xpra icon
Bug tracker and wiki

Version 4 (modified by Antoine Martin, 4 years ago) (diff)



The documentation here applies to version 0.11 and later. Older versions only support the "--password-file" authentication.

When using ssh to connect to a server, wiki/Encryption and authentication can be skipped.

Xpra's authentication modules can be useful for:

  • when using TCP sockets
  • when making the unix domain socket accessible to other users
  • when using the Proxy Server mode


The authentication module used is specified using the "--auth=MODULE" switch.
Here are the modules that can be used:

  • allow: always allows the user to login - dangerous / only for testing
  • fail: always fails authentication - useful for testing
  • file: looks up usernames and password in the password file (more on that below)
  • pam: linux PAM authentication
  • win32: win32security authentication
  • sys is a virtual module which will choose win32 or pam

File Authentication

When using the "file_auth" module, one must specify the extra command line argument "--password-file=FILENAME" to point to the authentication data.

This file must contain one user per line using the format:



  • SESSION_URI is the usual xpra connection string of the actual target session, ie:
  • ENV_VARS is an optional attribute which can contain ";" separated name-value pairs which will affect the environment of the new process spawned after authentication.
  • SESSION_OPTIONS is an optional attribute which can contain ";" separated name-value pairs which will override the client's connection settings and apply to the connection between the proxy and the real server only.

Note: for backwards compatibility, the file_auth module also supports a single password on a single line in the password file. (this is deprecated)