The Idiot adds Two Factor Authentication to Proxmox

Let’s get some simple 2FA running on a single Proxmox instance.  Because why not?

This guide assumes you already have a user account created in the PVE realm.  I recommend creating a new admin account/group and adding the necessary permissions.  For more information on that, refer to this link.

    1. Open a Shell within Proxmox. 
    2. Ensure your time in Proxmox is accurate with the date command (if your time is off by more than 30 seconds, time-based codes fail).
    3. Generate an OATH key with the oathkeygen command.
    4. Copy the generated 16 character code and close out the Console.
    5. In the Datacenter View, Open the “Users” tab under Permissions.
    6. Select the user you wish to add Two-Factor Authentication to and select “Edit”.
    7. Paste the code in the KeyIDs section (Ensure no spaces snuck into the paste) and click “OK”.
    8. Select “Authentication” under Permissions.
    9. Select “pve” and select “Edit”.
    10. Set TFA to “OATH” and click “OK”.
    11. Take that same code and add it to your authenticator (in my case, Google Authenticator).  The account name can be whatever you wish, but the Key must match the code generated earlier.  Keep the “Time based” option unchanged.  Click Add.
    12. Log out of Proxmox.
    13. When you attempt to log in using your new account (don’t forget the realm if you typically use PAM), an OTP field is present.  Enter the code generated by your Authenticator there.
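
Before logging out in step 12, it is worth confirming that the host's clock and key produce the same code your authenticator shows, so a bad paste or clock drift does not lock the account out. The script below is an added example, not part of the original guide or of Proxmox: it computes the standard RFC 6238 code from the key, assuming the 30-second step, 6 digits and HMAC-SHA1 that Google Authenticator uses; the function names and the `window` parameter are made up for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time
from getpass import getpass

STEP = 30    # seconds per code (assumed default)
DIGITS = 6   # code length (assumed default)

def clean_key(key: str) -> str:
    """Remove whitespace that snuck into a paste; reject non-base32 input."""
    k = "".join(key.split()).upper()
    base64.b32decode(k)  # raises binascii.Error on bad characters or length
    return k

def totp(key: str, at: float) -> str:
    """RFC 6238 code (HMAC-SHA1) for the base32 key at Unix time `at`."""
    secret = base64.b32decode(clean_key(key))
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def accepts(key: str, code: str, server_time: float, window: int = 0) -> bool:
    """True if `code` matches the server's step, or one within `window` steps."""
    return any(
        hmac.compare_digest(totp(key, server_time + i * STEP), code.strip())
        for i in range(-window, window + 1)
    )

if __name__ == "__main__":
    key = getpass("OATH key (not echoed): ")     # keeps the secret out of shell history
    now = time.time()
    print("key length after cleanup:", len(clean_key(key)))
    print("code this host expects now:", totp(key, now))
    print("seconds left in this step:", STEP - int(now) % STEP)
```

If the printed code differs from the one in the authenticator during the same 30-second step, recheck the pasted key and the host's time before logging out.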
