mirror of
https://git.proxmox.com/git/qemu-server
synced 2025-05-02 20:59:46 +00:00
We used the VNC API $ticket as password for VNC, but QEMU limits the password to the first 8 chars and ignores the rest[0]. As our tickets start with a static string (e.g., "PVE") the entropy was a bit limited. For Proxmox VE this does not matter much as the noVNC viewer provided by has to go always over the API call, and so a valid ticket and correct permissions for the requested VM are enforced anyway. This patch helps external users, which often use NoVNC-Websockify, circumventing the API and relying solely on the VNC password to avoid snooping on VNC sessions. A 'generate-password' parameter is added, if set a password from good entropy (using libopenssl) is generated. For simplicity of mapping random bits to ranges we extract 6 bit of entropy per character and add the integer value of '!' (first printable ASCII char) to that. This way we get 64^8 possibilities, which even with millions of guesses per second one would need years of guessing and mostly just DDOS the server with websocket upgrade requests. Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com> Tested-By: Dominik Csapak <d.csapak@proxmox.com> Reviewed-By: Dominik Csapak <d.csapak@proxmox.com> |
||
---|---|---|
.. | ||
Qemu | ||
Makefile | ||
Qemu.pm |
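
The character mapping described in the commit message above, as an added example that is not the project's code: Python's `secrets` module stands in for the libopenssl random source, and the function names and the sample ticket are constructed for illustration.

```python
import secrets

VNC_PW_LEN = 8       # QEMU only uses the first 8 characters of a VNC password
BITS_PER_CHAR = 6    # 6 bits are kept from every random byte
BASE = ord("!")      # first printable ASCII character (0x21)

# Constructed sample; only the static "PVE" prefix comes from the commit message.
SAMPLE_TICKET = "PVE:constructed-sample-ticket-value"


def map_bytes_to_password(raw: bytes) -> str:
    """Map each byte to one of 64 printable characters, '!' (0x21) to '`' (0x60).

    Masking with 0x3F is unbiased: 256 is a multiple of 64, so every 6-bit
    value is produced by exactly four byte values.
    """
    return "".join(chr((b & 0x3F) + BASE) for b in raw)


def generate_vnc_password(length: int = VNC_PW_LEN) -> str:
    """Generate a password from a CSPRNG; longer than 8 gains nothing with QEMU."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return map_bytes_to_password(secrets.token_bytes(length))


def keyspace_bits(length: int = VNC_PW_LEN) -> int:
    """Entropy of a generated password in bits (64^8 possibilities = 48 bits)."""
    return BITS_PER_CHAR * length


def years_to_exhaust(guesses_per_second: float, length: int = VNC_PW_LEN) -> float:
    """Time to try every password at a given guess rate, in years."""
    return 2 ** keyspace_bits(length) / guesses_per_second / (365 * 24 * 3600)


def effective_ticket_password(ticket: str) -> str:
    """What QEMU actually compares when a long ticket is set as the password."""
    return ticket[:VNC_PW_LEN]


if __name__ == "__main__":
    print("old scheme, effective password:", effective_ticket_password(SAMPLE_TICKET))
    print("generated password:            ", generate_vnc_password())
    print("keyspace bits:                 ", keyspace_bits())
    print("years at 1e6 guesses/s:        ", round(years_to_exhaust(1e6), 1))
```

With the old scheme the static prefix occupies part of the 8 characters QEMU compares, so fewer than 8 positions carry any secret material; the generated password uses all 8.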