[PVE-User] API users
Dominik Csapak
d.csapak at proxmox.com
Wed Apr 24 12:08:09 CEST 2019
On 4/24/19 11:54 AM, Mark Schouten wrote:
>
> Hi,
>
> We want all users to authenticate using 2FA, but we also want to use the API externally, and 2FA with the API is quite difficult.
>
> In the latest version, you can enable 2FA per user, but you cannot disable GUI access for e.g. API users. So an API user can just log in without 2FA. Is there a way to enable 2FA, and disable the GUI for users without 2FA? Perhaps by revoking a role permission?
>
Hi,

The GUI and TFA are two independent things. The GUI uses the API in the
same way as any external API client would use it (via AJAX calls).

If you want to disable just the GUI, simply do not allow access to '/'
via a reverse proxy or something similar.

If you want to enforce TFA, you have to enable it on the realm; then it
is enforced for all users of that realm.

The per-user TFA is to enable single users to enhance the security of
their account, not to enforce using them.

Hope this answers your question.
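
A reverse-proxy configuration along the lines suggested in the reply above, as an added example that is not part of the original message or Proxmox's own configuration. It goes one step further than blocking '/' alone by refusing everything outside the /api2/ tree; the hostname, certificate paths and the upstream address 127.0.0.1:8006 are assumptions.

```nginx
# Added example. pve.example.com, the certificate paths and the upstream
# address are placeholders; 8006 is assumed to be the port pveproxy listens on.
server {
    listen 443 ssl;
    server_name pve.example.com;

    ssl_certificate     /etc/nginx/tls/pve.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/pve.example.com.key;

    # External API clients: only the REST API tree is forwarded.
    # The longer prefix /api2/ wins over the catch-all "location /" below.
    location /api2/ {
        proxy_pass https://127.0.0.1:8006;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    # The GUI entry point at '/' and every other path (static assets
    # included) are refused, so the web interface cannot be loaded
    # through this listener.
    location / {
        return 403;
    }
}
```

This only hides the GUI for clients that must come through the proxy, so direct access to the upstream port has to be firewalled off. It does not enforce TFA: as the reply says, that is a realm setting and is independent of the GUI.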