[PVE-User] API users

Mark Schouten mark at tuxis.nl
Wed Apr 24 12:19:45 CEST 2019


Sorry, that doesn't answer my question. I want users that have 2FA to be able to use the GUI, and I want to be able to disallow the GUI for certain users. I know that the GUI just uses the API as a backend.

By 'do not allow access to /', do you mean for the user, or at a HTTP-level? Because at HTTP-level, that would completely disable the GUI, which you obviously don't want. Or do you mean in the permissions for the user?



Mark Schouten <mark at tuxis.nl>

Tuxis, Ede, https://www.tuxis.nl

T: +31 318 200208 

----- Originele bericht -----

Van: Dominik Csapak (d.csapak at proxmox.com)
Datum: 24-04-2019 12:08
Naar: PVE User List (pve-user at pve.proxmox.com), Mark Schouten (mark at tuxis.nl)
Onderwerp: Re: [PVE-User] API users

On 4/24/19 11:54 AM, Mark Schouten wrote:
> Hi,
> we want all users to authenticate using 2FA, but we also want to use the API externally, and 2FA with the API is quite difficult.
> In the latest version, you can enable 2FA per user, but you cannot disable GUI access for e.g. API users. So a API user can just login without 2FA. Is there a way to enable 2FA, and disable the GUI for users without 2FA? Perhaps by revoking a rolepermission?


The GUI and TFA are two independent things. The GUI uses the API in the
same way as any external api client would use it (via ajax calls).
If you want to disable just the gui, simply do not allow access to '/'
via a reverse proxy or something similar.

If you want to enforce TFA, you have to enable it on the realm, then it
is enforced for all users of that realm

The per user TFA is to enable single users to enhance the security of
their account, not to enforce using them.

hope this answers your question

More information about the pve-user mailing list