On 4/24/19 11:54 AM, Mark Schouten wrote:
Hi,
we want all users to authenticate using 2FA, but we also want to use the API
externally, and 2FA with the API is quite difficult.
In the latest version, you can enable 2FA per user, but you cannot disable GUI
access for e.g. API users. So a API user can just login without 2FA. Is there a
way to enable 2FA, and disable the GUI for users without 2FA? Perhaps by
revoking a rolepermission?
Hi,
The GUI and TFA are two independent things. The GUI uses the API in the
same way as any external api client would use it (via ajax calls).
If you want to disable just the gui, simply do not allow access to '/'
via a reverse proxy or something similar.
If you want to enforce TFA, you have to enable it on the realm, then it
is enforced for all users of that realm
The per user TFA is to enable single users to enhance the security of
their account, not to enforce using them.
hope this answers your question
_______________________________________________
pve-user mailing list
pve-user@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
