Proxmox hardening - 2FA
Two-factor authentication / authentication for Proxmox
Two-factor authentication (2FA) adds an additional layer of security by requiring users to provide a second factor of authentication in addition to their password. This can be a temporary code generated on a mobile device or a hardware token. Even if an attacker knows the password, they cannot gain access without the second factor. This effectively protects against many types of attacks, especially those where credentials have been compromised.
Preparation and requirements:
- Make sure you have a 2FA-compatible authenticator app, such as 1Password, Google Authenticator, Authy or similar.
- Also make sure the Proxmox environment is up to date.
Enable two-factor authentication in Proxmox:
- Log in to the Proxmox web interface as an administrator.
- Go to Datacenter -> Permissions -> Realms.
- Select the Authentication Realm you want to use (pve by default).
- Click Edit and enable two-factor authentication by selecting the appropriate 2FA mode (e.g. TOTP).
Force users to use 2FA:
- Go to Datacenter -> Users.
- Select the user for whom 2FA should be enabled.
- Edit the user and enable the 2FA option.
Configure 2FA for the user:
- The user must now log in again and will be asked to set up two-factor authentication.
- The user opens the 2FA app (e.g. Google Authenticator) on their mobile device.
- The user scans the QR code displayed by the Proxmox VE interface or manually enters the key provided.
- The 2FA app now generates regularly changing one-time codes that must be used to log in.
Testing 2FA integration:
- Log out and then log back in to the Proxmox VE web interface.
- After entering your username and password, enter the code generated by the 2FA app when prompted.
Provide backup codes:
- Some 2FA systems allow the creation of backup codes that can be used if the user loses access to their 2FA device. It is good practice to keep these backup codes safe.
Best Practices:
- Regular review and renewal: Users should be regularly prompted to review their 2FA settings and renew them as necessary to ensure they remain secure.
- Emergency procedures: Develop an emergency procedure in the event that a user loses access to their 2FA device. This could include identity verification by the administrator and temporarily disabling 2FA.
- User training: Train all users on how to set up and use 2FA to ensure they understand the process and perform it correctly.
After activating and correctly configuring two-factor authentication in Proxmox, an additional protection mechanism is introduced that significantly increases the security of the login processes. Even if attackers gain access to user credentials, they cannot gain access to the system without the second factor. This significantly minimizes the risk of successful unauthorized access.