[pve-devel] [PATCH docs 5/5] user management: clarify that password changes for PAM realm only apply to local node

Fiona Ebner f.ebner at proxmox.com
Wed Dec 4 12:37:08 CET 2024


Reported in the community forum:
https://forum.proxmox.com/threads/158518/

Signed-off-by: Fiona Ebner <f.ebner at proxmox.com>
---
 pveum.adoc | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/pveum.adoc b/pveum.adoc
index 81565ab..b8303e8 100644
--- a/pveum.adoc
+++ b/pveum.adoc
@@ -170,8 +170,14 @@ Linux PAM Standard Authentication
 
 As Linux PAM corresponds to host system users, a system user must exist on each
 node which the user is allowed to log in on. The user authenticates with their
-usual system password. This realm is added by default and can't be removed. In
-terms of configurability, an administrator can choose to require two-factor
+usual system password. This realm is added by default and can't be removed.
+
+Password changes via the GUI or, equivalently, the `/access/password` API
+endpoint only apply to the local node and not cluster-wide. Even though {pve}
+has a multi-master design, using different passwords for different nodes can
+still offer a security benefit.
+
+In terms of configurability, an administrator can choose to require two-factor
 authentication with logins from the realm and to set the realm as the default
 authentication realm.
 
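Review bot: In the added paragraph, "only apply to the local node" does not say which node counts as local for someone using the GUI or calling `/access/password`. Consider naming it explicitly (for instance, the node that handles the request, if that is what is meant), and add a sentence saying that the change has to be repeated on every other node where the system user exists. The second added sentence, "can still offer a security benefit", asserts a benefit without naming it; either state it (for example, that a password learned for one node does not allow a PAM login on the others) or drop the sentence.
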
-- 
2.39.5




