
Changes between Version 43 and Version 44 of Authentication


Timestamp:
05/08/18 16:03:23 (6 months ago)
Author:
Antoine Martin
Comment:

--

  • Authentication

    v43 v44  
    5151||[/browser/xpra/trunk/src/xpra/server/auth/gss_auth.py gss]||Uses a GSS ticket to authenticate a client||see ticket:1691#comment:4 || >=2.3||
    5252||[/browser/xpra/trunk/src/xpra/server/auth/u2f_auth.py u2f]||[https://en.wikipedia.org/wiki/Universal_2nd_Factor Universal 2nd Factor]||see #1789 || >=2.3||
     53
     54== usernames ==
     55The username can be specified in the connection files you can save from the launcher, or in the client connection string, ie for tcp:
     56{{{
     57xpra attach tcp://username:password@host:port/
     58}}}
     59
     60When an authentication module is used to secure a single session, many modules will completely ignore the username part and it can be omitted from the connection string. ie for tcp:
     61{{{
     62xpra attach tcp://:password@host:port/
     63}}}
     64Or even replaced with any string of your liking, ie 'foobar':
     65{{{
     66xpra attach tcp://foobar:password@host:port/
     67}}}
     68
     69Only the following modules will make use of both the username and password to authenticate against their respective backend: {{{kerberos-password}}}, {{{ldap}}}, {{{ldap3}}}, {{{sys}}} ({{{pam}}} and {{{win32}}}), {{{sqlite}}},{{{multifile}}} and {{{u2f}}}.
     70In this case, using an invalid username will cause the authentication to fail.
     71
     72The username is more important when authenticating against the [/wiki/ProxyServer] (see authentication details there).
    5373}}}
    5474
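Review bot: The three added examples (new lines 57, 62 and 66) all carry the password inside the `xpra attach` connection string, and the section does not say that a password typed this way ends up in shell history and in the process list. Line 55 already mentions the connection files saved from the launcher, so one sentence after the first example pointing readers to that route, or stating how else the password can be supplied, would close the gap. Also check the placement: the section is inserted ahead of the `}}}` that is now line 73, so the `== usernames ==` heading and its nested `{{{ }}}` blocks sit inside the block that wraps the module table; if that is not intended, move the section below the closing `}}}`. Minor: line 69 is missing a space in `{{{sqlite}}},{{{multifile}}}`.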
     
    90110* This information applies to all clients: regular GUI clients as well as command line clients like "xpra info"
    91111* Each authentication module specifies the type of password hashing it supports (usually [https://en.wikipedia.org/wiki/Hash-based_message_authentication_code HMAC])
    92 * The "sys" authentication modules (pam and win32) require the actual password to be sent across to perform the authentication on the server - they therefore use the weak "xor" hashing
     112* Some authentication modules ({{{pam}}}, {{{win32}}}, {{{kerberos-password}}}, {{{ldap}}} and {{{ldap3}}}) require the actual password to be sent across to perform the authentication on the server - they therefore use the weak "xor" hashing
    93113* You must use [/wiki/Encryption] to be able to use "xor" hashing so that the password is protected during the exchange: the system will refuse to send a "xor" hashed password unencrypted
    94114* Encryption is processed before authentication
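Review bot: The rewritten bullet on line 112 drops the "sys" name, while the usernames section added in this same change (line 69) still writes `{{{sys}}} ({{{pam}}} and {{{win32}}})`. Use one form in both places, for example `{{{sys}}} ({{{pam}}} and {{{win32}}})` here too, so that someone who configured the `sys` module can tell this "xor" warning applies to them. The bullet also mixes `{{{ }}}` markup for module names with plain quotes for "xor"; pick one style for identifiers within the list.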