Authentication

The documentation here applies to version 0.11 and later. Older versions only support the "--password-file" authentication.

When using ssh to connect to a server, wiki/Encryption and authentication can be skipped.

Xpra's authentication modules can be useful for:

• when using TCP sockets
• when making the unix domain socket accessible to other users
• when using the Proxy Server mode

Modules

The authentication module used is specified using the "--auth=MODULE" switch.
Here are the modules that can be used:

• allow: always allows the user to login - dangerous / only for testing
• fail: always fails authentication - useful for testing
• file: looks up usernames and password in the password file (more on that below)
• pam: linux PAM authentication
• win32: win32security authentication
• sys is a virtual module which will choose win32 or pam

File Authentication

When using the "file_auth" module, one must specify the extra command line argument "--password-file=FILENAME" to point to the authentication data.

This file must contain one user per line using the format:

USERNAME|PASSWORD|UID|GID|SESSION_URI|ENV_VARS|SESSION_OPTIONS

Details:

• SESSION_URI is the usual xpra connection string of the actual target session, ie:

  tcp:HOST:PORT
  

  or

  ssh:HOST:DISPLAY
  

• ENV_VARS is an optional attribute which can contain ";" separated name-value pairs which will affect the environment of the new process spawned after authentication.
• SESSION_OPTIONS is an optional attribute which can contain ";" separated name-value pairs which will override the client's connection settings and apply to the connection between the proxy and the real server only.

Note: for backwards compatibility, the file_auth module also supports a single password on a single line in the password file. (this is deprecated)