mirror of
git://git.proxmox.com/git/qemu-server.git
synced 2025-01-10 01:18:01 +03:00
3c5bdde815
We used the VNC API $ticket as password for VNC, but QEMU limits the password to the first 8 chars and ignores the rest[0]. As our tickets start with a static string (e.g., "PVE") the entropy was a bit limited. For Proxmox VE this does not matter much as the noVNC viewer provided by has to go always over the API call, and so a valid ticket and correct permissions for the requested VM are enforced anyway. This patch helps external users, which often use NoVNC-Websockify, circumventing the API and relying solely on the VNC password to avoid snooping on VNC sessions. A 'generate-password' parameter is added; if set, a password from good entropy (using libopenssl) is generated. For simplicity of mapping random bits to ranges we extract 6 bits of entropy per character and add the integer value of '!' (first printable ASCII char) to that. This way we get 64^8 possibilities, which even with millions of guesses per second one would need years of guessing and mostly just DDOS the server with websocket upgrade requests. Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> Tested-By: Dominik Csapak <d.csapak@proxmox.com> Reviewed-By: Dominik Csapak <d.csapak@proxmox.com> |
||
---|---|---|
debian | ||
PVE | ||
qemu-configs | ||
qmeventd | ||
test | ||
vm-network-scripts | ||
.gitignore | ||
bootsplash.jpg | ||
bootsplash.xcf | ||
Makefile | ||
modules-load.conf | ||
qm | ||
qmextract | ||
qmrestore |
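
The password scheme from the commit message above, as an added Python sketch (not the project's code, which is not shown on this page): it maps 6 random bits per character onto the 64 characters starting at '!', and shows why a ticket truncated to 8 characters is a weak VNC password. Function names are hypothetical and the ticket strings are constructed samples, not a real ticket format.

```python
import secrets

FIRST_CHAR = ord("!")    # first printable ASCII character, as in the commit message
BITS_PER_CHAR = 6        # 6 bits of entropy extracted per character
QEMU_VNC_PW_LEN = 8      # QEMU only looks at the first 8 characters


def generate_vnc_password(length=QEMU_VNC_PW_LEN, rand_bytes=None):
    """Map 6 random bits per character onto '!'..'`' (64 printable characters).

    rand_bytes is a hypothetical hook for deterministic testing; by default
    the bytes come from the OS CSPRNG.
    """
    raw = rand_bytes if rand_bytes is not None else secrets.token_bytes(length)
    if len(raw) != length:
        raise ValueError("need exactly one random byte per character")
    mask = (1 << BITS_PER_CHAR) - 1  # 0x3f; 256 is a multiple of 64, so no bias
    return "".join(chr(FIRST_CHAR + (b & mask)) for b in raw)


def effective_password(secret):
    """The part of a password QEMU actually compares."""
    return secret[:QEMU_VNC_PW_LEN]


def generated_entropy_bits(length=QEMU_VNC_PW_LEN):
    """Entropy of a generated password: 6 bits * 8 chars = 48 bits (64^8)."""
    return BITS_PER_CHAR * length


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate at a fixed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed tickets: different secrets, same static prefix.
    ticket_a = "PVE:constructed-ticket-A"
    ticket_b = "PVE:constructed-ticket-B"
    print("ticket A as VNC password:", effective_password(ticket_a))
    print("ticket B as VNC password:", effective_password(ticket_b))
    print("generated password:      ", generate_vnc_password())
    bits = generated_entropy_bits()
    print(f"{bits} bits, {years_to_exhaust(bits, 1e6):.1f} years at 1e6 guesses/s")
```
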