From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 1ED711FF148 for ; Mon, 27 Apr 2026 11:06:38 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id F2AC215EEA; Mon, 27 Apr 2026 11:06:37 +0200 (CEST) Message-ID: Date: Mon, 27 Apr 2026 11:05:58 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH] fix #6079: use vncticket endpoint for VM serial terminal To: Koji Nishimura , pve-devel@lists.proxmox.com References: <20260416174046.38591-1-nsm.kkoji@gmail.com> Content-Language: en-US From: Fiona Ebner In-Reply-To: <20260416174046.38591-1-nsm.kkoji@gmail.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1777280668796 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.141 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment POISEN_SPAM_PILL 0.1 Meta: its spam POISEN_SPAM_PILL_1 0.1 random spam to be learned in bayes POISEN_SPAM_PILL_3 0.1 random spam to be learned in bayes SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: TSW6RTPZBZGNDXZB6CGVHTVWIALCDRVL X-Message-ID-Hash: TSW6RTPZBZGNDXZB6CGVHTVWIALCDRVL X-MailFrom: f.ebner@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox VE development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Hi, Am 20.04.26 um 4:17 PM schrieb Koji Nishimura: > Use the vncticket endpoint for the VM serial terminal termproxy path. > > The node shell termproxy path already uses the vncticket endpoint, > but the VM serial terminal path still uses the older authentication > flow. > > That older flow prevents VM /termproxy from working with API tokens, > because authentication fails before the websocket connection can use > the VNC ticket verification path. > > Make the VM serial terminal path use the same vncticket-based > authentication flow as the node shell path. > > This fixes the VM /termproxy side of bug 6079. In local testing, > this was required together with the already-posted access-control > change for token-owned VNC ticket verification. > > Signed-off-by: Koji Nishimura > --- > src/PVE/API2/Qemu.pm | 11 ++++++++++- > 1 file changed, 10 insertions(+), 1 deletion(-) > > diff --git a/src/PVE/API2/Qemu.pm b/src/PVE/API2/Qemu.pm > index 2a1e3854..0b8859fb 100644 > --- a/src/PVE/API2/Qemu.pm > +++ b/src/PVE/API2/Qemu.pm > @@ -3152,7 +3152,16 @@ __PACKAGE__->register_method({ > syslog('info', "starting qemu termproxy $upid\n"); > > my $cmd = > - ['/usr/bin/termproxy', $port, '--path', $authpath, '--perm', 'VM.Console', '--']; > + [ > + '/usr/bin/termproxy', > + $port, > + '--path', > + $authpath, > + '--perm', > + 'VM.Console', > + '--vncticket-endpoint', > + '--', > + ]; > push @$cmd, @$remcmd, @$termcmd; > > run_command($cmd); many thanks for your contribution! FYI, the issue was independently fixed already with commit c9ee34b5 ("api: vnc/termproxy: encode and verify port in ticket") [0] as part of some other changes, which also switched to using the 'vncticket' endpoint. Best Regards, Fiona [0]: https://git.proxmox.com/?p=qemu-server.git;a=commitdiff;h=c9ee34b50280f46b793e93b9652fbbd5a742c6e4