[PVE-User] API users

Dominik Csapak d.csapak at proxmox.com
Wed Apr 24 12:08:09 CEST 2019

On 4/24/19 11:54 AM, Mark Schouten wrote:
> Hi,
> we want all users to authenticate using 2FA, but we also want to use the API externally, and 2FA with the API is quite difficult.
> In the latest version, you can enable 2FA per user, but you cannot disable GUI access for e.g. API users. So an API user can just log in without 2FA. Is there a way to enable 2FA, and disable the GUI for users without 2FA? Perhaps by revoking a role permission?


The GUI and TFA are two independent things. The GUI uses the API in the
same way as any external API client would use it (via AJAX calls).
If you want to disable just the GUI, simply do not allow access to '/'
via a reverse proxy or something similar.

If you want to enforce TFA, you have to enable it on the realm; then it
is enforced for all users of that realm.

The per-user TFA is to enable single users to enhance the security of
their account, not to enforce using it.

Hope this answers your question.
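
The reverse-proxy approach described in the reply, sketched as an added example (not part of the original message and not Proxmox's own configuration). It assumes nginx as the proxy, the API reachable under `/api2/` on pveproxy at `127.0.0.1:8006`, and a placeholder hostname and certificate paths.

```nginx
# Constructed example: hostname, certificate paths and upstream address
# are placeholders / assumptions, not values from the original post.
server {
    listen 443 ssl;
    server_name pve-api.example.com;

    ssl_certificate     /etc/nginx/tls/pve-api.crt;
    ssl_certificate_key /etc/nginx/tls/pve-api.key;

    # API requests are passed through to pveproxy unchanged.
    location /api2/ {
        proxy_pass https://127.0.0.1:8006;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    # Everything else, including '/', which serves the web interface,
    # is refused at the proxy.
    location / {
        return 403;
    }
}
```

This only hides the web interface for clients that come through the proxy: port 8006 itself has to be firewalled from those clients, and whether TFA is required is still decided by the realm setting.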
