shell access for oidc user

[leon1234]

Hi,
I logged in via open id connect and want to access the shell of my node. It asks me for the login but it seems that my username and password are wrong. If I log in as root user it does not ask me for login. How can I access the shell as the open id connect user? The user has all permissions for the group and role.

EDIT: also username@realm + password does not work

 

[zodiac]

You mean the "Shell" tab for the actual host, instead of the console of the container or VM? If so, that is a "/bin/login" process that asks you for your local password unless you already connected to the UI with the local root credentials. I don't think there is any PAM trickery to use other authentication methods, although that could certainly be added.

I find it annoying, as it regularly logs you out, and doesn't reattach to an existing session. This probably makes a lot of sense, if you deploy in a larger organization, where you can't trust all of the users. But it gets old quickly, if you have a very small group of admins that can access the Proxmox UI.

These days, I just patch PVE to use "/usr/bin/dtach" and to disable the password request. Works well for my use case, but it could be absolutely braindead stupid and insecure for other environments. Review your own threat-profile before applying this change. Please note that you need to reapply it, any time that the PVE manager is updated, and then you also need to run "systemctl restart pvedaemon.service"

--- Nodes.pm.orig    2024-09-14 09:42:29.993099987 -0700
+++ Nodes.pm    2024-09-14 09:44:45.720215992 -0700
@@ -977,7 +977,7 @@
 
 my \$shell_cmd_map = {
     'login' => {
-       cmd => [ '/bin/login', '-f', 'root' ],
+       cmd => [ '/usr/bin/dtach', '-A', '/var/run/dtach/vzctlrootshell', '-r', 'winch', '-E', '-z', '/bin/login', '-f', 'root' ],
     },
     'upgrade' => {
        cmd => [ '/usr/bin/pveupgrade', '--shell' ],
@@ -1000,11 +1000,11 @@
                push @\$cmd, split(\"\\0\", \$args);
            }
        } else {
-           \$cmd = [ '/bin/login', '-f', 'root' ];
+           \$cmd = [ '/usr/bin/dtach', '-A', '/var/run/dtach/vzctlrootshell', '-r', 'winch', '-E', '-z', '/bin/login', '-f', 'root' ];
        }
     } else {
        # non-root must always login for now, we do not have a superuser role!
-       \$cmd = [ '/bin/login' ];
+       \$cmd = [ '/usr/bin/dtach', '-A', '/var/run/dtach/vzctlrootshell', '-r', 'winch', '-E', '-z', '/bin/login', '-f', 'root' ];
     }
     return \$cmd;
 }

For a somewhat less hacky solution, I would use an OIDC-aware reverse proxy to access the PVE user interface. It can do all of the authentication and then provide the results to PVE. You could then patch the PVE manager to trust this information and automatically grant elevated permissions. I don't think it's super difficult to implement, but it certainly requires some amount of testing. And since it's something that needs to integrate with third-party components, I can see why the Proxmox developers are reluctant to spend a lot of time and effort on this feature.