:8006/api2/json/access/ticket

Generally, you can look at what your browser does to log you in by pressing F12 and look at the requests to the ticket endpoint in the networking tab (on Firefox).

 

[Domenico]

Thank you Folke, you really save my day!