#1730 closed enhancement (fixed)
tcp wrappers authentication module
Reported by: | Antoine Martin | Owned by: | J. Max Mena |
---|---|---|---|
Priority: | major | Milestone: | 2.3 |
Component: | server | Version: | 2.2.x |
Keywords: | Cc: |
Description
Follow up from #1728: now we can add TCP Wrapper support without needing new command line options.
Change History (6)
comment:1 Changed 3 years ago by
Owner: | changed from Antoine Martin to J. Max Mena |
---|
comment:2 Changed 3 years ago by
Owner: | changed from J. Max Mena to Antoine Martin |
---|
Before I close this (appears to work just fine for me), I have a quick question:
Does this apply to the proxy server as well?
For future reference to myself or anyone else that stumbles across this:
The /etc/hosts.allow will OVERRIDE /etc/hosts.deny file - useful for only allowing a certain range of IPs to connect, and a very quick way to test this ticket.
comment:3 Changed 3 years ago by
Side note:
You can actually edit the /etc/hosts.deny and /etc/hosts.allow files on the fly! That's actually quite nifty.
comment:4 Changed 3 years ago by
Owner: | changed from Antoine Martin to J. Max Mena |
---|
Before I close this (appears to work just fine for me), I have a quick question:
Does this apply to the proxy server as well?
This applies to any server, seamless, desktop, shadow, proxy, whatever.
The only requirement is that tcp-wrappers requires... a tcp socket. (minor fixes in r17784 + r17785 for websockets and ssl socket upgrades)
So the "hosts" authentication module can only be used with tcp-auth, ws-auth, wss-auth and ssl-auth, it will fail with the other connection types (ie: "unix-domain" or "vsock").
comment:5 Changed 3 years ago by
Resolution: | → fixed |
---|---|
Status: | new → closed |
Alright duly noted - I'll make sure to pass this along.
comment:6 Changed 3 months ago by
this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/1730
Done in r17779.
To test, blacklist a subnet, ie:
Then tell the server to use the "hosts" authentication module:
Then try to connect from that subnet, the connection should fail.
Connections from other subnets should still work.
As per #1728, this can be combined with other authentication modules (ie: password).
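
Added example (not part of the ticket, and not xpra's or libwrap's code): a simplified Python model of the TCP Wrappers decision order that the test procedure and the hosts.allow / hosts.deny remark in comment 2 rely on. It covers only `ALL`, exact IPv4 addresses, address-prefix and net/mask client patterns; the daemon name "xpra" and all addresses are constructed assumptions.

```python
import ipaddress

def client_matches(pattern, addr):
    """Match one hosts_access client pattern against an IPv4 address string."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):      # address prefix form, e.g. "192.168.1."
        return addr.startswith(pattern)
    if "/" in pattern:             # net/mask form, e.g. "172.16.0.0/255.255.0.0"
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(addr) in net
    return pattern == addr         # exact address

def rule_matches(line, daemon, addr):
    """True if a 'daemon_list : client_list' line covers this daemon and client."""
    line = line.split("#", 1)[0].strip()   # simplification: '#' starts a comment
    fields = line.split(":")
    if len(fields) < 2:
        return False
    daemons = fields[0].replace(",", " ").split()
    clients = fields[1].replace(",", " ").split()
    if "ALL" not in daemons and daemon not in daemons:
        return False
    return any(client_matches(c, addr) for c in clients)

def hosts_access(allow_text, deny_text, daemon, addr):
    """Decision order: allow match grants, else deny match refuses, else grant."""
    if any(rule_matches(l, daemon, addr) for l in allow_text.splitlines()):
        return True
    if any(rule_matches(l, daemon, addr) for l in deny_text.splitlines()):
        return False
    return True

# Constructed sample files; the daemon name "xpra" is an assumption.
DENY = "ALL: 192.168.1.\n"
ALLOW = "xpra: 192.168.1.50\n"

if __name__ == "__main__":
    for ip in ("192.168.1.20", "192.168.1.50", "10.0.0.7"):
        verdict = "allow" if hosts_access(ALLOW, DENY, "xpra", ip) else "deny"
        print(ip, verdict)
```

With an empty allow file, the blacklisted subnet is refused and every other address is accepted, which is why a default-deny setup needs an `ALL: ALL` line in hosts.deny plus explicit allow entries.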