From 2ad2c765e99b45d822d0e8ad6b9ef72e60e8a0b0 Mon Sep 17 00:00:00 2001 From: Fiona Ebner Date: Wed, 4 Dec 2024 12:37:08 +0100 Subject: [PATCH] user management: clarify that password changes for PAM realm only apply to local node Reported in the community forum: https://forum.proxmox.com/threads/158518/ Signed-off-by: Fiona Ebner --- pveum.adoc | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/pveum.adoc b/pveum.adoc index ebb8e17..8e0a5f7 100644 --- a/pveum.adoc +++ b/pveum.adoc @@ -170,8 +170,14 @@ Linux PAM Standard Authentication As Linux PAM corresponds to host system users, a system user must exist on each node which the user is allowed to log in on. The user authenticates with their -usual system password. This realm is added by default and can't be removed. In -terms of configurability, an administrator can choose to require two-factor +usual system password. This realm is added by default and can't be removed. + +Password changes via the GUI or, equivalently, the `/access/password` API +endpoint only apply to the local node and not cluster-wide. Even though {pve} +has a multi-master design, using different passwords for different nodes can +still offer a security benefit. + +In terms of configurability, an administrator can choose to require two-factor authentication with logins from the realm and to set the realm as the default authentication realm.