[GH-ISSUE #156] Weird OTP problem #82

Closed
opened 2026-02-27 15:46:19 +03:00 by kerem · 12 comments

Originally created by @addelovein on GitHub (Jan 24, 2024).
Original GitHub issue: https://github.com/proxmoxer/proxmoxer/issues/156

Originally assigned to: @jhollowe on GitHub.

Most likely I'm doing something wrong...

```
import proxmoxer
username = "user@pve"
passwd = "pass123"
totp=639359
print( username, passwd, totp )
proxmox = proxmoxer.ProxmoxAPI(
                    host="MYHOST",
                    user=username,
                    password=passwd,
                    otp=totp,
                    verify_ssl=True,
                    port=443
                )
print(proxmox.get("cluster/options"))
```

**Returns**

```
proxmoxer.core.AuthenticationError: Couldn't authenticate user: user@pve to https://MYHOST:443/api2/json/access/ticket
```

If I remove OTP and try a user without TFA... It logs in.
The user that fails can log in directly to proxmox using OTP
The failing user works if I remove TFA from proxmox and OTP here...

Am I missing something? Going a bit crazy here....


@addelovein commented on GitHub (Jan 24, 2024):

```
  File "c:\Users\AddeLovein\source\repos\pveclient\test.py", line 6, in <module>
    proxmox = proxmoxer.ProxmoxAPI(
              ^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\AddeLovein\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.12_qbz5n2kfra8p0\LocalCache\local-packages\Python312\site-packages\proxmoxer\core.py", line 210, in __init__
    self._backend = importlib.import_module(f".backends.{backend}", "proxmoxer").Backend(
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "C:\Users\AddeLovein\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.12_qbz5n2kfra8p0\LocalCache\local-packages\Python312\site-packages\proxmoxer\backends\https.py", line 302, in __init__
    self.auth = ProxmoxHTTPAuth(
                ^^^^^^^^^^^^^^^^
  File "C:\Users\AddeLovein\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.12_qbz5n2kfra8p0\LocalCache\local-packages\Python312\site-packages\proxmoxer\backends\https.py", line 59, in __init__
    self._get_new_tokens(password=password, otp=otp)
  File "C:\Users\AddeLovein\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.12_qbz5n2kfra8p0\LocalCache\local-packages\Python312\site-packages\proxmoxer\backends\https.py", line 77, in _get_new_tokens
    raise AuthenticationError(
proxmoxer.core.AuthenticationError: Couldn't authenticate use
```

@jhollowe commented on GitHub (Jan 24, 2024):

Please try having the OTP be a ~~strong~~string rather than an integer. I don't know if that is the issue, but I think it might be.


@addelovein commented on GitHub (Jan 24, 2024):

> strong

Same issue if I declare totp with totp="292695"


@jhollowe commented on GitHub (Jan 27, 2024):

Can you look at the network traffic in your browser and see what data the api2/json/access/ticket request has?


@addelovein commented on GitHub (Jan 27, 2024):

You mean when I log in to proxmox via browser?

### First ticket:

**Request**

```
username: adde
password: test123
realm: pve
new-format: 1
```

**Response**

```
{
    "success": 1,
    "data": {
        "ticket": "PVE:!tfa!{\"totp\"%3Atrue}:***********::JElr2K5oW2*************************BbxjQsa/HvhIfYrfoe*********************ULU57YW1S9pvD417VesGsKWLMLnXllg9CKSO9k*****************lSLEu7OUikT78mZ56JIIMw1IMyUXBV35+TpkR0wyZ0Lb28VpAnsFOABOqd5vZGT1e7N1ZJEx7QEXDBSqH7vhnSu0Qk1CSUQQfgyOy0V/x1GLQqLbj0jF3elamU69KiR*************************g==",
        "username": "adde@pve",
        "NeedTFA": 1,
        "CSRFPreventionToken": "65B4DD50:URrwhOOq+7tWqbOsBW6Xg2EJ3yn24R05XRqV9PpsOTc"
    }
}
```

### Second Ticket (The Real Authentication)

**Request**

```
username: adde@pve
tfa-challenge: PVE:!tfa!{"totp"%3Atrue}:***********::JElr2K5oW2*************************BbxjQsa/HvhIfYrfoe*********************ULU57YW1S9pvD417VesGsKWLMLnXllg9CKSO9k*****************lSLEu7OUikT78mZ56JIIMw1IMyUXBV35+TpkR0wyZ0Lb28VpAnsFOABOqd5vZGT1e7N1ZJEx7QEXDBSqH7vhnSu0Qk1CSUQQfgyOy0V/x1GLQqLbj0jF3elamU69KiR*************************g=="
password: totp:473543
```

**Response**

Authenticated.....

That should be enough data ;-)


@jhollowe commented on GitHub (Jan 31, 2024):

I'm not sure. You might try asking in the proxmox forums how to pass OTP values to the api2/json/access/ticket API endpoint. proxmoxer does not do the two-step OTP process and instead just passes the username, password, and OTP all in one request. This may be no longer supported by the Proxmox auth layer and we may need to adjust the login flow if an OTP value is provided.


@addelovein commented on GitHub (Jan 31, 2024):

It sure is supported, this code works... Just wrote it based off how proxmox itself authenticates its webui...

```
import sys
import requests

pvehost = "pve.yourdomain.se"
pveport = "8006"
username = "adde"
password = "test123"
realm = "pve"

headers = {'Content-Type': 'application/x-www-form-urlencoded'}

# Step one: username + password. For a TFA account the reply carries a
# challenge ticket ("PVE:!tfa!...") and NeedTFA, not a usable session.
data = {"realm": realm, "username": username, "password": password, "new-format": 1}
print("\nSending Payload: ", data)  # debug output, includes the password
r = requests.post(f'https://{pvehost}:{pveport}/api2/json/access/ticket', headers=headers, data=data, verify=True)
if r.status_code != 200:
    print("Auth Failed at Step One, cant proceed with OTP")
    sys.exit(1)

# Parse the JSON body directly instead of rewriting quotes by hand
jsondata = r.json()
print("RESPONSE: ", jsondata['data'])

ticket = jsondata['data']['ticket']
code = input("\n\tEnter your value: ")

# Step two: send the challenge ticket back with the code as "totp:<code>"
totp = {"tfa-challenge": ticket, "username": username, "password": f"totp:{code}", "realm": realm}

print("\nSending Payload: ", totp)
r2 = requests.post(f'https://{pvehost}:{pveport}/api2/json/access/ticket', headers=headers, data=totp, verify=True)

if r2.status_code == 200:
    print("Auth Success: ", r2.json())
else:
    # The error body may not be JSON, so print it raw
    print("Auth Failed: ", r2.status_code, r2.text)
```
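An offline model of the two-step ticket exchange discussed in this thread, added here as an example; it is not part of the original comment, not proxmoxer's code and not the change in #158. The `post` transport, `fake_pve` and the sample accounts are constructed for illustration, the form fields are taken from the browser trace above, and it assumes six-digit codes and that a reply without `NeedTFA` is already the final ticket.

```python
# Added example, not proxmoxer code. `post` is a hypothetical transport:
# post(form) -> the "data" object of the JSON reply, or None if rejected.

def normalize_otp(otp):
    """Return a six-digit string; an int silently drops a leading zero."""
    code = str(otp).strip()
    if isinstance(otp, int):
        code = code.zfill(6)          # assumption: six-digit codes
    if not (code.isdigit() and len(code) == 6):
        raise ValueError("OTP must be six digits")
    return code

def login(post, username, realm, password, otp=None):
    first = post({"username": username, "realm": realm,
                  "password": password, "new-format": 1})
    if first is None:
        raise PermissionError("password step rejected")
    if not first.get("NeedTFA"):
        return first                  # account without TFA: ticket is final
    if otp is None:                   # a "!tfa!" ticket is only a challenge
        raise PermissionError("TFA required but no OTP supplied")
    second = post({"username": first["username"],
                   "tfa-challenge": first["ticket"],
                   "password": "totp:" + normalize_otp(otp)})
    if second is None or second.get("NeedTFA"):
        raise PermissionError("TOTP step rejected")
    return second

# Constructed sample accounts and a fake ticket endpoint for offline runs.
SAMPLE_ACCOUNTS = {"adde@pve": {"password": "test123", "totp": "047354"},
                   "plain@pve": {"password": "pw"}}

def fake_pve(accounts):
    def post(form):
        if "tfa-challenge" in form:   # second step: challenge + "totp:<code>"
            acct = accounts.get(form["username"], {})
            ok = (acct.get("totp")
                  and form["tfa-challenge"] == "PVE:!tfa!SAMPLE"
                  and form["password"] == "totp:" + acct["totp"])
            return {"username": form["username"], "ticket": "PVE:SAMPLE"} if ok else None
        userid = form["username"] + "@" + form["realm"]
        acct = accounts.get(userid)
        if acct is None or acct["password"] != form["password"]:
            return None
        reply = {"username": userid, "ticket": "PVE:SAMPLE"}
        if acct.get("totp"):          # password ok, second factor still owed
            reply.update(ticket="PVE:!tfa!SAMPLE", NeedTFA=1)
        return reply
    return post
```
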


@addelovein commented on GitHub (Feb 17, 2024):

No response on this at all?


@jpattWPC commented on GitHub (Feb 18, 2024):

I added #158 to address this on the HTTPS backend. Please let me know if this can be merged into a release.


@jhollowe commented on GitHub (Feb 22, 2024):

@addelovein sorry for the slow response, this fell off my radar.

Thanks @jpattWPC for the PR!

I've started a thread in the PVE forums to see if the single request flow is still supported or if this needs to move to the two-step flow:
https://forum.proxmox.com/threads/single-post-auth-with-otp-no-longer-supported.141830/


@addelovein commented on GitHub (Mar 24, 2024):

I posted a working example...


@jpattWPC commented on GitHub (Mar 24, 2024):

I'm waiting on PR acceptance from the proxmoxer repo, you're correct that 2
step auth is now required. I submitted a PR to fix this issue in the
proxmoxer repo.

On Sun, Mar 24, 2024, 6:55 PM Adde Lovein @.***> wrote:

> I posted a working example...

