[PVE-User] API users

Mark Schouten mark at tuxis.nl
Wed Apr 24 13:26:26 CEST 2019


The goal would indeed be to be able to limit the less secured users to specific source addresses. At this moment, we managed to limit API-calls by looking for the X-requested-by header, combined with the API URL with an exclude for novnc, but the user is still able to log in to the web frontend.

API-users and API-client-addresses would be the best fix, if you ask me. But since the GUI just uses the API, I guess that is more difficult than you'd expect. :/

--

Mark Schouten <mark at tuxis.nl>

Tuxis, Ede, https://www.tuxis.nl

T: +31 318 200208 
 



----- Original Message -----


From: Thomas Lamprecht (t.lamprecht at proxmox.com)
Date: 24-04-2019 12:34
To: PVE User List (pve-user at pve.proxmox.com), Mark Schouten (mark at tuxis.nl), Dominik Csapak (d.csapak at proxmox.com)
Subject: Re: [PVE-User] API users


On 4/24/19 at 12:19 PM, Mark Schouten wrote:
>
> Hi,
>
> Sorry, that doesn't answer my question. I want users that have 2FA to be able to use the GUI, and I want to be able to disallow the GUI for certain users. I know that the GUI just uses the API as a backend.

That's not possible; what's your use case for this? If one has API access, he can do everything you can do through the WebUI anyway?

And even _if_ we would add some sort of "WebUI" lockout, the API user could just set up pve-manager's WebUI part to point at the API backend endpoint and use that one.
Or the user could just create their own GUI? So I think this is not really doable and does not fit at all with REST APIs... You just can't control the frontend there...

If you want to make internal API users more secure, you can choose a random, very big (e.g. 64 chars) password for them and be done; nobody will guess that and the user name in a realistic time with the 3-second block on wrong login?

What could _maybe_ make sense is to allow restricting logins from certain (sub)networks only, so that internal users are not exposed to less trusted networks...

>
> By 'do not allow access to /', do you mean for the user, or at an HTTP level? Because at the HTTP level, that would completely disable the GUI, which you obviously don't want. Or do you mean in the permissions for the user?
>
> Thanks,
>
> --
>
> Mark Schouten <mark at tuxis.nl>
>
> Tuxis, Ede, https://www.tuxis.nl
>
> T: +31 318 200208 
>  
>
>
>
> ----- Original Message -----
>
>
> From: Dominik Csapak (d.csapak at proxmox.com)
> Date: 24-04-2019 12:08
> To: PVE User List (pve-user at pve.proxmox.com), Mark Schouten (mark at tuxis.nl)
> Subject: Re: [PVE-User] API users
>
>
> On 4/24/19 11:54 AM, Mark Schouten wrote:
>>
>> Hi,
>>
>> we want all users to authenticate using 2FA, but we also want to use the API externally, and 2FA with the API is quite difficult.
>>
>> In the latest version, you can enable 2FA per user, but you cannot disable GUI access for e.g. API users. So an API user can just log in without 2FA. Is there a way to enable 2FA, and disable the GUI for users without 2FA? Perhaps by revoking a role permission?
>>
>
> Hi,
>
> The GUI and TFA are two independent things. The GUI uses the API in the
> same way as any external API client would use it (via AJAX calls).
> If you want to disable just the GUI, simply do not allow access to '/'
> via a reverse proxy or something similar.
>
> If you want to enforce TFA, you have to enable it on the realm; then it
> is enforced for all users of that realm.
>
> The per user TFA is to enable single users to enhance the security of
> their account, not to enforce using them.
>
> hope this answers your question
>
>
>
> _______________________________________________
> pve-user mailing list
> pve-user at pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
>
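The reverse-proxy approach Dominik describes (blocking '/' while leaving the API reachable), combined with Thomas's suggestion of restricting by source network, as an added example that is not part of this thread and is not Proxmox's own configuration. Assumed, constructed values: the PVE node listens on 10.0.0.1:8006, API clients live in 203.0.113.0/24, admins using the 2FA-protected web UI live in 198.51.100.0/24, and the hostname and certificate paths are placeholders.

```nginx
# Added example: nginx in front of a single Proxmox VE node. All addresses,
# hostnames and paths below are constructed placeholders for the example.
upstream pve_node {
    server 10.0.0.1:8006;
}

server {
    listen 443 ssl;
    server_name pve.example.com;                 # placeholder hostname
    ssl_certificate     /etc/nginx/tls/pve.crt;  # placeholder paths
    ssl_certificate_key /etc/nginx/tls/pve.key;

    # API endpoints: reachable from the API-client network, and from the admin
    # network too, because the web UI itself is just a client of /api2/.
    location /api2/ {
        allow 203.0.113.0/24;
        allow 198.51.100.0/24;
        deny  all;
        proxy_pass https://pve_node;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # console websockets (vncwebsocket) are also served under /api2/
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    # Everything else (the web UI at '/', its static files, /novnc/):
    # admin network only, so API-only clients cannot load the GUI here.
    location / {
        allow 198.51.100.0/24;
        deny  all;
        proxy_pass https://pve_node;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

This enforces a network boundary, not a per-user one: a client on the API network still holds full API rights and, as Thomas notes, could point any other frontend at /api2/, so pair it with realm-level TFA for the admin accounts and long random passwords for the API accounts.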
