Proxmox 101: Authentication Realms

By default, Proxmox VE offers two types of authentication: Linux PAM standard authentication and Proxmox VE server authentication.

Linux PAM Standard Authentication

Linux PAM standard authentication uses the local users created on the host itself with adduser. A user created with Linux PAM has access to both the Proxmox VE server and the host itself. In a clustered Proxmox VE setup with many users, we may be unable to log in to another PVE host if it has a different Linux PAM user or password, because the account is tied to the machine itself.

To use this realm, we need two steps:

  1. Create the user on the PVE server host
  2. Create the user again in Proxmox VE so that the user can log in to the Proxmox VE WebUI
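
Because a Linux PAM account lives on each machine separately, a `user@pam` entry defined in Proxmox VE can be missing its local account on a given node. The following check is an added example, not part of the original post: it lists `@pam` users with no matching local account. It assumes the `user:<name>@<realm>:...` record layout of `/etc/pve/user.cfg`; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: report user@pam entries from a PVE user.cfg that have no
# matching local account in a passwd file on this node.
# Assumption: user.cfg records look like "user:<name>@<realm>:<enable>:...".
# Defaults point at the usual locations; pass other paths to test offline.

pam_users_missing() {
    user_cfg=${1:-/etc/pve/user.cfg}
    passwd_file=${2:-/etc/passwd}
    awk -F: -v pw="$passwd_file" '
        # passwd file: remember every local account name.
        FILENAME == pw { local_acct[$1] = 1; next }
        # user.cfg: keep only "user" records that belong to the pam realm.
        $1 == "user" && $2 ~ /@pam$/ {
            name = $2
            sub(/@pam$/, "", name)
            if (!(name in local_acct)) print $2
        }
    ' "$passwd_file" "$user_cfg"
}

demo_constructed() {
    tmp=$(mktemp -d)
    # Constructed sample data, not taken from a real host.
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
                  'alice:x:1000:1000::/home/alice:/bin/bash' > "$tmp/passwd"
    printf '%s\n' 'user:root@pam:1:0:::::' \
                  'user:alice@pam:1:0:::::' \
                  'user:bob@pam:1:0:::::' \
                  'user:carol@pve:1:0:::::' \
                  'group:admins:alice@pam,bob@pam::' > "$tmp/user.cfg"
    pam_users_missing "$tmp/user.cfg" "$tmp/passwd"
    rm -rf "$tmp"
}

demo_constructed
```

Run `pam_users_missing` with no arguments on each cluster node; any name it prints is defined in Proxmox VE but cannot authenticate through PAM on that node.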

Proxmox VE Server Authentication

Unlike Linux PAM, users created with Proxmox VE server authentication are used only within Proxmox VE and have no access to the host machine. PVE user passwords are stored hashed in the /etc/pve/priv/shadow.cfg file.

With PVE server authentication, we can move between the WebUIs of the PVE hosts in a cluster without changing accounts, because the accounts are synchronized to all hosts.

For both Linux PAM standard authentication and Proxmox VE server authentication, the only options we can configure are two-factor authentication for login and whether the realm is the default login realm.

Other Types of Authentication

Besides those two, Proxmox can also use other realms for authentication. According to the Proxmox VE documentation, there are 5 types of authentication:

  1. Linux PAM standard authentication
  2. Proxmox VE server authentication
  3. LDAP authentication
  4. Microsoft Active Directory
  5. OpenID Connect

We will cover the other authentication types and how to integrate them with Proxmox VE in upcoming articles. Stay tuned!

This post is licensed under CC BY 4.0 by the author.