By Edy, Tech Expert & Blogger
Introduction
Proxmox’s user management, especially its root user, is not just different from standard Linux systems; it’s significantly different. This unique approach is not a quirk but a key factor in ensuring a secure virtualization environment.
In this article, I’ll guide you through the complexities of Proxmox user management, focusing on the all-powerful root user. Understanding this system is vital for your server’s security. Unlike typical Linux setups, Proxmox handles users in ways that can catch even experienced admins off guard.
I’ll explain why Proxmox’s root user is unique, how it differs from what you might expect, and why these differences matter for your system’s safety. Whether you’re new to Proxmox or looking to tighten your server’s security, I’ve got you covered.
Are you prepared to uncover the secrets of Proxmox user management and enhance your system’s security? Let’s get started!

The Unique Nature of Proxmox’s Root User
When I first set up Proxmox, I was surprised that sudo wasn’t included by default. This isn’t an oversight—it’s a deliberate design choice that sets Proxmox apart from many Linux distributions.
Proxmox builds on Debian but is streamlined for virtualization. The developers excluded sudo to keep the system lean and focused. This means that all administrative tasks are intended to be performed directly by the root user.
The root user in Proxmox isn’t just powerful—it has unique responsibilities. While Proxmox VE users can manage virtual machines and configure storage through the web interface, root access is crucial for certain core system functions. Most notably, root is required for clustering operations, making it irreplaceable for advanced Proxmox setups.
You might wonder, “Can’t I just disable root for better security?” The short answer is no. Unlike standard Linux systems, where disabling root is often recommended, it’s not possible or advisable in Proxmox. Disabling root would break essential functionalities, especially in clustered environments, and could potentially lock you out of critical system management.
Understanding this unique approach to root access is crucial for managing your Proxmox server securely. In the following sections, I’ll show you how to work within this system while maintaining good security practices.
Enhancing Security: Installing Sudo in Proxmox
While Proxmox doesn’t come with sudo by default, I’ve found that installing it can add an extra layer of security and flexibility to your system. Here’s how I do it:
A step-by-step guide to installing Debian sudo:
First, I log in as root via SSH or the Proxmox shell

Then, I update the package lists
apt-get update
Next, I install sudo
apt-get install sudo
After installation, I verify sudo is working
sudo -v
It’s that simple! But before you start using sudo, it’s important to understand its implications in a Proxmox environment.
Potential implications of adding sudo to Proxmox:
- Enhanced security: With sudo, you can perform admin tasks without logging in as root.
- Better auditing: Sudo logs all commands, improving accountability.
- Granular control: You can limit which users can use sudo and for what commands.
- Potential conflicts: Some Proxmox-specific scripts might expect root access. Always test thoroughly after implementing sudo.
- Learning curve: Your team must adapt to using sudo for admin tasks.
- Maintenance consideration: You must manage the sudo configuration alongside Proxmox updates.
Remember, while sudo adds flexibility, it doesn’t entirely replace the need for root in Proxmox. In the next section, I’ll show you how to create a secure administrative user to make the most of sudo.
Creating a Secure Administrative User
Now that sudo is installed, let’s create a secure administrative user. I’ll guide you through the process step by step.
Creating a new Linux PAM user:
- Log in as root to the node shell.
- Then, I create a new user. Let’s call it ‘adminuser’:
adduser adminuser

Granting sudo privileges to the new user:
I add the user to the sudo group:
usermod -aG sudo adminuser
To verify, I check the user’s groups:
groups adminuser
I test the sudo access:
su - adminuser
sudo whoami
This should return “root”.

Remember, while this user now has sudo privileges, it doesn’t automatically have full access to all Proxmox functions. In the following section, I will discuss effectively balancing root and admin user access.
Next, we have to add the new “adminuser” to the Proxmox GUI.
Adding the user to Proxmox:
Via GUI:
- I log into the Proxmox web interface as root.
- Navigate to Datacenter > Permissions > Users.
- Click “Add” and fill in the details:
- User name: adminuser
- Realm: Linux PAM or Proxmox VE


Note: The choice between the Linux PAM and Proxmox VE realms has important implications for user access and management. We’ll explore these differences in depth in the “Proxmox-Specific Considerations” section later in this article. If you’re unsure, choose Linux PAM for now, as it allows access to both the shell and the Proxmox web interface.
Granting full admin permissions in Proxmox:
To give our new user the same permissions as the Proxmox root user, we need to assign the Administrator role:

- In the Proxmox web interface, I navigate to Datacenter > Permissions > Add > User Permission.
- In the Add Permission dialog:
- Path: /
- User: adminuser
- Role: Administrator
- Propagate: Yes
- I click Add to apply these permissions.

This grants ‘adminuser’ full administrative rights in the Proxmox web interface, similar to the root user. The user can now manage all aspects of Proxmox, including creating and managing VMs, storage, networking, and more.
Important: While this user now has full Proxmox administrative rights, remember that system-level tasks might still require the use of sudo or root access, depending on how you’ve set up the user (Linux PAM vs Proxmox VE).
One final, crucial point: While I’ve used ‘adminuser’ in this example for clarity, it’s not the most secure choice. From a security standpoint, it’s best to choose a username that’s not easily guessable. Avoid obvious choices like ‘admin’, ‘root2’, or anything related to your organization’s name.
In the next section, we’ll discuss how to balance using this new admin user with root access, ensuring both convenience and security.
Balancing Root and Admin User Access
Now that we’ve set up our new administrative user, it’s crucial to understand when to use it versus root access. This balance is key to maintaining security while ensuring smooth system operation.
When to use root vs. the new admin user (adminuser):
- I use the new admin user for the following:
- Daily management tasks in the Proxmox web interface
- Routine system updates (using sudo)
- Most configuration changes
- I reserve root access for:
- Initial system setup and major upgrades
- Troubleshooting severe system issues
- Tasks that explicitly require root (like some clustering operations)
Best practices for minimizing root usage:
- I always log in as the admin user first, using sudo when necessary.
- I set up SSH to disallow direct root login.
- I use the Proxmox web interface with the admin account for most tasks.
Limitations of the new admin user compared to root:
While our new admin user is powerful, it’s not identical to root:
- Some system-level operations still require root access.
- Specific Proxmox CLI commands may need to be run as root.
- In a cluster setup, certain operations can only be performed by the root user.
Securing SSH While Maintaining Access
Understanding SSH and shell access in Proxmox is important for balancing security and functionality. Here’s how I approach it:
Disabling root SSH access:
- I edit the SSH configuration file:
nano /etc/ssh/sshd_config
- I find or add the line
PermitRootLogin no
- I save the file and restart the SSH service:
systemctl restart sshd
This prevents direct root login via SSH, a standard security recommendation.
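A check worth running after this edit, shown as an added example that is not part of the original article: sshd uses the first value it obtains for a keyword, so a PermitRootLogin line in a file read earlier (for instance a drop-in pulled in by an Include line at the top of sshd_config) overrides the line added above. The function names, the drop-in name 50-vendor.conf and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# Prints the global PermitRootLogin value sshd would use, given config files
# in the order sshd reads them. Per sshd_config(5), the first obtained value
# of a keyword is used, so an earlier file can override a later edit.
effective_root_login() {
    awk '
        FNR == 1 { in_match = 0 }     # simplification: Match scope ends with its file
        {
            sub(/#.*/, "")            # drop comments
            gsub(/[="]/, " ")         # accept Key=value and quoted values
            if (NF == 0) next
            key = tolower($1)
            if (key == "match") { in_match = 1; next }
            if (key == "permitrootlogin" && !in_match && value == "")
                value = tolower($2)
        }
        END { print (value == "" ? "prohibit-password" : value) }  # OpenSSH default
    ' "$@"
}

# Succeeds only when the effective global setting is "no".
root_ssh_disabled() {
    [ "$(effective_root_login "$@")" = "no" ]
}

# Constructed sample files (not taken from a real host); prints their directory.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' 'PermitRootLogin yes' > "$dir/50-vendor.conf"
    printf '%s\n' \
        'Include /etc/ssh/sshd_config.d/*.conf' \
        '#PermitRootLogin prohibit-password' \
        'PermitRootLogin no' \
        'Match Address 10.0.0.0/8' \
        '    PermitRootLogin yes' > "$dir/sshd_config"
    echo "$dir"
}

d=$(make_samples)
echo "main file only:     $(effective_root_login "$d/sshd_config")"
echo "drop-in, then main: $(effective_root_login "$d/50-vendor.conf" "$d/sshd_config")"
rm -rf "$d"
```

On a live node, sshd -t validates the configuration before the restart, and sshd -T prints the settings sshd actually resolved, which is the authoritative answer.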
Alternate access methods: Even with root SSH disabled, I can still access the system as root when needed:
- Proxmox web shell: Available through the GUI, it provides root access to each node.
- SSH as ‘adminuser’, then use the following to switch to root:
su -
- Physical console: Direct access to the server, if available.
Benefits of this approach:
- Improved security by limiting exposed root access
- Maintained functionality for legitimate administrative needs
- Better audit trail of who accessed root and when
By understanding these distinctions, I can maintain a more secure system while still having the flexibility to perform all necessary tasks. Remember, the goal is to minimize root usage, not eliminate it.
Understanding Proxmox VE and Linux PAM realms
Proxmox uses two main authentication realms:
- Proxmox VE realm:
- Stores users directly in Proxmox
- Grants access only to the Proxmox web interface
- It doesn’t allow SSH or console login
- Linux PAM realm:
- Uses existing Linux system users
- Allows both Proxmox web interface and system-level access
- Enables SSH and console login
Choose Linux PAM for users needing both system and Proxmox access. Use Proxmox VE for users who only require web interface access.
Configuring Proxmox web interface permissions:
- Log into the Proxmox web interface as root
- Create a user (see above – adding a user to Proxmox)
- Navigate to Datacenter > Permissions > Add
- Set Path to /
- Select your new user
- Choose the Administrator role for full access
- Click Add to apply the permissions
Remember, depending on your setup, some system-level tasks might still require root access or sudo use.
Enhancing Proxmox Security with TOTP (Two-Factor Authentication)
Proxmox Virtual Environment (PVE) supports TOTP (Time-based One-Time Password), a form of two-factor authentication (2FA) that significantly boosts your system’s security. Here’s how to set it up:
Enabling TOTP for a user:
- Log into the Proxmox web interface.
- Click on your username in the top-right corner.
- Select “Two Factor” from the dropdown menu.
- Click “Add a TOTP login factor.”

In the TOTP setup window:
- The “User” field will show your username.
- Add a description (required) to identify this TOTP factor.
- A “Secret” is automatically generated, but you can randomize it if desired.
- The “Issuer Name” will show your Proxmox server’s name.
- Scan the QR code with a TOTP app like Google Authenticator.
- Enter the verification code from your TOTP app.
- Confirm your password.
- Click “Add” to enable TOTP for your account.

Realm-Wide 2FA Enforcement: While 2FA is set up per user, Proxmox allows enforcing it for all users within a specific authentication realm:
- Go to Datacenter > Realms.
- Select the realm you want to secure.
- Click Edit and set “TFA” to “OATH” in the dropdown.
In the image below I force 2FA for the default Proxmox VE realm.

Important Considerations:
- Ensure all users have set up 2FA before enabling it realm-wide to prevent lockouts.
- Realm-wide enforcement is an all-or-nothing approach.
- For most scenarios, encouraging per-user 2FA setup is more flexible and user-friendly.
By implementing two-factor authentication (2FA), either on a per-user basis or realm-wide, you significantly increase the security of your Proxmox environment. This helps protect against unauthorized access, even if passwords are compromised.
To further enhance your Proxmox security beyond root user management, explore my guide on ‘Boost Securing SSH: Two-Factor Auth for Linux/Proxmox‘ for implementing robust SSH protection.
Monitoring User Activity in Proxmox
Proxmox’s built-in monitoring tools primarily focus on system and VM operations rather than detailed user login/logout events.
You can check the Tasks and cluster log at the bottom for user activity. Unfortunately, Proxmox’s user activity logging is somewhat limited out of the box, and enhancing it may require additional setup or external tools.
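One way to add a per-user login view on top of the system log, shown as an added example that is not part of the original article. It assumes the API daemon logs web-interface logins as pvedaemon lines of the two shapes used in the sample below; the sample lines, host name and function names are constructed.

```shell
#!/bin/sh
# Added example, not from the original article.
# Summarises web-interface authentication events per user from syslog or
# journal text on stdin. The two pvedaemon line shapes matched here are an
# assumption about the log format; adjust the patterns to your own logs.
auth_summary() {
    awk '
        /pvedaemon\[[0-9]+\]: authentication failure;/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^user=/) { u = substr($i, 6); fail[u]++; seen[u] = 1 }
            next
        }
        /pvedaemon\[[0-9]+\]: .*successful auth for user/ {
            u = $NF
            gsub(/[^A-Za-z0-9@._-]/, "", u)    # strip the quotes around the user id
            ok[u]++; seen[u] = 1
        }
        END { for (u in seen) printf "%s fail=%d ok=%d\n", u, fail[u], ok[u] }
    ' | sort
}

# Users with at least $1 failed logins in the input.
failed_over() {
    auth_summary | awk -v n="$1" '{ split($2, a, "="); if (a[2] + 0 >= n + 0) print $1 }'
}

# Constructed sample log lines (not from a real node).
sample_log() {
    cat <<'EOF'
Apr 27 10:01:02 pve1 pvedaemon[1410]: authentication failure; rhost=::ffff:192.0.2.15 user=root@pam msg=Authentication failure
Apr 27 10:01:09 pve1 pvedaemon[1410]: authentication failure; rhost=::ffff:192.0.2.15 user=root@pam msg=Authentication failure
Apr 27 10:02:30 pve1 pvedaemon[1411]: <adminuser@pam> successful auth for user 'adminuser@pam'
Apr 27 10:03:00 pve1 sshd[2001]: Accepted publickey for adminuser from 192.0.2.20 port 50514 ssh2
EOF
}

sample_log | auth_summary
```

On a node, the same functions can read the daemon's journal, for example journalctl -u pvedaemon | auth_summary.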
Wrapping Up: Mastering Proxmox User Management
Throughout this journey into Proxmox user management, we’ve uncovered the unique aspects of the root user, explored creating secure administrative accounts, and delved into enhancing security with 2FA.
As you apply these insights to your Proxmox environment, keep security at the forefront. Review user permissions regularly, encourage 2FA use, and stay updated on Proxmox’s latest security features.
With these practices, you’ll maintain a robust and secure virtualization platform.
Happy Proxmox administrating!
I would love to get some feedback from you. Was this article helpful? Please share your opinion with me in the comment section below. Or, if you prefer a more personal touch, feel free to email me directly at info@edywerder.ch. Your thoughts and insights are always appreciated. Additionally, you can connect with me on Reddit at Navigatetech.
Before you go …
Before you go, if you’re managing a mixed environment or considering platform migrations, you might find this guide on Migrating from VMware to Proxmox particularly useful. It provides insights that complement the security measures you’ve just read about by offering a seamless transition strategy between these platforms.
Tech Expert & Blogger
Hi, I’m Edy. With over 30 years of experience in the IT industry, I’ve tackled numerous tech challenges.
As a solopreneur, I write articles to fill the gaps I notice in my work and online.
My mission? To provide clear, step-by-step tech guidance and improve the information you find on the web.