
This bug tracker and wiki are being discontinued
please use https://github.com/Xpra-org/xpra instead.


Changes between Initial Version and Version 2 of Ticket #2085


Timestamp: 12/20/18 01:11:17 (3 years ago)
Author: Antoine Martin
Comment:

Please always include the command lines and version information (see wiki/ReportingBugs).

So it seems that you are using the system proxy with the "pam" authentication (aka "sys") module. The pam_auth.py module will do the pam check using the "login" service.

You can change this behaviour by setting:

  • the "service" option, ie: for tcp and system-auth:
    xpra proxy --tcp-auth=pam,service=system-auth
    
  • the environment variable XPRA_PAM_AUTH_SERVICE. ie:
    xpra proxy --env=XPRA_PAM_AUTH_SERVICE=system-auth ...
    

(untested)

You can choose which service to use from the pre-defined services defined in /etc/pam.d, or even add a new one. The /etc/pam.d/xpra service file may or may not be suitable for you - it is used by the system-wide proxy server when starting as root and registering sessions with logind, see: #1105 for details.

If this works for you, please close this ticket as "invalid".
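
An added example (not part of the ticket and not xpra's code): before pointing `service=` or `XPRA_PAM_AUTH_SERVICE` at a file in /etc/pam.d, this lists which modules that service configures for a given PAM phase, following `include`, `substack` and `@include` lines. The sample service file contents and the `demo-authonly` service name are constructed for illustration.

```python
import os
import tempfile

def pam_modules(service, phase, pam_dir="/etc/pam.d", _stack=()):
    """List modules a PAM service configures for one phase, following includes."""
    if service in _stack:                      # include loop guard
        return []
    try:
        with open(os.path.join(pam_dir, service)) as f:
            text = f.read().replace("\\\n", " ")   # join continued lines
    except OSError:
        return []
    stack, modules = _stack + (service,), []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()     # drop comments
        if len(fields) >= 2 and fields[0] == "@include":   # Debian-style directive
            modules += pam_modules(fields[1], phase, pam_dir, stack)
            continue
        if len(fields) < 3 or fields[0].lstrip("-") != phase:
            continue
        i = 1
        if fields[1].startswith("["):          # [success=ok default=bad] style control
            while i < len(fields) - 1 and not fields[i].endswith("]"):
                i += 1
        control, rest = fields[1], fields[i + 1:]
        if rest and control in ("include", "substack"):
            modules += pam_modules(rest[0], phase, pam_dir, stack)
        elif rest:
            modules.append(os.path.basename(rest[0]))
    return modules

# Constructed sample service files (not copied from any real system).
SAMPLE = {
    "system-auth": "auth sufficient pam_sss.so\n"
                   "account [default=bad success=ok user_unknown=ignore] pam_sss.so\n",
    "login": "auth substack system-auth\naccount required pam_nologin.so\n"
             "account include system-auth\n",
    "demo-authonly": "auth include system-auth  # no account lines at all\n",
}

def demo(phase="account"):
    """Write the constructed files to a temp dir and resolve one phase per service."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLE.items():
            with open(os.path.join(d, name), "w") as f:
                f.write(body)
        return {s: pam_modules(s, phase, d) for s in SAMPLE}

if __name__ == "__main__":
    print(demo())
```

On a real host, call `pam_modules("login", "account")` and the same for the candidate service to compare their account stacks.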

  • Ticket #2085

    • Property Owner changed from Antoine Martin to steverweber
  • Ticket #2085 – Description

    initial v2  
    1010I have a test user teststev that is not in the group.
    1111this user cant ssh or use xrdp to connect to the system because they fail the pam_sss(xxx:account)
    12 
     12{{{
    1313xrdp-sesman[4918]: pam_sss(xrdp-sesman:auth): authentication success; logname= uid=0 euid=0 tty=xrdp-sesman ruser= rhost= user=teststev
    1414xrdp-sesman[4918]: pam_sss(xrdp-sesman:account): Access denied for user teststev: 6 (Permission denied)
    1515xrdp-sesman[4918]: (4918)(139798234375168)[DEBUG] Closed socket 10 (AF_INET6 ::ffff:127.0.0.1 port 3350)
    16 
     16}}}
    1717
    1818when using xpra it would be nice if this worked the same way to prevent users form gaining access to system.
    1919
    20 
     20{{{
    2121xpra[8037]:  sending challenge for username 'teststev' using xor digest
    2222python2[8037]: pam_sss(login:auth): authentication success; logname= uid=0 euid=0 tty= ruser= rhost= user=teststev
     
    4848xpra[8037]: proxy video encoders: none
    4949xpra[8037]: new proxy instance started
    50 
     50}}}
    5151
    5252Perhaps I'm just missing a configuration..