URL accessing VM without PVE Dashboard

carlip

New Member
Oct 16, 2024
I am trying to create a system for users to access a VM without having to use the PVE dashboard. Currently, it seems like I am reinventing the wheel with my approach, and I was wondering if anyone has any insight into this. I am using PowerShell with curl to send the username and password; this returns the user JSON data correctly. Then I parse out the CSRF token and ticket info. This is then sent back via Invoke-WebRequest with a header containing the token/ticket. This is not working correctly, probably due to my error. Once that is functional, the script would prepare a dummy page that holds the URL to the VM with the proper ticket info and open it in Chrome.

I was messing around with API tokens, but that doesn't seem to do what I was expecting. Is there another way to accomplish this? Below is the PowerShell code so far.

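cls
# PVE user names take the form user@realm
$username = (Read-Host "Enter Username: ") + "@network.local"
$password = Read-Host -AsSecureString "Enter Password: "
# Convert the SecureString to plain text for curl, then zero and free the unmanaged copy
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($password)
$Newpass = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
# Request a ticket (-k skips TLS certificate verification)
$json = C:\Windows\WinSxS\wow64_curl_31bf3856ad364e35_10.0.19041.3693_none_fd5e373906da5997\curl.exe -k -d "username=$username" --data-urlencode "password=$Newpass" "https://{SERVER-IP}:8006/api2/json/access/ticket" | ConvertFrom-Json

$ticket = $json.data.ticket
$csrf = $json.data.CSRFPreventionToken
# Debug output: prints the session ticket and CSRF token to the console
echo $ticket $csrf
$vncuri = "https://{SERVER-IP}:8006/?console=kvm&novnc=1&vmid=101&vmname=banking&node=proxmox&resize=off"

# Fetch the console page, sending the ticket as the PVEAuthCookie cookie
$response = Invoke-WebRequest -Uri $vncuri -Headers @{"Cookie"="PVEAuthCookie=$ticket"}
echo $response
# New-TemporaryFile has no -Suffix parameter, so build the .html path directly
$tempFile = Join-Path ([IO.Path]::GetTempPath()) ("pve-console-" + [guid]::NewGuid() + ".html")
$response.Content | Out-File -FilePath $tempFile -Encoding utf8
Start-Process "chrome.exe" $tempFile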
 
Getting further into this, I have found that during the curl ticket request the returned JSON shows a ticket with a randomized number after the username; in the same JSON response, the CSRF token shares that randomized number.

However, in Chrome, looking at the headers for /api2/json/nodes/{NODE}/qemu/{VMID}/vncproxy, the cookie and the CSRF token numbers DO NOT match. This entry is the only one that uses the CSRF token, but I cannot figure out where it is coming from.
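
Added example (not part of the original posts and not Proxmox's own code): the ticket flow discussed above done entirely with Invoke-RestMethod. The ticket travels as the PVEAuthCookie cookie in a WebRequestSession, and the CSRFPreventionToken value from the same login response is sent as a request header on the POST to vncproxy. The host name pve.example.test and the function names are hypothetical, and the example assumes the server certificate is trusted by Windows.

```powershell
# Added example; host name and function names are hypothetical.
# Assumes the PVE certificate is trusted by Windows (no equivalent of curl -k here).
function New-PveSession {
    param(
        [Parameter(Mandatory)] [string] $BaseUri,            # e.g. https://pve.example.test:8006
        [Parameter(Mandatory)] [pscredential] $Credential    # user name in user@realm form
    )
    $base = $BaseUri.TrimEnd('/')
    # Form-encoded POST; the response carries both the ticket and the CSRF token.
    $login = Invoke-RestMethod -Method Post -Uri "$base/api2/json/access/ticket" -Body @{
        username = $Credential.UserName
        password = $Credential.GetNetworkCredential().Password
    }
    # Keep the ticket in a cookie container scoped to the PVE host, not in a raw header.
    $session = New-Object Microsoft.PowerShell.Commands.WebRequestSession
    $cookie  = [System.Net.Cookie]::new('PVEAuthCookie', $login.data.ticket, '/', ([uri]$base).Host)
    $session.Cookies.Add($cookie)
    # Ticket and CSRF token are bearer secrets: returned to the caller, never echoed.
    [pscustomobject]@{
        BaseUri    = $base
        WebSession = $session
        CsrfToken  = $login.data.CSRFPreventionToken
    }
}

function Request-PveVncProxy {
    param(
        [Parameter(Mandatory)] $Session,          # object returned by New-PveSession
        [Parameter(Mandatory)] [string] $Node,
        [Parameter(Mandatory)] [int] $VmId
    )
    # Write requests made with a ticket must also carry the CSRF token header.
    $uri = "$($Session.BaseUri)/api2/json/nodes/$Node/qemu/$VmId/vncproxy"
    $reply = Invoke-RestMethod -Method Post -Uri $uri -WebSession $Session.WebSession `
        -Headers @{ CSRFPreventionToken = $Session.CsrfToken }
    $reply.data
}

# Usage (node and VM id taken from the post above):
# $pve = New-PveSession -BaseUri 'https://pve.example.test:8006' -Credential (Get-Credential)
# Request-PveVncProxy -Session $pve -Node 'proxmox' -VmId 101
```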
 
