Done in r17779.
To test, blacklist a subnet, ie:
echo "ALL: 192.168.1.0/255.255.255.0" >> /etc/hosts.deny
Then tell the server to use the "hosts" authentication module:
xpra start --bind-tcp=0.0.0.0:10000 --start=xterm :10 --tcp-auth=hosts -d auth
Then try to connect from that subnet: the connection should fail. Connections from other subnets should still work.
As per #1728, this can be combined with other authentication modules (ie: password).
Before I close this (appears to work just fine for me), I have a quick question:
Does this apply to the proxy server as well?
For future reference to myself or anyone else that stumbles across this:
/etc/hosts.allow will OVERRIDE the /etc/hosts.deny file - useful for only allowing a certain range of IPs to connect, and a very quick way to test this ticket.
You can actually edit the /etc/hosts.allow files on the fly! That's actually quite nifty.
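The allow-before-deny precedence noted above can be checked without touching /etc. This is an added example, not part of the ticket and not xpra's or tcp-wrappers' own code. It is a simplified model of the hosts_access(5) decision order, limited to IPv4 and to the `ALL`, exact-address, address-prefix and net/mask client patterns; the daemon name `xpra` and all rule text are constructed for illustration.

```python
import ipaddress

def parse_rules(text):
    """Parse 'daemon_list : client_list' lines; any third (command) field is ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        fields = line.split(":")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules

def client_matches(pattern, ip):
    """Match one client pattern against an IPv4 address string."""
    if pattern == "ALL":
        return True
    if "/" in pattern:  # net/mask form, e.g. 192.168.1.0/255.255.255.0
        net = ipaddress.IPv4Network(pattern, strict=False)
        return ipaddress.IPv4Address(ip) in net
    if pattern.endswith("."):  # address prefix form, e.g. "192.168.1."
        return ip.startswith(pattern)
    return pattern == ip

def listed(rules, daemon, ip):
    """True if any rule names this daemon (or ALL) and matches the client."""
    return any(
        any(d in ("ALL", daemon) for d in daemons)
        and any(client_matches(c, ip) for c in clients)
        for daemons, clients in rules
    )

def access_granted(allow_text, deny_text, daemon, ip):
    """hosts.allow match grants; otherwise hosts.deny match refuses; otherwise grant."""
    if listed(parse_rules(allow_text), daemon, ip):
        return True
    return not listed(parse_rules(deny_text), daemon, ip)

# Constructed sample files: the deny line is the one from the test procedure above.
HOSTS_DENY = "ALL: 192.168.1.0/255.255.255.0\n"
HOSTS_ALLOW = "# single exception inside the denied subnet\nALL: 192.168.1.50\n"

if __name__ == "__main__":
    for ip in ("192.168.1.20", "192.168.1.50", "10.0.0.5"):
        verdict = "granted" if access_granted(HOSTS_ALLOW, HOSTS_DENY, "xpra", ip) else "denied"
        print(ip, verdict)
```

A default-deny setup is the same call with `ALL: ALL` as the deny text and the permitted range as the allow text.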
Before I close this (appears to work just fine for me), I have a quick question: Does this apply to the proxy server as well?
This applies to any server, seamless, desktop, shadow, proxy, whatever. The only requirement is that tcp-wrappers requires... a tcp socket. (minor fixes in r17784 + r17785 for websockets and ssl socket upgrades)
So the "hosts" authentication module can only be used with
ssl-auth, it will fail with the other connection types (ie: "unix-domain" or "vsock").
Alright, duly noted - I'll make sure to pass this along.
this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/1730