# Proxmox SSH Root Access -- STRICT SAFETY RULES Root SSH to Proxmox host is for **diagnostics only**. Password: `PROXMOX_ROOT_PASSWORD` in `env` file. ## MANDATORY RULES -- violation is unacceptable 1. **Screenshots only**: ONLY use SSH for `qm monitor screendump`. No other commands without explicit user instruction. 2. **Test VMs only**: screenshot VMs in VMID range 400-499 or 800-939, or VMs in the IncusLab pool created by our scripts. 3. **No modifications**: NEVER `qm set/stop/start/destroy`, `pct`, `zfs`, `systemctl`, or ANY write operation on the host. 4. **Do not touch the dev VM**: user's dev VM is on the same host. Do not interact with it in any way. 5. **No config access**: do not read/modify `/etc/pve/`, storage/network configs, user/ACL settings, or host-level configuration. 6. **Transparency**: every SSH command is visible. If user rejects, stop. 7. **Only during active tests**: only when test VMs are deployed. ## Permitted commands (exhaustive) Use `incusos/helpers/proxmox-screenshot VMID` instead of raw SSH. Manual fallback (only if helper unavailable): ```bash sshpass -p "$PROXMOX_ROOT_PASSWORD" ssh -o StrictHostKeyChecking=no \ root@ "echo 'screendump /tmp/vm--screen.ppm' | qm monitor " sshpass -p "$PROXMOX_ROOT_PASSWORD" scp -o StrictHostKeyChecking=no \ root@:/tmp/vm--screen.ppm /tmp/ sshpass -p "$PROXMOX_ROOT_PASSWORD" ssh -o StrictHostKeyChecking=no \ root@ "rm -f /tmp/vm--screen.ppm" ``` ## Technical notes - `screendump` is root-only in PVE 9 HMP. API tokens cannot do it. - Use `.ppm` format -- PVE 9.1 lacks libpng for PNG screendump. - PPM ~3 MB -> PNG ~20 KB via `python3 -c "from PIL import Image; ..."`.