Out of the box, Proxmox VE only has the root@pam account. Logging in directly as root is convenient during initial setup, but it is a bad habit to keep. This post walks through creating a named PAM user, granting it sudo access, and then disabling root login via both SSH and the web UI.
Authentication Realms: @pam vs @pve
The @ suffix in Proxmox usernames is not cosmetic -- it identifies which authentication realm validates the password.
@pam -- Linux Pluggable Authentication Modules. Proxmox delegates the password check to the host operating system. The user must exist as a real UNIX account in /etc/passwd. Password changes happen with passwd on the shell. SSH login uses the same credentials. This is the realm for admin accounts that also need shell access.
@pve -- Proxmox Virtual Environment internal realm. Passwords are stored in Proxmox's own database (/etc/pve/priv/shadow.cfg), completely separate from the OS. The user has no UNIX account and cannot SSH in. This is the right realm for giving colleagues or tenants web UI access without touching the OS user database.
@ldap / @ad -- Optional realms for binding to an LDAP directory or Active Directory. Not covered here.
| Realm | Password stored | SSH access | UNIX account required |
| --- | --- | --- | --- |
| @pam | Linux PAM (/etc/shadow) | Yes | Yes |
| @pve | Proxmox internal DB | No | No |
For the admin account in this guide we use @pam because we also want sudo and SSH access.
Why Bother
- Audit logs become meaningful. root in auth logs could be anyone; dave is traceable.
- SSH brute-force tools target root first. Disabling it removes the most-attacked entry point.
- Sudo with NOPASSWD for specific commands is still safer than a permanent root shell.
1. Install sudo
Proxmox minimal installs may not include sudo:
apt update && apt install -y sudo
2. Create the System User
Log in as root on the Proxmox host (via console or SSH) and add the new UNIX account:
useradd -m -s /bin/bash dave
passwd dave
-m creates a home directory. Set a strong password when prompted.
3. Grant sudo Access
Add dave to the sudo group, which is already configured in /etc/sudoers to allow full sudo:
To verify the group membership took effect:
You should see sudo in the groups list.
4. Register the User in Proxmox
Proxmox has its own user database separate from the Linux PAM database. The @pam realm bridges them, but you still need to add the user in the Proxmox layer.
Via the web UI: Datacenter > Permissions > Users > Add
- User: dave
- Realm: pam
- Enable: checked
Via the CLI:
5. Assign a Proxmox Role
The user needs at least one permission to do anything useful. For a full admin, assign the built-in Administrator role at the root path /:
pveum acl modify / -user dave@pam -role Administrator
For a more restricted setup, use PVEAdmin (everything except node-level config) or define a custom role.
6. Test the New Account
Before locking out root, confirm the new account works end to end:
- Open a new terminal (do not close the existing root session).
- SSH in as dave:
  ssh dave@<proxmox-ip>
- Confirm sudo works:
  sudo -i
- Log in to the Proxmox web UI at https://<proxmox-ip>:8006 as dave@pam.
Do not proceed to the next step until all three work.
7. Disable root SSH Login
Edit /etc/ssh/sshd_config:
sudo nano /etc/ssh/sshd_config
Find or add the following line:
Reload SSH without dropping existing connections:
sudo systemctl reload sshd
Verify by attempting ssh root@<proxmox-ip> -- it should now be refused.
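The edit in step 7 only takes effect if nothing read earlier already sets the same keyword. The following is an added example, not part of the original post, that reports which PermitRootLogin value applies globally; the function names and the constructed sample files are hypothetical, and it assumes the caller passes the files in the order sshd reads them.

```shell
#!/bin/sh
# Added example, not from the original post. sshd keeps the FIRST value it
# reads for a keyword, so a "PermitRootLogin no" placed after an earlier
# setting (or after an Include that already set it) has no effect.

# Usage: effective_permit_root_login FILE...
# Assumption: the caller lists the files in the order sshd reads them;
# Include directives are not expanded here.
effective_permit_root_login() {
    for f in "$@"; do                 # rebuild "$@" with readable files only
        shift
        if [ -r "$f" ]; then set -- "$@" "$f"; fi
    done
    if [ "$#" -eq 0 ]; then echo prohibit-password; return 0; fi
    awk '
        { sub(/#.*/, ""); sub(/^[ \t]+/, "")      # strip comment and indent
          sub(/[ \t]*=[ \t]*|[ \t]+/, " ") }      # "Key=val" becomes "Key val"
        FNR == 1 { global = 1 }                   # each file starts in global scope
        tolower($1) == "match" { global = 0 }     # Match blocks are conditional
        global && tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "prohibit-password" }   # OpenSSH default
    ' "$@"
}

# Succeeds only when root SSH login is fully disabled ("no");
# prohibit-password still lets root in with a key.
root_ssh_login_blocked() {
    [ "$(effective_permit_root_login "$@")" = "no" ]
}

# Constructed sample files, not taken from a real host.
demo_dir=$(mktemp -d)
printf '%s\n' 'PermitRootLogin yes' > "$demo_dir/10-constructed.conf"
printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' \
    '#PermitRootLogin prohibit-password' \
    'PasswordAuthentication yes' \
    'PermitRootLogin no' > "$demo_dir/sshd_config"

# Main file alone resolves to "no"; with the drop-in read first, "yes" wins.
echo "main file only: $(effective_permit_root_login "$demo_dir/sshd_config")"
echo "drop-in first:  $(effective_permit_root_login \
    "$demo_dir/10-constructed.conf" "$demo_dir/sshd_config")"
```

On a live host, `sudo sshd -T | grep -i permitrootlogin` prints the value sshd itself resolved, Include files included.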
8. Disable root@pam in the Proxmox Web UI
Even with SSH root login disabled, root@pam can still authenticate through the Proxmox web UI. To disable it:
Via the web UI: Datacenter > Permissions > Users > select root > Edit > uncheck Enable
Via the CLI:
pveum user modify root@pam --enable 0
This does not delete root or change anything at the Linux level. It only prevents login through the Proxmox authentication stack.
Note: The Linux root account remains intact. You can always recover it from the physical console or by re-enabling root@pam through the CLI as your admin user with sudo.
Verification Checklist
| Check | Command | Expected Result |
| --- | --- | --- |
| dave SSH login | ssh dave@<ip> | Login prompt |
| dave sudo | sudo -i | Root shell |
| dave web UI | Browser https://<ip>:8006 | Logged in as dave@pam |
| root SSH blocked | ssh root@<ip> | Permission denied |
| root web UI blocked | Browser login as root@pam | Login rejected |
Summary
| Step | What It Does |
| --- | --- |
| useradd | Creates the Linux PAM account |
| apt install sudo | Ensures sudo is present |
| usermod -aG sudo | Grants full sudo via the sudo group |
| pveum user add | Registers the account in Proxmox |
| pveum acl modify | Assigns a Proxmox role |
| PermitRootLogin no | Blocks root SSH |
| pveum user modify root@pam --enable 0 | Blocks root Proxmox web UI login |