Admin users in Proxmox

We do not want to use root for everything; in fact, we can't allow it. We need admin groups and administration accounts. Furthermore, we need to separate duties and use other users and groups with fewer privileges on our cluster and servers.


The importance of user security cannot be overstated, especially if we have any sensitive data on the system or any VM/CT facing the web. We can have PAM- and PVE-authenticated users on our system.

Add a PAM User in Proxmox

The default roles in Proxmox are: Administrator, PVEAdmin, PVEVMAdmin, PVEVMUser, PVEUserAdmin, PVEDatastoreAdmin, PVEDatastoreUser, PVESysAdmin, PVEPoolAdmin, PVETemplateUser, and PVEAuditor.
Additionally, there is a “No Access” role to forbid access.

  1. Create the group and the user on Debian.
  2. Add the OS user to Proxmox.
  3. Set the permissions for the user.

1. Debian user add

The command below adds the user. It will ask you for a password and your full name, and then it will create a home directory.

adduser <user>

You don't need to fill out Full Name, Room Number, Work Phone, Home Phone or Other.

Another way is to use the useradd and groupadd commands.

On Debian, the only constraints are that group names must neither start with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a colon (':'), a comma (','), or a whitespace (space:' ', end of line: '\n', tabulation: '\t', etc.).

Deleting a user

deluser --remove-home <user>

2. Import the Debian user to Proxmox

pveum user add <user>@pam
pveum user list

3. Set permissions and the role of the user

You can set these very precisely according to the role of the user; please read the manual.

pveum acl modify <PATH> --roles PVEAdmin --users <user>@pam
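
The three steps above as one reviewable script, added here as an example and not the author's own code: it checks the names against the Debian rule quoted above and the role against the default role list before any privileged command runs. The function names, the DRY_RUN switch and the sample user, group and path are assumptions, as is applying the name rule to the user as well as the group.

```sh
#!/bin/sh
# Added example, not from the article. Hypothetical names: valid_name,
# valid_role, run, provision_admin, DRY_RUN, and the sample values at the end.

# Default roles exactly as the article lists them.
ROLES="Administrator PVEAdmin PVEVMAdmin PVEVMUser PVEUserAdmin PVEDatastoreAdmin PVEDatastoreUser PVESysAdmin PVEPoolAdmin PVETemplateUser PVEAuditor"

# Debian name rule quoted in the article: no leading '-', '+' or '~', and no
# ':', ',' or whitespace. Rejecting the empty string is this example's addition.
valid_name() {
    case "$1" in
        ''|[-+~]*|*:*|*,*|*[[:space:]]*) return 1 ;;
    esac
    return 0
}

# Accept exactly one role from the list above (no comma-separated lists).
valid_role() {
    case "$1" in ''|*[[:space:]]*) return 1 ;; esac
    case " $ROLES " in *" $1 "*) return 0 ;; esac
    return 1
}

# Print the command while DRY_RUN is 1 (the default); execute it otherwise.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Steps 1-3 for one admin. Args: user, Debian group, ACL path, role.
# All inputs are checked before any privileged command is run.
provision_admin() {
    user=$1 group=$2 path=$3 role=$4
    valid_name "$user"  || { echo "bad user name" >&2; return 2; }
    valid_name "$group" || { echo "bad group name" >&2; return 2; }
    valid_role "$role"  || { echo "unknown role: $role" >&2; return 2; }
    case "$path" in /*) ;; *) echo "ACL path must start with /" >&2; return 2 ;; esac
    run groupadd -f "$group" &&
    run adduser --ingroup "$group" "$user" &&
    run pveum user add "${user}@pam" &&
    run pveum acl modify "$path" --roles "$role" --users "${user}@pam" &&
    run pveum user list
}

# Constructed sample: review the plan for a VM-only admin before running it.
provision_admin alice pveadmins /vms PVEVMAdmin
```

Set DRY_RUN=0 and run as root on the Proxmox node to execute the plan; adduser will still prompt for the password.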

Use of API Tokens

API tokens bring much-needed security to applications that talk to Proxmox, such as monitoring applications that need a high level of permissions.

Use of Two-Factor Authentication

Security is always needed, and more security is a must if we open up a service to the web. Servers are prime targets for hackers, criminals, or governments.

Home servers are easy targets for any hacker looking to gain access to corporate data: there are no 24/7 professional personnel guarding access and login.