Xpra: Ticket #1691: kerberos authentication

Looks like we can use pykerberos, if only there were better examples.

See also #1255, #1692

Wed, 15 Nov 2017 11:39:41 GMT - Antoine Martin: status, description, milestone changed

Sat, 10 Mar 2018 12:05:12 GMT - Antoine Martin:

Added dumb implementation in r18693 using pykerberos.

Going forward, we should use the tokens rather than the password, and maybe even use python-gssapi for encryption?

Sun, 11 Mar 2018 10:38:10 GMT - Antoine Martin:

Based on centos 6: configuring a kerberos 5 server, and made harder by the fact that my LAN doesn't have a domain or DNS server...

hostname localdomain
/usr/sbin/kdb5_util create -s
cat > /etc/krb5.conf << EOF
includedir /etc/krb5.conf.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}
 default_realm = LOCALDOMAIN

[realms]
 LOCALDOMAIN = {
  kdc = localhost
  admin_server = localhost
 }

[domain_realm]
 localdomain = LOCALDOMAIN
EOF
echo "*/admin@LOCALDOMAIN	*" > /var/kerberos/krb5kdc/kadm5.acl
kadmin.local -q "addprinc test/admin"
kinit admin
kadmin -q "addprinc xpra"

The python-gssapi API docs: https://pythongssapi.github.io/python-gssapi/latest/gssapi.html.

For win32, we could use pykerberos.


$ python
# client side with python-gssapi:
import gssapi
service_name = gssapi.Name("xpra")
ctx = gssapi.SecurityContext(name=service_name, usage="initiate")
k = ctx.step()


# server side with python-gssapi:
from gssapi import creds as gsscreds
from gssapi import sec_contexts as gssctx
server_creds = gsscreds.Credentials(usage='accept')
server_ctx = gssctx.SecurityContext(creds=server_creds)


# client side with pykerberos:
import kerberos
v,c = kerberos.authGSSClientInit("xpra")
assert v==1
kerberos.authGSSClientStep(c, "")
k = kerberos.authGSSClientResponse(c)


# server side with pykerberos (k is the base64 token from the client):
v,c = kerberos.authGSSServerInit("xpra")
assert v==1
r = kerberos.authGSSServerStep(c, k)
assert r==1

Things to think about:
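
An added example, not Xpra's code and not taken from the python-gssapi or pykerberos docs: the snippets above call step() once on each side, but a GSS context is only usable once both sides report complete, and with mutual authentication the acceptor's reply token has to be fed back into the initiator. This driver runs that loop for any pair of step functions; run_handshake, gssapi_steps and simulated_mutual_steps are names chosen here, the service name "xpra" follows the snippets, and the AP-REQ/AP-REP byte strings in the simulated pair are constructed stand-ins.

```python
from typing import Callable, Optional, Tuple

# A step function takes the peer's token (None for the initiator's first
# call) and returns (token_to_send_or_None, context_complete).
StepFn = Callable[[Optional[bytes]], Tuple[Optional[bytes], bool]]

def run_handshake(client_step: StepFn, server_step: StepFn, max_rounds: int = 8) -> int:
    """Drive both contexts until BOTH report complete and return the round count.
    A single initiator step (as in the snippets above) can look "done" while the
    acceptor has validated nothing, so nothing is trusted before this returns."""
    in_token: Optional[bytes] = None
    client_done = server_done = False
    for rounds in range(1, max_rounds + 1):
        out_token = None
        if not client_done:
            out_token, client_done = client_step(in_token)
        if out_token is None:
            if not server_done:
                raise RuntimeError("acceptor incomplete but initiator has nothing to send")
            in_token = None
        else:
            if server_done:
                raise RuntimeError("initiator sent a token after the acceptor completed")
            in_token, server_done = server_step(out_token)
        if client_done and server_done:
            if in_token is not None:
                raise RuntimeError("acceptor token left unconsumed: mutual auth unfinished")
            return rounds
    raise RuntimeError("GSS handshake did not converge")

def gssapi_steps(service: str = "xpra") -> Tuple[StepFn, StepFn]:
    """Real python-gssapi contexts: needs a KDC, a keytab and a kinit ticket."""
    import gssapi  # imported lazily so the module loads without the library
    client_ctx = gssapi.SecurityContext(name=gssapi.Name(service), usage="initiate")
    server_ctx = gssapi.SecurityContext(creds=gssapi.Credentials(usage="accept"))
    return (lambda t: (client_ctx.step(t), client_ctx.complete),
            lambda t: (server_ctx.step(t), server_ctx.complete))

def simulated_mutual_steps() -> Tuple[StepFn, StepFn]:
    """Constructed stand-in (no KDC): AP-REQ out, AP-REP back, initiator checks it."""
    def client(t):
        return (b"AP-REQ", False) if t is None else (None, t == b"AP-REP")
    def server(t):
        return (b"AP-REP", True) if t == b"AP-REQ" else (None, False)
    return client, server

if __name__ == "__main__":
    print("rounds:", run_handshake(*simulated_mutual_steps()))  # prints: rounds: 2
```

With real contexts, swap in gssapi_steps(): run_handshake(*gssapi_steps()) returns 1 for a plain Kerberos exchange and 2 when mutual authentication is requested.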

Mon, 12 Mar 2018 14:31:34 GMT - Antoine Martin:

The overloading of the "digest" list to add and detect support for "kerberos" and "gss" options is a bit ugly, but it is the most backwards compatible way. Older clients will just state that they don't support "kerberos" (or "gss") rather than failing in more obscure ways.


xpra start --start-child="xterm" --bind-tcp= --tcp-auth=kerberos-token,service=xpra
xpra start --start-child="xterm" --bind-tcp= --tcp-auth=gss,service=xpra


Sun, 18 Mar 2018 07:30:25 GMT - Antoine Martin: attachment set

patch for building with mingw

Sun, 18 Mar 2018 07:36:02 GMT - Antoine Martin:

On win32, building https://github.com/mongodb-labs/winkerberos/issues/21.

Sun, 18 Mar 2018 07:51:15 GMT - Antoine Martin:

Installing winkerberos from the modified source requires one more hack to prevent cx_freeze from messing up the packaging. As per "stopping setup.py from installing as egg", we have to use pip to ensure it does not get installed as an egg:

pushd winkerberos-0.7.0
python2 setup.py sdist
pip2 install ./winkerberos-0.7.0/dist/winkerberos-0.7.0.tar.gz
pip3 install ./winkerberos-0.7.0/dist/winkerberos-0.7.0.tar.gz

Sun, 18 Mar 2018 13:58:31 GMT - Antoine Martin:

First, install gss support: r18758, ie on x86_64:

pacman -S mingw-w64-x86_64-gss

Building python-gssapi:

(and if I got this wrong, gss won't work...)

(clean and repeat with python3)

Changes submitted upstream: support building against mingw headers.

Wed, 21 Mar 2018 12:49:04 GMT - Antoine Martin:

Lots of improvements in r18780 (see commit message).

Examples (add -d auth for debug):

Wed, 21 Mar 2018 15:40:48 GMT - Antoine Martin: owner, status changed


Ready for testing. There are packages for most platforms.

@maxmylyn: apart from testing the obvious command lines (ie: comment:8), the difficult thing is testing single-sign-on with gss / kerberos because this requires a Authentication : kerberos. Please keep this ticket tidy as this will be the reference until the details are wiki-ized.

Fri, 01 Jun 2018 11:46:35 GMT - Antoine Martin: status changed; resolution set

Sat, 23 Feb 2019 06:53:45 GMT - Antoine Martin:

The changes have been merged upstream, we should package this in mingw: #2170

Wed, 15 May 2019 11:12:21 GMT - Antoine Martin:

See also: #1796

Thu, 13 Feb 2020 16:03:35 GMT - Antoine Martin:

MSYS2 packaging for these modules: #2170.

Sat, 23 Jan 2021 05:31:12 GMT - migration script:

