Remove TFA Authentication via SSH

Very similar to a previously closed thread, I recently upgraded from V5 to V6.1.
Everything went perfectly and I was able to login to the system as root.
Unfortunately, while looking around I noticed the option for TFA and enabled it from within the GUI.
Now I am locked out.
I can SSH into the server with root, but I cannot find the /etc/pve/domains.cfg file as it does not exist on my server.
Is there a way to disable TFA via SSH when the file does not exist?
Any help would be appreciated.
 
So, an update.
Interestingly, I was out for an hour and when I came back I was no longer locked out and I was actually logged in?
Without exiting, I immediately removed TFA for the root account, logged out, logged back in and tested access following that action.
All is working fine now.
So the issue has resolved itself.
Somehow.
 
Hi Kenomyster,

Just had something similar myself. Have been able to log into server fine over last few weeks on 6.1.
It's a new server install. No issues with 2FA on web interface before.
Have been shutting down server nightly as it's a new build and not ready yet.
Can login as root, but the 2FA is now not working.
Have tried time syncing the Google client, no luck.
Then tried to login to other machines, same.
Reboot of the phone containing the Google auth client seemed to fix the issue.

Weird.

HTH you or someone else.
 
What type of TFA was used? "U2F" or TOTP (the time based one)?

That domains.cfg gets lost but nothing else sounds, well, weird...

Anyway, thanks to this thread I added a pveum user tfa delete <userid>@<realm> CLI command, so the deletion should be a bit easier for a situation where one got locked out due to TFA, be it due to losing the second factor or something else.

https://git.proxmox.com/?p=pve-acce...3;hp=8f4a522f4fda8aadb91b8569542c3ea7afa50896

It will be available with the libpve-access-control-perl in version 6.1-1 or newer.

Note, if the realm has enabled TFA it means it is enforced, i.e., a user must have TFA set up to be able to login, so you may need to disable that realm setting on top of that.
pveum realm modify <realm> --delete tfa
 
I have the same issue however the node was removed from the cluster while TFA was still enabled and now when trying to run pveum to delete the tfa key it tries to acquire cfs lock fails and the user cannot be updated. Any thoughts?
 
Sorry for the late reply, in case it still is a problem it would be good to know more info first before giving definitive recommendations. In general, it seems the cluster removal was not fully finished, and thus the node has no quorum anymore.

In this case it can often be a valid workaround to temporarily reduce the expected cluster votes to one by using the CLI command pvecm expected 1 and then remove TFA.
Then you probably want to look into fixing the "bad" cluster configuration, e.g. by deleting /etc/pve/corosync.conf and /etc/corosync/* and then reboot, at least if this node should be a single node again.

For the next time I'd recommend opening a new thread for your clustering problems, as once that would have been fixed, the command from this thread would have worked.
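
The recovery order described in the replies above, as an added example that is not part of the original posts or of Proxmox's own tooling: a dry-run planner that prints the commands quoted in this thread in the order they apply and executes none of them. The function names, the constructed sample status text and the assumption that pvecm status prints a "Quorate:" line are assumptions of this example.

```sh
#!/bin/sh
# Added example: prints the recovery commands from this thread in order.
# It executes none of them; review the plan, then run the steps by hand.

# Accept only <userid>@<realm> built from conservative characters.
valid_userid() {
    case "$1" in
        *[!A-Za-z0-9._@-]*|*@*@*|@*|*@|'') return 1 ;;
        *@*) return 0 ;;
        *) return 1 ;;
    esac
}

# True only when the status text explicitly reports lost quorum.
# Assumption: `pvecm status` prints a "Quorate: Yes|No" line on cluster nodes.
lost_quorum() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*Quorate:[[:space:]]+No'
}

# Print one command per line. $1 user, $2 `pvecm status` text,
# $3 "enforced" when the realm itself requires TFA.
tfa_recovery_plan() {
    valid_userid "$1" || { echo "invalid user id: $1" >&2; return 2; }
    # No quorum: pveum cannot get the cfs lock (the failure reported above).
    if lost_quorum "$2"; then echo "pvecm expected 1"; fi
    echo "pveum user tfa delete $1"
    if [ "${3:-}" = "enforced" ]; then
        echo "pveum realm modify ${1##*@} --delete tfa"
    fi
    return 0
}

# Constructed sample (not output from the thread): a node left without quorum.
SAMPLE_STATUS='Quorum information
------------------
Nodes:            1
Quorate:          No'

main() {
    # Use live status when pvecm is installed, else the constructed sample.
    if command -v pvecm >/dev/null 2>&1; then
        status_text=$(pvecm status 2>&1 || true)
    else
        status_text=$SAMPLE_STATUS
    fi
    tfa_recovery_plan "${1:-root@pam}" "$status_text" "${2:-}"
}

main "$@"
```

On a standalone node no "Quorate: No" line is present, so the plan skips the pvecm step and starts with the TFA deletion.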
 