[proxmox-backup.git] / docs / user-management.rst

.. _user_mgmt:

User Management
===============


User Configuration
------------------

.. image:: images/screenshots/pbs-gui-user-management.png
  :align: right
  :alt: User management

Proxmox Backup Server supports several authentication realms, and you need to
choose the realm when you add a new user. Possible realms are:

:pam: Linux PAM standard authentication. Use this if you want to
      authenticate as Linux system user (Users need to exist on the
      system).

:pbs: Proxmox Backup Server realm. This type stores hashed passwords in
      ``/etc/proxmox-backup/shadow.json``.

After installation, there is a single user ``root@pam``, which
corresponds to the Unix superuser. User configuration information is stored in the file
``/etc/proxmox-backup/user.cfg``. You can use the
``proxmox-backup-manager`` command line tool to list or manipulate
users:

.. code-block:: console

  # proxmox-backup-manager user list
  ┌─────────────┬────────┬────────┬───────────┬──────────┬────────────────┬────────────────────┐
  │ userid      │ enable │ expire │ firstname │ lastname │ email          │ comment            │
  ╞═════════════╪════════╪════════╪═══════════╪══════════╪════════════════╪════════════════════╡
  │ root@pam    │      1 │        │           │          │                │ Superuser          │
  └─────────────┴────────┴────────┴───────────┴──────────┴────────────────┴────────────────────┘

.. image:: images/screenshots/pbs-gui-user-management-add-user.png
  :align: right
  :alt: Add a new user

The superuser has full administration rights on everything, so you
normally want to add other users with less privileges. You can add a new
user with the ``user create`` subcommand or through the web
interface, under the **User Management** tab of **Configuration -> Access
Control**. The ``create`` subcommand lets you specify many options like
``--email`` or ``--password``. You can update or change any user properties
using the ``update`` subcommand later (**Edit** in the GUI):


.. code-block:: console

  # proxmox-backup-manager user create john@pbs --email john@example.com
  # proxmox-backup-manager user update john@pbs --firstname John --lastname Smith
  # proxmox-backup-manager user update john@pbs --comment "An example user."

.. todo:: Mention how to set password without passing plaintext password as cli argument.


The resulting user list looks like this:

.. code-block:: console

  # proxmox-backup-manager user list
  ┌──────────┬────────┬────────┬───────────┬──────────┬──────────────────┬──────────────────┐
  │ userid   │ enable │ expire │ firstname │ lastname │ email            │ comment          │
  ╞══════════╪════════╪════════╪═══════════╪══════════╪══════════════════╪══════════════════╡
  │ john@pbs │      1 │        │ John      │ Smith    │ john@example.com │ An example user. │
  ├──────────┼────────┼────────┼───────────┼──────────┼──────────────────┼──────────────────┤
  │ root@pam │      1 │        │           │          │                  │ Superuser        │
  └──────────┴────────┴────────┴───────────┴──────────┴──────────────────┴──────────────────┘

Newly created users do not have any permissions. Please read the Access Control
section to learn how to set access permissions.

If you want to disable a user account, you can do that by setting ``--enable`` to ``0``

.. code-block:: console

  # proxmox-backup-manager user update john@pbs --enable 0

Or completely remove the user with:

.. code-block:: console

  # proxmox-backup-manager user remove john@pbs

.. _user_tokens:

API Tokens
----------

.. image:: images/screenshots/pbs-gui-apitoken-overview.png
  :align: right
  :alt: API Token Overview

Any authenticated user can generate API tokens which can in turn be used to
configure various clients, instead of directly providing the username and
password.

API tokens serve two purposes:

#. Easy revocation in case client gets compromised
#. Limit permissions for each client/token within the users' permission

An API token consists of two parts: an identifier consisting of the user name,
the realm and a tokenname (``user@realm!tokenname``), and a secret value. Both
need to be provided to the client in place of the user ID (``user@realm``) and
the user password, respectively.

.. image:: images/screenshots/pbs-gui-apitoken-secret-value.png
  :align: right
  :alt: API secret value

The API token is passed from the client to the server by setting the
``Authorization`` HTTP header with method ``PBSAPIToken`` to the value
``TOKENID:TOKENSECRET``.

Generating new tokens can done using ``proxmox-backup-manager`` or the GUI:

.. code-block:: console

  # proxmox-backup-manager user generate-token john@pbs client1
  Result: {
    "tokenid": "john@pbs!client1",
    "value": "d63e505a-e3ec-449a-9bc7-1da610d4ccde"
  }

.. note:: The displayed secret value needs to be saved, since it cannot be
  displayed again after generating the API token.

The ``user list-tokens`` sub-command can be used to display tokens and their
metadata:

.. code-block:: console

  # proxmox-backup-manager user list-tokens john@pbs
  ┌──────────────────┬────────┬────────┬─────────┐
  │ tokenid          │ enable │ expire │ comment │
  ╞══════════════════╪════════╪════════╪═════════╡
  │ john@pbs!client1 │      1 │        │         │
  └──────────────────┴────────┴────────┴─────────┘

Similarly, the ``user delete-token`` subcommand can be used to delete a token
again.

Newly generated API tokens don't have any permissions. Please read the next
section to learn how to set access permissions.


.. _user_acl:

Access Control
--------------

By default new users and API tokens do not have any permission. Instead you
need to specify what is allowed and what is not. You can do this by assigning
roles to users/tokens on specific objects like datastores or remotes. The
following roles exist:

**NoAccess**
  Disable Access - nothing is allowed.

**Admin**
  Can do anything.

**Audit**
  Can view things, but is not allowed to change settings.

**DatastoreAdmin**
  Can do anything on datastores.

**DatastoreAudit**
  Can view datastore settings and list content. But
  is not allowed to read the actual data.

**DatastoreReader**
  Can Inspect datastore content and can do restores.

**DatastoreBackup**
  Can backup and restore owned backups.

**DatastorePowerUser**
  Can backup, restore, and prune owned backups.

**RemoteAdmin**
  Can do anything on remotes.

**RemoteAudit**
  Can view remote settings.

**RemoteSyncOperator**
  Is allowed to read data from a remote.

.. image:: images/screenshots/pbs-gui-user-management-add-user.png
  :align: right
  :alt: Add permissions for user

Access permission information is stored in ``/etc/proxmox-backup/acl.cfg``. The
file contains 5 fields, separated using a colon (':') as a delimiter. A typical
entry takes the form:

``acl:1:/datastore:john@pbs:DatastoreBackup``

The data represented in each field is as follows:

#. ``acl`` identifier
#. A ``1`` or ``0``, representing whether propagation is enabled or disabled,
   respectively
#. The object on which the permission is set. This can be a specific object
   (single datastore, remote, etc.) or a top level object, which with
   propagation enabled, represents all children of the object also.
#. The user(s)/token(s) for which the permission is set
#. The role being set

You can manage permissions via **Configuration -> Access Control ->
Permissions** in the web interface. Likewise, you can use the ``acl``
subcommand to manage and monitor user permissions from the command line. For
example, the command below will add the user ``john@pbs`` as a
**DatastoreAdmin** for the datastore ``store1``, located at
``/backup/disk1/store1``:

.. code-block:: console

  # proxmox-backup-manager acl update /datastore/store1 DatastoreAdmin --auth-id john@pbs

You can list the ACLs of each user/token using the following command:

.. code-block:: console

   # proxmox-backup-manager acl list
   ┌──────────┬───────────────────┬───────────┬────────────────┐
   │ ugid     │ path              │ propagate │ roleid         │
   ╞══════════╪═══════════════════╪═══════════╪════════════════╡
   │ john@pbs │ /datastore/store1 │         1 │ DatastoreAdmin │
   └──────────┴───────────────────┴───────────┴────────────────┘

A single user/token can be assigned multiple permission sets for different datastores.

.. Note::
  Naming convention is important here. For datastores on the host,
  you must use the convention ``/datastore/{storename}``. For example, to set
  permissions for a datastore mounted at ``/mnt/backup/disk4/store2``, you would use
  ``/datastore/store2`` for the path. For remote stores, use the convention
  ``/remote/{remote}/{storename}``, where ``{remote}`` signifies the name of the
  remote (see `Remote` below) and ``{storename}`` is the name of the datastore on
  the remote.

API Token permissions
~~~~~~~~~~~~~~~~~~~~~

API token permissions are calculated based on ACLs containing their ID
independent of those of their corresponding user. The resulting permission set
on a given path is then intersected with that of the corresponding user.

In practice this means:

#. API tokens require their own ACL entries
#. API tokens can never do more than their corresponding user

Effective permissions
~~~~~~~~~~~~~~~~~~~~~

To calculate and display the effective permission set of a user or API token
you can use the ``proxmox-backup-manager user permission`` command:

.. code-block:: console

  # proxmox-backup-manager user permissions john@pbs --path /datastore/store1
  Privileges with (*) have the propagate flag set
  
  Path: /datastore/store1
  - Datastore.Audit (*)
  - Datastore.Backup (*)
  - Datastore.Modify (*)
  - Datastore.Prune (*)
  - Datastore.Read (*)
  - Datastore.Verify (*)
  
  # proxmox-backup-manager acl update /datastore/store1 DatastoreBackup --auth-id 'john@pbs!client1'
  # proxmox-backup-manager user permissions 'john@pbs!client1' --path /datastore/store1
  Privileges with (*) have the propagate flag set
  
  Path: /datastore/store1
  - Datastore.Backup (*)

.. _user_tfa:

Two-factor authentication
-------------------------

Introduction
~~~~~~~~~~~~

With simple authentication, only a password (single factor) is required to
successfully claim an identity (authenticate), for example, to be able to log in
as `root@pam` on a specific instance of Proxmox Backup Server. In this case, if
the password gets stolen or leaked, anybody can use it to log in - even if they
should not be allowed to do so.

With two-factor authentication (TFA), a user is asked for an additional factor
to verify their authenticity. Rather than relying on something only the user
knows (a password), this extra factor requires something only the user has, for
example, a piece of hardware (security key) or a secret saved on the user's
smartphone. This prevents a remote user from gaining unauthorized access to an
account, as even if they have the password, they will not have access to the
physical object (second factor).

.. image:: images/screenshots/pbs-gui-tfa-login.png
  :align: right
  :alt: Add a new user

Available Second Factors
~~~~~~~~~~~~~~~~~~~~~~~~

You can set up multiple second factors, in order to avoid a situation in which
losing your smartphone or security key locks you out of your account
permanently.

Proxmox Backup Server supports three different two-factor authentication
methods:

* TOTP (`Time-based One-Time Password <https://en.wikipedia.org/wiki/Time-based_One-Time_Password>`_).
  A short code derived from a shared secret and the current time, it changes
  every 30 seconds.

* WebAuthn (`Web Authentication <https://en.wikipedia.org/wiki/WebAuthn>`_).
  A general standard for authentication. It is implemented by various security
  devices, like hardware keys or trusted platform modules (TPM) from a computer
  or smart phone.

* Single use Recovery Keys. A list of keys which should either be printed out
  and locked in a secure place or saved digitally in an electronic vault.
  Each key can be used only once. These are perfect for ensuring that you are
  not locked out, even if all of your other second factors are lost or corrupt.


Setup
~~~~~

.. _user_tfa_setup_totp:

TOTP
^^^^

.. image:: images/screenshots/pbs-gui-tfa-add-totp.png
  :align: right
  :alt: Add a new user

There is no server setup required. Simply install a TOTP app on your
smartphone (for example, `FreeOTP <https://freeotp.github.io/>`_) and use the
Proxmox Backup Server web-interface to add a TOTP factor.

.. _user_tfa_setup_webauthn:

WebAuthn
^^^^^^^^

For WebAuthn to work, you need to have two things:

* a trusted HTTPS certificate (for example, by using `Let's Encrypt
  <https://pbs.proxmox.com/wiki/index.php/HTTPS_Certificate_Configuration>`_).
  While it probably works with an untrusted certificate, some browsers may warn
  or refuse WebAuthn operations if it is not trusted.

* setup the WebAuthn configuration (see *Configuration -> Authentication* in the
  Proxmox Backup Server web-interface). This can be auto-filled in most setups.

Once you have fulfilled both of these requirements, you can add a WebAuthn
configuration in the *Access Control* panel.

.. _user_tfa_setup_recovery_keys:

Recovery Keys
^^^^^^^^^^^^^

.. image:: images/screenshots/pbs-gui-tfa-add-recovery-keys.png
  :align: right
  :alt: Add a new user

Recovery key codes do not need any preparation; you can simply create a set of
recovery keys in the *Access Control* panel.

.. note:: There can only be one set of single-use recovery keys per user at any
 time.

TFA and Automated Access
~~~~~~~~~~~~~~~~~~~~~~~~

Two-factor authentication is only implemented for the web-interface. You should
use :ref:`API Tokens <user_tokens>` for all other use cases, especially
non-interactive ones (for example, adding a Proxmox Backup Server to Proxmox VE
as a storage).
Commit	Line	Data
04e24b14 DW	1	.. _user_mgmt:
	2
	3	User Management
	4	===============
	5
	6
	7	User Configuration
	8	------------------
	9
	10	.. image:: images/screenshots/pbs-gui-user-management.png
	11	:align: right
	12	:alt: User management
	13
	14	Proxmox Backup Server supports several authentication realms, and you need to
	15	choose the realm when you add a new user. Possible realms are:
	16
	17	:pam: Linux PAM standard authentication. Use this if you want to
	18	authenticate as Linux system user (Users need to exist on the
	19	system).
	20
	21	:pbs: Proxmox Backup Server realm. This type stores hashed passwords in
	22	``/etc/proxmox-backup/shadow.json``.
	23
	24	After installation, there is a single user ``root@pam``, which
	25	corresponds to the Unix superuser. User configuration information is stored in the file
	26	``/etc/proxmox-backup/user.cfg``. You can use the
	27	``proxmox-backup-manager`` command line tool to list or manipulate
	28	users:
	29
	30	.. code-block:: console
	31
	32	# proxmox-backup-manager user list
	33	┌─────────────┬────────┬────────┬───────────┬──────────┬────────────────┬────────────────────┐
	34	│ userid │ enable │ expire │ firstname │ lastname │ email │ comment │
	35	╞═════════════╪════════╪════════╪═══════════╪══════════╪════════════════╪════════════════════╡
	36	│ root@pam │ 1 │ │ │ │ │ Superuser │
	37	└─────────────┴────────┴────────┴───────────┴──────────┴────────────────┴────────────────────┘
	38
	39	.. image:: images/screenshots/pbs-gui-user-management-add-user.png
	40	:align: right
	41	:alt: Add a new user
	42
	43	The superuser has full administration rights on everything, so you
6227b9ba DW	44	normally want to add other users with less privileges. You can add a new
	45	user with the ``user create`` subcommand or through the web
	46	interface, under the User Management tab of **Configuration -> Access
	47	Control**. The ``create`` subcommand lets you specify many options like
	48	``--email`` or ``--password``. You can update or change any user properties
	49	using the ``update`` subcommand later (Edit in the GUI):
04e24b14 DW	50
	51
	52	.. code-block:: console
	53
	54	# proxmox-backup-manager user create john@pbs --email john@example.com
	55	# proxmox-backup-manager user update john@pbs --firstname John --lastname Smith
	56	# proxmox-backup-manager user update john@pbs --comment "An example user."
	57
	58	.. todo:: Mention how to set password without passing plaintext password as cli argument.
	59
	60
	61	The resulting user list looks like this:
	62
	63	.. code-block:: console
	64
	65	# proxmox-backup-manager user list
	66	┌──────────┬────────┬────────┬───────────┬──────────┬──────────────────┬──────────────────┐
	67	│ userid │ enable │ expire │ firstname │ lastname │ email │ comment │
	68	╞══════════╪════════╪════════╪═══════════╪══════════╪══════════════════╪══════════════════╡
	69	│ john@pbs │ 1 │ │ John │ Smith │ john@example.com │ An example user. │
	70	├──────────┼────────┼────────┼───────────┼──────────┼──────────────────┼──────────────────┤
	71	│ root@pam │ 1 │ │ │ │ │ Superuser │
	72	└──────────┴────────┴────────┴───────────┴──────────┴──────────────────┴──────────────────┘
	73
034cf70b	74	Newly created users do not have any permissions. Please read the Access Control
04e24b14 DW	75	section to learn how to set access permissions.
	76
	77	If you want to disable a user account, you can do that by setting ``--enable`` to ``0``
	78
	79	.. code-block:: console
	80
	81	# proxmox-backup-manager user update john@pbs --enable 0
	82
	83	Or completely remove the user with:
	84
	85	.. code-block:: console
	86
	87	# proxmox-backup-manager user remove john@pbs
	88
034cf70b FG	89	.. _user_tokens:
	90
	91	API Tokens
	92	----------
	93
b9975249 DW	94	.. image:: images/screenshots/pbs-gui-apitoken-overview.png
	95	:align: right
	96	:alt: API Token Overview
	97
034cf70b FG	98	Any authenticated user can generate API tokens which can in turn be used to
	99	configure various clients, instead of directly providing the username and
	100	password.
	101
	102	API tokens serve two purposes:
	103
	104	#. Easy revocation in case client gets compromised
	105	#. Limit permissions for each client/token within the users' permission
	106
	107	An API token consists of two parts: an identifier consisting of the user name,
	108	the realm and a tokenname (``user@realm!tokenname``), and a secret value. Both
	109	need to be provided to the client in place of the user ID (``user@realm``) and
4aef06f1	110	the user password, respectively.
034cf70b	111
b9975249 DW	112	.. image:: images/screenshots/pbs-gui-apitoken-secret-value.png
	113	:align: right
	114	:alt: API secret value
	115
034cf70b FG	116	The API token is passed from the client to the server by setting the
	117	``Authorization`` HTTP header with method ``PBSAPIToken`` to the value
	118	``TOKENID:TOKENSECRET``.
	119
	120	Generating new tokens can done using ``proxmox-backup-manager`` or the GUI:
	121
	122	.. code-block:: console
	123
	124	# proxmox-backup-manager user generate-token john@pbs client1
	125	Result: {
	126	"tokenid": "john@pbs!client1",
	127	"value": "d63e505a-e3ec-449a-9bc7-1da610d4ccde"
	128	}
	129
	130	.. note:: The displayed secret value needs to be saved, since it cannot be
	131	displayed again after generating the API token.
	132
	133	The ``user list-tokens`` sub-command can be used to display tokens and their
	134	metadata:
	135
	136	.. code-block:: console
	137
	138	# proxmox-backup-manager user list-tokens john@pbs
	139	┌──────────────────┬────────┬────────┬─────────┐
	140	│ tokenid │ enable │ expire │ comment │
	141	╞══════════════════╪════════╪════════╪═════════╡
	142	│ john@pbs!client1 │ 1 │ │ │
	143	└──────────────────┴────────┴────────┴─────────┘
	144
	145	Similarly, the ``user delete-token`` subcommand can be used to delete a token
	146	again.
	147
	148	Newly generated API tokens don't have any permissions. Please read the next
	149	section to learn how to set access permissions.
	150
04e24b14 DW	151
	152	.. _user_acl:
	153
	154	Access Control
	155	--------------
	156
034cf70b FG	157	By default new users and API tokens do not have any permission. Instead you
	158	need to specify what is allowed and what is not. You can do this by assigning
	159	roles to users/tokens on specific objects like datastores or remotes. The
04e24b14 DW	160	following roles exist:
	161
	162	NoAccess
	163	Disable Access - nothing is allowed.
	164
	165	Admin
	166	Can do anything.
	167
	168	Audit
	169	Can view things, but is not allowed to change settings.
	170
	171	DatastoreAdmin
	172	Can do anything on datastores.
	173
	174	DatastoreAudit
	175	Can view datastore settings and list content. But
	176	is not allowed to read the actual data.
	177
	178	DatastoreReader
	179	Can Inspect datastore content and can do restores.
	180
	181	DatastoreBackup
	182	Can backup and restore owned backups.
	183
	184	DatastorePowerUser
	185	Can backup, restore, and prune owned backups.
	186
	187	RemoteAdmin
	188	Can do anything on remotes.
	189
	190	RemoteAudit
	191	Can view remote settings.
	192
	193	RemoteSyncOperator
	194	Is allowed to read data from a remote.
	195
b9975249	196	.. image:: images/screenshots/pbs-gui-user-management-add-user.png
04e24b14 DW	197	:align: right
	198	:alt: Add permissions for user
	199
	200	Access permission information is stored in ``/etc/proxmox-backup/acl.cfg``. The
	201	file contains 5 fields, separated using a colon (':') as a delimiter. A typical
	202	entry takes the form:
	203
	204	``acl:1:/datastore:john@pbs:DatastoreBackup``
	205
	206	The data represented in each field is as follows:
	207
	208	#. ``acl`` identifier
	209	#. A ``1`` or ``0``, representing whether propagation is enabled or disabled,
	210	respectively
	211	#. The object on which the permission is set. This can be a specific object
	212	(single datastore, remote, etc.) or a top level object, which with
	213	propagation enabled, represents all children of the object also.
034cf70b	214	#. The user(s)/token(s) for which the permission is set
04e24b14 DW	215	#. The role being set
04e24b14 DW	216
034cf70b FG	217	You can manage permissions via **Configuration -> Access Control ->
	218	Permissions** in the web interface. Likewise, you can use the ``acl``
	219	subcommand to manage and monitor user permissions from the command line. For
	220	example, the command below will add the user ``john@pbs`` as a
	221	DatastoreAdmin for the datastore ``store1``, located at
	222	``/backup/disk1/store1``:
04e24b14 DW	223
	224	.. code-block:: console
	225
034cf70b	226	# proxmox-backup-manager acl update /datastore/store1 DatastoreAdmin --auth-id john@pbs
04e24b14	227
034cf70b	228	You can list the ACLs of each user/token using the following command:
04e24b14 DW	229
	230	.. code-block:: console
	231
	232	# proxmox-backup-manager acl list
477ebe6b FE	233	┌──────────┬───────────────────┬───────────┬────────────────┐
	234	│ ugid │ path │ propagate │ roleid │
	235	╞══════════╪═══════════════════╪═══════════╪════════════════╡
	236	│ john@pbs │ /datastore/store1 │ 1 │ DatastoreAdmin │
	237	└──────────┴───────────────────┴───────────┴────────────────┘
04e24b14	238
034cf70b	239	A single user/token can be assigned multiple permission sets for different datastores.
04e24b14 DW	240
	241	.. Note::
	242	Naming convention is important here. For datastores on the host,
	243	you must use the convention ``/datastore/{storename}``. For example, to set
	244	permissions for a datastore mounted at ``/mnt/backup/disk4/store2``, you would use
	245	``/datastore/store2`` for the path. For remote stores, use the convention
	246	``/remote/{remote}/{storename}``, where ``{remote}`` signifies the name of the
	247	remote (see `Remote` below) and ``{storename}`` is the name of the datastore on
	248	the remote.
	249
034cf70b FG	250	API Token permissions
	251	~~~~~~~~~~~~~~~~~~~~~
	252
	253	API token permissions are calculated based on ACLs containing their ID
	254	independent of those of their corresponding user. The resulting permission set
	255	on a given path is then intersected with that of the corresponding user.
	256
	257	In practice this means:
	258
	259	#. API tokens require their own ACL entries
	260	#. API tokens can never do more than their corresponding user
	261
	262	Effective permissions
	263	~~~~~~~~~~~~~~~~~~~~~
	264
	265	To calculate and display the effective permission set of a user or API token
	266	you can use the ``proxmox-backup-manager user permission`` command:
	267
	268	.. code-block:: console
04e24b14	269
477ebe6b	270	# proxmox-backup-manager user permissions john@pbs --path /datastore/store1
034cf70b FG	271	Privileges with (*) have the propagate flag set
	272
	273	Path: /datastore/store1
	274	- Datastore.Audit (*)
	275	- Datastore.Backup (*)
	276	- Datastore.Modify (*)
	277	- Datastore.Prune (*)
	278	- Datastore.Read (*)
477ebe6b	279	- Datastore.Verify (*)
034cf70b FG	280
034cf70b FG	281	# proxmox-backup-manager acl update /datastore/store1 DatastoreBackup --auth-id 'john@pbs!client1'
477ebe6b	282	# proxmox-backup-manager user permissions 'john@pbs!client1' --path /datastore/store1
034cf70b FG	283	Privileges with (*) have the propagate flag set
	284
	285	Path: /datastore/store1
	286	- Datastore.Backup (*)
f9fcac51 TL	287
f9fcac51 TL	288	.. _user_tfa:
28eaff20	289
f9fcac51 TL	290	Two-factor authentication
	291	-------------------------
	292
	293	Introduction
	294	~~~~~~~~~~~~
	295
207f763d DW	296	With simple authentication, only a password (single factor) is required to
	297	successfully claim an identity (authenticate), for example, to be able to log in
	298	as `root@pam` on a specific instance of Proxmox Backup Server. In this case, if
	299	the password gets stolen or leaked, anybody can use it to log in - even if they
	300	should not be allowed to do so.
	301
	302	With two-factor authentication (TFA), a user is asked for an additional factor
	303	to verify their authenticity. Rather than relying on something only the user
	304	knows (a password), this extra factor requires something only the user has, for
	305	example, a piece of hardware (security key) or a secret saved on the user's
	306	smartphone. This prevents a remote user from gaining unauthorized access to an
	307	account, as even if they have the password, they will not have access to the
	308	physical object (second factor).
f9fcac51	309
2f617a45 TL	310	.. image:: images/screenshots/pbs-gui-tfa-login.png
	311	:align: right
	312	:alt: Add a new user
	313
f9fcac51 TL	314	Available Second Factors
	315	~~~~~~~~~~~~~~~~~~~~~~~~
	316
207f763d DW	317	You can set up multiple second factors, in order to avoid a situation in which
	318	losing your smartphone or security key locks you out of your account
	319	permanently.
f9fcac51	320
207f763d DW	321	Proxmox Backup Server supports three different two-factor authentication
207f763d DW	322	methods:
f9fcac51 TL	323
f9fcac51 TL	324	* TOTP (`Time-based One-Time Password <https://en.wikipedia.org/wiki/Time-based_One-Time_Password>`_).
207f763d	325	A short code derived from a shared secret and the current time, it changes
f9fcac51 TL	326	every 30 seconds.
	327
	328	* WebAuthn (`Web Authentication <https://en.wikipedia.org/wiki/WebAuthn>`_).
	329	A general standard for authentication. It is implemented by various security
207f763d	330	devices, like hardware keys or trusted platform modules (TPM) from a computer
f9fcac51 TL	331	or smart phone.
	332
	333	* Single use Recovery Keys. A list of keys which should either be printed out
207f763d DW	334	and locked in a secure place or saved digitally in an electronic vault.
	335	Each key can be used only once. These are perfect for ensuring that you are
	336	not locked out, even if all of your other second factors are lost or corrupt.
f9fcac51 TL	337
	338
	339	Setup
	340	~~~~~
	341
	342	.. _user_tfa_setup_totp:
28eaff20	343
f9fcac51 TL	344	TOTP
f9fcac51 TL	345	^^^^
2f617a45 TL	346
	347	.. image:: images/screenshots/pbs-gui-tfa-add-totp.png
	348	:align: right
	349	:alt: Add a new user
	350
207f763d	351	There is no server setup required. Simply install a TOTP app on your
f9fcac51 TL	352	smartphone (for example, `FreeOTP <https://freeotp.github.io/>`_) and use the
	353	Proxmox Backup Server web-interface to add a TOTP factor.
	354
	355	.. _user_tfa_setup_webauthn:
28eaff20	356
f9fcac51 TL	357	WebAuthn
	358	^^^^^^^^
	359
207f763d	360	For WebAuthn to work, you need to have two things:
f9fcac51 TL	361
f9fcac51 TL	362	* a trusted HTTPS certificate (for example, by using `Let's Encrypt
5bf9b0b0 DC	363	<https://pbs.proxmox.com/wiki/index.php/HTTPS_Certificate_Configuration>`_).
	364	While it probably works with an untrusted certificate, some browsers may warn
	365	or refuse WebAuthn operations if it is not trusted.
f9fcac51 TL	366
	367	* setup the WebAuthn configuration (see Configuration -> Authentication in the
	368	Proxmox Backup Server web-interface). This can be auto-filled in most setups.
	369
207f763d	370	Once you have fulfilled both of these requirements, you can add a WebAuthn
f9fcac51 TL	371	configuration in the Access Control panel.
	372
	373	.. _user_tfa_setup_recovery_keys:
28eaff20	374
f9fcac51 TL	375	Recovery Keys
	376	^^^^^^^^^^^^^
	377
2f617a45 TL	378	.. image:: images/screenshots/pbs-gui-tfa-add-recovery-keys.png
	379	:align: right
	380	:alt: Add a new user
	381
207f763d	382	Recovery key codes do not need any preparation; you can simply create a set of
f9fcac51 TL	383	recovery keys in the Access Control panel.
	384
	385	.. note:: There can only be one set of single-use recovery keys per user at any
	386	time.
	387
	388	TFA and Automated Access
	389	~~~~~~~~~~~~~~~~~~~~~~~~
	390
207f763d	391	Two-factor authentication is only implemented for the web-interface. You should
f9fcac51	392	use :ref:`API Tokens <user_tokens>` for all other use cases, especially
207f763d	393	non-interactive ones (for example, adding a Proxmox Backup Server to Proxmox VE
f9fcac51	394	as a storage).