[SOLVED] Unable to login to my web UI (TFA)

FaisalALi92

Hello Everyone,
I was trying to disable my 2FA and there was a check box to enable and I checked it off.

When I tried to log in again it still asks me for the TOTP code, but I am unable to write anything.

So I am locked out of the Web UI but I still have my SSH connection working.

I found a similar issue to mine but the solution did not work for me.

https://forum.proxmox.com/threads/l...n-after-disabling-2fa-totp.93581/#post-485549

Thank you
 
hi,

So I am locked out of the Web UI but I still have my SSH connection working.

I found a similar issue to mine but the solution did not work for me.
you can remove the 2nd factor if you have a shell as root@pam on the server.

rm /etc/pve/priv/tfa.cfg will delete the TFA config of all users from the system.
if you just want to do it for a single user you can edit the file and remove the line for the user.
 
Thanks, I hate it when I spend hours trying to solve an issue only for the solution to be very simple. :)
 
Thanks, I hate it when I spend hours trying to solve an issue only for the solution to be very simple. :)
no worries, glad i could help :)

please mark the thread as [SOLVED] for others as well ^^
 
hi,


you can remove the 2nd factor if you have a shell as root@pam on the server.

rm /etc/pve/priv/tfa.cfg will delete the TFA config of all users from the system.
if you just want to do it for a single user you can edit the file and remove the line for the user.
hi, I just tried this for root@pve but it didn't work.
Permissions for that file are read-only, any advice?
 
hi, I just tried this for root@pve but it didn't work.
Permissions for that file are read-only, any advice?
there's no root@pve, do you mean root@pam?

permissions for that file are not read-only if you're deleting/editing as the root user.
can you describe your issue?
 
Hi thanks for answering..

I'm accessing the server Dell R520 via iDrac and after a reboot I'm greeted with a login screen.
It definitively says root@pve after login.
I had to reinstall Proxmox 7.2 on a new SSD because of upgrades gone wrong. I have no idea if they can be turned back.
I read after searching that var/lib/pve-cluster/config.db contained the configuration of the system.
I copied it over to the new system.
I wanted to remove the 2FA because I couldn't get into the webpage and I blame it on 2FA.
So I can login directly to the server with CLI but not on the webpage.
 
It definitively says root@pve after login.
that's probably because you logged in as root and your machine is called pve, thus the shell prompt shows root@pve ;)
that's not the actual username, system users are created in PAM realm, if you check the output of pveum user list you will see a list of your users and can verify that it's called root@pam.

I had to reinstall Proxmox 7.2 on a new SSD because of upgrades gone wrong. I have no idea if they can be turned back.
I read after searching that var/lib/pve-cluster/config.db contained the configuration of the system.
I copied it over to the new system.
okay.

I wanted to remove the 2FA because I couldn't get into the webpage and I blame it on 2FA.
So I can login directly to the server with CLI but not on the webpage.
which user are you logging in with?
try logging in as root to your web gui
make sure the "Realm" is "Linux PAM standard authentication"

from what you've described, if you have 2FA enabled for the root@pam user you will get a prompt for authentication code.

to remove the 2FA for that user, check the file /etc/pve/priv/tfa.cfg, find the line with the username (root@pam) and remove it. save the file and try logging in again.

if that does not work please describe where you're getting stuck.
hope this helps!
 
You're extremely fast...
So the web login is just like your screenshot, even the realm is correct.
But when I hit Login it just stays there, and I thought it was the fault of 2FA.
The 2 SSD are now attached to the server and so I was able to do mount /dev/pve-OLD-30B4D533/root /mnt/root to copy over the config.db

I think the error comes from the certificates which are also in the config.db and of course different for the new and old system.
I can't access the system because I'm at work but will look into it in 4 hours.
 
So the web login is just like your screenshot, even the realm is correct.
But when I hit Login it just stays there, and I thought it was the fault of 2FA.
that sounds like another issue unrelated to 2FA, maybe the config.db wasn't copied over correctly, or you forgot to restart the services after copying it? rebooting the node should also do it.

I think the error comes from the certificates which are also in the config.db and of course different for the new and old system.
to reset the certificates run pvecm updatecerts --force on the new node (after the services have restarted)
 
I did a:
systemctl stop pve-cluster
cp /mnt/old/config.db /var/lib/pve-cluster/
systemctl start pve-cluster
pvecm updatecerts --force
rebooted

I can't login to the webpage or remove the 2FA. Why is this?
 
I did a:
systemctl stop pve-cluster
cp /mnt/old/config.db /var/lib/pve-cluster/
systemctl start pve-cluster
pvecm updatecerts --force
rebooted

I can't login to the webpage or remove the 2FA. Why is this?
what do you see in journalctl ? are there any apparent error messages?

are the pve services working? systemctl | grep pve

can't login to the webpage or remove the 2FA. Why is this?
does it hang like before?
 
what do you see in journalctl ? are there any apparent error messages?

are the pve services working? systemctl | grep pve


does it hang like before?

It doesn't really hang, it says "Failed to login please try again".
I did a:
service pve-cluster stop
pmxcfs -l

This let me login with the webpage.

root@pve:~# pvecm status
Cluster information
-------------------
Name: home
Config Version: 1
Transport: knet
Secure auth: on

Cannot initialize CMAP service
root@pve:~# pvecm expected 1
Cannot initialize CMAP service
root@pve:~# journalctl -b -u corosync
-- Journal begins at Mon 2022-08-01 22:45:25 CEST, ends at Tue 2022-08-02 09:26:32 CEST. --
aug 01 23:51:00 pve systemd[1]: Starting Corosync Cluster Engine...
aug 01 23:51:00 pve corosync[3144]: [MAIN ] Corosync Cluster Engine 3.1.5 starting up
aug 01 23:51:00 pve corosync[3144]: [MAIN ] Corosync built-in features: dbus monitoring watchdog systemd xmlconf vqsim nozzle snmp pie relro bindnow
aug 01 23:51:00 pve corosync[3144]: [MAIN ] Could not open /etc/corosync/authkey: No such file or directory
aug 01 23:51:00 pve corosync[3144]: [MAIN ] Corosync Cluster Engine exiting with status 8 at main.c:1417.
aug 01 23:51:00 pve systemd[1]: corosync.service: Main process exited, code=exited, status=8/n/a
aug 01 23:51:00 pve systemd[1]: corosync.service: Failed with result 'exit-code'.
aug 01 23:51:00 pve systemd[1]: Failed to start Corosync Cluster Engine.
root@pve:~#


root@pve:~# systemctl | grep pve
etc-pve.mount loaded active mounted /etc/pve
pve-cluster.service loaded activating start start The Proxmox VE cluster filesystem
pve-container@100.service loaded active running PVE LXC Container: 100
pve-container@101.service loaded active running PVE LXC Container: 101
pve-container@104.service loaded failed failed PVE LXC Container: 104
pve-container@109.service loaded failed failed PVE LXC Container: 109
pve-container@110.service loaded failed failed PVE LXC Container: 110
pve-container@111.service loaded active running PVE LXC Container: 111
pve-container@116.service loaded active running PVE LXC Container: 116
pve-firewall.service loaded active running Proxmox VE firewall
pve-guests.service loaded active exited PVE guests
pve-ha-crm.service loaded active running PVE Cluster HA Resource Manager Daemon
pve-ha-lrm.service loaded active running PVE Local HA Resource Manager Daemon
pve-lxc-syscalld.service loaded active running Proxmox VE LXC Syscall Daemon
pvebanner.service loaded active exited Proxmox VE Login Banner
pvedaemon.service loaded active running PVE API Daemon
pvefw-logger.service loaded active running Proxmox VE firewall logger
pvenetcommit.service loaded active exited Commit Proxmox VE network changes
pveproxy.service loaded active running PVE API Proxy Server
pvescheduler.service loaded active running Proxmox VE scheduler
pvestatd.service loaded active running PVE Status Daemon
system-pve\x2dcontainer.slice loaded active active PVE LXC Container Slice
dev-pve-swap.swap loaded active active /dev/pve/swap
pve-storage.target loaded active active PVE Storage Target
pve-daily-update.timer loaded active waiting Daily PVE download activities
root@pve:~#
 
It doesn't really hang, it says "Failed to login please try again".
I did a:
service pve-cluster stop
pmxcfs -l

This let me login with the webpage.
so pve-cluster doesn't work without local mode, that means something is wrong with the service or the configuration.

was this node normally a part of a cluster or just a standalone node?

the error message /etc/corosync/authkey: No such file or directory can be a hint as to why it fails (the directory or the file is missing, you might have to recreate them). one way to do that would be to delete the cluster files and create it again
 
so pve-cluster doesn't work without local mode, that means something is wrong with the service or the configuration.

was this node normally a part of a cluster or just a standalone node?

the error message /etc/corosync/authkey: No such file or directory can be a hint as to why it fails (the directory or the file is missing, you might have to recreate them). one way to do that would be to delete the cluster files and create it again
It's a standalone home installation.
Advice is given to stop all running things, but I wonder how do I stop pmxcfs?
 
Advice is given to stop all running things, but I wonder how do I stop pmxcfs?
as you did before (stopping pve-cluster), but without the part where you start it manually.
 
hi,


you can remove the 2nd factor if you have a shell as root@pam on the server.

rm /etc/pve/priv/tfa.cfg will delete the TFA config of all users from the system.
if you just want to do it for a single user you can edit the file and remove the line for the user.
Thank you very much.

It worked here too.

Have a great week.
 
