When I looked at the syslog of my PVE node, I noticed the lines below.
```
Aug 31 20:51:48 pve IPCC.xs[4160338]: pam_unix(proxmox-ve-auth:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=::ffff:192.168.1.50 user=root
Aug 31 20:51:49 pve pvedaemon[4160338]: authentication failure; rhost=::ffff:192.168.1.50 user=root@pam msg=Authentication failure
```
At first, I thought there was someone malicious trying to log in to my node. I didn't expose the node to the Internet, and the IP address 192.168.1.50 is my laptop, so I quickly checked both my laptop and the PVE but didn't find any other clues of malicious attacks.
In `/var/log/pveproxy/access.log`, the only related log is as below.
```
::ffff:192.168.1.50 - - [31/08/2023:20:19:03 +0800] "POST /api2/json/access/ticket HTTP/1.1" 401 13
```
Referring to https://pve.proxmox.com/wiki/Proxmox_VE_API#Authentication, I found that the `/access/ticket` API is used to log in OR RENEW the current ticket.
I tried to send a request to that endpoint via curl and noticed that trying to renew an expired ticket also results in an `authentication failure` in syslog, just as if you had typed in a wrong password.
So I guess that there may be some bugs in the management website which cause it to renew an already expired token (maybe related to my laptop's hibernation), and result in an 'authentication failure' in syslog.
This log is quite "scary" in some cases and I share my findings here, but I am not very sure whether my guess is correct or not.
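As an added example (not from the post and not Proxmox code), a small Python triage script over constructed syslog lines in the format quoted above: it parses the `pvedaemon` failure lines and flags sources that produce many failures in a short window, which is the pattern worth investigating, while a couple of isolated failures from one host, as with the expired-ticket renewal described in the post, stay below the threshold. The year and the window/threshold values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines in the format quoted in the post; not captured traffic.
SAMPLE_SYSLOG = """\
Aug 31 20:51:48 pve IPCC.xs[4160338]: pam_unix(proxmox-ve-auth:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=::ffff:192.168.1.50 user=root
Aug 31 20:51:49 pve pvedaemon[4160338]: authentication failure; rhost=::ffff:192.168.1.50 user=root@pam msg=Authentication failure
Aug 31 21:03:12 pve pvedaemon[4160338]: authentication failure; rhost=::ffff:192.168.1.50 user=root@pam msg=Authentication failure
Aug 31 21:10:00 pve pvedaemon[4160339]: authentication failure; rhost=::ffff:10.0.0.9 user=root@pam msg=Authentication failure
Aug 31 21:10:01 pve pvedaemon[4160339]: authentication failure; rhost=::ffff:10.0.0.9 user=root@pam msg=Authentication failure
Aug 31 21:10:02 pve pvedaemon[4160339]: authentication failure; rhost=::ffff:10.0.0.9 user=root@pam msg=Authentication failure
Aug 31 21:10:04 pve pvedaemon[4160339]: authentication failure; rhost=::ffff:10.0.0.9 user=root@pam msg=Authentication failure
Aug 31 21:10:05 pve pvedaemon[4160339]: authentication failure; rhost=::ffff:10.0.0.9 user=root@pam msg=Authentication failure
Aug 31 21:10:07 pve pvedaemon[4160339]: authentication failure; rhost=::ffff:10.0.0.9 user=root@pam msg=Authentication failure
"""
# Only the pvedaemon line is parsed; the pam_unix line is the same event as seen by PAM.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pvedaemon\[\d+\]: "
    r"authentication failure; rhost=(?P<rhost>\S+) user=(?P<user>\S+)"
)

def parse_failures(text, year=2023):
    """Return (timestamp, rhost, user) tuples; syslog omits the year, so it is assumed."""
    events = []
    for line in text.splitlines():
        if not (m := FAIL_RE.match(line)):
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        rhost = m["rhost"].removeprefix("::ffff:")  # drop the IPv4-mapped IPv6 prefix
        events.append((ts, rhost, m["user"]))
    return events

def burst_sources(events, window_s=60, threshold=5):
    """rhost -> max failures in any window_s-second window, for hosts at or above threshold.
    Sparse failures minutes apart (expired-ticket renewals) stay below it; a rapid run does not."""
    by_host = defaultdict(list)
    for ts, rhost, _ in events:
        by_host[rhost].append(ts)
    flagged = {}
    for rhost, times in by_host.items():
        times.sort()
        best, j = 0, 0
        for i in range(len(times)):  # sliding window over sorted timestamps
            while j < len(times) and (times[j] - times[i]).total_seconds() <= window_s:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[rhost] = best
    return flagged
```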