From: Stefan Reiter
To: pve-devel@lists.proxmox.com
Date: Thu, 27 May 2021 12:27:51 +0200
Message-Id: <20210527102751.15391-2-s.reiter@proxmox.com>
In-Reply-To: <20210527102751.15391-1-s.reiter@proxmox.com>
References: <20210527102751.15391-1-s.reiter@proxmox.com>
Subject: [pve-devel] [PATCH qemu-server 2/2] qm: assume correct VNC setup in 'vncproxy', disallow passwordless

The QMP 'change' command is no longer available since QEMU 6.0, so this cannot work - instead of replacing it, we can just remove it however.

The 'if' branch would only set the VNC socket path anew and enable password mode, which is always set and enabled on startup already.

The 'else' branch was intended for certificate login (?), which according to the FIXME comment is long gone anyway - simply forbid 'vncproxy' without the PVE ticket environment variable set.

Signed-off-by: Stefan Reiter
--- PVE/CLI/qm.pm | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/PVE/CLI/qm.pm b/PVE/CLI/qm.pm index f8972bd..1c199b6 100755 --- a/PVE/CLI/qm.pm +++ b/PVE/CLI/qm.pm @@ -217,12 +217,10 @@ __PACKAGE__->register_method ({ my $vnc_socket = PVE::QemuServer::Helpers::vnc_socket($vmid); if (my $ticket = $ENV{LC_PVE_TICKET}) { # NOTE: ssh on debian only pass LC_* variables - mon_cmd($vmid, "change", device => 'vnc', target => "unix:$vnc_socket,password"); mon_cmd($vmid, "set_password", protocol => 'vnc', password => $ticket); mon_cmd($vmid, "expire_password", protocol => 'vnc', time => "+30"); } else { - # FIXME: remove or allow to add tls-creds object, as x509 vnc param is removed with qemu 4?? - mon_cmd($vmid, "change", device => 'vnc', target => "unix:$vnc_socket,password"); + die "LC_PVE_TICKET not set, VNC proxy without password is forbidden\n"; } run_vnc_proxy($vnc_socket); -- 2.20.1
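
Review bot: In the `if` branch, dropping the `change` call leaves `set_password` and `expire_password` depending on the VNC display on `$vnc_socket` already being in password mode, and nothing in the hunk states or checks that. The commit message says this is always configured at VM start; a one-line comment above `set_password` recording that assumption would keep the reason visible in the code once the removed line is gone. In the `else` branch, the new `die` turns a previously accepted invocation into a hard error, so the `vncproxy` command description should say that `LC_PVE_TICKET` is now required. The truthiness test `if (my $ticket = $ENV{LC_PVE_TICKET})` also sends an empty value down the `die` path, which matches the intent of refusing passwordless access, but the message would be more accurate as "not set or empty".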