
Changes between Version 26 and Version 27 of Authentication


Timestamp:
01/11/17 15:04:56 (4 years ago)
Author:
Antoine Martin
Comment:

--

  • Authentication

    v26 v27  
    66{{{#!div class="box"
    77== Introduction ==
    8 The documentation here applies to version 0.11 and later.
    98Version 1.0 also supports SSL (see #1252) which can be used for authentication using certificates (see #1252).
    109
    11 When using ssh to connect to a server, [/wiki/Encryption encryption] and authentication can be skipped.
     10When using ssh to connect to a server, [/wiki/Encryption encryption] and authentication can be skipped (by default the unix domain sockets used by ssh do not use authentication).
    1211
    1312Xpra's authentication modules can be useful for:
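Review bot: The parenthetical added on v27 line 10 says the unix domain sockets used by ssh do not use authentication by default, but it does not say what the reader is relying on instead. Suggest stating that ssh itself authenticates and encrypts the transport, and documenting what restricts access to the socket on the server side, so that "can be skipped" is not read as "nothing checks the connection". Separately, the unchanged line just above cites #1252 twice in one sentence; one reference is enough.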
     
    3029||= Module =||= Result =||= Purpose =||= Version requirements =||
    3130||[/browser/xpra/trunk/src/xpra/server/auth/allow_auth.py allow]||always allows the user to login, the username used is the one supplied by the client||dangerous / only for testing|| ||
    32 ||[/browser/xpra/trunk/src/xpra/server/auth/none_auth.py none]||always allows the user to login, the username used is the one the server is running as||dangerous / only for testing|| >=0.12||
     31||[/browser/xpra/trunk/src/xpra/server/auth/none_auth.py none]||always allows the user to login, the username used is the one the server is running as||dangerous / only for testing|| ||
    3332||[/browser/xpra/trunk/src/xpra/server/auth/fail_auth.py fail]||always fails authentication, no password required||useful for testing|| ||
    34 ||[/browser/xpra/trunk/src/xpra/server/auth/reject_auth.py reject]||always fails authentication, pretends to ask for a password||useful for testing|| >=0.12||
     33||[/browser/xpra/trunk/src/xpra/server/auth/reject_auth.py reject]||always fails authentication, pretends to ask for a password||useful for testing|| ||
    3534||[/browser/xpra/trunk/src/xpra/server/auth/env_auth.py env]||matches against an environment variable ({{{XPRA_PASSWORD}}} by default)||alternative to file module|| >=0.17||
    3635||[/browser/xpra/trunk/src/xpra/server/auth/password_auth.py password]||matches against a password given as a module option, ie: {{{auth=password:value=mysecret}}}||alternative to file module||  >=0.17||
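Review bot: Removing ">=0.12" from the none and reject rows leaves the Version requirements column blank for four of the six rows shown, while env and password keep ">=0.17". Together with the removal of "applies to version 0.11 and later" from the introduction in this same revision, nothing now tells the reader which release is the baseline for the blank rows; suggest one sentence stating the minimum version the page covers. The password row also carries a stray doubled space before ">=0.17".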
     
    6362== Password File ==
    6463
    65 In versions before 0.17, the password file could contain a single password or multiple usernames and passwords. This was confusing and error prone, which is why 0.17 has distinct modules for each use case: file and multifile. See #1159 for details.
     64In versions before 0.17, the password file could contain a single password or multiple usernames and passwords. This was confusing and error prone, which is why 0.17 has distinct modules for each use case: "file" and "multifile". See #1159 for details.
    6665
    6766For more information on the multifile password file format, see [/ProxyServer#FileAuthenticationExtras proxy server file authentication].
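Review bot: The quotation marks added around file and multifile on v27 line 64 mark them as literals, but the module table on this page uses inline {{{...}}} for literal values such as {{{XPRA_PASSWORD}}}. Suggest writing {{{file}}} and {{{multifile}}} here so that module names are formatted the same way throughout.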
     
    7675* If the client is not configured for authentication, the connection will fail with an authentication error
    7776
    78 Notes:
     77[[BR]]
     78
     79== Notes ==
    7980* This information applies to all clients: regular GUI clients as well as command line clients like "xpra info"
    8081* Each authentication module specifies the type of password hashing it supports (usually [https://en.wikipedia.org/wiki/Hash-based_message_authentication_code HMAC])
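Review bot: The [[BR]] macro inserted on v27 line 77 ahead of "== Notes ==" is layout markup doing a job the heading already does, since the blank line and the heading end the preceding list on their own. Suggest dropping the [[BR]] and keeping only the blank line and the heading; the same applies to the [[BR]] added before "== Negotiation ==" further down.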
     
    8586For more information on packets, see [/wiki/NetworkProtocol].
    8687
    87 Negotiation:
     88[[BR]]
     89
     90== Negotiation ==
    8891* All clients first send a ''hello'' packet to the server. If the client expects the server to request authentication for the connection, the client packet may omit most of the regular configuration information since a second packet will need to be sent. Until the server accepts the connection with its own ''hello'' packet response, the only packets that will be accepted by the clients are ''challenge'' and ''set_deflate'' (used to control packet compression). The client will exit unless the server responds within the {{{XPRA_SOCKET_TIMEOUT}}} delay + 10 seconds.
    8992* The server sends back a ''challenge'' packet containing a random salt and the digest method to use as specified by the authentication module. If the client does not respond within the {{{XPRA_SOCKET_TIMEOUT}}} delay (defaults to 10 seconds), it is disconnected. The only packets that will be accepted by the server until the client has successfully authenticated are ''hello'' and ''disconnect''.
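Review bot: "== Negotiation ==" on v27 line 90 sits at the same level as "== Introduction ==" and "== Password File ==", yet it follows directly from the packet reference on line 86 and reads as part of the section above it. If it is meant as a subsection, "=== Negotiation ===" would keep it nested under its parent; the same question applies to "== Notes ==" in the previous hunk.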