Error after enabling TFA in Proxmox host #36

Closed
oezh opened this issue Jul 17, 2020 · 16 comments
@oezh

oezh commented Jul 17, 2020

cv4pve-autosnap was working flawlessly until 2FA was enabled. It's running from a local machine inside the same network.

Here is the command and the result:

cv4pve-autosnap --host=10.0.1.1 --username=root@pam --password=PASSWORD --vmid="100" snap --label='mediodía' --keep=1 --debug

Method: POST, Url: https://10.0.1.1:8006/api2/json/access/ticket
Parameters:
password : PASSWORD
username : root
realm : pam
StatusCode: OK
ReasonPhrase: OK
IsSuccessStatusCode: True
{
"data": {
"clustername": "Cluster",
"NeedTFA": 1,
"username": "root@pam",
"CSRFPreventionToken": "5F11EA78:aSSo+iNEUzoVR4xrBagTdHqdBdRAKXiXSxjUqmD5u80",
"ticket": "PVE:tfa!root@pam:5F11EA78::iOsiFA3xER3OncdByrFziOwnefCm92JDWKoQU4/vbDO0Fu0S1s+tbBRud/k8wXd7DesBjoyL7z5jUKHizPMtEjUIS0b06sgeXtbbK/V7tN/FdGEPeQ357tI8wymLeoTAfwCL1UruSyl6jczDE1x3kTAwDOdRsa/jXZc7clLT1+rgIL32EsTob8swtgo883QgSglfhaXFspfvDRjvVF9L8XsCa3ofPPJlnL8kvw5EadebUnzFCRFamALczAHsBAmKrAqt/eoWW+v0VKb3BDb1h8L6rA2zhz/Ic3r+O/iYKj2cy0opNZQUN0mWIPOqwUCmhAK1rSY/C9MyUXtZupZaew=="
}
}

ACTION Snap
VMs: 100
Label: mediodia
Keep: 1
State: False
Phase: snap-job-start
Method: GET, Url: https://10.0.1.1:8006/api2/json/cluster/resources?type=vm
StatusCode: Unauthorized
ReasonPhrase: No ticket
IsSuccessStatusCode: False
null

================ EXCEPTION ================
Microsoft.CSharp.RuntimeBinder.RuntimeBinderException
'System.Dynamic.ExpandoObject' does not contain a definition for 'data'
at CallSite.Target(Closure , CallSite , Object )
at System.Dynamic.UpdateDelegates.UpdateAndExecute1[T0,TRet](CallSite site, T0 arg0)
at Corsinvest.ProxmoxVE.Api.Extension.VM.ClientExtension.GetVMs(PveClient client)
at Corsinvest.ProxmoxVE.Api.Extension.VM.ClientExtension.GetVMs(PveClient client, String jolly)
at Corsinvest.ProxmoxVE.AutoSnap.Commands.Snap(String vmIdsOrNames, String label, Int32 keep, Boolean state)
at Corsinvest.ProxmoxVE.AutoSnap.ShellCommands.<>c__DisplayClass6_1.b__1()
at McMaster.Extensions.CommandLineUtils.CommandLineApplication.<>c__DisplayClass144_0.b__0(CancellationToken _)
at McMaster.Extensions.CommandLineUtils.CommandLineApplication.ExecuteAsync(String[] args, CancellationToken cancellationToken)
at McMaster.Extensions.CommandLineUtils.CommandLineApplication.Execute(String[] args)
at Corsinvest.ProxmoxVE.Api.Extension.Helpers.Shell.ShellHelper.ExecuteConsoleApp(CommandLineApplication app, TextWriter stdOut, String[] args)

@franklupo
Member

Hi,
2FA is not supported

@franklupo
Member

Hi,
Which version of Proxmox VE are you using?

@oezh
Author

oezh commented Jul 22, 2020

6.2-10

@franklupo
Member

My idea is to add a new parameter, --api-token

@oezh
Author

oezh commented Jul 22, 2020

Excellent. I'm no developer, but if you need some testing, let me know.

franklupo added a commit that referenced this issue Jul 23, 2020
@franklupo
Member

> Excellent. I'm no developer, but if you need some testing, let me know.

Test the latest release: https://github.com/Corsinvest/cv4pve-autosnap/releases/tag/v1.9.2
New parameter: --api-token

@oezh
Author

oezh commented Jul 24, 2020

What format should I use for --api-token? The example format in README.md, using my own API token, gave me the error: "app=XXXXXXX: event not found"

@franklupo
Member

franklupo commented Jul 24, 2020

Hi,
The format is USER@REALM!TOKENID=UUID,
e.g. "root@pam!app=8a8c1cd4-d373-43f1-b366-05ce4cb8061f"

"app" is an example TokenId. You can use any name.

@oezh
Copy link
Author

oezh commented Jul 24, 2020

I created an API token via the web interface for user root, with Token ID = "app", Privilege Separation = "unchecked" and expire = "never".
Then I ran this command:

cv4pve-autosnap --host=10.0.1.1 --api-token=root@pam!app=85725905-39f9-4510-920c-fff1435cea74 --vmid="100" snap --label='test' --keep=1 --verbose

And I get this error:
-bash: !app=85705905: event not found

Is my command wrong?

@franklupo
Member

Execute with --debug and attach output

Best regards

@franklupo
Member

franklupo commented Jul 25, 2020

> I created an API token via the web interface for user root, with Token ID = "app", Privilege Separation = "unchecked" and expire = "never".
> Then I ran this command:
>
> cv4pve-autosnap --host=10.0.1.1 --api-token=root@pam!app=85725905-39f9-4510-920c-fff1435cea74 --vmid="100" snap --label='test' --keep=1 --verbose
>
> And I get this error:
> -bash: !app=85705905: event not found
>
> Is my command wrong?

Quote the --api-token value

@oezh
Author

oezh commented Jul 26, 2020

Here are 3: no quotes, double quotes and single quotes. --debug activated:

```
# cv4pve-autosnap --host=10.0.1.1 --api-token=root@pam!app=85705905-39f9-4110-970c-fff0435cea74 --vmid="100" snap --label='test' --keep=1 --debug
-bash: !app=85705905: event not found

cv4pve-autosnap --host=10.0.1.1 --api-token="root@pam!app=85705905-39f9-4110-970c-fff0435cea74" --vmid="100" snap --label='test' --keep=1 --debug
-bash: !app=85705905: event not found

cv4pve-autosnap --host=10.0.1.1 --api-token='root@pam!app=85705905-39f9-4110-970c-fff0435cea74' --vmid="100" snap --label='test' --keep=1 --debug
Specify --help for a list of available options and commands.
Unrecognized option '--api-token=root@pam!app=85705905-39f9-4110-970c-fff0435cea74'
```

@oezh
Author

oezh commented Jul 26, 2020

OK, I got it to run. For some reason, cv4pve-autosnap was not being updated with the downloaded version. I had to replace it manually in /usr/bin and /usr/local/bin, and now it works. It works with single quotes around the --api-token value. Now I'm going to re-enable TFA and will let you know. Thanks!!
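
Added example, not part of the thread or of cv4pve-autosnap: in interactive bash, `!` starts history expansion even inside double quotes, which is what produces "event not found" above, while single quotes suppress it. The sketch below checks a token against the USER@REALM!TOKENID=UUID format given in the thread and reads it from a private file so it never has to be typed at the prompt; the function names and the token-file approach are assumptions.

```shell
#!/bin/sh
# Added example: validate a Proxmox VE API token (USER@REALM!TOKENID=UUID)
# and load it from a private file instead of typing it at the prompt.
# Function names and the token-file idea are assumptions, not cv4pve-autosnap code.

bang='!'   # kept in a variable so this file can also be pasted into interactive bash

# parse_pve_token TOKEN -> prints "user realm tokenid uuid", returns 1 if malformed
parse_pve_token() {
    tok=$1
    case $tok in
        *@*"$bang"*=*) ;;               # needs '@', then '!', then '='
        *) return 1 ;;
    esac
    userid=${tok%%"$bang"*}             # USER@REALM
    rest=${tok#*"$bang"}                # TOKENID=UUID
    user=${userid%@*}
    realm=${userid##*@}
    tokenid=${rest%%=*}
    uuid=${rest#*=}
    [ -n "$user" ] && [ -n "$realm" ] && [ -n "$tokenid" ] || return 1
    # the secret part must be a UUID: 8-4-4-4-12 hex digits
    printf '%s\n' "$uuid" | grep -Eq \
        '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' || return 1
    printf '%s %s %s %s\n' "$user" "$realm" "$tokenid" "$uuid"
}

# load_token_file PATH -> prints the token; refuses files accessible by group/other
load_token_file() {
    f=$1
    [ -f "$f" ] || return 1
    perms=$(ls -ld -- "$f" | cut -c5-10)    # group and other permission bits
    if [ "$perms" != "------" ]; then
        echo "refusing $f: accessible by group or other (chmod 600)" >&2
        return 1
    fi
    tok=$(cat -- "$f")
    parse_pve_token "$tok" >/dev/null || return 1
    printf '%s\n' "$tok"
}
```

With the functions sourced, the thread's command becomes `cv4pve-autosnap --host=10.0.1.1 --api-token="$(load_token_file ~/.pve-token)" --vmid="100" snap --label='test' --keep=1`, where `~/.pve-token` is a hypothetical path; command substitution is not subject to history expansion and the secret stays out of shell history. The token is still visible in the process's argument list while the tool runs.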

@oezh
Author

oezh commented Jul 26, 2020

If using Privilege Separation, which permissions should I enable? I enabled VM.snapshot and path /vms but it is not working.

@franklupo
Member

You have to try from the web interface.

@cheechmarino

> If using Privilege Separation, which permissions should I enable? I enabled VM.snapshot and path /vms but is not working

Try VM.Audit and VM.Snapshot
