Scenario
The root user enabled two-factor authentication but forgot the key, resulting in an inability to log into the PVE GUI.
Method 1: When unable to remotely log into the server via SSH
Execute the following command on the server:
pveum user tfa delete root@pam
After this command succeeds, you can log into the GUI as root. Go to Data Center > Two-Factor Authentication, and you will see that root’s two-factor authentication has been removed.
If the account is locked due to too many incorrect password attempts, change `delete` to `unlock` in the command above to unlock it.
Method 2: When able to remotely log into the server via SSH
Execute the following commands on the server:
adduser admin
pveum useradd admin@pam
pveum passwd admin@pam
pveum aclmod / -user admin@pam -roles Administrator
This will create a new user named admin with administrative privileges.
Then log into the PVE GUI using this new account.
Click Data Center > Two-Factor Authentication, and delete root’s two-factor authentication.
If removal fails with a “permission check fail” message,
then enter the shell and execute Method 1 to delete root’s two-factor authentication.
Finally, you can delete the newly created admin user, although you don’t have to.
Go to Data Center > Users, select admin, and click Remove to successfully delete it.
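Method 2 leaves an extra account with the Administrator role on `/` unless it is removed afterwards. The shell functions below are an added example, not part of the original post: they list the principals that hold Administrator on `/` in a file using the PVE `user.cfg` ACL line layout, assumed here to be `acl:<propagate>:<path>:<users/groups>:<roles>:`. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: find principals holding Administrator on "/" in a
# user.cfg-style file (assumed layout: acl:<propagate>:<path>:<who>:<roles>:).

# Print every user or group (groups start with "@") with Administrator on "/".
root_admins() {
    awk -F: '
        $1 == "acl" && $3 == "/" {
            n = split($5, roles, ",")
            is_admin = 0
            for (i = 1; i <= n; i++) if (roles[i] == "Administrator") is_admin = 1
            if (!is_admin) next
            m = split($4, who, ",")
            for (j = 1; j <= m; j++) if (who[j] != "") print who[j]
        }' "$1" | LC_ALL=C sort -u
}

# Print the principals from root_admins that are not in the allow list ($2...).
unexpected_root_admins() {
    cfg=$1; shift
    root_admins "$cfg" | while IFS= read -r p; do
        keep=0
        for ok in "$@"; do
            if [ "$p" = "$ok" ]; then keep=1; fi
        done
        if [ "$keep" -eq 0 ]; then printf '%s\n' "$p"; fi
    done
}

# Constructed sample shaped like the state Method 2 leaves behind:
# the temporary admin@pam account still has Administrator on "/".
sample_cfg() {
    cat <<'EOF'
user:root@pam:1:0:::::
user:admin@pam:1:0:::::
user:backup@pve:1:0:::::
acl:1:/:@ops:Administrator:
acl:1:/:admin@pam:Administrator,PVEAuditor:
acl:1:/storage:backup@pve:PVEDatastoreUser:
EOF
}

tmp=$(mktemp)
sample_cfg > "$tmp"
unexpected_root_admins "$tmp" @ops   # prints admin@pam
rm -f "$tmp"
```

On a PVE host the same functions can be pointed at `/etc/pve/user.cfg`, passing the principals you expect to be administrators as the allow list.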