* [pve-devel] [PATCH widget-toolkit 1/5] password edit: support specifying a hint
2024-12-04 11:37 [pve-devel] [PATCH widget-toolkit/manager/access-control/docs 0/5] clarify that password changes for PAM realm only apply to local node Fiona Ebner
@ 2024-12-04 11:37 ` Fiona Ebner
2024-12-04 11:37 ` [pve-devel] [PATCH manager 2/5] user: password edit: clarify that password changes for PAM realm only apply to local node Fiona Ebner
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Fiona Ebner @ 2024-12-04 11:37 UTC (permalink / raw)
To: pve-devel
Intended to be used by Proxmox VE to clarify that password changes for
the PAM realm only apply to the local node.
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
src/window/PasswordEdit.js | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/src/window/PasswordEdit.js b/src/window/PasswordEdit.js
index e012a0d..e687de3 100644
--- a/src/window/PasswordEdit.js
+++ b/src/window/PasswordEdit.js
@@ -19,6 +19,8 @@ Ext.define('Proxmox.window.PasswordEdit', {
// allow products to opt-in as their API gains support for this.
confirmCurrentPassword: false,
+ hintHtml: undefined,
+
items: [
{
xtype: 'textfield',
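Review bot: the new `hintHtml` config has no comment, unlike `confirmCurrentPassword` directly above it, and nothing tells callers that the value is bound to the component's `html` and therefore rendered as raw markup. Suggest a short comment above `hintHtml: undefined,` stating that the string is inserted as HTML without escaping, so callers must pass only trusted, already-encoded text.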
@@ -57,6 +59,17 @@ Ext.define('Proxmox.window.PasswordEdit', {
initialPassField: 'password',
submitValue: false,
},
+ {
+ xtype: 'component',
+ userCls: 'pmx-hint',
+ name: 'password-hint',
+ hidden: true,
+ //padding: '5 1',
+ cbind: {
+ html: '{hintHtml}',
+ hidden: '{!hintHtml}',
+ },
+ },
{
xtype: 'hiddenfield',
name: 'userid',
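Review bot: the commented-out `//padding: '5 1',` in the new component looks like a development leftover and should be either dropped or enabled before this is applied. The static `hidden: true` also appears redundant next to the cbind entry `hidden: '{!hintHtml}'`, which already hides the component when no hint is set; keeping only the binding leaves a single source of truth for visibility.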
--
2.39.5
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
* [pve-devel] [PATCH manager 2/5] user: password edit: clarify that password changes for PAM realm only apply to local node
2024-12-04 11:37 [pve-devel] [PATCH widget-toolkit/manager/access-control/docs 0/5] clarify that password changes for PAM realm only apply to local node Fiona Ebner
2024-12-04 11:37 ` [pve-devel] [PATCH widget-toolkit 1/5] password edit: support specifying a hint Fiona Ebner
@ 2024-12-04 11:37 ` Fiona Ebner
2024-12-04 11:37 ` [pve-devel] [PATCH access-control 3/5] api: " Fiona Ebner
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: Fiona Ebner @ 2024-12-04 11:37 UTC (permalink / raw)
To: pve-devel
Reported in the community forum:
https://forum.proxmox.com/threads/158518/
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
www/manager6/dc/UserView.js | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/www/manager6/dc/UserView.js b/www/manager6/dc/UserView.js
index 82bd2ee7..d5844674 100644
--- a/www/manager6/dc/UserView.js
+++ b/www/manager6/dc/UserView.js
@@ -68,10 +68,16 @@ Ext.define('PVE.dc.UserView', {
return false;
},
handler: function(btn, event, rec) {
+ let hintHtml;
+ if (rec.data['realm-type'] === 'pam') {
+ hintHtml = gettext("For the PAM realm, this only applies to the local node.");
+ }
+
Ext.create('Proxmox.window.PasswordEdit', {
userid: rec.data.userid,
confirmCurrentPassword: Proxmox.UserName !== 'root@pam',
autoShow: true,
+ hintHtml: hintHtml,
minLength: 8,
listeners: {
destroy: () => reload(),
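Review bot: the `gettext(...)` result assigned to `hintHtml` is handed to a config that the widget renders as markup, so the translated string, which comes from the translation catalogs rather than from this file, is interpreted as HTML. The hint needs no markup, so consider passing it through `Ext.htmlEncode()` before setting `hintHtml`, or offering a plain-text variant of the config in the widget.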
--
2.39.5
* [pve-devel] [PATCH access-control 3/5] api: clarify that password changes for PAM realm only apply to local node
2024-12-04 11:37 [pve-devel] [PATCH widget-toolkit/manager/access-control/docs 0/5] clarify that password changes for PAM realm only apply to local node Fiona Ebner
2024-12-04 11:37 ` [pve-devel] [PATCH widget-toolkit 1/5] password edit: support specifying a hint Fiona Ebner
2024-12-04 11:37 ` [pve-devel] [PATCH manager 2/5] user: password edit: clarify that password changes for PAM realm only apply to local node Fiona Ebner
@ 2024-12-04 11:37 ` Fiona Ebner
2024-12-04 11:37 ` [pve-devel] [PATCH access-control 4/5] api: password: use singular they pronoun Fiona Ebner
2024-12-04 11:37 ` [pve-devel] [PATCH docs 5/5] user management: clarify that password changes for PAM realm only apply to local node Fiona Ebner
4 siblings, 0 replies; 6+ messages in thread
From: Fiona Ebner @ 2024-12-04 11:37 UTC (permalink / raw)
To: pve-devel
Reported in the community forum:
https://forum.proxmox.com/threads/158518/
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
src/PVE/API2/AccessControl.pm | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.pm
index f23662a..bb7b78f 100644
--- a/src/PVE/API2/AccessControl.pm
+++ b/src/PVE/API2/AccessControl.pm
@@ -326,7 +326,8 @@ __PACKAGE__->register_method ({
description => "Each user is allowed to change his own password. A user can change the"
." password of another user if he has 'Realm.AllocateUser' (on the realm of user"
." <userid>) and 'User.Modify' permission on /access/groups/<group> on a group where"
- ." user <userid> is member of.",
+ ." user <userid> is member of. For the PAM realm, a password change does not take "
+ ." effect cluster-wide, but only applies to the local node.",
check => [ 'or',
['userid-param', 'self'],
[ 'and',
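Review bot: the two added lines concatenate to "take  effect" with a double space, because the first ends in `take "` and the second begins with `." effect`. Drop the trailing space before the closing quote on the first added line; the other continuation lines in this description carry the separating space only at the start.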
--
2.39.5
* [pve-devel] [PATCH access-control 4/5] api: password: use singular they pronoun
2024-12-04 11:37 [pve-devel] [PATCH widget-toolkit/manager/access-control/docs 0/5] clarify that password changes for PAM realm only apply to local node Fiona Ebner
` (2 preceding siblings ...)
2024-12-04 11:37 ` [pve-devel] [PATCH access-control 3/5] api: " Fiona Ebner
@ 2024-12-04 11:37 ` Fiona Ebner
2024-12-04 11:37 ` [pve-devel] [PATCH docs 5/5] user management: clarify that password changes for PAM realm only apply to local node Fiona Ebner
4 siblings, 0 replies; 6+ messages in thread
From: Fiona Ebner @ 2024-12-04 11:37 UTC (permalink / raw)
To: pve-devel
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
src/PVE/API2/AccessControl.pm | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.pm
index bb7b78f..c4c0699 100644
--- a/src/PVE/API2/AccessControl.pm
+++ b/src/PVE/API2/AccessControl.pm
@@ -323,8 +323,8 @@ __PACKAGE__->register_method ({
path => 'password',
method => 'PUT',
permissions => {
- description => "Each user is allowed to change his own password. A user can change the"
- ." password of another user if he has 'Realm.AllocateUser' (on the realm of user"
+ description => "Each user is allowed to change their own password. A user can change the"
+ ." password of another user if they have 'Realm.AllocateUser' (on the realm of user"
." <userid>) and 'User.Modify' permission on /access/groups/<group> on a group where"
." user <userid> is member of. For the PAM realm, a password change does not take "
." effect cluster-wide, but only applies to the local node.",
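Review bot: since this hunk rewords the description anyway, the unchanged clause ending in "is member of" is still ungrammatical and could be fixed in the same pass, for example "on a group of which the user is a member". The context lines also still carry the `take "` plus `." effect` double space from the previous patch, so fixing it there keeps this hunk applying cleanly.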
@@ -371,7 +371,7 @@ __PACKAGE__->register_method ({
} else {
if ($authuser eq $userid) {
$rpcenv->check_user_enabled($userid);
- # OK - each user can change its own password
+ # OK - each user can change their own password
} else {
# only root may change root password
raise_perm_exc() if $userid eq 'root@pam';
--
2.39.5
* [pve-devel] [PATCH docs 5/5] user management: clarify that password changes for PAM realm only apply to local node
2024-12-04 11:37 [pve-devel] [PATCH widget-toolkit/manager/access-control/docs 0/5] clarify that password changes for PAM realm only apply to local node Fiona Ebner
` (3 preceding siblings ...)
2024-12-04 11:37 ` [pve-devel] [PATCH access-control 4/5] api: password: use singular they pronoun Fiona Ebner
@ 2024-12-04 11:37 ` Fiona Ebner
4 siblings, 0 replies; 6+ messages in thread
From: Fiona Ebner @ 2024-12-04 11:37 UTC (permalink / raw)
To: pve-devel
Reported in the community forum:
https://forum.proxmox.com/threads/158518/
Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
---
pveum.adoc | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/pveum.adoc b/pveum.adoc
index 81565ab..b8303e8 100644
--- a/pveum.adoc
+++ b/pveum.adoc
@@ -170,8 +170,14 @@ Linux PAM Standard Authentication
As Linux PAM corresponds to host system users, a system user must exist on each
node which the user is allowed to log in on. The user authenticates with their
-usual system password. This realm is added by default and can't be removed. In
-terms of configurability, an administrator can choose to require two-factor
+usual system password. This realm is added by default and can't be removed.
+
+Password changes via the GUI or, equivalently, the `/access/password` API
+endpoint only apply to the local node and not cluster-wide. Even though {pve}
+has a multi-master design, using different passwords for different nodes can
+still offer a security benefit.
+
+In terms of configurability, an administrator can choose to require two-factor
authentication with logins from the realm and to set the realm as the default
authentication realm.
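Review bot: the added paragraph says the change applies to "the local node" without defining it; for a GUI or API user that is presumably the node handling the request, which is worth stating explicitly. It would also help to spell out the operational consequence: the password stays unchanged on every other node until it is changed there too, so the old password remains valid on them. The closing sentence about a security benefit reads as justification rather than guidance and would fit better after that explanation.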
--
2.39.5