API: console tokens

Maxnet

Aug 6, 2009
When I use the API (nodes/$node/qemu/$vmid/vncproxy) to make a console connection, I receive a ticket back.

I assume I need to use that as VNC password?
Can this token only be used to access the console of that particular VM, or can it be (ab)used for other management actions as well?

Just wondering if I can safely pass the ticket to end-users that are only supposed to have access to the console of exactly one VM, and should not be allowed to do anything else.
 
I assume I need to use that as VNC password?

You can use any valid ticket

Can this token only be used to access the console of that particular VM, or can it be (ab)used for other management actions as well?

That can be used for any API action (all user access restrictions apply).
 
Is it possible for root to impersonate a less powerful user through the API, without knowing the user's password?

No. But the user can type the password on the VNC applet instead.

What is the exact use case (that would help to understand your request)?
 
No. But the user can type the password on the VNC applet instead.

What is the exact use case (that would help to understand your request)?

In short: I only want to use Proxmox for its backend, and use my own web interface as frontend instead of the one that comes with Proxmox.
I would also prefer to handle authentication in my own application instead of the user having to type an extra Proxmox password.
 
In short: I only want to use Proxmox for its backend, and use my own web interface as frontend instead of the one that comes with Proxmox.
I would also prefer to handle authentication in my own application instead of the user having to type an extra Proxmox password.

So you basically always connect as root? I guess we can adapt the /access/ticket method to issue tickets for other users (if you connect as root).

Please can you file a bug report at https://bugzilla.proxmox.com ?
 
So you basically always connect as root?

Correct.
My own web application logs into Proxmox as root through the API.
My application is also responsible for access control.

For normal actions like "power on" and "power off" this is easy:

1) User requests the action through my web interface
2) My web application verifies that the user is allowed to do the action
3) My web application makes the right API call to Proxmox (as root).

The problem is with consoles.
If I would simply hand the user the token to use as VNC password, the user could also use that token to talk to Proxmox directly and do more stuff than he is allowed to.

Will create a bug/feature request.
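One way to keep the root ticket out of the end-user's hands while still granting console access to exactly one VM, as an added example that is not from this thread or from Proxmox: the front-end application issues its own short-lived, HMAC-signed grant bound to a node and VM ID, verifies it when the user opens a console, and only then calls vncproxy as root on the user's behalf and relays the session. The function names and the broker secret are assumptions.

```python
import hashlib
import hmac
import json
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode
from typing import Optional

# Constructed secret for this example; a real broker loads it from its own config.
BROKER_SECRET = b"example-broker-secret-do-not-reuse"


def _b64e(raw: bytes) -> str:
    return urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_console_grant(user: str, node: str, vmid: int, ttl: int = 60,
                        now: Optional[float] = None) -> str:
    """Mint a grant for one VM's console. The Proxmox ticket never leaves the broker."""
    now = time.time() if now is None else now
    claims = {"u": user, "n": node, "v": vmid, "e": int(now) + ttl}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(BROKER_SECRET, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)


def verify_console_grant(grant: str, node: str, vmid: int,
                         now: Optional[float] = None) -> Optional[dict]:
    """Return the claims only if the MAC, the VM binding and the expiry all check out.

    The broker calls this before it asks Proxmox (as root) for a vncproxy ticket
    for exactly this node/vmid and relays the VNC session to the user."""
    now = time.time() if now is None else now
    try:
        payload_part, tag_part = grant.split(".", 1)
        payload, tag = _b64d(payload_part), _b64d(tag_part)
    except ValueError:
        return None
    expected = hmac.new(BROKER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    claims = json.loads(payload)
    # A grant for another VM, another node, or one that has expired is rejected.
    if claims["n"] != node or claims["v"] != vmid or now > claims["e"]:
        return None
    return claims
```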
 