Xpra: Ticket #1133: CentOS 6.4 can't connect with encryption enabled

Created both password file and encryption key with

echo blah>key.txt && echo test>pass.txt

On both client and server.

Both client and server on the same machine using a different account from the desktop account to run the server.

Server output

[testxpra@cent64 ~]$ xpra --no-daemon --bind-tcp=0.0.0.0:15000 --encryption=AES --encryption-keyfile=key.txt --password-file=pass.txt --start-child=gnome-terminal start :15
2016-02-23 00:16:33,960 Warning: failed to load the mdns avahi publisher: No module named avahi
2016-02-23 00:16:33,960  either fix your installation or use the 'mdns=no' option
X.Org X Server 1.13.0
Release Date: 2012-09-05
X Protocol Version 11, Revision 0
Build Operating System: c6b7 2.6.32-220.el6.x86_64
Current Operating System: Linux cent64 4.1.6-1.el6.elrepo.x86_64 #1 SMP Mon Aug 17 13:50:59 EDT 2015 x86_64
Kernel command line: ro root=UUID=4c413328-a356-4e7f-b12c-008fb417d039 rd_NO_LUKS rd_NO_LVM LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16  KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet crashkernel=auto
Build Date: 22 February 2013  11:30:37AM
Build ID: xorg-x11-server 1.13.0-11.el6.centos
Current version of pixman: 0.26.2
	Before reporting problems, check http://wiki.centos.org/Documentation
	to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
	(++) from command line, (!!) notice, (II) informational,
	(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(++) Log file: "/home/testxpra/.xpra/Xorg.:15.log", Time: Tue Feb 23 00:16:33 2016
(++) Using config file: "/etc/xpra/xorg.conf"
Initializing built-in extension Generic Event Extension
Initializing built-in extension SHAPE
Initializing built-in extension MIT-SHM
Initializing built-in extension XInputExtension
Initializing built-in extension XTEST
Initializing built-in extension BIG-REQUESTS
Initializing built-in extension SYNC
Initializing built-in extension XKEYBOARD
Initializing built-in extension XC-MISC
Initializing built-in extension XINERAMA
Initializing built-in extension XFIXES
Initializing built-in extension RENDER
Initializing built-in extension RANDR
Initializing built-in extension COMPOSITE
Initializing built-in extension DAMAGE
Initializing built-in extension MIT-SCREEN-SAVER
Initializing built-in extension DOUBLE-BUFFER
Initializing built-in extension RECORD
Initializing built-in extension DPMS
Initializing built-in extension X-Resource
Initializing built-in extension XVideo
Initializing built-in extension XVideo-MotionCompensation
Initializing built-in extension SELinux
Initializing built-in extension XFree86-VidModeExtension
Initializing built-in extension XFree86-DGA
Initializing built-in extension XFree86-DRI
Initializing built-in extension DRI2
Loading extension GLX
/usr/lib/python2.6/site-packages/dbus/connection.py:242: DeprecationWarning: object.__init__() takes no parameters
  super(Connection, self).__init__(*args, **kwargs)
2016-02-23 00:16:34,214 Warning: outdated/buggy version of Python: 2.6.6.final.0
2016-02-23 00:16:34,214  switching to process polling every 2 seconds to support 'exit-with-children'
2016-02-23 00:16:34,336 Warning: 'password-file' used without an authentication module for unix-domain-sockets
2016-02-23 00:16:34,336  using 'file' based authentication
2016-02-23 00:16:34,375 Warning: 'password-file' used without an authentication module for tcp-sockets
2016-02-23 00:16:34,375  using 'file' based authentication
2016-02-23 00:16:35,254 Warning: lpinfo command failed and returned 1
2016-02-23 00:16:35,255  command used: '['/usr/sbin/lpinfo', '--make-and-model', 'Generic PDF Printer', '-m']'
Warning: failed to import GStreamer:
 1.0 failed with: No module named gi
2016-02-23 00:16:36,142 Error: failed to query sound subsystem:
2016-02-23 00:16:36,142  query did not return any data
2016-02-23 00:16:36,151 pulseaudio server started with pid 6012
2016-02-23 00:16:36,152 using notification forwarder:
2016-02-23 00:16:36,152  DBUS-NotificationsForwarder(org.freedesktop.Notifications)
2016-02-23 00:16:36,162 started command 'gnome-terminal' with pid 6016
2016-02-23 00:16:36,162 xpra X11 version 0.16.2-r11889
2016-02-23 00:16:36,169  running with pid 5970 on Linux CentOS 6.4 Final
2016-02-23 00:16:36,169  on display :15
2016-02-23 00:16:36,180 xpra is ready.

client output

[cosmo@cent64 ~]$ xpra attach --encryption=AES --encryption-keyfile=key.txt --password-file=pass.txt tcp:127.0.0.1:15000
2016-02-23 00:16:57,585 Warning: outdated/buggy version of Python: 2.6.6.final.0
2016-02-23 00:16:57,585  switching to process polling every 2 seconds to support 'exit-with-children'
2016-02-23 00:16:57,586 Xpra gtk2 client version 0.16.2-r11889
2016-02-23 00:16:57,592  running on Linux CentOS 6.4 Final
Warning: failed to import GStreamer:
 1.0 failed with: No module named gi
2016-02-23 00:16:57,673 Error: failed to query sound subsystem:
2016-02-23 00:16:57,674  query did not return any data
2016-02-23 00:16:57,866 OpenGL_accelerate module loaded
2016-02-23 00:16:57,866 OpenGL support is missing:
2016-02-23 00:16:57,866  renderer 'Software Rasterizer' is blacklisted!
2016-02-23 00:16:57,961 receiving data using AES encryption
2016-02-23 00:16:58,039 Warning: AES decryption failed: invalid padding
2016-02-23 00:16:58,040 internal error: AES encryption padding error - wrong key?
2016-02-23 00:16:58,040 Connection lost


Tue, 23 Feb 2016 08:35:33 GMT - Smo:

If I use the same file for password and keyfile, I get the original problem I was looking for.

server command

xpra --no-daemon --bind-tcp=0.0.0.0:15000 --encryption=AES --encryption-keyfile=pass.txt --password-file=pass.txt --start-child=gnome-terminal start :15

client output

[cosmo@cent64 ~]$ xpra attach --encryption=AES --encryption-keyfile=pass.txt --password-file=pass.txt tcp:127.0.0.1:15000
2016-02-23 00:31:42,367 Warning: outdated/buggy version of Python: 2.6.6.final.0
2016-02-23 00:31:42,367  switching to process polling every 2 seconds to support 'exit-with-children'
2016-02-23 00:31:42,367 Xpra gtk2 client version 0.16.2-r11889
2016-02-23 00:31:42,373  running on Linux CentOS 6.4 Final
Warning: failed to import GStreamer:
 1.0 failed with: No module named gi
2016-02-23 00:31:42,456 Error: failed to query sound subsystem:
2016-02-23 00:31:42,456  query did not return any data
2016-02-23 00:31:42,647 OpenGL_accelerate module loaded
2016-02-23 00:31:42,648 OpenGL support is missing:
2016-02-23 00:31:42,648  renderer 'Software Rasterizer' is blacklisted!
2016-02-23 00:31:42,741 receiving data using AES encryption
2016-02-23 00:31:42,816 sending data using AES encryption
Traceback (most recent call last):
  File "/usr/lib64/python2.6/site-packages/xpra/client/client_base.py", line 537, in _process_challenge
    challenge_response = hmac.HMAC(password, salt, digestmod=hashlib.md5).hexdigest()
  File "/usr/lib64/python2.6/hmac.py", line 75, in __init__
    self.update(msg)
  File "/usr/lib64/python2.6/hmac.py", line 83, in update
    self.inner.update(msg)
TypeError: update() argument 1 must be string or read-only buffer, not bytearray
2016-02-23 00:31:52,742 server failure: disconnected before the session could be established
2016-02-23 00:31:52,742 server requested disconnect: login timeout
2016-02-23 00:31:52,745 Connection lost

Tue, 23 Feb 2016 08:36:39 GMT - Smo: owner, priority, version, component, milestone changed


Tue, 23 Feb 2016 08:37:10 GMT - Smo: owner changed


Tue, 23 Feb 2016 15:31:00 GMT - Antoine Martin: status changed

Those are two completely different issues: the "argument 1 must be string or read-only buffer, not bytearray" error is a bug in the authentication code when running on Python 2.6 or earlier (as is the case on CentOS 6.x), and is fixed in r12015 + r12016.

The other one happens on all platforms AFAICT.


Wed, 24 Feb 2016 17:18:01 GMT - Antoine Martin:

As for the second part, you're just using the wrong command line options, which makes it default to using the password as keyfile. If you use bind-tcp then you have to use tcp-encryption and tcp-encryption-keyfile (and tcp-auth instead of auth). That said, the fallback to using the password as keyfile should probably be removed (it prevents confusion like this one), but that's not going to be in 0.16.


Thu, 24 Mar 2016 22:53:53 GMT - Smo:

Okay, I tried this again on a freshly installed system. One thing I did find out was that pycrypto wasn't installed; I had to install this first.

I'm not sure if we want to change the spec file to require this.

Server

xpra --no-daemon --bind-tcp=0.0.0.0:15000 --tcp-encryption=AES --tcp-encryption-keyfile=key.txt --password-file=pass.txt --start-child=gnome-terminal start :15

Client

xpra attach --encryption=AES --encryption-keyfile=key.txt --password-file=pass.txt tcp:127.0.0.1:15000

I also tried this command

xpra attach --encryption=AES --tcp-encryption-keyfile=key.txt --password-file=pass.txt tcp:127.0.0.1:15000

Which failed with this output

2016-03-24 15:57:57,489 internal error: AES encryption padding error - wrong key?

Maybe I don't understand the options quite right but it seems to work now.


Thu, 24 Mar 2016 22:54:04 GMT - Smo: status changed


Tue, 05 Apr 2016 12:46:19 GMT - Antoine Martin: status changed

We probably want to revert some of these changes anyway: Xpra ML: XPRA_PASSWORD and XPRA_ENCRYPTION_KEY ?


Fri, 08 Apr 2016 08:02:06 GMT - Antoine Martin: owner, status changed

> One thing I did find out was that pycrypto wasn't installed; I had to install this first.


python-crypto is a dependency of xpra, including in 0.16: browser/xpra/tags/v0.16.x/rpmbuild/xpra.spec. If I try to remove it, yum wants to remove xpra with it.

Please clarify the problem you encountered.

> Maybe I don't understand the options quite right but it seems to work now.


The client only used the "encryption" and "encryption-keyfile" command line options, because unlike the server it only has a single endpoint. r12336 will make the client use tcp-encryption and tcp-encryption-keyfile instead, if those are specified (not going to backport this).


I really thought I had seen another problem somewhere, but I can't seem to hit it. The only problem that I saw with the "file" backend was that I had a trailing newline in my password file, and when I tried to use the environment variable, I didn't - so it failed. But that's just my fault.


Somewhat related for 0.17: partial reverts and updates of r12099 + r11465 in r12332 + r12334:

More details in #1159.
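As an added illustration, not code from this ticket or from xpra itself, the Python 3 snippet below reproduces the two authentication pitfalls discussed above: the `hmac` type error from the client traceback (avoided here by coercing both password and salt to `bytes` before calling `hmac`), and the mismatch between a password file written with `echo`, which carries a trailing newline, and the same password supplied through an environment variable. The function names, the constructed contents of `pass.txt` and the random salt are assumptions; in the real protocol the salt comes from the server's challenge, and the md5 digest only mirrors the `digestmod=hashlib.md5` shown in the traceback.

```python
import hashlib
import hmac
import os
import tempfile


def load_password(path):
    """Read a password file as a user would expect it to be read.

    `echo test > pass.txt` leaves a trailing newline behind that is not part
    of the secret.  Exactly one trailing line terminator is removed, so a
    deliberately chosen password containing whitespace is left intact.
    """
    with open(path, "rb") as f:
        data = f.read()
    if data.endswith(b"\r\n"):
        return data[:-2]
    if data.endswith(b"\n"):
        return data[:-1]
    return data


def challenge_response(password, salt, digestmod=hashlib.md5):
    """HMAC challenge response of the shape shown in the client traceback.

    Both inputs are normalised to `bytes` first: the Python 2.6 hmac module
    rejected `bytearray` ("argument 1 must be string or read-only buffer,
    not bytearray"), and Python 3's hmac never accepts `str`, so coercing up
    front removes both failure modes.  The digest is the caller's choice;
    md5 is only the default because that is what the traceback shows.
    """
    if isinstance(password, str):
        password = password.encode("utf-8")
    if isinstance(salt, str):
        salt = salt.encode("utf-8")
    return hmac.new(bytes(password), bytes(salt), digestmod).hexdigest()


def responses_match(response, expected_password, salt):
    """Constant-time comparison of a received response with the expected one."""
    expected = challenge_response(expected_password, salt)
    return hmac.compare_digest(response, expected)


def demo():
    """Constructed scenario: one password kept in a file written by `echo`
    and the same password carried in an environment variable (assumed here
    as a plain string)."""
    salt = os.urandom(16)  # constructed; a real salt comes from the server challenge
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pass.txt")
        with open(path, "wb") as f:
            f.write(b"test\n")  # exactly what `echo test > pass.txt` produces
        from_file = load_password(path)
        with open(path, "rb") as f:
            naive = f.read()  # file contents used without stripping
    from_env = "test"  # what an XPRA_PASSWORD=test style variable would carry
    return {
        "from_file": from_file,
        "stripped_matches_env": responses_match(
            challenge_response(from_file, salt), from_env, salt),
        "naive_matches_env": responses_match(
            challenge_response(naive, salt), from_env, salt),
        "bytearray_ok": challenge_response(bytearray(b"test"), salt)
        == challenge_response(b"test", salt),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running it shows that the stripped file contents and the environment variable produce the same response, that the unstripped `"test\n"` does not (the "my fault" case above), and that a `bytearray` password yields the same digest as `bytes` once coerced.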


Thu, 14 Apr 2016 18:09:44 GMT - Smo: status changed; resolution set

The original issue in this ticket has been fixed and tested.

Will follow up with more tests in #1159


Sat, 23 Jan 2021 05:15:54 GMT - migration script:

this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/1133