Opened 5 months ago

Closed 5 months ago

Last modified 2 months ago

#1498 closed defect (fixed)

attach via proxy multifile auth

Reported by: Denis01 Owned by: Denis01
Priority: major Milestone: 2.1
Component: server Version: trunk
Keywords: proxy Cc:

Description (last modified by Antoine Martin)

Hello,
Trying to connect via proxy (CentOS 7.3, xpra test 2.0).
One server; the proxy and the server both run under the root account. Client=html
The commands:

xpra proxy :100 --bind-tcp=0.0.0.0:443 --auth=multifile:filename=/root/xpra-auth.txt -d auth -d proxy
xpra start :10 --exit-with-children --bind-tcp:0.0.0.0:10000 --start-child=/bin/gedit

and then

xpra attach --username=111 --password-file=/root/password.txt $0.0.0.0:443

gives xpra initialization error: no such option: -b

xpra attach --username=111 --password-file=/root/password.txt $PROXYHOST:443

gives "Warning: running as root. xpra initialization error: could open display"

What is wrong?
The multifile and the password file are both available. In the logs there is nothing special (:10 and :100).
Multifile content:

111|111|1000|1000|tcp:0.0.0.0:10000|EXAMPLE_ENV=VALUE

Thank you

Change History (15)

comment:1 Changed 5 months ago by Antoine Martin

Description: modified (diff)
Owner: changed from Antoine Martin to Denis01

xpra test 2.0

Please always specify the FULL version. I don't know what "xpra test 2.0" is.

xpra attach --username=111 --password-file=/root/password.txt $0.0.0.0:443

Looks like a syntax error: why is "$" in there?

Multifile content:
111|111|1000|1000|tcp:0.0.0.0:10000|EXAMPLE_ENV=VALUE

"tcp:0.0.0.0:10000" is not a valid connection string because "0.0.0.0" is not a valid TCP address.
FYI: if running the server on the same system, you don't even need TCP and you can use ":10" for the display string.

PS: please learn to use wiki wiki/WikiFormatting so I don't have to edit all your tickets.

comment:2 Changed 5 months ago by Denis01

1) version xpra beta -2.1-0.20170403r15507
2) I followed the wiki-proxy and copied the command "xpra attach --username=myusername --password-file=./password.txt $PROXYHOST:443"
3) ok

P.S. ok

comment:3 Changed 5 months ago by Denis01

And another strange point which might give an idea of the cause.
If I try to log in through the HTML client to the proxy using client name =111 (which was defined in multifile), the auth and proxy log says:

Athentication required by multi password file ahtbentication module
Sending challenge for username '111' using hmac+sha256 digest
start_proxy (.....found sessions: (1000,1000,....)

that seems to be properly uploaded from multifile in auth py module and then

Error: user 'xxx1235' {uid=1000} is not in the xpra group
it belongs to: None

This message is from proxy py. So could it be that the system somehow keeps the data from previous connections rather than updating the info on connection string and screen each time?

The user 'xxx12345' I used for direct session creation (without proxy) on the same port 10000, and it might be with the same uid-1000 (I don't remember well).
But after that I killed all xpra sessions and even rebooted the server several times.

comment:4 Changed 5 months ago by Antoine Martin

Error: user 'xxx1235' {uid=1000} is not in the xpra group
could it be that system keeps somehow the data from previous connections

No.
Just like it says, your user is not a member of the "xpra" unix group, so it is warning you that the group socket cannot be created. Either add the user to the xpra group or remove "/var/run/xpra" from the socket bind locations.

I assume that your original problem was because of syntax errors, right?
If so, please close this ticket and open a new one if you have other issues.

comment:5 Changed 5 months ago by Denis01

Hm..
But there is no such user 'xxx12345' in multifile. There is a new one - '111'
And multifile_auth.py properly sees the new one in def authenticate_hmac self.username='111', but proxy_server.py in user=get_username_for_uid(uid) returns 'xxx12345'

comment:6 Changed 5 months ago by Antoine Martin

but there is no such user 'xxx12345' in multifile. There is a new one - '111'

Yes, there is:

  • '111' is the authentication username, it can be any string and does not have to be in your unix password database
  • uid=1000 must point to a real unix user, otherwise the proxy server won't be able to change uid. (and by the looks of things, the username for uid=1000 is 'xxx12345')
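
The multifile constraints raised so far in this thread (the uid must belong to a real unix account, that account is expected to be in the xpra group, and 0.0.0.0 is not a usable connection address), as an added example that is not part of the ticket or of xpra's own code: a checker for one multifile line. The field order follows the ticket's sample entry; the function names, the injectable `lookup` parameter and the comma-separated display list are assumptions.

```python
import grp
import ipaddress
import pwd

def unix_user(uid):
    """Return (name, set of group names) for uid, or None if no such account."""
    try:
        pw = pwd.getpwuid(uid)
    except KeyError:
        return None
    groups = {g.gr_name for g in grp.getgrall()
              if pw.pw_name in g.gr_mem or g.gr_gid == pw.pw_gid}
    return pw.pw_name, groups

def is_unspecified(host):
    """True for wildcard addresses such as 0.0.0.0 (fine for --bind-tcp, not as a target)."""
    try:
        return ipaddress.ip_address(host.strip("[]")).is_unspecified
    except ValueError:  # a hostname, not an IP literal
        return False

def check_entry(line, lookup=unix_user):
    """Return the list of problems found in one multifile line."""
    fields = line.strip().split("|")
    if len(fields) < 5:
        return ["expected at least 5 '|'-separated fields, got %d" % len(fields)]
    _username, _password, uid, gid, displays = fields[:5]
    problems = []
    if not (uid.isdigit() and gid.isdigit()):
        problems.append("uid and gid must be numeric")
    else:
        # The first field is only the authentication name; the uid decides the unix account.
        account = lookup(int(uid))
        if account is None:
            problems.append("uid %s is not a unix account" % uid)
        elif "xpra" not in account[1]:
            problems.append("unix user %r (uid %s) is not in the xpra group" % (account[0], uid))
    for display in displays.split(","):  # assumption: comma-separated display list
        if display.startswith("tcp:"):
            host = display[4:].rsplit(":", 1)[0]
            if is_unspecified(host):
                problems.append("%s: %s is a bind address, not a connect address" % (display, host))
    return problems

if __name__ == "__main__":
    # The entry from the ticket description, checked against this host's accounts.
    for problem in check_entry("111|111|1000|1000|tcp:0.0.0.0:10000|EXAMPLE_ENV=VALUE"):
        print(problem)
```
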

comment:7 Changed 5 months ago by Denis01

:-) Linux for dummies :-)
Now the user is created in Linux and attached to the xpra group with the correct UID given by Linux.
Proxy can identify the user.
But still xpra attach doesn't work - "xpra initialization error:could not open display"

Tried to start as root and as the user, with many commands from the Wiki

xpra attach tcp:111@'real ip address':443

Or

xpra attach --username=111 --auth=multifile:filename=/root/xpra-auth.txt@'real ip address':443

But the results are the same :-(

comment:8 Changed 5 months ago by Antoine Martin

  • "--auth=" doesn't make any sense for "xpra attach"
  • since you require authentication, I believe, you would be better off using this form which is clearer: "xpra attach tcp/username:password@host:port/"

Whatever the problem is, there will be more details than "could not open display" in your "-d proxy" server log.
If the display string you specify in multifile is correct, then you should be able to use it directly from a terminal where the proxy is running, ie:

xpra info tcp:HOST:PORT

Check that first.

comment:9 Changed 5 months ago by Denis01

Amazing....
The command "xpra attach" is not needed...
It works with only "xpra proxy --auth multi..." on the proxy side and "xpra start" without any --auth command on the target side.

But FYI

xpra info tcp:HOST:PORT

Under root account in the Terminal at Proxy side says

Warning:running as root
Error: authentication failed:
This server requires authentication, please provide a password"

So if you confirm that running Proxy without "xpra attach..." is the normal way - I'll close the ticket

comment:10 Changed 5 months ago by Antoine Martin

Milestone: 2.1

Under root account in the Terminal at Proxy side says
(..)
This server requires authentication, please provide a password"

Obviously, if you start your server with authentication, then you'll need to provide a password.
Right at the top of this ticket description, your server (not the proxy) start command does not use one, so you would not need any authentication to connect to THAT server. Connecting to the proxy URI however, you would since you used "multifile" auth for THAT one.

Please make sure you understand what each command does and close this ticket.

comment:11 Changed 5 months ago by Denis01

Ok, clear.
And for "xpra attach" command should be executed on NON html but thick client, right?

comment:12 Changed 5 months ago by Antoine Martin

And for "xpra attach" command should be executed on NON html but thick client, right?

"xpra attach" is the xpra client.
Not sure why you're even talking about the HTML client in this context.

comment:13 Changed 5 months ago by Denis01

As the WIKI says that the last operation to start the session should be the command "xpra attach..." (in fact the main original issue of the topic).
But for an HTML connection it is simply not needed - started 'xpra proxy' on the proxy node, 'xpra start' on the target host and entered by HTML client. It works.
So I thought that probably this 'xpra attach' command should be done in a normal client (not the html one). And in the case of html it is needed nowhere...

comment:14 Changed 5 months ago by Denis01

Resolution: fixed
Status: new → closed

Yes, wiki says "users can connect as USUAL with: xpra attach.." so it has to be the cmd to start on client PC (not the case of html client)
Close this ticket.

comment:15 Changed 2 months ago by Antoine Martin

Summary: Proxy. Attach → attach via proxy multifile auth

(editing ticket title)
