
Opened 16 months ago

Closed 16 months ago

Last modified 14 months ago

#1264 closed defect (fixed)

proxy server errors

Reported by: Antoine Martin
Owned by: Antoine Martin
Priority: blocker
Milestone: 1.0
Component: server
Version: trunk
Keywords: proxy
Cc:

Description (last modified by Antoine Martin)

Most of this will need backporting. It would be nice if we had tests to prevent such problems in the future.

Some already fixed: r13074, r13075.

Some more:

  • connection times out before the proxy instance can steal it
  • maybe caused by the one above:
    Traceback (most recent call last):
      File "/usr/lib64/python2.7/multiprocessing/queues.py", line 268, in _feed
        send(obj)
    IOError: [Errno 32] Broken pipe
    
  • authenticator goes MIA:
    server error processing new connection from Protocol(unix-domain socket:/home/antoine/.xpra/new-host-10): 
    Traceback (most recent call last):
      File "/usr/lib64/python2.7/site-packages/xpra/server/server_core.py", line 785, in _process_hello
        self.hello_oked(proto, packet, c, auth_caps)
      File "/usr/lib64/python2.7/site-packages/xpra/server/proxy/proxy_server.py", line 140, in hello_oked
        self.start_proxy(proto, c, auth_caps)
      File "/usr/lib64/python2.7/site-packages/xpra/server/proxy/proxy_server.py", line 143, in start_proxy
        assert client_proto.authenticator is not None
    AssertionError
    
  • create socket uses a different return value now:
    Error: failed to setup control socket '/home/antoine/.xpra/localhost.localdomain-proxy-28787':
    2016-07-21 22:55:52,000  'tuple' object has no attribute 'listen'
    
  • it would be nice to allow more options in multifile so we can have password protection from proxy to server
  • cursor error:
    Error: error in network packet reading/parsing
     object of type 'int' has no len()
    Traceback (most recent call last):
      File "/usr/lib64/python2.7/site-packages/xpra/net/protocol.py", line 674, in _read_parse_thread_loop
        self.do_read_parse_thread_loop()
      File "/usr/lib64/python2.7/site-packages/xpra/net/protocol.py", line 864, in do_read_parse_thread_loop
        self._process_packet_cb(self, packet)
      File "/usr/lib64/python2.7/site-packages/xpra/server/proxy/proxy_instance_process.py", line 595, in process_server_packet
        self._packet_recompress(packet, 8, "cursor")
      File "/usr/lib64/python2.7/site-packages/xpra/server/proxy/proxy_instance_process.py", line 527, in _packet_recompress
        if len(data)<512:
    TypeError: object of type 'int' has no len()
    

etc..

Change History (10)

comment:1 Changed 16 months ago by Antoine Martin

Description: modified
Status: new → assigned

comment:2 Changed 16 months ago by Antoine Martin

More fixes: r13077 + r13078.

comment:3 Changed 16 months ago by Antoine Martin

Owner: changed from Antoine Martin to alas
Status: assigned → new

More:

  • cursor compat code (ugly): r13081 (backports are needed for compat with newer servers - we may need to add more code like this to deal with future compatibility problems)
  • proxy authentication support: r13083 (a little bit too big for backport)

For testing (add -d auth for debugging):

  • start a server:
    echo -n testpassword > password.txt 
    xpra start :100 --start=xterm --auth=file:filename=`pwd`/password.txt
    
  • start the proxy server:
    echo -n "testproxy|proxypassword|1000|1000|:100||username=testserver;password=testpassword" >  multi.txt 
    xpra proxy :10 --tcp-auth=multifile:filename=`pwd`/multi.txt --bind-tcp=0.0.0.0:10000
    
  • connect client via proxy:
    xpra attach --no-mmap --opengl=yes tcp/testproxy:proxypassword@127.0.0.1:10000
    

comment:4 Changed 16 months ago by alas

Owner: changed from alas to Antoine Martin

Gave it a try with a fedora 23 1.0 r13165 server against a 1.0 r13101 windows client, and a 1.0 r13165 osx client... no luck.

Tried the start server commands with:

[jimador@jimador ~]$ nano not-password.txt
[jimador@jimador ~]$ xpra start :57 --start-child=xterm --auth=file:filename=./not-password.txt
No pam support: No module named pam
[jimador@jimador ~]$ Entering daemon mode; any further errors will be reported to:
  /home/jimador/.xpra/:57.log

... which didn't look too promising, but carried on to try the proxy server with:

[jimador@jimador ~]$ echo -n "testproxy|proxypassword|1001|1001|:57||username=rambeau;password=password" > no.txt
[jimador@jimador ~]$ xpra proxy :17 --tcp-auth=multifile:filename=./no.txt --bind-tcp=0.0.0.0:1234
No pam support: No module named pam
[jimador@jimador ~]$ Entering daemon mode; any further errors will be reported to:
  /home/jimador/.xpra/:17.log

Trying to connect the windows client, I got this output:

C:\Program Files (x86)\Xpra>xpra_cmd.exe attach --no-mmap --opengl=on tcp/testproxy:proxypassword@10.0.32.134:1234
2016-08-01 16:44:58,904 Xpra gtk2 client version 1.0-r13101 32-bit
2016-08-01 16:44:58,907  running on Microsoft Windows 8.1
2016-08-01 16:44:59,194 GStreamer version 1.6 for Python 3.4 32-bit
2016-08-01 16:44:59,673 OpenGL_accelerate module loaded
2016-08-01 16:44:59,678 OpenGL enabled with Intel(R) HD Graphics 4000
2016-08-01 16:44:59,928  detected keyboard: layout=us
2016-08-01 16:44:59,930  desktop size is 5120x2160 with 1 screen:
2016-08-01 16:44:59,930   Default (1354x571 mm - DPI: 96x96) workarea: 5120x2120
2016-08-01 16:44:59,931     DISPLAY1 3840x2160 at 1280x0 (621x341 mm - DPI: 157x160) workarea: 3840x2120
2016-08-01 16:44:59,931     DISPLAY2 1280x720 (597x336 mm - DPI: 54x54) workarea: 1280x638
2016-08-01 16:44:59,933  upscaled by 167%, virtual screen size: 3072x1296
2016-08-01 16:44:59,933   Default (1354x571 mm - DPI: 57x57) workarea: 3072x1272
2016-08-01 16:44:59,934     DISPLAY1 2304x1296 at 768x0 (621x341 mm - DPI: 94x96) workarea: 2304x1272
2016-08-01 16:44:59,934     DISPLAY2 768x432 (597x336 mm - DPI: 32x32) workarea: 768x383
2016-08-01 16:45:09,931 server failure: disconnected before the session could be established
2016-08-01 16:45:09,933 server requested disconnect: login timeout
2016-08-01 16:45:09,944 Connection lost

... the OSX client gave about the same output.

Some hopefully useful bits from those logs.

  • :57.log (server)
    2016-08-01 16:37:25,575 Warning: printing conflicts with socket authentication module '('file', <class 'xpra.server.auth.file_auth.Authenticator'>, {'filename': './not-password.txt'})'
    
  • :17.log (proxy)
    2016-08-01 16:43:19,630 serving html content from '/usr/share/xpra/www'
    2016-08-01 16:43:19,645 xpra proxy version 1.0-r13165 64-bit
    2016-08-01 16:43:19,645  running with pid 25188 on Linux Fedora 23 TwentyThree
    2016-08-01 16:43:19,645  connected to X11 display :17
    2016-08-01 16:43:19,645 xpra is ready.
    2016-08-01 16:45:05,075 New tcp connection received from 10.0.11.162:61221
    2016-08-01 16:45:05,082 Authentication required by multi password file authenticator module
    2016-08-01 16:45:05,082  sending challenge for 'testproxy' using hmac digest
    2016-08-01 16:45:05,111 Error: password file ./no.txt is missing
    2016-08-01 16:45:05,111 Error: authentication failed
    2016-08-01 16:45:05,111 Unhandled error while processing a 'hello' packet from peer using <bound method ProxyServer._process_hello of <xpra.server.proxy.proxy_server.ProxyServer object at 0x7fedffac0910>>
    Traceback (most recent call last):
      File "/usr/lib64/python2.7/site-packages/xpra/server/server_core.py", line 1175, in process_packet
        handler(proto, packet)
      File "/usr/lib64/python2.7/site-packages/xpra/server/server_core.py", line 825, in _process_hello
        auth_caps = self.verify_hello(proto, c)
      File "/usr/lib64/python2.7/site-packages/xpra/server/server_core.py", line 945, in verify_hello
        if not proto.authenticator.authenticate(challenge_response, client_salt):
      File "/usr/lib64/python2.7/site-packages/xpra/server/auth/multifile_auth.py", line 116, in authenticate_hmac
        log.error(" no password for '%s' in %s", self.username, password_file)
    NameError: global name 'password_file' is not defined
    

Are you sure that the --tcp-auth=multifile:filename=./multi.txt parameter wants the "./"? (Assuming that you are, I'll pass this back for you to look and see what I might be doing wrong... I used nano to create the password file just out of curiosity, just fyi.)

comment:5 Changed 16 months ago by Antoine Martin

Owner: changed from Antoine Martin to alas
Error: password file ./no.txt is missing

Is your problem: if the password file cannot be found, it cannot authenticate users.
(the stacktrace that followed it should be improved in r13166, the "printing conflicts" message is improved in r13167, gid / uid handling improved in r13168)

Works fine for me.
My guess is that the instructions you posted are not the ones you actually used. Maybe you changed directory, or ran it from a different terminal in a different path.


I used nano to create the password file just out of curiosity


Along the same lines, do not use "nano" in your instructions as it doesn't record what was stored in that file, if anything. It may also add a newline character at the end of the file, which won't be present in the multifile password field and therefore will not match. Use "echo -n" as per the instructions in comment:3 ("-n" prevents the newline) so this can be reproduced exactly every time, and quickly too (just cut & paste). Matching the value in your proxy multiauth file, I have used:

echo -n password > not-password.txt

The No pam support: No module named pam can be ignored, see #1105.


comment:6 Changed 16 months ago by alas

Owner: changed from alas to Antoine Martin

Hmm... I was able to get it to work, but there seemed to be a number of wrinkles.

Firstly, trying to launch the proxy with

[jimador@jimador ticket1264]$ echo -n "testproxy|proxypassword|1001|1001|:57||username=testserver;password=password" > multi.txt
[jimador@jimador ticket1264]$ xpra proxy :17 --tcp-auth=multifile:filename=multi.txt --bind-tcp=0.0.0.0:1234

... failed with that same Error: password file 'multi.txt' is missing error.

I finally succeeded by trying (wait for it) xpra proxy :17 --tcp-auth=multifile:filename=/home/jimador/ticket1264/multi.txt --bind-tcp=0.0.0.0:1234 - a full path to the password file.

Supposing that that was what the './' was meant to do, I tried again, and got the connection failure again:

2016-08-04 14:22:27,924 created unix domain socket: /home/jimador/.xpra/jimador.plata-17
2016-08-04 14:22:27,974 Warning: failed to load the mdns avahi publisher:
2016-08-04 14:22:27,975  No module named avahi
2016-08-04 14:22:27,975  either fix your installation or use the 'mdns=no' option
2016-08-04 14:22:28,044 serving html content from '/usr/share/xpra/www'
2016-08-04 14:22:28,044 get_auth_module(unix-domain, , {..})
2016-08-04 14:22:28,044 get_auth_module(tcp, multifile:filename=./multi.txt, {..})
2016-08-04 14:22:28,059 get_auth_module(ssl, multifile:filename=./multi.txt, {..})
2016-08-04 14:22:28,059 get_auth_module(vsock, , {..})
2016-08-04 14:22:28,059 init_auth(..) auth class=None, tcp auth class=('multifile', <class 'xpra.server.auth.multifile_auth.Authenticator'>, {'filename': './multi.txt'}), ssl auth class=('multifile', <class 'xpra.server.auth.multifile_auth.Authenticator'>, {'filename': './multi.txt'}), vsock auth class=None
2016-08-04 14:22:28,059 xpra proxy version 1.0-r13211 64-bit
2016-08-04 14:22:28,060  running with pid 32369 on Linux Fedora 23 TwentyThree
2016-08-04 14:22:28,060  connected to X11 display :17
2016-08-04 14:22:28,060 xpra is ready.
2016-08-04 14:22:35,132 New tcp connection received from 10.0.11.162:57556
2016-08-04 14:22:35,133 socktype=tcp, auth class=('multifile', <class 'xpra.server.auth.multifile_auth.Authenticator'>, {'filename': './multi.txt'}), encryption=, keyfile=
2016-08-04 14:22:35,136 creating authenticator ('multifile', <class 'xpra.server.auth.multifile_auth.Authenticator'>, {'filename': './multi.txt'})
2016-08-04 14:22:35,138 multifile=multi password file
2016-08-04 14:22:35,138 processing authentication with multi password file, response=None, client_salt=, challenge_sent=False
2016-08-04 14:22:35,138 challenge: ('95520cbfaa16407ea4aaa65e7d2df4f06c96d7a1373841ea8d1f67a5f81dfa0d', 'hmac')
2016-08-04 14:22:35,138 Authentication required by multi password file authenticator module
2016-08-04 14:22:35,138  sending challenge for 'testproxy' using hmac digest
2016-08-04 14:22:35,170 processing authentication with multi password file, response=d1f9ee9d5613d8872bbc852e1e994070, client_salt=34353061656631313939343734336630616464366264356265336136666137393235363562333039333463623432636138366335396530343139313631363931, challenge_sent=True
2016-08-04 14:22:35,171 Error: password file './multi.txt' is missing
2016-08-04 14:22:35,171 authenticate(testproxy) auth-info=None
2016-08-04 14:22:35,171 Error: authentication failed
2016-08-04 14:22:35,171  no password for 'testproxy' in './multi.txt'
2016-08-04 14:22:35,172 Error: authentication failed
2016-08-04 14:22:35,172  invalid challenge response
2016-08-04 14:22:36,174 Disconnecting client 10.0.11.162:57556:
2016-08-04 14:22:36,174  invalid challenge response

Meanwhile, I have been completely unable to get the --auth=file:filename=./not-password.txt syntax to work, whether I feed in a full filepath, use a './{filename}', or just use the filename for a file in the same directory.

Launching the server and proxy with:

[jimador@jimador ticket1264]$ echo -n "testproxy|proxypassword|1000|1000|:57||username=jimador;password=password" > multi.txt
[jimador@jimador ticket1264]$ cat multi.txt
testproxy|proxypassword|1000|1000|:57||username=jimador;password=password[jimador@jimador ticket1264]$
[jimador@jimador ticket1264]$ echo -n password > not-password.txt
[jimador@jimador ticket1264]$ cat not-password.txt
password[jimador@jimador ticket1264]$
[jimador@jimador ticket1264]$ xpra start :57 --start-child=xterm --auth=file:filename=not-password.txt -d auth
No pam support: No module named pam
[jimador@jimador ticket1264]$ Entering daemon mode; any further errors will be reported to:
  /home/jimador/.xpra/:57.log

[jimador@jimador ticket1264]$ xpra proxy :17 --tcp-auth=multifile:filename=/home/jimador/ticket1264/multi.txt --bind-tcp=0.0.0.0:1234 -d auth
No pam support: No module named pam
[jimador@jimador ticket1264]$ Entering daemon mode; any further errors will be reported to:
  /home/jimador/.xpra/:17.log

Then trying to connect with a windows client with xpra_cmd.exe attach --no-mmap --opengl=on tcp/testproxy:proxypassword@10.0.32.134:1234 -d auth I get similar failures and see the following from the :57.log:

[jimador@jimador ticket1264]$ cat ../.xpra/:57.log

X.Org X Server 1.18.3
Release Date: 2016-04-04
X Protocol Version 11, Revision 0
Build Operating System:  4.4.9-300.fc23.x86_64
Current Operating System: Linux jimador.plata 4.4.9-300.fc23.x86_64 #1 SMP Wed May 4 23:56:27 UTC 2016 x86_64
Kernel command line: BOOT_IMAGE=/vmlinuz-4.4.9-300.fc23.x86_64 root=UUID=7dc8a1f0-603b-4d33-9f61-95ee93330923 ro rhgb quiet LANG=en_US.UTF-8
Build Date: 30 June 2016  11:04:38PM
Build ID: xorg-x11-server 1.18.3-3.fc23
Current version of pixman: 0.34.0
        Before reporting problems, check http://wiki.x.org
        to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
        (++) from command line, (!!) notice, (II) informational,
        (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(++) Log file: "/home/jimador/.xpra/Xorg.:57.log", Time: Thu Aug  4 14:34:18 2016
(++) Using config file: "/etc/xpra/xorg.conf"
(==) Using system config directory "/usr/share/X11/xorg.conf.d"
/home/jimador/.xpra/jimador.plata-57 is not responding, waiting for it to timeout before clearing it.....
2016-08-04 14:34:22,801 created unix domain socket: /home/jimador/.xpra/jimador.plata-57
2016-08-04 14:34:23,064 Warning: failed to load the mdns avahi publisher:
2016-08-04 14:34:23,065  No module named avahi
2016-08-04 14:34:23,065  either fix your installation or use the 'mdns=no' option
2016-08-04 14:34:23,257 get_auth_module(unix-domain, file:filename=not-password.txt, {..})
2016-08-04 14:34:23,274 get_auth_module(tcp, file:filename=not-password.txt, {..})
2016-08-04 14:34:23,274 get_auth_module(ssl, file:filename=not-password.txt, {..})
2016-08-04 14:34:23,275 get_auth_module(vsock, , {..})
2016-08-04 14:34:23,275 init_auth(..) auth class=('file', <class 'xpra.server.auth.file_auth.Authenticator'>, {'filename': 'not-password.txt'}), tcp auth class=('file', <class 'xpra.server.auth.file_auth.Authenticator'>, {'filename': 'not-password.txt'}), ssl auth class=('file', <class 'xpra.server.auth.file_auth.Authenticator'>, {'filename': 'not-password.txt'}), vsock auth class=None
2016-08-04 14:34:23,321 Warning: webcam forwarding is disabled
2016-08-04 14:34:23,321  the virtual video directory '/sys/devices/virtual/video4linux' was not found
2016-08-04 14:34:23,322  make sure that the 'v4l2loopback' kernel module is installed and loaded
2016-08-04 14:34:23,322 found 0 virtual video devices for webcam forwarding
2016-08-04 14:34:23,329 pulseaudio server started with pid 560
2016-08-04 14:34:23,465 GStreamer version 1.6 for Python 2.7 64-bit
2016-08-04 14:34:23,513 D-Bus notification forwarding is available
2016-08-04 14:34:23,523 started command 'xterm' with pid 572
2016-08-04 14:34:23,523 xpra X11 version 1.0-r13211 64-bit
2016-08-04 14:34:23,523  running with pid 456 on Linux Fedora 23 TwentyThree
2016-08-04 14:34:23,524  connected to X11 display :57
xterm: cannot load font '-misc-fixed-medium-r-semicondensed--13-120-75-75-c-60-iso10646-1'
2016-08-04 14:34:23,562 xpra is ready.
2016-08-04 14:34:23,641 printer forwarding enabled using postscript and pdf
2016-08-04 14:34:23,642 Warning: printing conflicts with socket authentication module 'file'
2016-08-04 14:35:58,284 New unix-domain connection received on /home/jimador/.xpra/jimador.plata-57
2016-08-04 14:35:58,286 socktype=unix-domain, auth class=('file', <class 'xpra.server.auth.file_auth.Authenticator'>, {'filename': 'not-password.txt'}), encryption=, keyfile=
2016-08-04 14:35:58,575 New unix-domain connection received on /home/jimador/.xpra/jimador.plata-57
2016-08-04 14:35:58,576 socktype=unix-domain, auth class=('file', <class 'xpra.server.auth.file_auth.Authenticator'>, {'filename': 'not-password.txt'}), encryption=, keyfile=
2016-08-04 14:35:58,583 creating authenticator ('file', <class 'xpra.server.auth.file_auth.Authenticator'>, {'filename': 'not-password.txt'})
2016-08-04 14:35:58,587 file=password file
2016-08-04 14:35:58,588 processing authentication with password file, response=None, client_salt=, challenge_sent=False
2016-08-04 14:35:58,588 challenge: ('2ec140680af54f9eb2ab138cb8f315e47f951ab0879d463bacf76ae3bf3cefee', 'hmac')
2016-08-04 14:35:58,589 Authentication required by password file authenticator module
2016-08-04 14:35:58,589  sending challenge for 'testproxy' using hmac digest
2016-08-04 14:35:58,598 processing authentication with password file, response=1de81a0a7192ce67e1da8878f2ecf95c, client_salt=63623833646139396636343834383766396536633733626462353661623536366235306364623865323737323462346239656464316339343063306538666564, challenge_sent=True
2016-08-04 14:35:58,599 Error: password file 'not-password.txt' is missing
2016-08-04 14:35:58,599 Error: password file authentication failed
2016-08-04 14:35:58,599  no password defined for 'testproxy'
2016-08-04 14:35:58,599 Error: authentication failed
2016-08-04 14:35:58,599  invalid challenge response
2016-08-04 14:35:59,601 Disconnecting client /home/jimador/.xpra/jimador.plata-57:
2016-08-04 14:35:59,602  invalid challenge response

In fact, launching the server with the --auth=file:filename=not-password.txt flag, xpra stop :57 fails because it also fails authentication, and I have to use a kill -9.

If, instead of the above syntax, I use the old-timey --password-file=not-password.txt, however, then it works for me.

So:

echo -n password > not-password.txt
xpra start :57 --start-child=xterm --password-file=not-password.txt

+

echo -n "testproxy|proxypassword|1000|1000|:57||username=jimador;password=password" > multi.txt
xpra proxy :17 --tcp-auth=multifile:filename=/home/jimador/ticket1264/multi.txt --bind-tcp=0.0.0.0:1234

+

xpra_cmd.exe attach --no-mmap --opengl=on tcp/testproxy:proxypassword@10.0.32.134:1234

=
:)


comment:7 Changed 16 months ago by Antoine Martin

Resolution: fixed
Status: new → closed

TLDR:

  • with --no-daemon you can use relative paths
  • daemon=yes will change the current directory to "/" so you should use absolute paths, ie: file=`pwd`/filename

I have edited the comments above. r13217 will make that clearer in the error message by always using absolute paths so one can see what the relative path ended up resolving to.
It works, closing.
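
The two password-file pitfalls from comment:5 and comment:7, as an added example (not from the ticket or from xpra's code): a relative path looked up after the daemon's chdir to "/", and a trailing newline changing the challenge response. The HMAC-SHA256 function is a generic stand-in for xpra's digest handling, and the file names and salt are constructed.

```python
import hashlib
import hmac
import os
import tempfile


def load_password(filename):
    """Return the file content as raw bytes: a trailing newline becomes part of the secret."""
    with open(filename, "rb") as f:
        return f.read()


def challenge_response(password, salt):
    # Generic HMAC-SHA256 stand-in (assumption), not xpra's actual digest code.
    return hmac.new(password, salt, hashlib.sha256).hexdigest()


def lookup_after_daemonize(filename, resolve_first):
    """Check for the file the way a daemonized process would, after chdir("/")."""
    launch_dir = os.getcwd()
    if resolve_first:
        # Hardened form: pin the path to the launch directory before cwd changes.
        filename = os.path.abspath(filename)
    try:
        os.chdir("/")  # daemon mode changes the current directory (comment:7)
        return os.path.isfile(filename), os.path.abspath(filename)
    finally:
        os.chdir(launch_dir)


def demo():
    launch_dir = os.getcwd()
    with tempfile.TemporaryDirectory() as workdir:
        os.chdir(workdir)
        try:
            with open("not-password.txt", "wb") as f:
                f.write(b"password")    # equivalent of: echo -n password
            with open("edited.txt", "wb") as f:
                f.write(b"password\n")  # what an editor may save
            salt = b"constructed-salt"
            expected = challenge_response(b"password", salt)  # client side
            return {
                "relative": lookup_after_daemonize("./not-password.txt", False),
                "absolute": lookup_after_daemonize("./not-password.txt", True),
                "echo_n_ok": hmac.compare_digest(
                    expected, challenge_response(load_password("not-password.txt"), salt)),
                "editor_ok": hmac.compare_digest(
                    expected, challenge_response(load_password("edited.txt"), salt)),
            }
        finally:
            os.chdir(launch_dir)  # leave the directory before it is removed


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```
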

comment:8 Changed 15 months ago by Antoine Martin

See also #952.

comment:9 Changed 14 months ago by Antoine Martin

More fixes: r13800, r13790.

comment:10 Changed 14 months ago by Antoine Martin

More proxy improvements (recording here for lack of a better place):

  • r13830 will use "nobody" user / group if nothing is specified in the multifile fields for uid / gid
  • r13829: allows us to specify the username and group as strings (look them up in the password / group database), validate non-zero uid and gid earlier before starting the proxy instance and fail with a more helpful error message
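
A sketch of the multifile entry handling described in comment:10, as an added example that is not xpra's own code: numeric or named uid / gid, the "nobody" fallback, and early rejection of uid or gid 0. The field names, the comma-separated displays field and the injectable lookup functions are assumptions inferred from the sample entries in this ticket.

```python
import grp
import pwd

# Field order inferred from the sample entries in this ticket (names are assumptions).
FIELDS = ("username", "password", "uid", "gid",
          "displays", "env_options", "session_options")


def system_uid(name):
    return pwd.getpwnam(name).pw_uid   # raises KeyError for unknown users


def system_gid(name):
    return grp.getgrnam(name).gr_gid   # raises KeyError for unknown groups


def resolve_id(value, lookup, kind):
    """Accept a numeric string, an account name, or empty (falls back to 'nobody')."""
    value = value.strip() or "nobody"
    if value.isdigit():
        resolved = int(value)
    else:
        try:
            resolved = lookup(value)
        except KeyError:
            raise ValueError("unknown %s %r" % (kind, value))
    if resolved == 0:
        # Fail before any proxy instance is started.
        raise ValueError("%s must be non-zero (got %r)" % (kind, value))
    return resolved


def parse_options(text):
    """Turn 'k1=v1;k2=v2' into a dict; empty text gives an empty dict."""
    options = {}
    for part in text.split(";"):
        if not part.strip():
            continue
        key, sep, val = part.partition("=")
        if not sep:
            raise ValueError("malformed option %r" % part)
        options[key.strip()] = val
    return options


def parse_entry(line, uid_lookup=system_uid, gid_lookup=system_gid):
    line = line.rstrip("\r\n")  # an editor-added newline must not leak into the last field
    parts = line.split("|")
    if len(parts) != len(FIELDS):
        raise ValueError("expected %i fields, got %i" % (len(FIELDS), len(parts)))
    entry = dict(zip(FIELDS, parts))
    if not entry["username"] or not entry["password"]:
        raise ValueError("username and password are required")
    entry["uid"] = resolve_id(entry["uid"], uid_lookup, "uid")
    entry["gid"] = resolve_id(entry["gid"], gid_lookup, "gid")
    entry["displays"] = [d.strip() for d in entry["displays"].split(",") if d.strip()]
    entry["session_options"] = parse_options(entry["session_options"])
    return entry
```
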