Proxmox: Disable root@pam Login and Create a Sudo User

Out of the box, Proxmox VE only has the root@pam account. Logging in directly as root is convenient during initial setup, but it is a bad habit to keep. This post walks through creating a named PAM user, granting it sudo access, and then disabling root login via both SSH and the web UI.

Authentication Realms: @pam vs @pve

The @ suffix in Proxmox usernames is not cosmetic -- it identifies which authentication realm validates the password.

@pam -- Linux Pluggable Authentication Modules. Proxmox delegates the password check to the host operating system. The user must exist as a real UNIX account in /etc/passwd. Password changes happen with passwd on the shell. SSH login uses the same credentials. This is the realm for admin accounts that also need shell access.

@pve -- Proxmox Virtual Environment internal realm. Passwords are stored in Proxmox's own database (/etc/pve/priv/shadow.cfg), completely separate from the OS. The user has no UNIX account and cannot SSH in. This is the right realm for giving colleagues or tenants web UI access without touching the OS user database.

@ldap / @ad -- Optional realms for binding to an LDAP directory or Active Directory. Not covered here.

Realm   Password stored            SSH access   UNIX account required
@pam    Linux PAM (/etc/shadow)    Yes          Yes
@pve    Proxmox internal DB        No           No

For the admin account in this guide we use @pam because we also want sudo and SSH access.

Why Bother

  • Audit logs become meaningful. root in auth logs could be anyone; dave is traceable.
  • SSH brute-force tools target root first. Disabling it removes the most-attacked entry point.
  • Sudo with NOPASSWD for specific commands is still safer than a permanent root shell.

1. Install sudo

Proxmox minimal installs may not include sudo:

apt update && apt install -y sudo

2. Create the System User

Log in as root on the Proxmox host (via console or SSH) and add the new UNIX account:

useradd -m -s /bin/bash dave
passwd dave

-m creates a home directory. Set a strong password when prompted.

3. Grant sudo Access

Add dave to the sudo group, which is already configured in /etc/sudoers to allow full sudo:

usermod -aG sudo dave

To verify the group membership took effect:

id dave

You should see sudo in the groups list.

4. Register the User in Proxmox

Proxmox has its own user database separate from the Linux PAM database. The @pam realm bridges them, but you still need to add the user in the Proxmox layer.

Via the web UI: Datacenter > Permissions > Users > Add

  • User: dave
  • Realm: pam
  • Enable: checked

Via the CLI:

pveum user add dave@pam

5. Assign a Proxmox Role

The user needs at least one permission to do anything useful. For a full admin, assign the built-in Administrator role at the root path /:

pveum acl modify / --users dave@pam --roles Administrator

For a more restricted setup, use PVEAdmin (everything except node-level config) or define a custom role.
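Steps 1 to 5 collected into one idempotent script, as an added example that is not part of the original post. It assumes a Debian-based Proxmox host with pveum on the path and is run as root; the username check, the /etc/sudoers check and the PVE_APPLY guard are my additions, and nothing on the system is touched unless PVE_APPLY=1 is set, so the file can be sourced to exercise the helpers first.

```shell
#!/bin/sh
# Added example (not from the original post): create a named @pam admin on a
# Proxmox VE host in one idempotent pass. Runs as root. Requires pveum.
# Nothing below changes the system unless PVE_APPLY=1 is set.
set -eu
export LC_ALL=C   # make [a-z] mean ASCII lowercase regardless of the host locale

# Portable UNIX username rules as enforced by useradd's default check:
# starts with a lowercase letter or underscore, then [a-z0-9_-], at most 32 chars.
username_ok() {
    case "$1" in
        ''|*[!a-z0-9_-]*|[!a-z_]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Does a sudoers file grant the sudo group full sudo (Debian's default line is
# "%sudo ALL=(ALL:ALL) ALL")? Takes a path so it can be checked against a
# constructed file as well as /etc/sudoers.
sudoers_grants_sudo_group() {
    grep -Eq '^[[:space:]]*%sudo[[:space:]]+ALL=\(ALL(:ALL)?\)[[:space:]]+ALL' "$1"
}

provision_admin() {
    user="$1"
    username_ok "$user" || { echo "invalid username: $user" >&2; return 1; }

    # Step 1: sudo may be absent on minimal installs.
    command -v sudo >/dev/null 2>&1 || { apt-get update && apt-get install -y sudo; }
    sudoers_grants_sudo_group /etc/sudoers \
        || { echo "/etc/sudoers does not grant the sudo group" >&2; return 1; }

    # Step 2: create the UNIX account only if it does not already exist.
    if ! id "$user" >/dev/null 2>&1; then
        useradd -m -s /bin/bash "$user"
        passwd "$user"        # interactive: set a strong password here
    fi

    # Step 3: sudo group membership, then verify it took effect.
    usermod -aG sudo "$user"
    id -nG "$user" | tr ' ' '\n' | grep -qx sudo \
        || { echo "$user is not in the sudo group" >&2; return 1; }

    # Step 4: register the account in the Proxmox user DB (@pam realm);
    # skip if it is already listed.
    pveum user list --output-format json | grep -q "\"userid\" *: *\"$user@pam\"" \
        || pveum user add "$user@pam"

    # Step 5: full admin on /. Use PVEAdmin here for a more restricted setup.
    pveum acl modify / --users "$user@pam" --roles Administrator
}

if [ "${PVE_APPLY:-0}" = 1 ]; then
    provision_admin "${1:-dave}"
fi
```

Run it as `PVE_APPLY=1 sh provision-admin.sh dave` from an existing root session; every step is safe to repeat, so a failure half-way can be retried after fixing the cause.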

6. Test the New Account

Before locking out root, confirm the new account works end to end:

  1. Open a new terminal (do not close the existing root session).
  2. SSH in as dave:

    ssh dave@<proxmox-ip>

  3. Confirm sudo works:

    sudo -i

  4. Log in to the Proxmox web UI at https://<proxmox-ip>:8006 as dave@pam.

Do not proceed to the next step until all three checks (SSH, sudo, web UI) work.

7. Disable root SSH Login

Edit /etc/ssh/sshd_config:

sudo nano /etc/ssh/sshd_config

Find or add the following line:

PermitRootLogin no

Reload SSH without dropping existing connections:

sudo systemctl reload sshd

Verify by attempting ssh root@<proxmox-ip> -- it should now be refused.
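"Find or add the following line" has a trap: sshd takes the first value it sees for a keyword, and Debian's sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in placed there silently wins over a line added at the bottom of the main file. The script below is an added example, not part of the original post: it resolves the effective value the way sshd does, then applies the setting through a drop-in of my own naming (00-no-root-login.conf) instead of editing sshd_config in place, validates the configuration and reloads. It assumes the Debian layout just described.

```shell
#!/bin/sh
# Added example (not from the original post): resolve the effective sshd setting the
# way sshd does (first match wins, Include expanded in place, Match ends the global
# section), then apply PermitRootLogin no via a drop-in and validate before reloading.
# Assumes /etc/ssh/sshd_config starts with "Include /etc/ssh/sshd_config.d/*.conf"
# (Debian layout). The drop-in file name is my choice.
set -eu

# effective_sshd_option CONFIG KEY -> prints the first value sshd would use, or returns 1.
effective_sshd_option() {
    local cfg="$1" want line k f
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')      # sshd keywords are case-insensitive
    [ -r "$cfg" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                          # drop comments
        set -- $line                                # split words; globs in Include args expand here
        [ $# -ge 2 ] || continue
        k=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
        case "$k" in
            include)
                shift
                for f in "$@"; do                   # glob-sorted order, as sshd processes them
                    [ -f "$f" ] && effective_sshd_option "$f" "$want" && return 0
                done ;;
            match) break ;;                         # lines after Match are conditional, not global
            "$want") printf '%s\n' "$2"; return 0 ;;
        esac
    done < "$cfg"
    return 1
}

# Write the drop-in (00- sorts before vendor files, so it is seen first), check, reload.
disable_root_ssh() {
    local dropin="${1:-/etc/ssh/sshd_config.d/00-no-root-login.conf}"
    printf 'PermitRootLogin no\n' > "$dropin"
    sshd -t                          # refuse to reload a syntactically broken config
    systemctl reload ssh             # Debian unit name; sshd is an alias for it
    # Authoritative check: sshd -T prints the fully resolved configuration.
    [ "$(sshd -T | awk '$1 == "permitrootlogin" { print $2 }')" = no ]
}

if [ "${PVE_APPLY:-0}" = 1 ]; then
    before=$(effective_sshd_option /etc/ssh/sshd_config PermitRootLogin \
             || echo 'unset (OpenSSH default: prohibit-password)')
    echo "before: PermitRootLogin $before"
    disable_root_ssh
    echo "after:  PermitRootLogin $(effective_sshd_option /etc/ssh/sshd_config PermitRootLogin)"
fi
```

Whatever method you use to edit the file, `sudo sshd -T | grep -i permitrootlogin` is the check that reflects what the daemon will actually enforce after the reload. One caveat for clustered hosts: Proxmox nodes talk to each other over key-based root SSH, so on a cluster member use `PermitRootLogin prohibit-password` (keys allowed, passwords refused) rather than `no`.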

8. Disable root@pam in the Proxmox Web UI

Even with SSH root login disabled, root@pam can still authenticate through the Proxmox web UI. To disable it:

Via the web UI: Datacenter > Permissions > Users > select root > Edit > uncheck Enable

Via the CLI:

pveum user modify root@pam --enable 0

This does not delete root or change anything at the Linux level. It only prevents login through the Proxmox authentication stack.

Note: The Linux root account remains intact. You can always recover it from the physical console or by re-enabling root@pam through the CLI as your admin user with sudo.

Verification Checklist

Check                 Command                          Expected result
dave SSH login        ssh dave@<ip>                    Login prompt
dave sudo             sudo -i                          Root shell
dave web UI           Browser: https://<ip>:8006       Logged in as dave@pam
root SSH blocked      ssh root@<ip>                    Permission denied
root web UI blocked   Browser: log in as root@pam      Login rejected

Summary

Step                                     What it does
apt install sudo                         Ensures sudo is present
useradd                                  Creates the Linux PAM account
usermod -aG sudo                         Grants full sudo via the sudo group
pveum user add                           Registers the account in Proxmox
pveum acl modify                         Assigns a Proxmox role
PermitRootLogin no                       Blocks root SSH
pveum user modify root@pam --enable 0    Blocks root Proxmox web UI login
