2020-10-02 17:12:57 +03:00
.. _user_mgmt:
User Management
===============
User Configuration
------------------
.. image :: images/screenshots/pbs-gui-user-management.png
2022-11-28 19:15:42 +03:00
:target: _images/pbs-gui-user-management.png
2020-10-02 17:12:57 +03:00
:align: right
:alt: User management
Proxmox Backup Server supports several authentication realms, and you need to
choose the realm when you add a new user. Possible realms are:
:pam: Linux PAM standard authentication. Use this if you want to
2021-10-11 14:11:43 +03:00
authenticate as a Linux system user (users need to exist on the
2020-10-02 17:12:57 +03:00
system).
:pbs: Proxmox Backup Server realm. This type stores hashed passwords in
`` /etc/proxmox-backup/shadow.json `` .
2021-10-11 14:11:44 +03:00
:openid: OpenID Connect server. Users can authenticate against an external
OpenID Connect server.
2023-02-09 16:31:22 +03:00
:ldap: LDAP server. Users can authenticate against external LDAP servers.
2021-10-11 14:11:44 +03:00
After installation, there is a single user, `` root@pam `` , which corresponds to
the Unix superuser. User configuration information is stored in the file
`` /etc/proxmox-backup/user.cfg `` . You can use the `` proxmox-backup-manager ``
command line tool to list or manipulate users:
2020-10-02 17:12:57 +03:00
.. code-block :: console
# proxmox-backup-manager user list
┌─────────────┬────────┬────────┬───────────┬──────────┬────────────────┬────────────────────┐
│ userid │ enable │ expire │ firstname │ lastname │ email │ comment │
╞═════════════╪════════╪════════╪═══════════╪══════════╪════════════════╪════════════════════╡
│ root@pam │ 1 │ │ │ │ │ Superuser │
└─────────────┴────────┴────────┴───────────┴──────────┴────────────────┴────────────────────┘
.. image :: images/screenshots/pbs-gui-user-management-add-user.png
2022-11-28 19:15:42 +03:00
:target: _images/pbs-gui-user-management-add-user.png
2020-10-02 17:12:57 +03:00
:align: right
:alt: Add a new user
2021-10-11 14:11:43 +03:00
The superuser has full administration rights on everything, so it's recommended
to add other users with less privileges. You can add a new
2020-11-06 17:46:27 +03:00
user with the `` user create `` subcommand or through the web
interface, under the **User Management** tab of **Configuration -> Access
Control**. The `` create `` subcommand lets you specify many options like
`` --email `` or `` --password `` . You can update or change any user properties
2021-10-11 14:11:43 +03:00
using the `` user update `` subcommand later (**Edit** in the GUI):
2020-10-02 17:12:57 +03:00
.. code-block :: console
# proxmox-backup-manager user create john@pbs --email john@example.com
# proxmox-backup-manager user update john@pbs --firstname John --lastname Smith
# proxmox-backup-manager user update john@pbs --comment "An example user."
.. todo :: Mention how to set password without passing plaintext password as cli argument.
The resulting user list looks like this:
.. code-block :: console
# proxmox-backup-manager user list
┌──────────┬────────┬────────┬───────────┬──────────┬──────────────────┬──────────────────┐
│ userid │ enable │ expire │ firstname │ lastname │ email │ comment │
╞══════════╪════════╪════════╪═══════════╪══════════╪══════════════════╪══════════════════╡
│ john@pbs │ 1 │ │ John │ Smith │ john@example.com │ An example user. │
├──────────┼────────┼────────┼───────────┼──────────┼──────────────────┼──────────────────┤
│ root@pam │ 1 │ │ │ │ │ Superuser │
└──────────┴────────┴────────┴───────────┴──────────┴──────────────────┴──────────────────┘
2021-10-11 14:11:44 +03:00
Newly created users do not have any permissions. Please read the :ref: `user_acl`
2020-10-02 17:12:57 +03:00
section to learn how to set access permissions.
2021-10-11 14:11:43 +03:00
You can disable a user account by setting `` --enable `` to `` 0 `` :
2020-10-02 17:12:57 +03:00
.. code-block :: console
# proxmox-backup-manager user update john@pbs --enable 0
2021-10-11 14:11:43 +03:00
Or completely remove a user with:
2020-10-02 17:12:57 +03:00
.. code-block :: console
# proxmox-backup-manager user remove john@pbs
2020-10-30 17:18:42 +03:00
.. _user_tokens:
API Tokens
----------
2020-11-06 17:46:30 +03:00
.. image :: images/screenshots/pbs-gui-apitoken-overview.png
2022-11-28 19:15:42 +03:00
:target: _images/pbs-gui-apitoken-overview.png
2020-11-06 17:46:30 +03:00
:align: right
:alt: API Token Overview
2021-10-11 14:11:43 +03:00
Any authenticated user can generate API tokens, which can in turn be used to
2020-10-30 17:18:42 +03:00
configure various clients, instead of directly providing the username and
password.
API tokens serve two purposes:
#. Easy revocation in case client gets compromised
#. Limit permissions for each client/token within the users' permission
An API token consists of two parts: an identifier consisting of the user name,
the realm and a tokenname (`` user@realm!tokenname `` ), and a secret value. Both
need to be provided to the client in place of the user ID (`` user@realm `` ) and
2020-10-30 19:01:18 +03:00
the user password, respectively.
2020-10-30 17:18:42 +03:00
2020-11-06 17:46:30 +03:00
.. image :: images/screenshots/pbs-gui-apitoken-secret-value.png
2022-11-28 19:15:42 +03:00
:target: _images/pbs-gui-apitoken-secret-value.png
2020-11-06 17:46:30 +03:00
:align: right
:alt: API secret value
2020-10-30 17:18:42 +03:00
The API token is passed from the client to the server by setting the
`` Authorization `` HTTP header with method `` PBSAPIToken `` to the value
`` TOKENID:TOKENSECRET `` .
2021-10-11 14:11:43 +03:00
You can generate tokens from the GUI or by using `` proxmox-backup-manager `` :
2020-10-30 17:18:42 +03:00
.. code-block :: console
# proxmox-backup-manager user generate-token john@pbs client1
Result: {
"tokenid": "john@pbs!client1",
"value": "d63e505a-e3ec-449a-9bc7-1da610d4ccde"
}
.. note :: The displayed secret value needs to be saved, since it cannot be
displayed again after generating the API token.
The `` user list-tokens `` sub-command can be used to display tokens and their
metadata:
.. code-block :: console
# proxmox-backup-manager user list-tokens john@pbs
┌──────────────────┬────────┬────────┬─────────┐
│ tokenid │ enable │ expire │ comment │
╞══════════════════╪════════╪════════╪═════════╡
│ john@pbs!client1 │ 1 │ │ │
└──────────────────┴────────┴────────┴─────────┘
Similarly, the `` user delete-token `` subcommand can be used to delete a token
again.
Newly generated API tokens don't have any permissions. Please read the next
section to learn how to set access permissions.
2020-10-02 17:12:57 +03:00
.. _user_acl:
Access Control
--------------
2021-10-11 14:11:43 +03:00
By default, new users and API tokens do not have any permissions. Instead you
2022-05-16 09:00:40 +03:00
need to specify what is allowed and what is not.
2022-05-17 19:12:42 +03:00
Proxmox Backup Server uses a role- and path-based permission management system.
2022-05-16 09:00:40 +03:00
An entry in the permissions table allows a user, group or token to take on a
specific role when accessing an 'object' or 'path'. This means that such an
access rule can be represented as a triple of '(path, user, role)', '(path,
group, role)' or '(path, token, role)', with the role containing a set of
allowed actions, and the path representing the target of these actions.
Privileges
~~~~~~~~~~
2022-05-17 19:12:42 +03:00
Privileges are the building blocks of access roles. They are internally
2022-05-16 09:00:40 +03:00
used to enforce the actual permission checks in the API.
We currently support the following privileges:
**Sys.Audit**
2022-05-17 19:12:42 +03:00
Sys.Audit allows a user to know about the system and its status.
2022-05-16 09:00:40 +03:00
**Sys.Modify**
2022-05-17 19:12:42 +03:00
Sys.Modify allows a user to modify system-level configuration and apply updates.
2022-05-16 09:00:40 +03:00
**Sys.PowerManagement**
2022-05-17 19:12:42 +03:00
Sys.Modify allows a user to power-off and reboot the system.
2022-05-16 09:00:40 +03:00
**Datastore.Audit**
2022-05-17 19:12:42 +03:00
Datastore.Audit allows a user to know about a datastore, including reading the
2022-05-16 09:00:40 +03:00
configuration entry and listing its contents.
**Datastore.Allocate**
2022-05-17 19:12:42 +03:00
Datastore.Allocate allows a user to create or delete datastores.
2022-05-16 09:00:40 +03:00
**Datastore.Modify**
2022-05-17 19:12:42 +03:00
Datastore.Modify allows a user to modify a datastore and its contents, and to
2022-05-16 09:00:40 +03:00
create or delete namespaces inside a datastore.
**Datastore.Read**
2022-05-17 19:12:42 +03:00
Datastore.Read allows a user to read arbitrary backup contents, independent of
2022-05-16 09:00:40 +03:00
the backup group owner.
**Datastore.Verify**
Allows verifying the backup snapshots in a datastore.
**Datastore.Backup**
2022-05-17 19:12:42 +03:00
Datastore.Backup allows a user create new backup snapshots and also provides the
2022-05-16 09:00:40 +03:00
privileges of Datastore.Read and Datastore.Verify, but only if the backup
group is owned by the user or one of its tokens.
**Datastore.Prune**
2022-05-17 19:12:42 +03:00
Datastore.Prune allows a user to delete snapshots, but additionally requires
backup ownership.
2022-05-16 09:00:40 +03:00
**Permissions.Modify**
2022-05-17 19:12:42 +03:00
Permissions.Modify allows a user to modify ACLs.
2022-05-16 09:00:40 +03:00
2022-05-17 19:12:42 +03:00
.. note :: A user can always configure privileges for their own API tokens, as
they will be limited by the users privileges anyway.
2022-05-16 09:00:40 +03:00
**Remote.Audit**
2022-05-17 19:12:42 +03:00
Remote.Audit allows a user to read the remote and the sync configuration entries.
2022-05-16 09:00:40 +03:00
**Remote.Modify**
2022-05-17 19:12:42 +03:00
Remote.Modify allows a user to modify the remote configuration.
2022-05-16 09:00:40 +03:00
**Remote.Read**
2022-05-17 19:12:42 +03:00
Remote.Read allows a user to read data from a configured `Remote` .
2022-05-16 09:00:40 +03:00
**Sys.Console**
2022-05-17 19:12:42 +03:00
Sys.Console allows a user to access the system's console, note that for all
2022-05-16 09:00:40 +03:00
but `root@pam` a valid system login is still required.
**Tape.Audit**
2022-05-17 19:12:42 +03:00
Tape.Audit allows a user to read the configuration and status of tape drives,
changers and backups.
2022-05-16 09:00:40 +03:00
**Tape.Modify**
2022-05-17 19:12:42 +03:00
Tape.Modify allows a user to modify the configuration of tape drives, changers
and backups.
2022-05-16 09:00:40 +03:00
**Tape.Write**
2022-05-17 19:12:42 +03:00
Tape.Write allows a user to write to a tape media.
2022-05-16 09:00:40 +03:00
**Tape.Read**
2022-05-17 19:12:42 +03:00
Tape.Read allows a user to read tape backup configuration and contents from a
tape media.
2022-05-16 09:00:40 +03:00
**Realm.Allocate**
2022-05-17 19:12:42 +03:00
Realm.Allocate allows a user to view, create, modify and delete authentication
realms for users.
2022-05-16 09:00:40 +03:00
Access Roles
~~~~~~~~~~~~
An access role combines one or more privileges into something that can be
2022-05-17 19:12:42 +03:00
assigned to a user or API token on an object path.
2022-05-16 09:00:40 +03:00
2022-05-17 19:12:42 +03:00
Currently, there are only built-in roles, meaning you cannot create your
2022-05-16 09:00:40 +03:00
own, custom role.
The following roles exist:
2020-10-02 17:12:57 +03:00
**NoAccess**
Disable Access - nothing is allowed.
**Admin**
2022-05-16 09:00:40 +03:00
Can do anything, on the object path assigned.
2020-10-02 17:12:57 +03:00
**Audit**
2022-05-16 09:00:40 +03:00
Can view the status and configuration of things, but is not allowed to change
settings.
2020-10-02 17:12:57 +03:00
**DatastoreAdmin**
2022-05-16 09:00:40 +03:00
Can do anything on *existing* datastores.
2020-10-02 17:12:57 +03:00
**DatastoreAudit**
2022-05-16 09:00:40 +03:00
Can view datastore metrics, settings and list content. But is not allowed to
read the actual data.
2020-10-02 17:12:57 +03:00
**DatastoreReader**
2022-05-17 19:12:42 +03:00
Can inspect a datastore's or namespace's content and do restores.
2020-10-02 17:12:57 +03:00
**DatastoreBackup**
Can backup and restore owned backups.
**DatastorePowerUser**
2022-05-16 09:00:40 +03:00
Can backup, restore, and prune *owned* backups.
2020-10-02 17:12:57 +03:00
**RemoteAdmin**
Can do anything on remotes.
**RemoteAudit**
Can view remote settings.
**RemoteSyncOperator**
Is allowed to read data from a remote.
2022-05-16 09:00:40 +03:00
**TapeAdmin**
2022-05-17 19:12:42 +03:00
Can do anything related to tape backup.
2021-10-11 14:11:44 +03:00
2022-05-16 09:00:40 +03:00
**TapeAudit**
2022-05-17 19:12:42 +03:00
Can view tape-related metrics, configuration and status.
2022-05-16 09:00:40 +03:00
2021-10-11 14:11:44 +03:00
**TapeOperator**
2022-05-17 19:12:42 +03:00
Can do tape backup and restore, but cannot change any configuration.
2021-10-11 14:11:44 +03:00
**TapeReader**
2022-05-17 19:12:42 +03:00
Can read and inspect tape configuration and media content.
2021-10-11 14:11:44 +03:00
2022-05-16 11:56:12 +03:00
Objects and Paths
~~~~~~~~~~~~~~~~~
2022-05-17 19:12:42 +03:00
Access permissions are assigned to objects, such as a datastore, namespace or
2022-05-16 11:56:12 +03:00
some system resources.
2022-05-17 19:12:42 +03:00
We use filesystem-like paths to address these objects. These paths form a
2022-05-16 11:56:12 +03:00
natural tree, and permissions of higher levels (shorter paths) can optionally
be propagated down within this hierarchy.
2022-05-17 19:12:42 +03:00
Paths can be templated, meaning they can refer to the actual id of a
configuration entry. When an API call requires permissions on a templated
2022-05-16 11:56:12 +03:00
path, the path may contain references to parameters of the API call. These
2022-05-17 19:12:42 +03:00
references are specified in curly brackets.
2022-05-16 11:56:12 +03:00
Some examples are:
* `/datastore` : Access to *all* datastores on a Proxmox Backup server
* `/datastore/{store}` : Access to a specific datastore on a Proxmox Backup
server
2022-05-16 19:10:13 +03:00
* `/datastore/{store}/{ns}` : Access to a specific namespace on a specific
datastore
2022-05-16 11:56:12 +03:00
* `/remote` : Access to all remote entries
2022-05-17 19:12:42 +03:00
* `/system/network` : Access to configure the host network
2022-05-16 11:56:12 +03:00
* `/tape/` : Access to tape devices, pools and jobs
* `/access/users` : User administration
* `/access/openid/{id}` : Administrative access to a specific OpenID Connect realm
Inheritance
^^^^^^^^^^^
As mentioned earlier, object paths form a file system like tree, and
permissions can be inherited by objects down that tree through the propagate
flag, which is set by default. We use the following inheritance rules:
2022-05-17 19:12:42 +03:00
* Permissions for API tokens are always limited to those of the user.
2022-05-16 11:56:12 +03:00
* Permissions on deeper, more specific levels replace those inherited from an
upper level.
Configuration & Management
~~~~~~~~~~~~~~~~~~~~~~~~~~
.. image :: images/screenshots/pbs-gui-permissions-add.png
2022-11-28 19:15:42 +03:00
:target: _images/pbs-gui-permissions-add.png
2020-10-02 17:12:57 +03:00
:align: right
:alt: Add permissions for user
Access permission information is stored in `` /etc/proxmox-backup/acl.cfg `` . The
file contains 5 fields, separated using a colon (':') as a delimiter. A typical
entry takes the form:
`` acl:1:/datastore:john@pbs:DatastoreBackup ``
The data represented in each field is as follows:
#. `` acl `` identifier
#. A `` 1 `` or `` 0 `` , representing whether propagation is enabled or disabled,
respectively
#. The object on which the permission is set. This can be a specific object
(single datastore, remote, etc.) or a top level object, which with
propagation enabled, represents all children of the object also.
2020-10-30 17:18:42 +03:00
#. The user(s)/token(s) for which the permission is set
2020-10-02 17:12:57 +03:00
#. The role being set
2020-10-30 17:18:42 +03:00
You can manage permissions via **Configuration -> Access Control ->
Permissions** in the web interface. Likewise, you can use the `` acl ``
subcommand to manage and monitor user permissions from the command line. For
example, the command below will add the user `` john@pbs `` as a
**DatastoreAdmin** for the datastore `` store1 `` , located at
`` /backup/disk1/store1 `` :
2020-10-02 17:12:57 +03:00
.. code-block :: console
2020-10-30 17:18:42 +03:00
# proxmox-backup-manager acl update /datastore/store1 DatastoreAdmin --auth-id john@pbs
2020-10-02 17:12:57 +03:00
2020-10-30 17:18:42 +03:00
You can list the ACLs of each user/token using the following command:
2020-10-02 17:12:57 +03:00
.. code-block :: console
# proxmox-backup-manager acl list
2020-11-10 15:33:20 +03:00
┌──────────┬───────────────────┬───────────┬────────────────┐
│ ugid │ path │ propagate │ roleid │
╞══════════╪═══════════════════╪═══════════╪════════════════╡
│ john@pbs │ /datastore/store1 │ 1 │ DatastoreAdmin │
└──────────┴───────────────────┴───────────┴────────────────┘
2020-10-02 17:12:57 +03:00
2021-10-11 14:11:43 +03:00
A single user/token can be assigned multiple permission sets for different
datastores.
2020-10-02 17:12:57 +03:00
.. Note ::
Naming convention is important here. For datastores on the host,
you must use the convention `` /datastore/{storename} `` . For example, to set
permissions for a datastore mounted at `` /mnt/backup/disk4/store2 `` , you would use
`` /datastore/store2 `` for the path. For remote stores, use the convention
`` /remote/{remote}/{storename} `` , where `` {remote} `` signifies the name of the
remote (see `Remote` below) and `` {storename} `` is the name of the datastore on
the remote.
2021-10-11 14:11:43 +03:00
API Token Permissions
2020-10-30 17:18:42 +03:00
~~~~~~~~~~~~~~~~~~~~~
2021-10-11 14:11:43 +03:00
API token permissions are calculated based on ACLs containing their ID,
independently of those of their corresponding user. The resulting permission set
2020-10-30 17:18:42 +03:00
on a given path is then intersected with that of the corresponding user.
In practice this means:
#. API tokens require their own ACL entries
#. API tokens can never do more than their corresponding user
2021-10-11 14:11:43 +03:00
Effective Permissions
2020-10-30 17:18:42 +03:00
~~~~~~~~~~~~~~~~~~~~~
2021-10-11 14:11:43 +03:00
To calculate and display the effective permission set of a user or API token,
2020-10-30 17:18:42 +03:00
you can use the `` proxmox-backup-manager user permission `` command:
.. code-block :: console
2020-10-02 17:12:57 +03:00
2020-11-10 15:33:20 +03:00
# proxmox-backup-manager user permissions john@pbs --path /datastore/store1
2020-10-30 17:18:42 +03:00
Privileges with (*) have the propagate flag set
2021-10-11 14:11:43 +03:00
2020-10-30 17:18:42 +03:00
Path: /datastore/store1
- Datastore.Audit (*)
- Datastore.Backup (*)
- Datastore.Modify (*)
- Datastore.Prune (*)
- Datastore.Read (*)
2020-11-10 15:33:20 +03:00
- Datastore.Verify (*)
2021-10-11 14:11:43 +03:00
2020-10-30 17:18:42 +03:00
# proxmox-backup-manager acl update /datastore/store1 DatastoreBackup --auth-id 'john@pbs!client1'
2020-11-10 15:33:20 +03:00
# proxmox-backup-manager user permissions 'john@pbs!client1' --path /datastore/store1
2020-10-30 17:18:42 +03:00
Privileges with (*) have the propagate flag set
2021-10-11 14:11:43 +03:00
2020-10-30 17:18:42 +03:00
Path: /datastore/store1
- Datastore.Backup (*)
2021-02-01 21:46:07 +03:00
.. _user_tfa:
2021-02-13 12:23:02 +03:00
2021-10-11 14:11:43 +03:00
Two-Factor Authentication
2021-02-01 21:46:07 +03:00
-------------------------
Introduction
~~~~~~~~~~~~
2021-03-04 17:02:27 +03:00
With simple authentication, only a password (single factor) is required to
successfully claim an identity (authenticate), for example, to be able to log in
as `root@pam` on a specific instance of Proxmox Backup Server. In this case, if
2021-10-11 14:11:43 +03:00
the password gets leaked or stolen, anybody can use it to log in - even if they
2021-03-04 17:02:27 +03:00
should not be allowed to do so.
With two-factor authentication (TFA), a user is asked for an additional factor
to verify their authenticity. Rather than relying on something only the user
knows (a password), this extra factor requires something only the user has, for
example, a piece of hardware (security key) or a secret saved on the user's
smartphone. This prevents a remote user from gaining unauthorized access to an
account, as even if they have the password, they will not have access to the
physical object (second factor).
2021-02-01 21:46:07 +03:00
2021-02-03 12:33:32 +03:00
.. image :: images/screenshots/pbs-gui-tfa-login.png
2022-11-28 19:15:42 +03:00
:target: _images/pbs-gui-tfa-login.png
2021-02-03 12:33:32 +03:00
:align: right
:alt: Add a new user
2021-02-01 21:46:07 +03:00
Available Second Factors
~~~~~~~~~~~~~~~~~~~~~~~~
2021-03-04 17:02:27 +03:00
You can set up multiple second factors, in order to avoid a situation in which
losing your smartphone or security key locks you out of your account
permanently.
2021-02-01 21:46:07 +03:00
2021-03-04 17:02:27 +03:00
Proxmox Backup Server supports three different two-factor authentication
methods:
2021-02-01 21:46:07 +03:00
* TOTP (`Time-based One-Time Password <https://en.wikipedia.org/wiki/Time-based_One-Time_Password> `_ ).
2021-03-04 17:02:27 +03:00
A short code derived from a shared secret and the current time, it changes
2021-02-01 21:46:07 +03:00
every 30 seconds.
* WebAuthn (`Web Authentication <https://en.wikipedia.org/wiki/WebAuthn> `_ ).
A general standard for authentication. It is implemented by various security
2021-03-04 17:02:27 +03:00
devices, like hardware keys or trusted platform modules (TPM) from a computer
2021-02-01 21:46:07 +03:00
or smart phone.
* Single use Recovery Keys. A list of keys which should either be printed out
2021-03-04 17:02:27 +03:00
and locked in a secure place or saved digitally in an electronic vault.
Each key can be used only once. These are perfect for ensuring that you are
not locked out, even if all of your other second factors are lost or corrupt.
2021-02-01 21:46:07 +03:00
Setup
~~~~~
.. _user_tfa_setup_totp:
2021-02-13 12:23:02 +03:00
2021-02-01 21:46:07 +03:00
TOTP
^^^^
2021-02-03 12:33:32 +03:00
.. image :: images/screenshots/pbs-gui-tfa-add-totp.png
2022-11-28 19:15:42 +03:00
:target: _images/pbs-gui-tfa-add-totp.png
2021-02-03 12:33:32 +03:00
:align: right
:alt: Add a new user
2021-03-04 17:02:27 +03:00
There is no server setup required. Simply install a TOTP app on your
2021-02-01 21:46:07 +03:00
smartphone (for example, `FreeOTP <https://freeotp.github.io/> `_ ) and use the
Proxmox Backup Server web-interface to add a TOTP factor.
.. _user_tfa_setup_webauthn:
2021-02-13 12:23:02 +03:00
2021-02-01 21:46:07 +03:00
WebAuthn
^^^^^^^^
2021-03-04 17:02:27 +03:00
For WebAuthn to work, you need to have two things:
2021-02-01 21:46:07 +03:00
2021-10-11 14:11:43 +03:00
* A trusted HTTPS certificate (for example, by using `Let's Encrypt
2021-05-03 12:33:40 +03:00
<https://pbs.proxmox.com/wiki/index.php/HTTPS_Certificate_Configuration>`_).
While it probably works with an untrusted certificate, some browsers may warn
or refuse WebAuthn operations if it is not trusted.
2021-02-01 21:46:07 +03:00
2023-05-08 14:16:05 +03:00
* Setup the WebAuthn configuration (see **Configuration -> Other** in
2021-10-11 14:11:43 +03:00
the Proxmox Backup Server web interface). This can be auto-filled in most
setups.
2021-02-01 21:46:07 +03:00
2021-03-04 17:02:27 +03:00
Once you have fulfilled both of these requirements, you can add a WebAuthn
2021-10-11 14:11:44 +03:00
configuration in the **Two Factor Authentication** tab of the **Access Control**
panel.
2021-02-01 21:46:07 +03:00
.. _user_tfa_setup_recovery_keys:
2021-02-13 12:23:02 +03:00
2021-02-01 21:46:07 +03:00
Recovery Keys
^^^^^^^^^^^^^
2021-02-03 12:33:32 +03:00
.. image :: images/screenshots/pbs-gui-tfa-add-recovery-keys.png
2022-11-28 19:15:42 +03:00
:target: _images/pbs-gui-tfa-add-recovery-keys.png
2021-02-03 12:33:32 +03:00
:align: right
:alt: Add a new user
2021-03-04 17:02:27 +03:00
Recovery key codes do not need any preparation; you can simply create a set of
2021-10-11 14:11:44 +03:00
recovery keys in the **Two Factor Authentication** tab of the **Access Control**
panel.
2021-02-01 21:46:07 +03:00
.. note :: There can only be one set of single-use recovery keys per user at any
time.
TFA and Automated Access
~~~~~~~~~~~~~~~~~~~~~~~~
2021-03-04 17:02:27 +03:00
Two-factor authentication is only implemented for the web-interface. You should
2021-02-01 21:46:07 +03:00
use :ref: `API Tokens <user_tokens>` for all other use cases, especially
2021-03-04 17:02:27 +03:00
non-interactive ones (for example, adding a Proxmox Backup Server to Proxmox VE
2021-02-01 21:46:07 +03:00
as a storage).
2023-02-09 16:31:22 +03:00
2023-06-26 21:07:39 +03:00
.. _user_tfa_lockout:
Limits and Lockout of Two-Factor Authentication
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A second factor is meant to protect users if their password is somehow leaked
or guessed. However, some factors could still be broken by brute force. For
this reason, users will be locked out after too many failed 2nd factor login
attempts.
For TOTP, 8 failed attempts will disable the user's TOTP factors. They are
unlocked when logging in with a recovery key. If TOTP was the only available
factor, admin intervention is required, and it is highly recommended to require
the user to change their password immediately.
Since FIDO2/Webauthn and recovery keys are less susceptible to brute force
attacks, the limit there is higher (100 tries), but all second factors are
blocked for an hour when exceeded.
An admin can unlock a user's Two-Factor Authentication at any time via the user
list view in the web UI, or using the command line:
.. code-block :: console
2023-06-27 15:14:27 +03:00
proxmox-backup-manager user tfa unlock joe@pbs
2023-06-26 21:07:39 +03:00
2023-02-09 16:31:22 +03:00
Authentication Realms
---------------------
.. _user_realms_ldap:
LDAP
~~~~
2023-02-13 17:24:21 +03:00
Proxmox Backup Server can utilize external LDAP servers for user authentication.
To achieve this, a realm of the type `` ldap `` has to be configured.
2023-02-09 16:31:22 +03:00
2023-02-13 17:24:21 +03:00
In LDAP, users are uniquely identified by their domain (`` dn `` ). For instance,
in the following LDIF dataset, the user `` user1 `` has the unique domain
`` uid=user1,ou=People,dc=ldap-test,dc=com `` :
2023-02-09 16:31:22 +03:00
.. code-block :: console
# user1 of People at ldap-test.com
dn: uid=user1,ou=People,dc=ldap-test,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: user1
cn: Test User 1
sn: Testers
description: This is the first test user.
2023-02-13 17:24:21 +03:00
In in similar manner, Proxmox Backup Server uses user identifiers (`` userid `` )
to uniquely identify users. Thus, it is necessary to establish a mapping
2023-03-28 15:12:25 +03:00
between a Proxmox Backup Server `` userid `` and an LDAP `` dn `` . This mapping is
established by the `` user-attr `` configuration parameter - it contains the name
of the LDAP attribute containing a valid Proxmox Backup Server user identifier.
2023-02-09 16:31:22 +03:00
2023-02-13 17:24:21 +03:00
For the example above, setting `` user-attr `` to `` uid `` will have the effect
that the user `` user1@<realm-name> `` will be mapped to the LDAP entity
2023-03-28 15:12:25 +03:00
`` uid=user1,ou=People,dc=ldap-test,dc=com `` . On user login, Proxmox Backup
Server will perform a `subtree search` under the configured Base Domain
(`` base-dn `` ) to query the user's `` dn `` . Once the `` dn `` is known, an LDAP
bind operation is performed to authenticate the user against the LDAP server.
2023-02-09 16:31:22 +03:00
2023-02-13 17:24:21 +03:00
As not all LDAP servers allow `anonymous` search operations, it is possible to
configure a bind domain (`` bind-dn `` ) and a bind password (`` password `` ).
2023-03-28 15:12:25 +03:00
If set, Proxmox Backup Server will bind to the LDAP server using these
credentials before performing any search operations.
2023-02-09 16:31:22 +03:00
A full list of all configuration parameters can be found at :ref: `domains.cfg` .
2023-02-13 17:24:21 +03:00
.. note :: In order to allow a particular user to authenticate using the LDAP
server, you must also add them as a user of that realm in Proxmox Backup
Server. This can be carried out automatically with syncing.
2023-02-09 16:31:22 +03:00
User Synchronization in LDAP realms
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
2023-02-13 17:24:21 +03:00
It is possible to automatically sync users for LDAP-based realms, rather than
having to add them to Proxmox VE manually. Synchronization options can be set
in the LDAP realm configuration dialog window in the GUI and via the
`` proxmox-backup-manager ldap create/update `` command.
User synchronization can started in the GUI at
Configuration > Access Control > Realms by selecting a realm and pressing the
`Sync` button. In the sync dialog, some of the default options set in the realm
configuration can be overridden. Alternatively, user synchronization can also
be started via the `` proxmox-backup-manager ldap sync `` command.