From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH access-control 1/1] api: ticket: allow token-owned VNC ticket verification
Date: Wed, 5 Nov 2025 15:13:04 +0100 [thread overview]
Message-ID: <20251105141335.1230493-3-f.gruenbichler@proxmox.com> (raw)
In-Reply-To: <20251105141335.1230493-1-f.gruenbichler@proxmox.com>
our termproxy will issue a call to this endpoint on pvedaemon to verify the VNC
ticket passed by a client. with PDM, the shell client is actually using a PVE
token to authenticate, and the VNC ticket is owned by this token as well.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
Notes:
best viewed with -w
alternatively, we could change termproxy to do this directly in
Rust instead of doing an API call..
src/PVE/API2/AccessControl.pm | 40 +++++++++++++++++++++++------------
1 file changed, 27 insertions(+), 13 deletions(-)
diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.pm
index 457a0a6..a22c700 100644
--- a/src/PVE/API2/AccessControl.pm
+++ b/src/PVE/API2/AccessControl.pm
@@ -274,31 +274,45 @@ __PACKAGE__->register_method({
my $username = $param->{username};
$username .= "\@$param->{realm}" if $param->{realm};
- $username = PVE::AccessControl::lookup_username($username);
+ my $token_vnc_ticket_only = PVE::AccessControl::pve_verify_tokenid($username, 1) && $param->{path} && $param->{privs};
+
+ $username = PVE::AccessControl::lookup_username($username) if !$token_vnc_ticket_only;
my $rpcenv = PVE::RPCEnvironment::get();
my $res;
eval {
- # test if user exists and is enabled
- $rpcenv->check_user_enabled($username);
-
- if ($param->{path} && $param->{privs}) {
+ # special case VNC ticket check by termproxy
+ if ($token_vnc_ticket_only) {
$res = verify_auth(
$rpcenv,
$username,
$param->{password},
- $param->{otp},
+ undef,
$param->{path},
$param->{privs},
);
} else {
- $res = create_ticket_do(
- $rpcenv,
- $username,
- $param->{password},
- $param->{otp},
- $param->{'tfa-challenge'},
- );
+ # test if user exists and is enabled
+ $rpcenv->check_user_enabled($username);
+
+ if ($param->{path} && $param->{privs}) {
+ $res = verify_auth(
+ $rpcenv,
+ $username,
+ $param->{password},
+ $param->{otp},
+ $param->{path},
+ $param->{privs},
+ );
+ } else {
+ $res = create_ticket_do(
+ $rpcenv,
+ $username,
+ $param->{password},
+ $param->{otp},
+ $param->{'tfa-challenge'},
+ );
+ }
}
};
if (my $err = $@) {
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next prev parent reply other threads:[~2025-11-05 14:13 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-05 14:13 [pve-devel] [RFC access-control/manager/proxmox{, -yew-comp, -datacenter-manager}/xtermjs 00/11] add remote node shell Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH pve-xtermjs 1/1] xtermjs: add support for remote node shells via PDM Fabian Grünbichler
2025-11-05 14:13 ` Fabian Grünbichler [this message]
2025-11-05 14:13 ` [pve-devel] [PATCH manager 1/2] api: termproxy/vncwebsocket: allow tokens Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH manager 2/2] api: termproxy: add description to return schema Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH proxmox 1/2] pve-api-types: add termproxy call and types Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH proxmox 2/2] http: websocket: add proxy helper Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH proxmox-yew-comp 1/1] xtermjs: add remote support Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH proxmox-datacenter-manager 1/4] connection: add access to "raw" client Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH proxmox-datacenter-manager 2/4] api: pve: add termproxy endpoint Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH proxmox-datacenter-manager 3/4] api: pve: add vncwebsocket endpoint Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH proxmox-datacenter-manager 4/4] ui: pve: node: add shell tab Fabian Grünbichler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251105141335.1230493-3-f.gruenbichler@proxmox.com \
--to=f.gruenbichler@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.