[pve-devel] [PATCH qemu-server 2/2] qm: assume correct VNC setup in 'vncproxy', disallow passwordless

Stefan Reiter s.reiter at proxmox.com
Thu May 27 12:27:51 CEST 2021

The QMP 'change' command is no longer available since QEMU 6.0, so this
cannot work - instead of replacing it, we can just remove it however.

The 'if' branch would only set the VNC socket path anew and enable
password mode, which is always set and enabled on startup already.
The 'else' branch was intended for certificate login (?), which
according to the FIXME comment is long gone anyway - simply forbid
'vncproxy' without the PVE ticket environment variable set.

Signed-off-by: Stefan Reiter <s.reiter at proxmox.com>
 PVE/CLI/qm.pm | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/PVE/CLI/qm.pm b/PVE/CLI/qm.pm
index f8972bd..1c199b6 100755
--- a/PVE/CLI/qm.pm
+++ b/PVE/CLI/qm.pm
@@ -217,12 +217,10 @@ __PACKAGE__->register_method ({
 	my $vnc_socket = PVE::QemuServer::Helpers::vnc_socket($vmid);
 	if (my $ticket = $ENV{LC_PVE_TICKET}) {  # NOTE: ssh on debian only pass LC_* variables
-	    mon_cmd($vmid, "change", device => 'vnc', target => "unix:$vnc_socket,password");
 	    mon_cmd($vmid, "set_password", protocol => 'vnc', password => $ticket);
 	    mon_cmd($vmid, "expire_password", protocol => 'vnc', time => "+30");
 	} else {
-	    # FIXME: remove or allow to add tls-creds object, as x509 vnc param is removed with qemu 4??
-	    mon_cmd($vmid, "change", device => 'vnc', target => "unix:$vnc_socket,password");
+	    die "LC_PVE_TICKET not set, VNC proxy without password is forbidden\n";

More information about the pve-devel mailing list