Restrict root Login to WebUI in Proxmox VE 8

ekrekeler

Jul 2, 2023
In the Proxmox VE 8 release notes, there is a change listed under the Access Control section:
When authenticating via PAM, pass the PAM_RHOST item. With this, it is possible to manually configure PAM such that certain users (for example root@pam) can only log in from certain hosts.

I assume this is meant to be used for restricting users able to log in to the WebUI using Linux PAM. I haven't gotten around to testing this, but can anyone confirm it can be used in this capacity?

For example, if I wanted to restrict logins for the root@pam user to allow only clients in the local network 192.168.0.0/24, what configuration changes are needed to accomplish this?
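
The kind of rule the question asks about, as an added example that is not part of the original posts and not Proxmox's own code: it assumes the restriction is written in pam_access `access.conf` syntax (an assumption; the thread names no module) and checks a constructed rule set against sample user/PAM_RHOST pairs before anything is deployed. The evaluator is a simplified model (first matching rule decides, no match grants access, only `ALL` and IP networks are handled), and all addresses and user names other than root are constructed.

```python
import ipaddress

# Constructed pam_access-style rules (access.conf syntax: permission:users:origins).
# Intent from the post: root may log in only from 192.168.0.0/24.
RULES = """
# allow root from the local network, refuse root from anywhere else
+:root:192.168.0.0/24
-:root:ALL
"""

def parse_rules(text):
    """Return a list of (permission, users, origins) tuples, skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field in: {line!r}")
        rules.append((perm, users.split(), origins.split()))
    return rules

def origin_matches(pattern, rhost):
    """Match one origin token: ALL, or an IP address or network."""
    if pattern == "ALL":
        return True
    try:
        return ipaddress.ip_address(rhost) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False  # hostnames, LOCAL, EXCEPT etc. are not modelled here

def is_allowed(rules, user, rhost):
    """First matching rule decides; no matching rule means access is granted."""
    for perm, users, origins in rules:
        user_hit = "ALL" in users or user in users
        if user_hit and any(origin_matches(o, rhost) for o in origins):
            return perm == "+"
    return True

if __name__ == "__main__":
    rules = parse_rules(RULES)
    # Constructed (user, PAM_RHOST) pairs: LAN client, outside client, other PAM user
    for user, rhost in [("root", "192.168.0.17"), ("root", "203.0.113.9"),
                        ("alice", "203.0.113.9")]:
        print(user, rhost, "allow" if is_allowed(rules, user, rhost) else "deny")
```

Running the same pairs against a draft rule set before editing the live PAM configuration shows whether a rule would lock root out of the local network as well.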
 
Hi @Moayad,

Thanks for your reply, but this doesn't answer my question.

I want to restrict logins for the root@pam user (or all PAM users) to local networks, while allowing users in other realms such as OpenID type to log in from anywhere. I thought that's what passing PAM_RHOST on authentication is supposed to accomplish.

Denying IPs in /etc/default/pveproxy just blocks HTTP/S requests to the WebUI before I can even authenticate.
 
Hi @NojuHD,

No, I haven't found a solution yet. The scripts in the above thread look perfect for this! I'll give it a try, thank you for sharing.
 