[pbs-devel] [PATCH proxmox-backup] fix #6398: api: allow non-pam users to access shell

[Thomas Lamprecht]

Am 15.09.25 um 14:58 schrieb Shan Shaji:
> Right now PBS is not allowing users to access the shell if the user
> is not a pam user even though the `Sys.Console` permission is
> already given. To fix the issue removed the palm realm check.

This is a explicit and dedicated check, it might not be warranted,
but it might as well exist for a reason, so removing such explicit
limitations really need to argue about that in the commit message.

Here it would be probably enough to write that this is safe to do as
all users that are not root at pam will get a login shell anyway, so
they need to have some (PAM) login credentials available. This makes
sense to have as e.g. a host could be use a central authentication
system like LDAP/AD or OIDC as PBS realm and as PAM plugin. Or just
favor using a non-pam user by default for PBS but still provide
credentials to a administrative PAM user to their admins.

Another argument to make is referencing pve-manager's commit
7914f5e7b ("node console: allow usage for non-pam realms"), which
already implemented exactly this change for PVE (albeit also not
with spelling out actual arguments for doing so)