Today is the best day in this week so I will describe how to implement multi factor authentication to the Proxmox Virtual Server enviroment… I’m finally get it working… Multi-Factor authentication to remote server with spice client configuration.
First of all we need the computer/server with virtualization ability.
Next we must install Proxmox VE on this target machine.
To-Do List:
-> Login to the Proxmox VE with root privileges,
-> Create Virtual Machine using Create VM box with SPICE ( QXL ) display,
-> Install system on the target virtual machine using console view,
-> Create Role with only VM.Console privilege in the Proxmox -> Cluster -> Permissions,
-> Create User with VM.Console Role,
-> Next create TOTP via wizzard in the Proxmox -> Cluster -> Permissions -> Two Factor -> add TOTP, scan the qr code with Google Authenticator app because user will never login without code
-> Navigate to the VM machine that you created in second step,
-> Create user (created in fifth step) permission to access Virtual Machine ( VM -> Permissions -> add User Permission )
Now You have working VDI server with one virtual machine
Next thing is to connect to that virtual machine:
You can use this script to connect to virtual machine:
#!/bin/bash
set -e
# Set auth options
USERNAME='USERNAME_FOR_USER_CREATED_IN_5_STEP'
PASSWORD='PASSWORD_FOR_USER_CREATED_IN_5_STEP'
TOTP='$1'
# Set VM ID
VMID='VMID_OF_VIRTUAL_MACHINE_CREATED_IN_2_STEP'
# Set Node
# This must either be a DNS address or name of the node in the cluster
NODE='DNS_NAME_OF_THE_PROXMOX_SERVER_IN_THE_CLUSTER'
# Proxy equals node if node is a DNS address
# Otherwise, you need to set the IP address of the node here
PROXY="$NODE"
#The rest of the script from Proxmox
NODE="${NODE%%\.*}"
COOKIE="$(curl -f -s -S -k --data-urlencode "username=$USERNAME" --data-urlencode "password=$PASSWORD" "https://$PROXY:8006/api2/json/access/ticket"|jq -r '.data.ticket')"
DATA="$(curl -f -s -S -k --data-urlencode "username=$USERNAME" --data-urlencode "password=totp:$1" --data-urlencode "tfa-challenge=$COOKIE" "https://$PROXY:8006/api2/json/access/ticket")"
echo "AUTH OK"
TICKET="${DATA//\"/}"
TICKET="${TICKET##*ticket:}"
TICKET="${TICKET%%,*}"
TICKET="${TICKET%%\}*}"
CSRF="${DATA//\"/}"
CSRF="${CSRF##*CSRFPreventionToken:}"
CSRF="${CSRF%%,*}"
CSRF="${CSRF%%\}*}"
curl -f -s -S -k -b "PVEAuthCookie=$TICKET" -H "CSRFPreventionToken: $CSRF" "https://$PROXY:8006/api2/spiceconfig/nodes/$NODE/qemu/$VMID/spiceproxy" -d "proxy=$PROXY" > spiceproxy
#Launch remote-viewer with spiceproxy file, in kiosk mode, quit on disconnect
#The run loop will get a new ticket and launch us again if we disconnect
exec remote-viewer spiceproxy
TO use this script you must modify USERAME,PASSWORD,VMID and NODE variables.
Next will be give execution permission to the created connection script:
chmod +x NAME_OF_SCRIPT
to connect to the VDI use following scheme:
./NAME_OF_SCRIPT CODE_FROM_GOOGLE_AUTHENTICATOR
Thats all… have a nice day.
antispam apache2 callout cd commands database Debian debian 9 debian 10 domain domain-hosting exim fpm hosting how to https imap imaps ksh lenovo linux logging mail man MySQL nginx php poland pop pop3 pop3s price prize server snoopy sr635 system think thinksystem update upgrade users VDI web www