Version 13 (modified by Antoine Martin, 8 years ago)




The documentation here applies to version 0.11 and later. Older versions only support the "--password-file" authentication mode.

When connecting to a server over ssh, xpra's own encryption and authentication can be skipped, since ssh already provides both.

Xpra's authentication modules can be useful for:

  • securing TCP sockets
  • making the unix domain socket accessible to other users safely
  • using the Proxy Server mode


The authentication module used is specified using the "--auth=MODULE" switch.
Here are the modules that can be used:

  • allow: always allows the user to log in; the username used is the one supplied by the client - dangerous / only for testing
  • none: always allows the user to log in; the username used is the one the server is running as - dangerous / only for testing (requires version 0.12 or later)
  • fail: always fails authentication, no password required - useful for testing
  • reject: always fails authentication, pretends to ask for a password - useful for testing
  • file: looks up usernames and passwords in the password file (see below)
  • pam: Linux PAM authentication
  • win32: win32security authentication
  • sys: a virtual module which will choose win32 or pam

Password File

When used without the Proxy Server, the password file can contain a simple password in plain text.
See proxy server file authentication for more advanced usage.

Security Considerations

  • the password is never sent in plain text over the wire: the authentication modes that require the password to be sent to the server unhashed (sys: pam and win32) will refuse to run without Encryption
  • when used over TCP sockets, password authentication is vulnerable to man-in-the-middle attacks, where an attacker could intercept the initial exchange and use the stolen authentication challenge response to access the session; Encryption prevents that
  • the client does not verify the authenticity of the server; Encryption does
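
A generic sketch of the salted challenge-response idea behind these considerations, added here as an illustration: it is not xpra's code or wire protocol, and HMAC-SHA256 plus the names `ChallengeServer` and `client_response` are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets


def client_response(password: bytes, salt: bytes) -> bytes:
    """Client side: prove knowledge of the password without sending it."""
    return hmac.new(password, salt, hashlib.sha256).digest()


class ChallengeServer:
    """Generic salted-HMAC challenge-response (assumption: not xpra's format)."""

    def __init__(self, password: bytes):
        self._password = password
        self._pending = set()  # salts issued and not yet answered

    def new_challenge(self) -> bytes:
        salt = secrets.token_bytes(32)
        self._pending.add(salt)
        return salt

    def verify(self, salt: bytes, response: bytes) -> bool:
        # Salts are single-use: an unknown or already-answered salt is
        # rejected, so a captured response cannot be replayed later.
        if salt not in self._pending:
            return False
        self._pending.discard(salt)
        expected = hmac.new(self._password, salt, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


def demo() -> dict:
    password = b"constructed-sample-password"  # constructed sample value
    server = ChallengeServer(password)
    salt = server.new_challenge()
    good = client_response(password, salt)
    accepted = server.verify(salt, good)
    salt2 = server.new_challenge()
    return {
        "password_on_wire": password in salt + good,
        "accepted": accepted,
        "replay_same_salt": server.verify(salt, good),
        "replay_new_salt": server.verify(server.new_challenge(), good),
        "wrong_password": server.verify(salt2, client_response(b"guess", salt2)),
    }


if __name__ == "__main__":
    print(demo())
```

The exchange proves that the client knows the password, but it gives the client no proof of who issued the challenge and the response is not tied to the connection it travels over, which is the gap the list above assigns to Encryption.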