Authentication

Introduction

The documentation here applies to version 0.11 and later. Older versions only support the "--password-file" authentication mode.

When using ssh to connect to a server, encryption and authentication can be skipped.

Xpra's authentication modules can be useful for:

• securing TCP sockets
• making the unix domain socket accessible to other users safely
• using the Proxy Server mode

Modules

The authentication module used is specified using the "--auth=MODULE" switch.
Here are the modules that can be used:

• allow: always allows the user to login, the username used is the one supplied by the client - dangerous / only for testing
• none: always allows the user to login, the username used is the one the server is running as - dangerous / only for testing (requires version 0.12 or later)
• fail: always fails authentication - useful for testing
• file: looks up usernames and password in the password file (see below)
• pam: linux PAM authentication
• win32: win32security authentication
• sys is a virtual module which will choose win32 or pam

Password File

When used without the Proxy Server, the password file can contain a simple password in plain text.
See proxy server file authentication for more advanced usage.

Security Considerations

• the password is never sent in plain text over the wire, the authentication modes that require the password to be sent to the server unhashed (sys: pam and win32) will refuse to run without Encryption
• when used over TCP sockets, password authentication is vulnerable to man-in-the-middle attacks where an attacker could intercept the initial exchange and use the stolen authentication challenge response to access the session, Encryption prevents that
• the client does not verify the authenticity of the server, Encryption does