Proxmox User Management

Yes, you need more than root. Security says using root everywhere isn't safe, and that segregation of duties is a good way to harden a system.


Setting up users and groups is essential for security. Proxmox can't do it all; Linux and pfSense will also help with the networking part. Proxmox permissions control which nodes, VMs and disks a user has access to (you may want to use pools for this) and whether a user has the right to manage other users. But you can't control a user's access to NICs (except with OVN), and you can't control how much disk, RAM or how many cores a user can allocate.

That said, it's a great tool for segregating duties and responsibilities within a DevOps team, which I think should be its sole purpose. Meaning it's not suitable for VPS use.

Permissions can be set in a very fine-grained way, which also removes some clutter from the GUI. E.g. if users are not allowed to use NFS storage, it will not show; if they can only use 100 G of a storage, they are shown how much of it they have used, not the total; or you can hide the PBS storages from everyone but the backup operators.

The Groups

Groups are the preferred way to organize access permissions. Grant permissions to groups instead of individual users; that way you get a much more maintainable access control list. Each user can be a member of several groups.

Datacenter -> Permissions -> Groups and hit Create

Pools

Pools are like groups for Proxmox resources such as VMs. You can give a user access to multiple VMs by putting them in a pool, and you can even add a storage to that pool. A VM can only belong to one pool; a storage can belong to many.

Roles

Through roles it's possible to give rights to users, groups and pools.

The Realms

Proxmox VE Authentication Server

This is the simplest realm to add users to. If the users have no need for shell access to the server, then this realm is it.
To add users to this realm, navigate to Datacenter -> Permissions -> Users and click Add at the top. A pop-up appears where you can fill in the information for the new user. Make sure Proxmox VE Authentication Server is selected as the Realm, and fill out any other details you see fit.

Linux PAM Standard Authentication

This realm is similar to the previous realm, but there is one key difference: users have access to the command line. If your users need to access the command line, then this realm is the option for you. Adding users into this realm is a two step process.

  1. Use the shell access from the GUI or over SSH. In the shell, add the new user with adduser $username. This creates a user on the underlying Linux system.
     If the user needs privileged (sudo) shell access, run usermod -aG sudo $username.
  2. The second step is identical to the one for the Proxmox VE Authentication Server realm, but
     make sure that Linux PAM Standard Authentication is selected as the Realm instead.

As Linux PAM corresponds to host system users, a system user must exist on each node which the user is allowed to log in on. The user authenticates with their usual system password.

API Tokens

API tokens allow stateless access to most parts of the REST API from another system, software or API client. Tokens can be generated for individual users and can be given separate permissions and expiration dates to limit the scope and duration of the access. Should the API token get compromised, it can be revoked without disabling the user itself.

To use an API token, set the HTTP header Authorization to the displayed value of the form PVEAPIToken=USER@REALM!TOKENID=UUID when making API requests, or refer to your API client’s documentation.

API tokens come in two basic types:

Separated privileges

  • The token needs to be given explicit access with ACLs. Its effective permissions are calculated by intersecting user and token permissions.

Full privileges

  • The token’s permissions are identical to that of the associated user.
💡 The token value is only displayed/returned once, when the token is generated. It cannot be retrieved again over the API at a later time!
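As an added example (not code from the original post or from Proxmox), the client side of what is described above: building the Authorization header from a token id and its secret, a simplified model of how the two token types arrive at their effective privileges, and a GET against the REST API with that header. The token id, secret, privilege sets and CA file are assumed values.

```python
import json
import re
import ssl
import urllib.request

# Token id format used by Proxmox VE: USER@REALM!TOKENID (the UUID secret is separate).
TOKEN_ID_RE = re.compile(r"^(?P<user>[^@!]+)@(?P<realm>[^@!]+)!(?P<token>[A-Za-z0-9._-]+)$")


def pve_auth_header(token_id, secret):
    """Build the header described in the post: PVEAPIToken=USER@REALM!TOKENID=UUID.

    Validating the shape client-side catches copy/paste mistakes before they
    turn into 401s that look like a revoked token.
    """
    if not TOKEN_ID_RE.match(token_id):
        raise ValueError(f"token id must look like user@realm!tokenid, got {token_id!r}")
    if not secret or "=" in secret:
        raise ValueError("token secret (UUID) missing or malformed")
    return {"Authorization": f"PVEAPIToken={token_id}={secret}"}


def effective_privileges(user_privs, token_privs, privsep):
    """Simplified model (an assumption, not Proxmox's ACL engine) of the two token types:
    with separated privileges the token only has what both the user's ACLs and the
    token's own ACLs grant; with full privileges it simply inherits the user's set."""
    if privsep:
        return set(user_privs) & set(token_privs)
    return set(user_privs)


def api_get(base_url, path, headers, cafile=None):
    """GET a JSON endpoint such as /api2/json/nodes using the token header.

    cafile is assumed to be the CA that signed the node's certificate; with a
    self-signed node cert, export it rather than disabling verification.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(f"{base_url.rstrip('/')}{path}", headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample values; replace with your own token id, secret and host.
    hdr = pve_auth_header("backup@pve!nightly", "0f1e2d3c-4b5a-6978-8a9b-0c1d2e3f4a5b")
    print(hdr)
    print(effective_privileges({"VM.Audit", "VM.PowerMgmt"}, {"VM.Audit", "Datastore.Audit"}, True))
```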

Other Authentication Realms

LDAP

LDAP (Lightweight Directory Access Protocol) is an open, cross-platform protocol for authentication using directory services. OpenLDAP is a popular open-source implementation of the LDAP protocol.

Active Directory (AD)

Microsoft's version of LDAP. Active Directory (AD) is a directory service for Windows domain networks and is supported as an authentication realm for Proxmox VE. It supports LDAP as an authentication protocol.

OpenID Connect

OpenID Connect is implemented as an identity layer on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the user, based on authentication performed by an external authorization server.

Two-Factor Authentication

Use 2FA, it's great. There are two ways to use 2FA: TOTP or YubiKey OTP.

It can be required at the authentication realm level or enabled per user.

  • YubiKey OTP. In this case, a newly created user needs to have their keys added immediately, as there is no way to log in without the second factor.
  • TOTP. Users can change their TOTP later on, provided they can log in first. Alternatively, users can choose to opt in to two-factor authentication later on, even if the realm does not enforce it.

References

  1. Proxmox user management: Proxmox wiki
  2. TOTP: Time-based one-time password on Wikipedia
  3. Yubico: Yubico homepage
  4. OpenID: OpenID homepage