[SOLVED] Remove OTP Authentication via SSH

Alvks

New Member
Jun 1, 2019
I tried following the last section here: https://pve.proxmox.com/wiki/OATH(TOTP)_Authentication#Disabling_OATH_2FA_authentication

Unfortunately, the /etc/pve/domains.cfg file does NOT even exist on my server. How can I disable this via SSH? I lost my phone that had the Google Authenticator app keys.

EDIT: This has been solved with the help of Vladimir Bulgaru. We ended up creating a new admin user via SSH, used that account to log into the web interface (no 2FA needed since it was only enabled on root), then turned off 2FA on root.
 
Should be there, though.
Are you sure you're logged into Proxmox and not a guest VM?
The file with TFA looks like this:
Code:
pve: pve
        comment Proxmox VE authentication server

pam: pam
        comment Linux PAM standard authentication
        default 1
        tfa type=oath
You need to have it like this:
Code:
pve: pve
        comment Proxmox VE authentication server

pam: pam
        comment Linux PAM standard authentication
        default 1
If you are certain that you're connected to Proxmox and the directory is not empty by checking:
Code:
ls -l /etc/pve
then you can create the file and edit it:
Code:
touch /etc/pve/domains.cfg && nano /etc/pve/domains.cfg
by copying the content from above and saving. You may need to reboot the OS after.
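
A scripted version of the edit described in the reply above, as an added example that is not part of the original thread: it removes the `tfa` line only from the named realm, keeps a backup, and reports a missing file instead of creating one. The function names `write_sample_cfg` and `strip_realm_tfa` and the exit codes are assumptions of this example; the sample file is constructed from the config quoted in the post.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and exit codes are
# this example's own choices.

# Write the TFA-enabled config quoted in the post to PATH (constructed sample).
write_sample_cfg() {
    cat > "$1" <<'EOF'
pve: pve
        comment Proxmox VE authentication server

pam: pam
        comment Linux PAM standard authentication
        default 1
        tfa type=oath
EOF
}

# strip_realm_tfa FILE REALM
# Returns 0 = tfa line removed (backup in FILE.bak), 1 = no tfa line in that
# realm (file untouched), 2 = FILE does not exist (nothing is created).
strip_realm_tfa() {
    cfg=$1
    realm=$2
    [ -f "$cfg" ] || { echo "missing: $cfg" >&2; return 2; }
    tmp=$(mktemp) || return 3
    rc=0
    # A section starts with an unindented "type: name" line and its options
    # are indented below it. Drop "tfa ..." only inside the requested realm.
    awk -v realm="$realm" '
        /^[^ \t#]+:[ \t]+[^ \t]+/ { in_realm = ($2 == realm) }
        in_realm && /^[ \t]+tfa([ \t]|$)/ { removed = 1; next }
        { print }
        END { exit (removed ? 0 : 1) }
    ' "$cfg" > "$tmp" || rc=$?
    if [ "$rc" -eq 0 ]; then
        cp "$cfg" "$cfg.bak" && cat "$tmp" > "$cfg" || rc=3
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Try it on a scratch copy first: call `write_sample_cfg` with a temporary path, then `strip_realm_tfa` with that path and `pam`, and compare the result with the `.bak` file.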
 
Nope, I am 100% on my Proxmox server. I cannot post what the output of ls -la is because this forum prevents new user spam lol....

I rebooted, opened my Proxmox web interface, and still get asked for an OTP code.
 
I am having the exact same issue, no Domains.cfg - I am definitely on the Proxmox machine - how did you add a new admin?
 
I have a question about this topic. I'm testing disabling TOTP 2FA via root@pve (root login boot console) in case TOTP somehow goes wrong. This is on a free test machine. And I didn't find this file "/etc/pve/domains.cfg" where this line " tfa type=oath" should be deleted, is there someone who could spare me a moment or write a way to do the deactivation? Thank you
This is my "ls"
[Screenshot attachment: 1725432142991.png]
 
I had the same problem, the /etc/pve/domains.cfg file did not exist, so I searched for all the *.cfg files in the system and found one with a promising name: /etc/pve/priv/tfa.cfg
I commented the content and it worked.

Please note that the problem originated from a manual change of the server's IP and I forgot to update the DNS. You can check if the DNS is correct first, and only try this if it doesn't work.
 