From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH access-control 1/1] api: ticket: allow token-owned VNC ticket verification
Date: Wed, 5 Nov 2025 15:13:04 +0100 [thread overview]
Message-ID: <20251105141335.1230493-3-f.gruenbichler@proxmox.com> (raw)
In-Reply-To: <20251105141335.1230493-1-f.gruenbichler@proxmox.com>
our termproxy will issue a call to this endpoint on pvedaemon to verify the VNC
ticket passed by a client. with PDM, the shell client is actually using a PVE
token to authenticate, and the VNC ticket is owned by this token as well.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
Notes:
best viewed with -w
alternatively, we could change termproxy to do this directly in
Rust instead of doing an API call..
src/PVE/API2/AccessControl.pm | 40 +++++++++++++++++++++++------------
1 file changed, 27 insertions(+), 13 deletions(-)
diff --git a/src/PVE/API2/AccessControl.pm b/src/PVE/API2/AccessControl.pm
index 457a0a6..a22c700 100644
--- a/src/PVE/API2/AccessControl.pm
+++ b/src/PVE/API2/AccessControl.pm
@@ -274,31 +274,45 @@ __PACKAGE__->register_method({
my $username = $param->{username};
$username .= "\@$param->{realm}" if $param->{realm};
- $username = PVE::AccessControl::lookup_username($username);
+ my $token_vnc_ticket_only = PVE::AccessControl::pve_verify_tokenid($username, 1) && $param->{path} && $param->{privs};
+
+ $username = PVE::AccessControl::lookup_username($username) if !$token_vnc_ticket_only;
my $rpcenv = PVE::RPCEnvironment::get();
my $res;
eval {
- # test if user exists and is enabled
- $rpcenv->check_user_enabled($username);
-
- if ($param->{path} && $param->{privs}) {
+ # special case VNC ticket check by termproxy
+ if ($token_vnc_ticket_only) {
$res = verify_auth(
$rpcenv,
$username,
$param->{password},
- $param->{otp},
+ undef,
$param->{path},
$param->{privs},
);
} else {
- $res = create_ticket_do(
- $rpcenv,
- $username,
- $param->{password},
- $param->{otp},
- $param->{'tfa-challenge'},
- );
+ # test if user exists and is enabled
+ $rpcenv->check_user_enabled($username);
+
+ if ($param->{path} && $param->{privs}) {
+ $res = verify_auth(
+ $rpcenv,
+ $username,
+ $param->{password},
+ $param->{otp},
+ $param->{path},
+ $param->{privs},
+ );
+ } else {
+ $res = create_ticket_do(
+ $rpcenv,
+ $username,
+ $param->{password},
+ $param->{otp},
+ $param->{'tfa-challenge'},
+ );
+ }
}
};
if (my $err = $@) {
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next prev parent reply other threads:[~2025-11-05 14:13 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-11-05 14:13 [pve-devel] [RFC access-control/manager/proxmox{, -yew-comp, -datacenter-manager}/xtermjs 00/11] add remote node shell Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH pve-xtermjs 1/1] xtermjs: add support for remote node shells via PDM Fabian Grünbichler
2025-11-05 14:13 ` Fabian Grünbichler [this message]
2025-11-05 14:13 ` [pve-devel] [PATCH manager 1/2] api: termproxy/vncwebsocket: allow tokens Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH manager 2/2] api: termproxy: add description to return schema Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH proxmox 1/2] pve-api-types: add termproxy call and types Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH proxmox 2/2] http: websocket: add proxy helper Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH proxmox-yew-comp 1/1] xtermjs: add remote support Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH proxmox-datacenter-manager 1/4] connection: add access to "raw" client Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH proxmox-datacenter-manager 2/4] api: pve: add termproxy endpoint Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH proxmox-datacenter-manager 3/4] api: pve: add vncwebsocket endpoint Fabian Grünbichler
2025-11-05 14:13 ` [pve-devel] [PATCH proxmox-datacenter-manager 4/4] ui: pve: node: add shell tab Fabian Grünbichler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20251105141335.1230493-3-f.gruenbichler@proxmox.com \
--to=f.gruenbichler@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox