🔒 Introduction: Why do you need 2FA?

Proxmox VE is core infrastructure that manages virtualized environments. If you rely on password-only authentication, a single leaked password exposes the entire system. Two-factor authentication (2FA) strengthens security by combining 🔑 something you know (password) with ✨ something you have (authenticator app). This guide explains step by step how to set it up with the Time-Based One-Time Password (TOTP) method.

---

### ⚙️ Prerequisites

1. Proxmox VE 7.x or higher
2. Root or sudo account
3. Google Authenticator or Microsoft Authenticator installed on your smartphone
4. Internet connection (required to download the package)

---

### 📦 Step 1: Install required packages

Install the `libpam-google-authenticator` package for TOTP authentication:

```bash
# Update packages
apt update && apt upgrade -y

# Install TOTP package
apt install libpam-google-authenticator -y
```

✅ Verification: confirm that the `common-auth` file exists with `ls /etc/pam.d/`.

---

### ⚙️ Step 2: Change PAM configuration

Enable the authentication module:

1. Edit the `/etc/pam.d/common-auth` file:

   ```bash
   nano /etc/pam.d/common-auth
   ```

2. Add the following line at the very top of the file:

   ```conf
   auth required pam_google_authenticator.so nullok
   ```

👉 `nullok`: allows users who have not set up 2FA yet to log in (recommended to remove once all users have been set up)
👉 `no_increment_hotp`: prevents OTP reuse
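The PAM edit above is a one-line change, but on a host with several administrators it is easy to add the line twice, or to drop `nullok` (see the security tips at the end) while someone is still unenrolled. The helpers below are an added example, not part of the original post or of the pam_google_authenticator project: they insert the module line only if it is absent, tell you which home directories still lack a `.google_authenticator` file, and strip `nullok` from the module line alone. The function names and the scratch paths are this example's own assumptions; point them at the real `/etc/pam.d/common-auth` and `/home` only once you have watched them run on a copy.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent helpers for the PAM
# step above and for the later tip about removing `nullok`. Every function
# takes the file or directory to operate on as an argument, so you can run
# it against a scratch copy first; the paths and function names are this
# example's own choices, not Proxmox or pam_google_authenticator conventions.

MODULE='pam_google_authenticator.so'
PAM_LINE="auth required $MODULE nullok"

# ensure_totp_line FILE: prepend the module line unless FILE already
# references the module (running it twice must not add a second line).
ensure_totp_line() {
    f=$1
    if grep -qF "$MODULE" "$f"; then
        echo "already present: $f"
        return 0
    fi
    tmp=$(mktemp)
    { printf '%s\n' "$PAM_LINE"; cat "$f"; } > "$tmp"
    cat "$tmp" > "$f"      # write through the existing inode, keeping mode/owner
    rm -f "$tmp"
    echo "inserted: $f"
}

# has_nullok FILE: succeed if the module line still carries nullok.
has_nullok() {
    grep -q "^auth.*$MODULE.*nullok" "$1"
}

# drop_nullok FILE: strip nullok from the module line only (the pam_unix.so
# line may legitimately carry its own nullok and is left alone).
drop_nullok() {
    f=$1
    tmp=$(mktemp)
    sed -e "/$MODULE/ s/[[:space:]]nullok//" "$f" > "$tmp"
    cat "$tmp" > "$f"
    rm -f "$tmp"
}

# users_without_totp HOMEROOT: list home directories under HOMEROOT that have
# no .google_authenticator (the file google-authenticator writes); fail if
# any are missing. Note that root's home is /root, not under /home.
users_without_totp() {
    root=$1
    missing=0
    for d in "$root"/*/; do
        [ -d "$d" ] || continue
        if [ ! -f "$d/.google_authenticator" ]; then
            echo "no TOTP secret: $(basename "$d")"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Demonstration on constructed scratch data (nothing under /etc is touched).
demo=$(mktemp -d)
printf '%s\n' \
    '# constructed copy of /etc/pam.d/common-auth' \
    'auth [success=1 default=ignore] pam_unix.so nullok' \
    'auth requisite pam_deny.so' > "$demo/common-auth"
ensure_totp_line "$demo/common-auth"
ensure_totp_line "$demo/common-auth"          # second run is a no-op
mkdir -p "$demo/home/alice" "$demo/home/bob"
: > "$demo/home/alice/.google_authenticator"  # alice enrolled, bob not yet
if users_without_totp "$demo/home"; then
    drop_nullok "$demo/common-auth"
else
    echo "keeping nullok until every user is enrolled"
fi
head -n 1 "$demo/common-auth"
rm -rf "$demo"
```

The pattern to keep from this is the ordering: enrol every account, let `users_without_totp` come back clean, and only then run `drop_nullok`. Removing `nullok` first locks out whoever has not yet run `google-authenticator`.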
### 🌐 Step 3: Configure Proxmox Web Interface

1. Go to `Data Center` > `Options` > `Authentication`
2. Select the domain and click `Edit`
3. Change the authentication domain to `Linux PAM Standard` (from the existing `Proxmox VE Auth Server`)

---

### 👤 Step 4: Enable 2FA per User

Example for the root account:

1. Start the configuration in a terminal:

   ```bash
   google-authenticator
   ```
2. Answer the prompts:
   - Time-based authentication: `y`
   - Generate QR code: `y`
   - Save one-time backup codes: `y` (keep them in a safe place!)
   - Allow a 30-second window: `n` (`n` is recommended for added security)
   - Force OTP on login: `y`
3. Scan the QR code with the authenticator app 📱 In Google Authenticator, select "+" > "Scan QR code"

---

### 🔍 Step 5: Test login

1. Log out of the Proxmox web interface and reconnect
2. On the login screen, check the `Add 2-step` field:

   ```
   Username: root
   Password: ********
   OTP code: 123456   <-- Enter the 6-digit number from your authenticator app
   ```

---

### ⚠️ Notes & Troubleshooting

#### ❗ Backup codes must be saved (shown in plaintext)

```
############ Backup code ############
5fh3 9x2k 7tqb yw8p
... (10 in total)
##################################
```

👉 These are the only way to recover access if the authenticator app is lost → store them offline!

#### 🔧 In case of an error

- OTP mismatch: check server time synchronization (`timedatectl status`)
- PAM error: check `/var/log/auth.log`
- Web access unavailable: run `pveproxy restart`
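An "OTP mismatch" almost always comes down to one of two things: the server clock is off by a step or more (the 30-second window you declined in Step 4 would otherwise hide small drift), or the secret on the phone is not the one in `~/.google_authenticator`. The script below is an added example, not code from the original post or from the google-authenticator project: it computes RFC 6238 TOTP codes with nothing but `openssl`, `coreutils` and a POSIX shell, so you can compare what the server thinks the current, previous and next code should be against what the phone shows. The function names are this example's own; the demonstration secret is the RFC 6238 test key (ASCII `12345678901234567890`), which is published test data, not a real secret.

```shell
#!/bin/sh
# Added example, not from the original post: a shell TOTP (RFC 6238) calculator
# for diagnosing the "OTP mismatch" case. It needs only openssl and coreutils.
# The secret is taken as hex; b32_to_hex converts the base32 form that
# ~/.google_authenticator stores on its first line.

# counter_bytes N: write N as an 8-byte big-endian integer to stdout.
counter_bytes() {
    c=$1; i=0
    while [ "$i" -lt 8 ]; do
        b=$(( (c >> ((7 - i) * 8)) & 255 ))
        printf "\\$(printf '%03o' "$b")"
        i=$((i + 1))
    done
}

# hotp HEXKEY COUNTER DIGITS: HMAC-SHA1 over the counter, dynamic truncation
# (RFC 4226 section 5.3), then the low DIGITS decimal digits, zero padded.
hotp() {
    mac=$(counter_bytes "$2" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$1" | sed 's/.*= *//')
    off=$(( 0x$(printf '%s' "$mac" | cut -c40) * 2 + 1 ))   # low nibble of last byte, as a 1-based hex index
    dbc=$(( 0x$(printf '%s' "$mac" | cut -c"$off-$((off + 7))") & 0x7fffffff ))
    mod=1; i=0
    while [ "$i" -lt "$3" ]; do mod=$((mod * 10)); i=$((i + 1)); done
    printf "%0${3}d\n" $((dbc % mod))
}

# totp HEXKEY UNIXTIME [DIGITS] [STEP]: Google Authenticator uses 6 digits, 30 s.
totp() {
    hotp "$1" $(( $2 / ${4:-30} )) "${3:-6}"
}

# totp_window HEXKEY UNIXTIME: codes for the previous, current and next 30 s step.
# If the phone shows the previous or next code, the server clock is off by about
# one step (fix time sync); if it shows none of them, the secrets differ.
totp_window() {
    c=$(( $2 / 30 ))
    printf '%s %s %s\n' "$(hotp "$1" $((c - 1)) 6)" "$(hotp "$1" "$c" 6)" "$(hotp "$1" $((c + 1)) 6)"
}

# b32_to_hex BASE32: decode an unpadded base32 secret (coreutils base32) to hex.
b32_to_hex() {
    s=$1
    while [ $(( ${#s} % 8 )) -ne 0 ]; do s="$s="; done
    printf '%s' "$s" | base32 -d | od -An -tx1 | tr -d ' \n'
}

# Demonstration on the RFC 6238 test secret (ASCII "12345678901234567890"):
# constructed, published test data, not a real secret.
KEY=$(b32_to_hex GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ)
echo "code now:                $(totp "$KEY" "$(date +%s)")"
echo "prev / now / next:       $(totp_window "$KEY" "$(date +%s)")"
echo "RFC 6238 T=59, 8 digits: $(totp "$KEY" 59 8)"   # expect 94287082
```

To use it on a real account, pass the first line of that user's `~/.google_authenticator` to `b32_to_hex` on the server itself, compare `totp_window` against the phone, and treat the secret as you would a password (run it as root, do not paste it into a ticket). A match on the previous or next code confirms drift and points you at `timedatectl status`; no match at all means re-enrolling with a fresh QR code.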
#### 🛡️ Security enhancement tips

1. Remove `nullok`: delete `nullok` from `/etc/pam.d/common-auth` after setting up 2FA for all users
2. Backup accounts: keep one administrator account without 2FA (for emergencies)
3. Regular renewal: issue a new QR code every quarter

---

### 💎 Conclusion: Effect of applying 2FA

| Security threat | Risk without 2FA | Risk with 2FA |
|---|---|---|
| Password leak | ⚠️ Critical | ✅ Neutralized |
| Brute force attack | ⚠️ High | 🔒 Almost impossible |
| Insider illegal access | ⚠️ Possible | 🔒 Difficult |

> 🔥 One-liner: Reduce hacking risk by 90% in 10 minutes of setup!
> Implement 2FA right now and secure your Proxmox server.