Unexpected authentication failure in syslog


New Member
Aug 26, 2023
When I looked at the syslog of my PVE node, I noticed the lines below.
Aug 31 20:51:48 pve IPCC.xs[4160338]: pam_unix(proxmox-ve-auth:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=::ffff:  user=root
Aug 31 20:51:49 pve pvedaemon[4160338]: authentication failure; rhost=::ffff: user=root@pam msg=Authentication failure

At first, I thought there was someone malicious trying to log in to my node. I didn't expose the node to the Internet, and the IP address is my laptop, so I quickly checked both my Laptop and the PVE but didn't find any other clues of malicious attacks.

In `/var/log/pveproxy/access.log`, the only related log is as below.
::ffff: - - [31/08/2023:20:19:03 +0800] "POST /api2/json/access/ticket HTTP/1.1" 401 13

Referring to https://pve.proxmox.com/wiki/Proxmox_VE_API#Authentication, I found that the `/access/ticket` API is used to login OR RENEW the current ticket.
I tried to send request to that endpoint via curl and noticed that trying to renew an expired ticket also results in an `authentication failure` in syslog, just like you have typed in a wrong password.

So I guess that there may be some bugs in the management website which causes it to renew an already expired token (maybe related to my laptop's hibernation), and results in an 'authentication failure' in syslog.

This log is quite "scary" in some cases and I share my findings here, but I am not very sure whether my guess is correct or not.


The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!