[pve-devel] Block password change for @pve users
Thomas Lamprecht
t.lamprecht at proxmox.com
Sat Feb 8 13:28:14 CET 2020
On 2/7/20 9:09 PM, Frederico F. Siena wrote:
> I created a group, user and role for the specific purpose of access in
> kiosk mode via spice using the script
> "/usr/share/doc/pve-manager/examples/spice-example-sh". It's working
> perfectly, but if a bad user intends to change the password set via the web
> GUI, he can. How can I block the password change of a @pve user?
> I looked at the format in /etc/pve/user.cfg and the pveum options, and
> found no way to block the password change.
A user can always change its own password, that's by design and cannot
be avoided.
Either:
* create a user for each kiosk, add them to the respective group for
permissions, this way the bad user can only change their password,
not affecting others
* use API tokens for access, those are really new, packages with support
for them are only in pvetest, and docs/user interface still need to be
finished. But, they would allow to generate one, or better, multiple
API tokens which cannot change the password of their underlying user.
hope that helps,
cheers, Thomas