On 2/7/20 9:09 PM, Frederico F. Siena wrote: > I created a group, user and role for the specific purpose of access in > kiosk mode via spice using the script > "/usr/share/doc/pve-manager/examples/spice-example-sh". It's working > perfectly, but if a bad user intends to change the password set via the web > gui, he can then, how to block the password change of a @pve user? > I looked at the format in /etc/pve/user.cfg and the pveum options, and > found no way to block the password change.
A user can always change it's own password, that's by design and cannot be avoided. Either: * create a user for each kiosk, add them to the respective group for permissions, this way the bad user can only change their password, not affecting others * use API token for access, those are really new, packages with support for them are only in pvetest, and docs/user interface still need to be finished. But, they would allow to generate one, or better, multiple API tokens which cannot change the password of their underlying user. hope that helps, cheers, Thomas _______________________________________________ pve-devel mailing list pve-devel@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
