Proxmox VE Authentication Server - Unable to change passwords

[mcherold93]

Hello,
I have a question: Is it intented, that a VE user itself and me as Admin, are unable to change passwords?

To give some users access to Proxmox, I am using the VE Authentication realm.
I am also logging in as a VE user with administrator privileges in order to manage Proxmox.
I create a new user, but after that I am not able to change their password.
In order to change the users password, I have to delete the whole user and recreate the user.
Even the user itself cannot change its own password via the menu:

After clicking on "Password" this window opens:

I enter the new password twice, click on OK and then I receive this:
Parameter verification fialed. (400)
confirmation-password: password is required to modify user

The user itselfs receives the same message by the way.
If I login as root via PAM I can change everything.
Is this a normal behavior?

pveversion output:

proxmox-ve: 8.2.0 (running kernel: 6.8.12-1-pve)
pve-manager: 8.2.4 (running version: 8.2.4/faa83925c9641325)
proxmox-kernel-helper: 8.1.0
proxmox-kernel-6.8: 6.8.12-1
proxmox-kernel-6.8.12-1-pve-signed: 6.8.12-1
proxmox-kernel-6.8.8-4-pve-signed: 6.8.8-4
ceph-fuse: 16.2.11+ds-2
corosync: 3.1.7-pve3
criu: 3.17.1-2
glusterfs-client: 10.3-5
ifupdown2: 3.2.0-1+pmx9
ksm-control-daemon: 1.5-1
libjs-extjs: 7.0.0-4
libknet1: 1.28-pve1
libproxmox-acme-perl: 1.5.1
libproxmox-backup-qemu0: 1.4.1
libproxmox-rs-perl: 0.3.3
libpve-access-control: 8.1.4
libpve-apiclient-perl: 3.3.2
libpve-cluster-api-perl: 8.0.7
libpve-cluster-perl: 8.0.7
libpve-common-perl: 8.2.2
libpve-guest-common-perl: 5.1.4
libpve-http-server-perl: 5.1.0
libpve-network-perl: 0.9.8
libpve-rs-perl: 0.8.9
libpve-storage-perl: 8.2.3
libqb0: 1.0.5-1
libspice-server1: 0.15.1-1
lvm2: 2.03.16-2
lxc-pve: 6.0.0-1
lxcfs: 6.0.0-pve2
novnc-pve: 1.4.0-3
proxmox-backup-client: 3.2.7-1
proxmox-backup-file-restore: 3.2.7-1
proxmox-firewall: 0.5.0
proxmox-kernel-helper: 8.1.0
proxmox-mail-forward: 0.2.3
proxmox-mini-journalreader: 1.4.0
proxmox-offline-mirror-helper: 0.6.6
proxmox-widget-toolkit: 4.2.3
pve-cluster: 8.0.7
pve-container: 5.1.12
pve-docs: 8.2.3
pve-edk2-firmware: 4.2023.08-4
pve-esxi-import-tools: 0.7.1
pve-firewall: 5.0.7
pve-firmware: 3.13-1
pve-ha-manager: 4.0.5
pve-i18n: 3.2.2
pve-qemu-kvm: 9.0.2-2
pve-xtermjs: 5.3.0-3
qemu-server: 8.2.4
smartmontools: 7.3-pve1
spiceterm: 3.3.0
swtpm: 0.8.0+pve1
vncterm: 1.8.0
zfsutils-linux: 2.2.4-pve1

 

[sw-omit]

There seems to be something wrong with your GUI, as when I check on my system, as both an (non-root) admin-user and the user itself (even one without ANY permissions) I have 3 options, namely the "old" password request (from the user, or in case of the admin, the admin's current password) and two times the new password.
Only the root (should) have it without the current password as far as I know.
Already tried things like clearing cache, different browsers, perhaps even the mobile app[1]. things like that?



[1] https://pve.proxmox.com/wiki/Proxmox_VE_Mobile

 

[mcherold93]

Interesting, I have to admit, there are some plugins active in my firefox, that could cause something like this.
So I used a fresh install of Google Chrome (no plugins or anything installed) and tried it again from my office computer at work, but with the same result.
I tried different Nodes, also from customers (same proxmox versions like mine) with the same result, the field is missing.

 

[sw-omit]

I am on PVE 8.2.2 (Enterprise) with my systems, so it might be a recent bug.
From what version are you coming? My installation is recent, just migrated over from ESX, so I installed it as 8.1 using the Proxmox ISO (so no debian2Proxmox or 7to8 upgrades or the like)

my pveversion -v looks like this:

proxmox-ve: 8.2.0 (running kernel: 6.8.8-2-pve)
pve-manager: 8.2.2 (running version: 8.2.2/9355359cd7afbae4)
proxmox-kernel-helper: 8.1.0
proxmox-kernel-6.8: 6.8.8-2
proxmox-kernel-6.8.8-2-pve-signed: 6.8.8-2
proxmox-kernel-6.8.4-3-pve-signed: 6.8.4-3
proxmox-kernel-6.8.4-2-pve-signed: 6.8.4-2
proxmox-kernel-6.5.13-5-pve-signed: 6.5.13-5
proxmox-kernel-6.5: 6.5.13-5
proxmox-kernel-6.5.11-8-pve-signed: 6.5.11-8
ceph-fuse: 17.2.7-pve2
corosync: 3.1.7-pve3
criu: 3.17.1-2
glusterfs-client: 10.3-5
ifupdown2: 3.2.0-1+pmx8
ksm-control-daemon: 1.5-1
libjs-extjs: 7.0.0-4
libknet1: 1.28-pve1
libproxmox-acme-perl: 1.5.1
libproxmox-backup-qemu0: 1.4.1
libproxmox-rs-perl: 0.3.3
libpve-access-control: 8.1.4
libpve-apiclient-perl: 3.3.2
libpve-cluster-api-perl: 8.0.6
libpve-cluster-perl: 8.0.6
libpve-common-perl: 8.2.1
libpve-guest-common-perl: 5.1.2
libpve-http-server-perl: 5.1.0
libpve-network-perl: 0.9.8
libpve-rs-perl: 0.8.8
libpve-storage-perl: 8.2.1
libspice-server1: 0.15.1-1
lvm2: 2.03.16-2
lxc-pve: 6.0.0-1
lxcfs: 6.0.0-pve2
novnc-pve: 1.4.0-3
proxmox-backup-client: 3.2.3-1
proxmox-backup-file-restore: 3.2.3-1
proxmox-kernel-helper: 8.1.0
proxmox-mail-forward: 0.2.3
proxmox-mini-journalreader: 1.4.0
proxmox-offline-mirror-helper: 0.6.6
proxmox-widget-toolkit: 4.2.3
pve-cluster: 8.0.6
pve-container: 5.1.10
pve-docs: 8.2.2
pve-edk2-firmware: 4.2023.08-4
pve-esxi-import-tools: 0.7.1
pve-firewall: 5.0.7
pve-firmware: 3.12-1
pve-ha-manager: 4.0.4
pve-i18n: 3.2.2
pve-qemu-kvm: 8.1.5-6
pve-xtermjs: 5.3.0-3
qemu-server: 8.2.1
smartmontools: 7.3-pve1
spiceterm: 3.3.0
swtpm: 0.8.0+pve1
vncterm: 1.8.0
zfsutils-linux: 2.2.4-pve1

Looking through that list, you seem to all have a higher version then mine, with the exception of ceph-fuse, but I doubt that would be the cause of the issues.

EDIT: Maybe a silly thought btw, have you tried it in dark mode? Shouldn't matter, but you never know (changeable in the top-right menu 2 below password, Color Theme)

 

[sw-omit]

More serious other thought too btw, have you checked in the browser-console (F12, console) if there are any errors/warnings?
And what happens if you shift-tab from the "Password" box, do you go to the confirm box or "something else" (where you might be able to blind-type your old password)

Also in that same F12 menu, under the Inspector, if you click the "select" icon next to it and then select the password-popup, what does it then show? For me it shows this then (check mostly what's between the two selected lines in the bottom section here)

 

[mcherold93]

I forgot to mention: I do not use the Enterprise Repo, but the No-Subscription Repo.
Perhaps this is the reason for the slight differences in our versions.
I also installed the Node over the proxmox ISO, but a long time ago, started with Version 6 if I remember correct and always updatet according to the provided Tutorial by Proxmox.
But if I remember correct, I don't had a problem with changing passwords, even by users themselves, in January or February, everything worked fine back then.

If I open the Inspector, I don't see the "Your Current Password" field, there are only 2 text fields and the hidden object, like in your screenshot.

 

[sw-omit]

Yeah, the no-subscription repo is usually a bit newer then the enterprise repo (and I still need to run the latest patches as well), which is why I found it weird that 1 package is older instead, that's why I noted it, but I again doubt that package would cause the issue.

I think we'll probably have to wait for a dev to chime in on this on either where the html/php/other files for this (part of) the website are so we can check/repair them manually, or on what is going on and how to fix it in general.

 

[sw-omit]

Oh, one more thing I found:
Looking through the changelog, looks like this requirement of the password to change from a non-root account was part of the 8.2 update, so only a recent-ish change (which might be why not many people have reported it yet):
https://pve.proxmox.com/wiki/Roadmap#Proxmox_VE_8.2

Access control​

• Require non-root users to enter their current password on password change.
  • This is to hedge against a scenario where an attacker has local or even physical access to a computer where a user is logged in.