Split from #1690.
This will give us more flexibility, including the ability to authenticate with two passwords, password and dialog, etc.
Done in r17775, r17777 + r17890 for proxy server. Minor fix in r17824.
Examples:
echo -n 1234 > pass1.txt echo -n 5678 > pass2.txt xpra start --start=xterm :10 -d auth \ --bind-tcp=0.0.0.0:10000 --tcp-auth=file:filename=pass1.txt --tcp-auth=file:filename=pass2.txt
xpra attach tcp://localhost:10000/
The client should prompt for the password twice.
Also added in r17776 is the ability to tell the client what we are prompting for:
xpra start --bind-tcp=0.0.0.0:10000 --tcp-auth=file:filename=password.txt,prompt='secret no 1'
See also tcp wrappers: #1730
Noted, did some quick tests with the tcp-auth:
Both machines in question are Fedora 26, client and server are 2.X r17783
xpra start :12 --no-daemon --bind-tcp=0.0.0.0:2200 --start-child=xterm --tcp-auth=file:/home/max/pass1.txt --tcp-auth=file:/home/max/pass2.txt --tcp-auth=file:/home/max/pass3.txt -d auth
and attached with xpra attach tcp:ip:2200 --tcp-auth=file:/home/max/pass1.txt --tcp-auth=file:/home/max/pass2.txt --tcp-auth=file:/home/max/pass3.txt
and the connection failed after it prompted me for a password. Is this expected behavior? I find it odd that it would ask me for a password even though I gave it the auth files it asked for, and even in the right order.
I started a server with ...
That syntax is invalid and this is immediately obvious when you look at the server output:
Warning: failed to parse dictionary option '/home/max/pass1.txt': need more than 1 value to unpack
The correct syntax is auth=file,filename=/path/to/file
. This is documented everywhere, including the comment:1 just above, and also in the https://xpra.org/manual.html, and wiki/Authentication.
and attached with ...
Again, that doesn't make sense, see the man page and password-file
.
Okay I finally figured this out after like 45 minutes of reading.
I started my server with:
xpra start --start=xterm :10 -d auth --bind-tcp=0.0.0.0:2200 --auth=file,filename=pass1.txt,prompt='pass1' --auth=file,filename=pass4.txt,prompt='pass4' --no-daemon --start-via-proxy=no
And attached with:
xpra attach tcp:192.168.1.138:2200 --auth=file,filename=pass1.txt --auth=file,filename=pass4.txt -d auth
Turns out it's --auth=file,filename=/path/to/file
and NOT --tcp-auth=file,filename=/path/to/file
. Note the lack of a tcp-
.
Now that I've got the syntax sorted it works.
However I have to bother you with this ticket again.
BUT, I typed "exit" into the wrong xterm and as such lost my only xterm in the connected session. Trying to run xpra stop :10 --auth=file,filename=pass1.txt --auth=file,filename=pass4.txt
in another terminal that was SSH'd into the server in question failed with the output (from -d auth
via a second attempt)
[max@Vorfuehreffekt ~]$ xpra stop :10 --auth=file,filename=pass1.txt --auth=file,filename=pass4.txt -d auth processing challenge: ['&\xad\xf3\xc8\xdaXBK\x07^\xab\xea1\xec\xde\t`\x0e]\x02\x95\x05\xdb\x1ap\xbe\x0c\xc2@<\x9e,\xdd\xe3\x14\xaf\xf7f;z\xd7\x89\xd4&=\xd7\xad\x96\x87}\xa5S\x06\x10\xf0\x93\xd3\xb2?%\xc0\xde\xa7\xe1', '', 'hmac+sha512', 'hmac+sha512', 'pass1'] load_password() existing value found: False load_password() PASSWORD_PROMPT=True, isatty=True stdin isatty, using password prompt
Is there a typo there?
Also of note, when I do a Control + C
the prompt, the terminal becomes unresponsive afterwards - I can't see anything I type, and a Control + L
appears to do nothing.
I'd also like to note:
wiki/Authentication and comment:1 both have --auth=file:filename=/path/to/mypasswordfile.txt
listed - note the :
not the ,
as noted in comment:4
xpra attach tcp:192.168.1.138:2200 --auth=file,filename=pass1.txt --auth=file,filename=pass4.txt -d auth
That still does not make any sense. As per the examples and documentation,
the
[xxx-]auth
command line options only apply tobind[-xxx]
options. As per comment:4, for the client you want (multiple?)password-file
instead.Turns out it's
--auth=file,filename=/path/to/file
and NOT--tcp-auth=file,filename=/path/to/file
No, it's not. Neither option makes any difference whatsoever to a client.
Now that I've got the syntax sorted it works.
You don't.
Also of note, when I do a Control + C the prompt, the terminal becomes unresponsive afterwards - I can't see anything I type, and a Control + L appears to do nothing.
How do I restore input echoing in the terminal?
note the
:
not the,
as noted in comment:4
Both should work.
I thought I had closed this last week, but I guess I forgot to hit Submit.
Firstly, I apologize for getting confused on the command string, I somehow got it in my head that we were deprecating --password-file
in favor of something more modular --auth=
. That was not the case. Now that I've got it figured out, the multiple auth modules is working fine for me - I've tested it with up to 4 password files, and it all works together nicely, once you feed it the correct commands.
I also double checked and --auth=file,filename=
AND --auth=file:filename=
both work, even when mixing them in the same command string. Probably not a fantastic idea, but it will work just fine.
Now that I've checked that and there aren't any issues other than me, I'm going to go ahead and close this ticket.
Caused #1740
See also: #1691, #1789, #1728, #1791.
this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/1728