[PVE-User] API users

Thomas Lamprecht t.lamprecht at proxmox.com
Wed Apr 24 13:37:59 CEST 2019


On 4/24/19 at 1:26 PM, Mark Schouten wrote:
> 
> The goal would indeed be to be able to limit the less secured users to specific source addresses. At this moment, we managed to limit API-calls by looking for the X-requested-by header, combined with the API URL with an exclude for novnc, but the user is still able to login to the web frontend.
> 
> API-users and API-client-addresses would be the best fix, if you ask me.

This sounds legitimate and would be the easiest solution for this providing a
"real" fix, and at the moment I cannot think about an easy workaround achieving
something like this? Could you please open an "enhancement" request at:
https://bugzilla.proxmox.com/ it probably won't be seen as too high priority,
but it shouldn't be too hard either, once one really thinks about what makes sense.
(black/whitelist? per realm or per user, ...?)

cheers,
Thomas

> But since the GUI just uses the API, I guess that is more difficult than you'd expect. :/
> 
> --
> 
> Mark Schouten <mark at tuxis.nl>
> 
> Tuxis, Ede, https://www.tuxis.nl
> 
> T: +31 318 200208 
>  
> 
> 
> 
> ----- Original Message -----
> 
> 
> From: Thomas Lamprecht (t.lamprecht at proxmox.com)
> Date: 24-04-2019 12:34
> To: PVE User List (pve-user at pve.proxmox.com), Mark Schouten (mark at tuxis.nl), Dominik Csapak (d.csapak at proxmox.com)
> Subject: Re: [PVE-User] API users
> 
> 
> On 4/24/19 at 12:19 PM, Mark Schouten wrote:
>>
>> Hi,
>>
>> Sorry, that doesn't answer my question. I want users that have 2FA to be able to use the GUI, and I want to be able to disallow the GUI for certain users. I know that the GUI just uses the API as a backend.
> 
> That's not possible, what's your use case for this? If one has API access he can do everything you can do through WebUI anyway?
> 
> And even _if_ we would add some sort of "WebUI" lockout, the API user could just set up pve-manager's WebUI part to point at the API backend endpoint and use that one.
> Or the user could just create their own GUI? So I think this is not really doable and does not fit at all with REST APIs... You just can't control the frontend there...
> 
> If you want to make internal API users more secure you can choose a random, very big (e.g. 64 chars) password for them and be done, nobody will guess that and the user name in a realistic time with the 3-second block on wrong login?
> 
> What could _maybe_ make sense is to allow to restrict logins from certain (sub)networks only, so that internal users are not exposed to less trusted networks...
> 
>>
>> By 'do not allow access to /', do you mean for the user, or at an HTTP level? Because at HTTP level, that would completely disable the GUI, which you obviously don't want. Or do you mean in the permissions for the user?
>>
>> Thanks,
>>
>> --
>>
>> Mark Schouten <mark at tuxis.nl>
>>
>> Tuxis, Ede, https://www.tuxis.nl
>>
>> T: +31 318 200208 
>>  
>>
>>
>>
>> ----- Original Message -----
>>
>>
>> From: Dominik Csapak (d.csapak at proxmox.com)
>> Date: 24-04-2019 12:08
>> To: PVE User List (pve-user at pve.proxmox.com), Mark Schouten (mark at tuxis.nl)
>> Subject: Re: [PVE-User] API users
>>
>>
>> On 4/24/19 11:54 AM, Mark Schouten wrote:
>>>
>>> Hi,
>>>
>>> we want all users to authenticate using 2FA, but we also want to use the API externally, and 2FA with the API is quite difficult.
>>>
>>> In the latest version, you can enable 2FA per user, but you cannot disable GUI access for e.g. API users. So an API user can just login without 2FA. Is there a way to enable 2FA, and disable the GUI for users without 2FA? Perhaps by revoking a role permission?
>>>
>>
>> Hi,
>>
>> The GUI and TFA are two independent things. The GUI uses the API in the
>> same way as any external api client would use it (via ajax calls).
>> If you want to disable just the gui, simply do not allow access to '/'
>> via a reverse proxy or something similar.
>>
>> If you want to enforce TFA, you have to enable it on the realm, then it
>> is enforced for all users of that realm.
>>
>> The per user TFA is to enable single users to enhance the security of
>> their account, not to enforce using them.
>>
>> Hope this answers your question.
>>
>>
>>
>> _______________________________________________
>> pve-user mailing list
>> pve-user at pve.proxmox.com
>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
>>
> 
> 
> 
> 
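As an added example that is not part of the thread and not Proxmox's own configuration, here is what Dominik's "do not allow access to '/' via a reverse proxy" and Thomas's "restrict logins to certain (sub)networks" look like when done in front of a node with nginx. It assumes pveproxy listens on 127.0.0.1:8006 on the proxy host, that the web front-end and its static files are served under "/" (including "/pve2/" and "/novnc/") and the REST API under "/api2/", and that port 8006 itself is firewalled so the proxy cannot be bypassed. All addresses, host names and certificate paths are placeholders.

```nginx
# Added example (not from the thread, not a Proxmox-provided config).
# Assumptions: pveproxy on 127.0.0.1:8006, GUI under "/", API under "/api2/",
# direct access to :8006 blocked by a host firewall. Addresses are placeholders.

# Standard websocket handling (noVNC / xterm.js consoles go through
# /api2/json/.../vncwebsocket, so the API location needs Upgrade support).
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl;
    server_name pve.example.com;                         # placeholder
    ssl_certificate     /etc/ssl/certs/pve-proxy.pem;    # placeholder
    ssl_certificate_key /etc/ssl/private/pve-proxy.key;  # placeholder

    # Upstream settings shared by both locations; pveproxy speaks HTTPS
    # with its own certificate, which nginx does not verify by default.
    proxy_http_version 1.1;
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade           $http_upgrade;
    proxy_set_header Connection        $connection_upgrade;
    proxy_read_timeout 3600s;   # keep long-running console websockets open

    # REST API: reachable from the office (humans with TFA) and from the
    # automation network where the API-only users live.
    location /api2/ {
        allow 198.51.100.0/24;   # placeholder: office network
        allow 192.0.2.0/24;      # placeholder: automation / API clients
        deny  all;
        proxy_pass https://127.0.0.1:8006;
    }

    # Everything else is the web front-end (index page, ExtJS assets, noVNC
    # client): office only. Automation hosts get 403 here even though their
    # API credentials are valid.
    location / {
        allow 198.51.100.0/24;   # placeholder: office network
        deny  all;
        proxy_pass https://127.0.0.1:8006;
    }
}
```

Two caveats follow directly from the discussion above. First, the proxy can only distinguish by path and source address, not by user: an API user sitting in the office range can still open the GUI, and, as Thomas notes, an API user anywhere can run their own front-end against "/api2/", so this is a containment measure, not a per-user lockout. Second, the GUI's static files and the API share one origin, so a reverse proxy is only as strong as the firewall rule that keeps clients from reaching pveproxy on 8006 directly.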




