user management: clarify that password changes for PAM realm only apply to local node

Reported in the community forum: https://forum.proxmox.com/threads/158518/ Signed-off-by: Fiona Ebner <f.ebner@proxmox.com>
2025-04-28 04:35:36 +00:00 · 2024-12-04 12:37:08 +01:00 · 2024-12-04 12:37:08 +01:00 · 2ad2c765e9
commit 2ad2c765e9
parent 5107b302d3
1 changed files with 8 additions and 2 deletions
--- a/pveum.adoc
+++ b/pveum.adoc
@ -170,8 +170,14 @@ Linux PAM Standard Authentication

 As Linux PAM corresponds to host system users, a system user must exist on each
 node which the user is allowed to log in on. The user authenticates with their
-usual system password. This realm is added by default and can't be removed. In
-terms of configurability, an administrator can choose to require two-factor
+usual system password. This realm is added by default and can't be removed.
+
+Password changes via the GUI or, equivalently, the `/access/password` API
+endpoint only apply to the local node and not cluster-wide. Even though {pve}
+has a multi-master design, using different passwords for different nodes can
+still offer a security benefit.
+
+In terms of configurability, an administrator can choose to require two-factor
 authentication with logins from the realm and to set the realm as the default
 authentication realm.