
Changes between Version 6 and Version 7 of Authentication


Timestamp: 11/07/13 05:03:56 (6 years ago)
Author: Antoine Martin
Comment:

--

  • Authentication

    v6 v7  
    33{{{#!div class="box"
    44== Introduction ==
    5 The documentation here applies to version 0.11 and later. Older versions only support the "{{{--password-file}}}" authentication.
     5The documentation here applies to version 0.11 and later. Older versions only support the "{{{--password-file}}}" authentication mode.
    66
    77When using ssh to connect to a server, [/wiki/Encryption] and authentication can be skipped.
    88
    99Xpra's authentication modules can be useful for:
    10 * when using TCP sockets
    11 * when making the unix domain socket accessible to other users
    12 * when using the [/wiki/ProxyServer Proxy Server] mode
     10* securing TCP sockets
     11* making the unix domain socket accessible to other users safely
     12* using the [/wiki/ProxyServer Proxy Server] mode
    1313}}}
    1414
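Review bot: the new line 5 ends with "authentication mode" while line 9 of the same box talks about "authentication modules", so the introduction now uses two terms for what appears to be the same thing; suggest using "module" in both places and keeping "mode" for the Proxy Server mode named in line 12. In the new line 11, "safely" would be clearer if the bullet said what the authentication adds when the unix domain socket is opened to other users, for example that those users must still present the password.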
     
    2525* {{{sys}}} is a virtual module which will choose win32 or pam
    2626}}}
     27
     28{{{#!div class="box"
     29== Password File ==
     30
     31When used without the [/wiki/ProxyServer Proxy Server], the password file can contain a simple password in plain text.
     32[[BR]]
     33See [/ProxyServer#FileAuthenticationExtras proxy server file authentication] for more advanced usage.
     34}}}
     35
     36{{{#!div class="box"
     37== Security Considerations ==
     38
     39* the password is never sent in plain text over the wire, the authentication modes that require the password to be sent to the server unhashed ({{{sys}}}: {{{pam}}} and {{{win32}}}) will refuse to run without [/wiki/Encryption Encryption]
     40* when used over TCP sockets, password authentication is vulnerable to man-in-the-middle attacks where an attacker could intercept the initial exchange and use the stolen authentication challenge to access the session, [/wiki/Encryption Encryption] prevents that
     41* the client does not verify the authenticity of the server, [/wiki/Encryption Encryption] does
     42}}}
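Review bot: line 39 opens with "the password is never sent in plain text over the wire" and then describes modes ({{{sys}}}: {{{pam}}} and {{{win32}}}) that do send the password to the server unhashed, so the first clause reads as contradicting the second; suggest splitting it into two bullets, one stating that the password is never sent unencrypted and one stating that those modes refuse to run without Encryption. In line 33 the link target /ProxyServer#FileAuthenticationExtras lacks the /wiki/ prefix used by every other link in this change (/wiki/ProxyServer, /wiki/Encryption) and should be checked. Line 31 introduces a password stored in plain text in a file without saying what permissions that file should have, which is worth a sentence in the Security Considerations box.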