pikvm/docs/auth.md

# Authentication

PiKVM OS is based on a regular Linux system, so everything about authorization in this OS is also true for PiKVM.
It comes with the following default passwords:

* **Linux admin** (SSH, console, etc.): user `root`, password `root`.
* **PiKVM Web Interface, [API](api.md), [VNC](vnc.md)...**: user `admin`, password `admin`, no 2FA code.

**These are two separate entities with independent accounts.**

Also there is another special Linux user: `kvmd-webterm`.
It can't be used for login or remote access to PiKVM OS and has the non-privileged rights in the OS.
Password access and `sudo` is disabled for it. It is used only for launching the Web Terminal.
These restrictions are set for security reasons.


-----
## Root access in the Web Terminal

As mentioned above, the Web Terminal runs under user `kvmd-webterm` with disabled `sudo` and password access.
However, most PiKVM administration commands require the `root` access.
To obtain it in the Web Terminal, type `su -` and then enter the `root` user password:

```console
[kvmd-webterm@pikvm ~]$ su -
...
[root@pikvm kvmd-webterm]#
```

??? tip "Disabling the Web Terminal"

    Sometimes the actual owner of a PiKVM device and the user who is allowed to use it are different people.
    So you may want to disable console access from the Web UI. To do this, use the following:

    ```
    [root@pikvm ~]# rw
    [root@pikvm ~]# systemctl disable --now kvmd-webterm
    [root@pikvm ~]# ro
    ```

    For your own access to PiKVM OS, you will still have SSH.


-----
## Changing the Linux password

```
[root@pikvm ~]# rw
[root@pikvm ~]# passwd root
[root@pikvm ~]# ro
```


-----
## Changing the KVM password

```
[root@pikvm ~]# rw
[root@pikvm ~]# kvmd-htpasswd set admin
[root@pikvm ~]# ro
```

Please note that `admin` is a name of a default user. It is possible to create several different users
with different passwords to access the Web UI, but keep in mind that they all have the same rights:

```
[root@pikvm ~]# kvmd-htpasswd set <user> # Sets a new user with password
[root@pikvm ~]# kvmd-htpasswd list # Show the list of users
[root@pikvm ~]# kvmd-htpasswd del <user> # Removes/deletes a user
```

-----
## Two-factor authentication

This is a new method of strengthening the protection of PiKVM, available since `KVM >= 3.196`.
It is strongly recommended to enable it if you expose the PiKVM in the big and scary Internet.

!!! warning
    Using 2FA eliminates the possibility of using [IPMI](ipmi) and [VNC with vncauth](vnc) (both disabled by default).
    It also slightly affects the use of [API](api.md) and regular VNC with user/password, read below.

    Please note that 2FA does not concern the Linux OS access for the `root` user, so take care of a strong password
    for it for SSH access (or setup the [key access](https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server)).

??? example "Step by step: Enabling 2FA on PiKVM"

    1. Update OS and reboot:

        ```
        [root@pikvm ~]# rw
        [root@pikvm ~]# pacman -Syu
        [root@pikvm ~]# reboot
        ```

    2. **Make sure that NTP is running otherwise you will not be able to access** (`timedatectl` command).
        The timezone doesn't matter.

    3. Install the `Google Authenticator` app to your mobile device
        ([iOS](https://apps.apple.com/us/app/google-authenticator/id388497605),
        [Android](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2)). It will generate one-time access codes.

    4. Create a secret for one-time codes on PiKVM:
       ```
       [root@pikvm ~]# rw
       [root@pikvm ~]# kvmd-totp init
       [root@pikvm ~]# ro
       ```

    5. Run the `Google Authenticator` and scan the QR code.

    6. Now, on the PiKVM login page, you will need to add 6 digits to the `2FA code` field.

All Web UI users will be required to enter a one-time password on login.
In other words, **the secret is the same for all users**.

!!! note
    With 2FA for API or VNC authentication, you will need to append the one-time code to the password without spaces.
    That is, if the password is `foobar` and the code is `123456`, then you need to use `foobar123456` as the password.

To view the current QR code of the secret use command `kvmd-totp show`.

To disable 2FA and remove the secret, use command `kvmd-totp del`.
2fa 1 year ago			`# Authentication`

update 11 months ago			`PiKVM OS is based on a regular Linux system, so everything about authorization in this OS is also true for PiKVM.`
			`It comes with the following default passwords:`
2fa 1 year ago
			* Linux admin (SSH, console, etc.): user `root`, password `root`.
update 11 months ago			* PiKVM Web Interface, [API](api.md), [VNC](vnc.md)...: user `admin`, password `admin`, no 2FA code.
2fa 1 year ago
update 1 year ago			`These are two separate entities with independent accounts.`
2fa 1 year ago
update 11 months ago			Also there is another special Linux user: `kvmd-webterm`.
update 11 months ago			`It can't be used for login or remote access to PiKVM OS and has the non-privileged rights in the OS.`
update 11 months ago			Password access and `sudo` is disabled for it. It is used only for launching the Web Terminal.
update 11 months ago			`These restrictions are set for security reasons.`
update 11 months ago

			`-----`
			`## Root access in the Web Terminal`

update 11 months ago			As mentioned above, the Web Terminal runs under user `kvmd-webterm` with disabled `sudo` and password access.
update 11 months ago			However, most PiKVM administration commands require the `root` access.
update 11 months ago			To obtain it in the Web Terminal, type `su -` and then enter the `root` user password:
update 11 months ago
update 11 months ago			```console
update 11 months ago			`[kvmd-webterm@pikvm ~]$ su -`
			`...`
			`[root@pikvm kvmd-webterm]#`
			```

update 11 months ago			`??? tip "Disabling the Web Terminal"`
update 11 months ago
			`Sometimes the actual owner of a PiKVM device and the user who is allowed to use it are different people.`
			`So you may want to disable console access from the Web UI. To do this, use the following:`

			```
			`[root@pikvm ~]# rw`
			`[root@pikvm ~]# systemctl disable --now kvmd-webterm`
			`[root@pikvm ~]# ro`
			```

			`For your own access to PiKVM OS, you will still have SSH.`

update 11 months ago
			`-----`
update 1 year ago			`## Changing the Linux password`
2fa 1 year ago
			```
update 11 months ago			`[root@pikvm ~]# rw`
			`[root@pikvm ~]# passwd root`
			`[root@pikvm ~]# ro`
2fa 1 year ago			```

update 11 months ago
			`-----`
update 1 year ago			`## Changing the KVM password`
2fa 1 year ago
			```
update 11 months ago			`[root@pikvm ~]# rw`
			`[root@pikvm ~]# kvmd-htpasswd set admin`
			`[root@pikvm ~]# ro`
2fa 1 year ago			```

update 11 months ago			Please note that `admin` is a name of a default user. It is possible to create several different users
2fa 1 year ago			`with different passwords to access the Web UI, but keep in mind that they all have the same rights:`

			```
update 11 months ago			`[root@pikvm ~]# kvmd-htpasswd set <user> # Sets a new user with password`
			`[root@pikvm ~]# kvmd-htpasswd list # Show the list of users`
			`[root@pikvm ~]# kvmd-htpasswd del <user> # Removes/deletes a user`
2fa 1 year ago			```

update 11 months ago			`-----`
2fa 1 year ago			`## Two-factor authentication`

			This is a new method of strengthening the protection of PiKVM, available since `KVM >= 3.196`.
			`It is strongly recommended to enable it if you expose the PiKVM in the big and scary Internet.`

			`!!! warning`
update 11 months ago			`Using 2FA eliminates the possibility of using [IPMI](ipmi) and [VNC with vncauth](vnc) (both disabled by default).`
			`It also slightly affects the use of [API](api.md) and regular VNC with user/password, read below.`

			Please note that 2FA does not concern the Linux OS access for the `root` user, so take care of a strong password
			`for it for SSH access (or setup the [key access](https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server)).`

			`??? example "Step by step: Enabling 2FA on PiKVM"`
2fa 1 year ago
update 11 months ago			`1. Update OS and reboot:`
2fa 1 year ago
update 11 months ago			```
			`[root@pikvm ~]# rw`
			`[root@pikvm ~]# pacman -Syu`
			`[root@pikvm ~]# reboot`
			```
2fa 1 year ago
update 11 months ago			2. Make sure that NTP is running otherwise you will not be able to access (`timedatectl` command).
			`The timezone doesn't matter.`
2fa 1 year ago
update 11 months ago			3. Install the `Google Authenticator` app to your mobile device
			`([iOS](https://apps.apple.com/us/app/google-authenticator/id388497605),`
			`[Android](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2)). It will generate one-time access codes.`
2fa 1 year ago
update 11 months ago			`4. Create a secret for one-time codes on PiKVM:`
			```
			`[root@pikvm ~]# rw`
			`[root@pikvm ~]# kvmd-totp init`
			`[root@pikvm ~]# ro`
			```
2fa 1 year ago
update 11 months ago			5. Run the `Google Authenticator` and scan the QR code.
2fa 1 year ago
update 11 months ago			6. Now, on the PiKVM login page, you will need to add 6 digits to the `2FA code` field.
2fa 1 year ago
update 11 months ago			`All Web UI users will be required to enter a one-time password on login.`
			`In other words, the secret is the same for all users.`
update 1 year ago
2fa 1 year ago			`!!! note`
update 11 months ago			`With 2FA for API or VNC authentication, you will need to append the one-time code to the password without spaces.`
update 1 year ago			That is, if the password is `foobar` and the code is `123456`, then you need to use `foobar123456` as the password.
fix 1 year ago
update 11 months ago			To view the current QR code of the secret use command `kvmd-totp show`.
fix 1 year ago
update 11 months ago			To disable 2FA and remove the secret, use command `kvmd-totp del`.