Opened 12 months ago

Closed 8 months ago

#1690 closed enhancement (fixed)

request access to session

Reported by: Antoine Martin
Owned by: J. Max Mena
Priority: major
Milestone: 2.3
Component: core
Version: trunk
Keywords:
Cc:

Description (last modified by Antoine Martin)

This ticket was originally meant for all types of sessions, but the scope was changed to support sessions with a display attached (typically shadow mode).

Generic access request now moved to #1799.

Change History (6)

comment:1 Changed 12 months ago by Antoine Martin

Description: modified
Status: new → assigned

comment:2 Changed 12 months ago by Antoine Martin

Milestone: 3.0 → 2.3

comment:3 Changed 11 months ago by Antoine Martin

Stackable authentication modules moved to #1728

Still TODO: add UI prompt authentication via built-in GTK based prompt, "dialog"?

Last edited 10 months ago by Antoine Martin

comment:4 Changed 11 months ago by Antoine Martin

Implemented for shadow servers using the new "exec" auth module in r17780.
With platform support for macos added in r17781 + r17825 + r17822, win32 in r17783, and RPM + DEB packaging in r17782.

Usage:

xpra shadow --bind-tcp=0.0.0.0:10000 --tcp-auth=exec

This will pop up a dialog asking if the new connection should be allowed or not.

This new auth module has two configuration options:

  • timeout: the delay in seconds before we terminate the command and fail, ie: tcp-auth=exec:timeout=60
  • command, ie: tcp-auth=exec:command=/bin/true. The command will be given the request message (ie: Connection request from ...) and the timeout as arguments. It should return 0 to allow the connection, any other value to reject it. By default, we use the "auth_dialog" tool that we ship. (just a simple yes-no dialog)

As per #1728, this can now be combined with other auth modules. (ie: password + request, or tcp-wrappers + request, etc)

This is only useful for "shadow" sessions since there will be an existing display connected where the user can accept the request.

Still TODO:

  • maybe rename or alias this module? (keep "exec" for generic configurable exec)
  • maybe make this the default for shadow sessions (at least on win32?)
  • rate limiting: we don't want to flood the user's display with requests
  • deal with regular servers (non-shadow): probably not using authentication modules but client-server messages

We could piggyback onto #1735

Last edited 10 months ago by Antoine Martin
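
The command contract described in comment:4 (request message and timeout as arguments, exit code 0 to allow), shown as an added example that is not part of the ticket or of xpra's own code: a wrapper for `tcp-auth=exec:command=...` that rate-limits prompts, the open TODO item, and fails closed. The state file path, the limits, the `REQ_STATE` / `REQ_PROMPT` variables and the assumption that the prompt tool takes the same two arguments are all hypothetical.

```python
#!/usr/bin/env python3
# Added example: a wrapper to use as tcp-auth=exec:command=<path to this script>.
import json, os, subprocess, sys, time

# Assumptions (not from the ticket): state file location, limits, and that the
# prompt tool accepts the same two arguments (message, timeout) as this script.
STATE = os.environ.get("REQ_STATE", os.path.expanduser("~/.xpra-access-requests.json"))
PROMPT = os.environ.get("REQ_PROMPT", "auth_dialog")
MAX_PROMPTS, WINDOW = 3, 300  # at most 3 prompts per 300 seconds

def recent_requests(now, path):
    """Timestamps of requests seen within the window; unreadable state counts as empty."""
    try:
        with open(path) as f:
            return [float(t) for t in json.load(f) if now - float(t) < WINDOW]
    except (OSError, ValueError, TypeError):
        return []

def decide(message, timeout, prompt=PROMPT, path=STATE, now=None):
    """Return the exit code for the exec module: 0 allows, anything else rejects."""
    now = time.time() if now is None else now
    stamps = recent_requests(now, path) + [now]
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(stamps, f)  # rejected requests count too, so a flood never reaches the display
    if len(stamps) > MAX_PROMPTS:
        return 2  # rate limit hit: reject without showing a prompt
    try:
        # argv list, no shell: the request message is never interpreted as a command
        rc = subprocess.run([prompt, message, str(timeout)],
                            timeout=float(timeout)).returncode
    except (ValueError, OSError, subprocess.TimeoutExpired):
        return 3  # bad timeout, missing prompt tool or no answer: fail closed
    return 0 if rc == 0 else 1

if __name__ == "__main__":
    # xpra passes the request message and the timeout as the two arguments
    sys.exit(decide(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else 4)
```

Because rejected requests also count towards the window, a sustained flood keeps legitimate requests locked out until it stops; that is the trade-off for keeping the display quiet.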

comment:5 Changed 8 months ago by Antoine Martin

Description: modified
Owner: changed from Antoine Martin to J. Max Mena
Status: assigned → new

Mostly an FYI, see comment:4.

comment:6 Changed 8 months ago by J. Max Mena

Resolution: fixed
Status: new → closed

Noted and closing.