From: Stefan Reiter <s.reiter@proxmox.com>
To: pve-devel@lists.proxmox.com
Date: Thu, 27 May 2021 12:27:51 +0200
Message-Id: <20210527102751.15391-2-s.reiter@proxmox.com>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20210527102751.15391-1-s.reiter@proxmox.com>
References: <20210527102751.15391-1-s.reiter@proxmox.com>
Subject: [pve-devel] [PATCH qemu-server 2/2] qm: assume correct VNC setup in
 'vncproxy', disallow passwordless

The QMP 'change' command is no longer available since QEMU 6.0, so this
cannot work - instead of replacing it, we can just remove it however.

The 'if' branch would only set the VNC socket path anew and enable
password mode, which is always set and enabled on startup already.
The 'else' branch was intended for certificate login (?), which
according to the FIXME comment is long gone anyway - simply forbid
'vncproxy' without the PVE ticket environment variable set.

Signed-off-by: Stefan Reiter <s.reiter@proxmox.com>
---
 PVE/CLI/qm.pm | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/PVE/CLI/qm.pm b/PVE/CLI/qm.pm
index f8972bd..1c199b6 100755
--- a/PVE/CLI/qm.pm
+++ b/PVE/CLI/qm.pm
@@ -217,12 +217,10 @@ __PACKAGE__->register_method ({
 	my $vnc_socket = PVE::QemuServer::Helpers::vnc_socket($vmid);
 
 	if (my $ticket = $ENV{LC_PVE_TICKET}) {  # NOTE: ssh on debian only pass LC_* variables
-	    mon_cmd($vmid, "change", device => 'vnc', target => "unix:$vnc_socket,password");
 	    mon_cmd($vmid, "set_password", protocol => 'vnc', password => $ticket);
 	    mon_cmd($vmid, "expire_password", protocol => 'vnc', time => "+30");
 	} else {
-	    # FIXME: remove or allow to add tls-creds object, as x509 vnc param is removed with qemu 4??
-	    mon_cmd($vmid, "change", device => 'vnc', target => "unix:$vnc_socket,password");
+	    die "LC_PVE_TICKET not set, VNC proxy without password is forbidden\n";
 	}
 
 	run_vnc_proxy($vnc_socket);
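
Review bot: With the 'change' call gone from the 'if' branch, nothing in this hunk puts the VNC socket into password mode any more; set_password and expire_password now rely on the startup configuration the commit message describes, and a one-line comment above set_password saying so would keep a later reader from re-adding a mode switch or assuming the check happens here. In the new 'else' branch the die is reached through the truthiness test `if (my $ticket = $ENV{LC_PVE_TICKET})`, so an empty or "0" value is rejected too; failing closed is the right behaviour, but the message could read "not set or empty" to match. As a style point, the branch could become an early guard ahead of the mon_cmd calls, which drops the else and makes the precondition for reaching run_vnc_proxy obvious.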
-- 
2.20.1