all lists on lists.proxmox.com
 help / color / mirror / Atom feed
* [PATCH datacenter-manager v2] fix: api: allow non-pam users to access shell
@ 2026-06-23 12:03 Shan Shaji
  2026-07-15 17:47 ` applied: " Thomas Lamprecht
  0 siblings, 1 reply; 2+ messages in thread
From: Shan Shaji @ 2026-06-23 12:03 UTC (permalink / raw)
  To: pdm-devel

Remove the explicit restriction that only pam users can access the
shell. This is safe to do, as all users that are not root@pam will
be shown with a login shell. So they need to have some (PAM) login
credentials available.

This changes is useful for setups where a host integrates with central
authentication systems (e.g. LDAP or Active Directory) either as a PDM
realm or as a PAM plugin. It also allows environments that favor
non-pam users for PDM by default, but still want to keep PAM
accounts available for admnistrators.

Reference: pve-manager commit (7914f5e7b) and proxmox-backup commit
(c77dfaf31), these commits are already applied for PVE and PBS.

Signed-off-by: Shan Shaji <s.shaji@proxmox.com>
---

 changes since v1: Thanks @Dominik
 - Mention the need of valid PAM credentials inorder to access the console. 

 server/src/api/nodes/termproxy.rs | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/server/src/api/nodes/termproxy.rs b/server/src/api/nodes/termproxy.rs
index 71e4845b..7e7f1f1b 100644
--- a/server/src/api/nodes/termproxy.rs
+++ b/server/src/api/nodes/termproxy.rs
@@ -63,7 +63,9 @@ pub const SHELL_CMD_SCHEMA: Schema = StringSchema::new("The command to run.")
         }
     },
     access: {
-        description: "Restricted to users on realm 'pam'",
+        description: "The user requires `Sys.Console` privilege on `/system`.
+        All users who are not root@pam will have a login shell, so the user
+        must possess PAM login credentials.",
         permission: &Permission::Privilege(&["system"], PRIV_SYS_CONSOLE, false),
     }
 )]
@@ -81,10 +83,6 @@ async fn termproxy(cmd: Option<String>, rpcenv: &mut dyn RpcEnvironment) -> Resu
 
     let userid = auth_id.user();
 
-    if userid.realm() != "pam" {
-        bail!("only pam users can use the console");
-    }
-
     let path = "/system";
 
     // use port 0 and let the kernel decide which port is free
-- 
2.47.3





^ permalink raw reply related	[flat|nested] 2+ messages in thread

* applied: [PATCH datacenter-manager v2] fix: api: allow non-pam users to access shell
  2026-06-23 12:03 [PATCH datacenter-manager v2] fix: api: allow non-pam users to access shell Shan Shaji
@ 2026-07-15 17:47 ` Thomas Lamprecht
  0 siblings, 0 replies; 2+ messages in thread
From: Thomas Lamprecht @ 2026-07-15 17:47 UTC (permalink / raw)
  To: pdm-devel, Shan Shaji

On Tue, 23 Jun 2026 14:03:14 +0200, Shan Shaji wrote:
> Remove the explicit restriction that only pam users can access the
> shell. This is safe to do, as all users that are not root@pam will
> be shown with a login shell. So they need to have some (PAM) login
> credentials available.
> 
> This changes is useful for setups where a host integrates with central
> authentication systems (e.g. LDAP or Active Directory) either as a PDM
> realm or as a PAM plugin. It also allows environments that favor
> non-pam users for PDM by default, but still want to keep PAM
> accounts available for admnistrators.
> 
> [...]

Applied, thanks!

[1/1] fix: api: allow non-pam users to access shell
      commit: f3eecedf7cafbe59a1e309df9882784b9c9b5460




^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-07-15 17:47 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-23 12:03 [PATCH datacenter-manager v2] fix: api: allow non-pam users to access shell Shan Shaji
2026-07-15 17:47 ` applied: " Thomas Lamprecht

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal