From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 4F40D1FF136 for ; Mon, 20 Apr 2026 16:19:04 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 43E4E3914; Mon, 20 Apr 2026 16:19:03 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1776361302; x=1776966102; darn=lists.proxmox.com; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=EqDiKQZ7yD6QnziDL2bXUDjL0IDMWPDqrJKhM7SfLc4=; b=qb9nfK9CWAXVUfQV7s/uKw2GiH4WN21MNp0+HMdPvSRWQUcNeKEPSwOexWiWU5YQ27 qEfacrfl07TuognZMAQ9r2yhWjNBZYyL/iSpMxQRALEKpILr/ObdpxPR9ObO7DRfBAC1 LZv6YhMHGkKRFEu/0Wh37EzsgvdCfyl1OKeuOarrOm8PKpDT7OqQTMriE9ZboZATuxsr rQOVDLG59pcdSYHGSCg/bHJ7DXGLoUyqvaAKXRE6PQ+WwlgTY7YcGcJ4v7udwYyWHGa+ EsxOnrMKA8xmkog/hLeRR3yelUxONcIl73o6m9M3erJjqXJ4pywreIPUQN8oCtKSSkKa 4k/g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1776361302; x=1776966102; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=EqDiKQZ7yD6QnziDL2bXUDjL0IDMWPDqrJKhM7SfLc4=; b=r56VGXyktlf/RwZL9a2v4dBdR+853H/v00kDo7tAwr+DOLksOhjDfu1aEeN1vvWAyK MsUNjQrkZN1N/I1NLBr9at3Qx5y5DwipWhW4WnzHmf3jnB+eC6iqQQIEKm/KgfwaKA1s mWovTSDEqTJPI6weAWJyp7V/BOtF70koKRYhSU7TvFwgxQrWsQPLHMgiZyWR+pG0FGfN FUgl4S+R1pTzTt3qF6zVm+hHxY6VIis0nxdvOtJz+2MuUj36Sb0O7l+18/+VigBPYrJ0 a2242DAWbMJdSBw+ztZfiVVRAPxzbnKQU/QR3GrFsCLGX5bLleuGjizt6caPRZ/BgdIu ZOkQ== X-Gm-Message-State: AOJu0YwzJlgAqbwcIEHLoCxN5uISCV9X5fH10oyaNIrYJJEUrrTGZMgG j0epM4a7DaUBhyO3cpucLjSre5jBMWf9Wn6HjaNI2AvmCmEhhgL61M5vuN52LuHQ X-Gm-Gg: AeBDietiC/i8TTqz0L6Je7R005ax8xopiqRwFqvxSus0aoLx/IiYcTYn5s17lSQ7bOf 5a2VWy3g6+pd0Tdipu2ghyTr6ccczcalm4wi64qTFxgwseSntYuNzEUfxzA1jvGPj9R8f83QDht NObMeU8rVePwzP2DGB+lwGSgchba4eORp0+Wea/MqYJnEySXSePPjdak7qVpHjhlI9ngIdclh+f xRqOh9D00GZRZZC2qPHGbzvETsZ8QOebi37wEsL7pGfr5UDKSGYg2vfrcCSHl8oA+X3Zb0qtoVB dMQims++ysjL28iHwJJMTluIyFcN8gzrmTbK+FMn+0Y4FY0lw9JEBeqrwJScbYL53Bb5X19keSW 1g6Cw9gJexE5B8nJ0YO/iTJXnpOPD8kNnsrMM/33I8w7wzqur5yY12crW3rLRpSiJvZ+ELY7Zg2 AY/rz7o7B99TXI8aCE0d65S5NWb1btFvQEF86eWBh++lMhuFkN7+AZ+e8lCaO/9JgpEBTs6Q== X-Received: by 2002:a17:903:2f45:b0:2b2:ebed:7af8 with SMTP id d9443c01a7336-2b2ebed7ebamr201842505ad.1.1776361302246; Thu, 16 Apr 2026 10:41:42 -0700 (PDT) From: Koji Nishimura To: pve-devel@lists.proxmox.com Subject: [PATCH] fix #6079: use vncticket endpoint for VM serial terminal Date: Fri, 17 Apr 2026 02:40:46 +0900 Message-ID: <20260416174046.38591-1-nsm.kkoji@gmail.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 BAYES_00 -1.9 Bayes spam probability is 0 to 1% DKIM_SIGNED 0.1 Message has a DKIM or DK signature, not necessarily valid DKIM_VALID -0.1 Message has at least one valid DKIM or DK signature DKIM_VALID_AU -0.1 Message has a valid DKIM or DK signature from author's domain DKIM_VALID_EF -0.1 Message has a valid DKIM or DK signature from envelope-from domain DMARC_PASS -0.1 DMARC pass policy FREEMAIL_FROM 0.001 Sender email is commonly abused enduser mail provider POISEN_SPAM_PILL 0.1 Meta: its spam POISEN_SPAM_PILL_1 0.1 random spam to be learned in bayes POISEN_SPAM_PILL_3 0.1 random spam to be learned in bayes RCVD_IN_DNSWL_NONE -0.0001 Sender listed at https://www.dnswl.org/, no trust SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [qemu.pm] X-MailFrom: nsm.kkoji@gmail.com X-Mailman-Rule-Hits: nonmember-moderation X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation Message-ID-Hash: MVDGQYNCL4ZM5U3TL45KYJYMCYOSZ346 X-Message-ID-Hash: MVDGQYNCL4ZM5U3TL45KYJYMCYOSZ346 X-Mailman-Approved-At: Mon, 20 Apr 2026 16:19:12 +0200 CC: Koji Nishimura X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Use the vncticket endpoint for the VM serial terminal termproxy path. The node shell termproxy path already uses the vncticket endpoint, but the VM serial terminal path still uses the older authentication flow. That older flow prevents VM /termproxy from working with API tokens, because authentication fails before the websocket connection can use the VNC ticket verification path. Make the VM serial terminal path use the same vncticket-based authentication flow as the node shell path. This fixes the VM /termproxy side of bug 6079. In local testing, this was required together with the already-posted access-control change for token-owned VNC ticket verification. Signed-off-by: Koji Nishimura --- src/PVE/API2/Qemu.pm | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/src/PVE/API2/Qemu.pm b/src/PVE/API2/Qemu.pm index 2a1e3854..0b8859fb 100644 --- a/src/PVE/API2/Qemu.pm +++ b/src/PVE/API2/Qemu.pm @@ -3152,7 +3152,16 @@ __PACKAGE__->register_method({ syslog('info', "starting qemu termproxy $upid\n"); my $cmd = - ['/usr/bin/termproxy', $port, '--path', $authpath, '--perm', 'VM.Console', '--']; + [ + '/usr/bin/termproxy', + $port, + '--path', + $authpath, + '--perm', + 'VM.Console', + '--vncticket-endpoint', + '--', + ]; push @$cmd, @$remcmd, @$termcmd; run_command($cmd); -- 2.43.0