Created both password file and encryption key with
echo blah>key.txt && echo test>pass.txt
On both client and server.
Both client and server on the same machine using a different account from the desktop account to run the server.
Server output
[testxpra@cent64 ~]$ xpra --no-daemon --bind-tcp=0.0.0.0:15000 --encryption=AES --encryption-keyfile=key.txt --password-file=pass.txt --start-child=gnome-terminal start :15
2016-02-23 00:16:33,960 Warning: failed to load the mdns avahi publisher: No module named avahi
2016-02-23 00:16:33,960  either fix your installation or use the 'mdns=no' option
X.Org X Server 1.13.0
Release Date: 2012-09-05
X Protocol Version 11, Revision 0
Build Operating System: c6b7 2.6.32-220.el6.x86_64
Current Operating System: Linux cent64 4.1.6-1.el6.elrepo.x86_64 #1 SMP Mon Aug 17 13:50:59 EDT 2015 x86_64
Kernel command line: ro root=UUID=4c413328-a356-4e7f-b12c-008fb417d039 rd_NO_LUKS rd_NO_LVM LANG=en_US.UTF-8 rd_NO_MD SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet crashkernel=auto
Build Date: 22 February 2013  11:30:37AM
Build ID: xorg-x11-server 1.13.0-11.el6.centos
Current version of pixman: 0.26.2
        Before reporting problems, check http://wiki.centos.org/Documentation
        to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
        (++) from command line, (!!) notice, (II) informational,
        (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(++) Log file: "/home/testxpra/.xpra/Xorg.:15.log", Time: Tue Feb 23 00:16:33 2016
(++) Using config file: "/etc/xpra/xorg.conf"
Initializing built-in extension Generic Event Extension
Initializing built-in extension SHAPE
Initializing built-in extension MIT-SHM
Initializing built-in extension XInputExtension
Initializing built-in extension XTEST
Initializing built-in extension BIG-REQUESTS
Initializing built-in extension SYNC
Initializing built-in extension XKEYBOARD
Initializing built-in extension XC-MISC
Initializing built-in extension XINERAMA
Initializing built-in extension XFIXES
Initializing built-in extension RENDER
Initializing built-in extension RANDR
Initializing built-in extension COMPOSITE
Initializing built-in extension DAMAGE
Initializing built-in extension MIT-SCREEN-SAVER
Initializing built-in extension DOUBLE-BUFFER
Initializing built-in extension RECORD
Initializing built-in extension DPMS
Initializing built-in extension X-Resource
Initializing built-in extension XVideo
Initializing built-in extension XVideo-MotionCompensation
Initializing built-in extension SELinux
Initializing built-in extension XFree86-VidModeExtension
Initializing built-in extension XFree86-DGA
Initializing built-in extension XFree86-DRI
Initializing built-in extension DRI2
Loading extension GLX
/usr/lib/python2.6/site-packages/dbus/connection.py:242: DeprecationWarning: object.__init__() takes no parameters
  super(Connection, self).__init__(*args, **kwargs)
2016-02-23 00:16:34,214 Warning: outdated/buggy version of Python: 2.6.6.final.0
2016-02-23 00:16:34,214  switching to process polling every 2 seconds to support 'exit-with-children'
2016-02-23 00:16:34,336 Warning: 'password-file' used without an authentication module for unix-domain-sockets
2016-02-23 00:16:34,336  using 'file' based authentication
2016-02-23 00:16:34,375 Warning: 'password-file' used without an authentication module for tcp-sockets
2016-02-23 00:16:34,375  using 'file' based authentication
2016-02-23 00:16:35,254 Warning: lpinfo command failed and returned 1
2016-02-23 00:16:35,255  command used: '['/usr/sbin/lpinfo', '--make-and-model', 'Generic PDF Printer', '-m']'
Warning: failed to import GStreamer: 1.0 failed with: No module named gi
2016-02-23 00:16:36,142 Error: failed to query sound subsystem:
2016-02-23 00:16:36,142  query did not return any data
2016-02-23 00:16:36,151 pulseaudio server started with pid 6012
2016-02-23 00:16:36,152 using notification forwarder:
2016-02-23 00:16:36,152  DBUS-NotificationsForwarder(org.freedesktop.Notifications)
2016-02-23 00:16:36,162 started command 'gnome-terminal' with pid 6016
2016-02-23 00:16:36,162 xpra X11 version 0.16.2-r11889
2016-02-23 00:16:36,169  running with pid 5970 on Linux CentOS 6.4 Final
2016-02-23 00:16:36,169  on display :15
2016-02-23 00:16:36,180 xpra is ready.
Client output
[cosmo@cent64 ~]$ xpra attach --encryption=AES --encryption-keyfile=key.txt --password-file=pass.txt tcp:127.0.0.1:15000
2016-02-23 00:16:57,585 Warning: outdated/buggy version of Python: 2.6.6.final.0
2016-02-23 00:16:57,585  switching to process polling every 2 seconds to support 'exit-with-children'
2016-02-23 00:16:57,586 Xpra gtk2 client version 0.16.2-r11889
2016-02-23 00:16:57,592  running on Linux CentOS 6.4 Final
Warning: failed to import GStreamer: 1.0 failed with: No module named gi
2016-02-23 00:16:57,673 Error: failed to query sound subsystem:
2016-02-23 00:16:57,674  query did not return any data
2016-02-23 00:16:57,866 OpenGL_accelerate module loaded
2016-02-23 00:16:57,866 OpenGL support is missing:
2016-02-23 00:16:57,866  renderer 'Software Rasterizer' is blacklisted!
2016-02-23 00:16:57,961 receiving data using AES encryption
2016-02-23 00:16:58,039 Warning: AES decryption failed: invalid padding
2016-02-23 00:16:58,040 internal error: AES encryption padding error - wrong key?
2016-02-23 00:16:58,040 Connection lost
If I use the same file for password and keyfile, I get the original problem I was looking for.
Server command
xpra --no-daemon --bind-tcp=0.0.0.0:15000 --encryption=AES --encryption-keyfile=pass.txt --password-file=pass.txt --start-child=gnome-terminal start :15
Client output
[cosmo@cent64 ~]$ xpra attach --encryption=AES --encryption-keyfile=pass.txt --password-file=pass.txt tcp:127.0.0.1:15000
2016-02-23 00:31:42,367 Warning: outdated/buggy version of Python: 2.6.6.final.0
2016-02-23 00:31:42,367  switching to process polling every 2 seconds to support 'exit-with-children'
2016-02-23 00:31:42,367 Xpra gtk2 client version 0.16.2-r11889
2016-02-23 00:31:42,373  running on Linux CentOS 6.4 Final
Warning: failed to import GStreamer: 1.0 failed with: No module named gi
2016-02-23 00:31:42,456 Error: failed to query sound subsystem:
2016-02-23 00:31:42,456  query did not return any data
2016-02-23 00:31:42,647 OpenGL_accelerate module loaded
2016-02-23 00:31:42,648 OpenGL support is missing:
2016-02-23 00:31:42,648  renderer 'Software Rasterizer' is blacklisted!
2016-02-23 00:31:42,741 receiving data using AES encryption
2016-02-23 00:31:42,816 sending data using AES encryption
Traceback (most recent call last):
  File "/usr/lib64/python2.6/site-packages/xpra/client/client_base.py", line 537, in _process_challenge
    challenge_response = hmac.HMAC(password, salt, digestmod=hashlib.md5).hexdigest()
  File "/usr/lib64/python2.6/hmac.py", line 75, in __init__
    self.update(msg)
  File "/usr/lib64/python2.6/hmac.py", line 83, in update
    self.inner.update(msg)
TypeError: update() argument 1 must be string or read-only buffer, not bytearray
2016-02-23 00:31:52,742 server failure: disconnected before the session could be established
2016-02-23 00:31:52,742 server requested disconnect: login timeout
2016-02-23 00:31:52,745 Connection lost
Those are two completely different issues: the "argument 1 must be string or read-only buffer, not bytearray" error is a bug in the authentication code when running on Python 2.6 or earlier (as is the case on CentOS 6.x), and is fixed in r12015 + r12016.
The other one happens on all platforms AFAICT.
As for the second part, you're just using the wrong command line options, which makes it default to using the password as keyfile.
If you use bind-tcp then you have to use tcp-encryption and tcp-encryption-keyfile (and tcp-auth instead of auth).
That said, the fallback to using the password as keyfile should probably be removed (it prevents confusion like this one), but that's not going to be in 0.16.
Okay, I tried this again on a freshly installed system. One thing I did find out was that pycrypto wasn't installed; I had to install this first.
I'm not sure if we want to change the spec file to require this.
Server
xpra --no-daemon --bind-tcp=0.0.0.0:15000 --tcp-encryption=AES --tcp-encryption-keyfile=key.txt --password-file=pass.txt --start-child=gnome-terminal start :15
Client
xpra attach --encryption=AES --encryption-keyfile=key.txt --password-file=pass.txt tcp:127.0.0.1:15000
I also tried this command
xpra attach --encryption=AES --tcp-encryption-keyfile=key.txt --password-file=pass.txt tcp:127.0.0.1:15000
which failed with this output:
2016-03-24 15:57:57,489 internal error: AES encryption padding error - wrong key?
Maybe I don't understand the options quite right, but it seems to work now.
We probably want to revert some of these changes anyway: Xpra ML: XPRA_PASSWORD and XPRA_ENCRYPTION_KEY?
One thing I did find out was that pycrypto wasn't installed; I had to install this first.
python-crypto is a dependency of xpra, including in 0.16: browser/xpra/tags/v0.16.x/rpmbuild/xpra.spec. If I try to remove it, yum wants to remove xpra with it.
Please clarify the problem you encountered.
Maybe I don't understand the options quite right, but it seems to work now.
The client only used the "encryption" and "encryption-keyfile" command line options, because unlike the server it only has a single endpoint. r12336 will make the client use tcp-encryption and tcp-encryption-keyfile if those are specified instead (not going to backport this).
I really thought I had seen another problem somewhere, but I can't seem to hit it. The only problem that I saw with the "file" backend was that I had a trailing newline in my password file, and when I tried to use the environment variable, I didn't - so it failed. But that's just my fault.
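The two authentication failures in this thread (the bytearray passed to hmac.HMAC in _process_challenge, and a password file whose trailing newline does not match the value set through the environment variable) can be reproduced outside xpra. The following Python 3 example is added here and is not xpra's code; the salt, the password file content and the helper names are constructed:

```python
import hashlib
import hmac
import os
import tempfile

# Constructed sample inputs (not from the ticket): what "echo test>pass.txt"
# writes, newline included, and a fixed salt in place of the server's random one.
PASSWORD_FILE_CONTENT = b"test\n"
SALT = b"0123456789abcdef"

def _as_bytes(value):
    """str, bytes or bytearray -> bytes. Python 2.6's hmac rejected a bytearray
    ("argument 1 must be string or read-only buffer"); this sidesteps that."""
    if isinstance(value, str):
        return value.encode("utf-8")
    return bytes(value)

def read_password_file(path):
    """Read the secret as bytes, dropping the trailing newline 'echo' leaves so
    the file-based value matches the same password given via XPRA_PASSWORD."""
    with open(path, "rb") as f:
        return f.read().rstrip(b"\r\n")

def challenge_response(password, salt):
    """Client side: HMAC-MD5 keyed with the password over the server's salt,
    as a hex digest, mirroring the call in the traceback."""
    return hmac.new(_as_bytes(password), _as_bytes(salt), hashlib.md5).hexdigest()

def server_accepts(expected_password, salt, response):
    """Server side: recompute with its own copy of the password, compare in
    constant time."""
    return hmac.compare_digest(challenge_response(expected_password, salt), response)

def demo():
    """Run the exchange with the newline stripped and with it left in."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(PASSWORD_FILE_CONTENT)
        path = f.name
    try:
        stripped = read_password_file(path)
        with open(path, "rb") as f:
            raw = f.read()
    finally:
        os.unlink(path)
    server_password = b"test"  # the server's copy has no newline
    ok = server_accepts(server_password, SALT, challenge_response(stripped, SALT))
    bad = server_accepts(server_password, SALT, challenge_response(raw, SALT))
    return ok, bad
```

demo() returns (True, False): the stripped password authenticates, the raw file content with its newline does not, which is the "login timeout" symptom when the two sides disagree on the secret.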
Somewhat related for 0.17: partial reverts and updates of r12099 + r11465 in r12332 + r12334:
XPRA_ENCRYPTION_KEY should work as before.
XPRA_PASSWORD can be used as before with the client - it can also be used with the server by selecting the "env" auth module.
More details in #1159.
The original issue in this ticket has been fixed and tested.
Will follow up with more tests in #1159.
This ticket has been moved to: https://github.com/Xpra-org/xpra/issues/1133