Restrict root Login to WebUI in Proxmox VE 8

[ekrekeler]

In the Proxmox VE 8 release notes, there is a change listed under the Access Control section:

When authenticating via PAM, pass the PAM_RHOST item. With this, it is possible to manually configure PAM such that certain users (for example root@pam) can only log in from certain hosts.

I assume this is meant to be used for restricting users able to login to the WebUI using Linux PAM. I haven't gotten around to testing this, but can anyone confirm it can be used in this capacity?

For example, if I wanted to restrict logins for the root@pam user to allow only clients in the local network 192.168.0.0/24, what configuration changes are needed to accomplish this?

 

[Moayad]

Hi,

Yes, you can achieve that by editing the `/etc/default/pveproxy` file as mentioned in our official document guide [0].

[0] https://pve.proxmox.com/pve-docs/pve-admin-guide.html#pveproxy_host_acls

 

[ekrekeler]

Hi @Moayad,

Thanks for your reply but this doesn't answer my question.

I want to restrict logins for the root@pam user (or all PAM users) to local networks, while allowing users in other realms such as OpenID type to login from anywhere. I thought that's what passing PAM_RHOST on authentication is supposed to accomplish.

Denying IPs in /etc/default/pveproxy just blocks HTTP/S requests to the WebUI before I can even authenticate.

 

[NojuHD]

Hi @ekrekeler,

where you able to solve your Problem?

If not follow this Thread: https://forum.proxmox.com/threads/webui-pam-zugang-einschränken-webui-restrict-pam-root-login.128217 The thread is in German i hope that's not a problem.

The solution mentioned only works with PVE >=8.0, PMG >=8.0 and PBS >=3.0.

 

[ekrekeler]

Hi @NojuHD,

No I haven't found a solution yet, the scripts in the above thread look perfect for this! I'll give it a try, thank you for sharing.