Xpra: Ticket #1264: proxy server errors

Most of this will need backporting. It would be nice if we had tests to prevent such problems in the future.

Some already fixed: r13074, r13075.

Some more:

etc..



Fri, 22 Jul 2016 08:15:20 GMT - Antoine Martin: status, description changed


Fri, 22 Jul 2016 10:00:51 GMT - Antoine Martin:

More fixes: r13077 + r13078.


Sat, 23 Jul 2016 10:16:47 GMT - Antoine Martin: owner, status changed

More:

For testing (add -d auth for debugging):


Tue, 02 Aug 2016 01:37:00 GMT - alas: owner changed

Gave it a try with a fedora 23 1.0 r13165 server against a 1.0 r13101 windows client, and a 1.0 r13165 osx client... no luck.

Tried the start server commands with:

[jimador@jimador ~]$ nano not-password.txt
[jimador@jimador ~]$ xpra start :57 --start-child=xterm --auth=file:filename=./not-password.txt
No pam support: No module named pam
[jimador@jimador ~]$ Entering daemon mode; any further errors will be reported to:
  /home/jimador/.xpra/:57.log

... which didn't look too promising, but carried on to try the proxy server with:

[jimador@jimador ~]$ echo -n "testproxy|proxypassword|1001|1001|:57||username=rambeau;password=password" > no.txt
[jimador@jimador ~]$ xpra proxy :17 --tcp-auth=multifile:filename=./no.txt --bind-tcp=0.0.0.0:1234
No pam support: No module named pam
[jimador@jimador ~]$ Entering daemon mode; any further errors will be reported to:
  /home/jimador/.xpra/:17.log

Trying to connect the windows client, I got this output:

C:\Program Files (x86)\Xpra>xpra_cmd.exe attach --no-mmap --opengl=on tcp/testproxy:proxypassword@10.0.32.134:1234
2016-08-01 16:44:58,904 Xpra gtk2 client version 1.0-r13101 32-bit
2016-08-01 16:44:58,907  running on Microsoft Windows 8.1
2016-08-01 16:44:59,194 GStreamer version 1.6 for Python 3.4 32-bit
2016-08-01 16:44:59,673 OpenGL_accelerate module loaded
2016-08-01 16:44:59,678 OpenGL enabled with Intel(R) HD Graphics 4000
2016-08-01 16:44:59,928  detected keyboard: layout=us
2016-08-01 16:44:59,930  desktop size is 5120x2160 with 1 screen:
2016-08-01 16:44:59,930   Default (1354x571 mm - DPI: 96x96) workarea: 5120x2120
2016-08-01 16:44:59,931     DISPLAY1 3840x2160 at 1280x0 (621x341 mm - DPI: 157x160) workarea: 3840x2120
2016-08-01 16:44:59,931     DISPLAY2 1280x720 (597x336 mm - DPI: 54x54) workarea: 1280x638
2016-08-01 16:44:59,933  upscaled by 167%, virtual screen size: 3072x1296
2016-08-01 16:44:59,933   Default (1354x571 mm - DPI: 57x57) workarea: 3072x1272
2016-08-01 16:44:59,934     DISPLAY1 2304x1296 at 768x0 (621x341 mm - DPI: 94x96) workarea: 2304x1272
2016-08-01 16:44:59,934     DISPLAY2 768x432 (597x336 mm - DPI: 32x32) workarea: 768x383
2016-08-01 16:45:09,931 server failure: disconnected before the session could be established
2016-08-01 16:45:09,933 server requested disconnect: login timeout
2016-08-01 16:45:09,944 Connection lost

... the OSX client gave about the same output.

Some hopefully useful bits from those logs.

Are you sure that the --tcp-auth=multifile:filename=./multi.txt parameter wants the "./"? (Assuming that you are, I'll pass this back for you to look and see what I might be going wrong... I used nano to create the password file just out of curiosity, just fyi.)


Tue, 02 Aug 2016 04:53:23 GMT - Antoine Martin: owner changed

Error: password file ./no.txt is missing

Is your problem: if the password file cannot be found, it cannot authenticate users. (the stacktrace that followed it should be improved in r13166, the "printing conflicts" message is improved in r13167, gid / uid handling improved in r13168)

Works fine for me. My guess is that the instructions you posted are not the ones you actually used. Maybe you changed directory, or ran it from a different terminal in a different path.


I used nano to create the password file just out of curiosity


Along the same lines, do not to use "nano" in your instructions as it doesn't record what was stored in that file, if anything. It may also add a newline character at the end of the file, which won't be present in the multifile password field and therefore will not match. Use "echo -n" as per the instructions in comment:3 ("-n" prevents the newline) so this can be reproduced exactly every time, and quickly too (just cut & paste). Matching the value in your proxy multiauth file, I have used:

echo -n password > not-password.txt

The No pam support: No module named pam can be ignored, see #1105.


Thu, 04 Aug 2016 21:56:11 GMT - alas: owner changed

Hmm... I was able to get it to work, but there seemed to be a number of wrinkles.

Firstly, trying to launch the proxy with

[jimador@jimador ticket1264]$ echo -n "testproxy|proxypassword|1001|1001|:57||username=testserver;password=password" > multi.txt
[jimador@jimador ticket1264]$ xpra proxy :17 --tcp-auth=multifile:filename=multi.txt --bind-tcp=0.0.0.0:1234

... failed with that same Error: password file 'multi.txt' is missing error.

I finally succeeded by trying (wait for it) xpra proxy :17 --tcp-auth=multifile:filename=/home/jimador/ticket1264/multi.txt --bind-tcp=0.0.0.0:1234 - a full path to the password file.

Supposing that that was what the './' was meant to do, I tried again, and got the connection failure again:

2016-08-04 14:22:27,924 created unix domain socket: /home/jimador/.xpra/jimador.plata-17
2016-08-04 14:22:27,974 Warning: failed to load the mdns avahi publisher:
2016-08-04 14:22:27,975  No module named avahi
2016-08-04 14:22:27,975  either fix your installation or use the 'mdns=no' option
2016-08-04 14:22:28,044 serving html content from '/usr/share/xpra/www'
2016-08-04 14:22:28,044 get_auth_module(unix-domain, , {..})
2016-08-04 14:22:28,044 get_auth_module(tcp, multifile:filename=./multi.txt, {..})
2016-08-04 14:22:28,059 get_auth_module(ssl, multifile:filename=./multi.txt, {..})
2016-08-04 14:22:28,059 get_auth_module(vsock, , {..})
2016-08-04 14:22:28,059 init_auth(..) auth class=None, tcp auth class=('multifile', <class 'xpra.server.auth.multifile_auth.Authenticator'>, {'filename': './multi.txt'}), ssl auth class=('multifile', <class 'xpra.server.auth.multifile_auth.Authenticator'>, {'filename': './multi.txt'}), vsock auth class=None
2016-08-04 14:22:28,059 xpra proxy version 1.0-r13211 64-bit
2016-08-04 14:22:28,060  running with pid 32369 on Linux Fedora 23 TwentyThree
2016-08-04 14:22:28,060  connected to X11 display :17
2016-08-04 14:22:28,060 xpra is ready.
2016-08-04 14:22:35,132 New tcp connection received from 10.0.11.162:57556
2016-08-04 14:22:35,133 socktype=tcp, auth class=('multifile', <class 'xpra.server.auth.multifile_auth.Authenticator'>, {'filename': './multi.txt'}), encryption=, keyfile=
2016-08-04 14:22:35,136 creating authenticator ('multifile', <class 'xpra.server.auth.multifile_auth.Authenticator'>, {'filename': './multi.txt'})
2016-08-04 14:22:35,138 multifile=multi password file
2016-08-04 14:22:35,138 processing authentication with multi password file, response=None, client_salt=, challenge_sent=False
2016-08-04 14:22:35,138 challenge: ('95520cbfaa16407ea4aaa65e7d2df4f06c96d7a1373841ea8d1f67a5f81dfa0d', 'hmac')
2016-08-04 14:22:35,138 Authentication required by multi password file authenticator module
2016-08-04 14:22:35,138  sending challenge for 'testproxy' using hmac digest
2016-08-04 14:22:35,170 processing authentication with multi password file, response=d1f9ee9d5613d8872bbc852e1e994070, client_salt=34353061656631313939343734336630616464366264356265336136666137393235363562333039333463623432636138366335396530343139313631363931, challenge_sent=True
2016-08-04 14:22:35,171 Error: password file './multi.txt' is missing
2016-08-04 14:22:35,171 authenticate(testproxy) auth-info=None
2016-08-04 14:22:35,171 Error: authentication failed
2016-08-04 14:22:35,171  no password for 'testproxy' in './multi.txt'
2016-08-04 14:22:35,172 Error: authentication failed
2016-08-04 14:22:35,172  invalid challenge response
2016-08-04 14:22:36,174 Disconnecting client 10.0.11.162:57556:
2016-08-04 14:22:36,174  invalid challenge response

Meanwhile, I have been completely unable to get the --auth=file:filename=./not-password.txt syntax to work, whether I feed in a full filepath, use a './{filename}', or just use the filename for a file in the same directory.

Launching the server and proxy with:

[jimador@jimador ticket1264]$ echo -n "testproxy|proxypassword|1000|1000|:57||username=jimador;password=password" > multi.txt
[jimador@jimador ticket1264]$ cat multi.txt
testproxy|proxypassword|1000|1000|:57||username=jimador;password=password[jimador@jimador ticket1264]$
[jimador@jimador ticket1264]$ echo -n password > not-password.txt
[jimador@jimador ticket1264]$ cat not-password.txt
password[jimador@jimador ticket1264]$
[jimador@jimador ticket1264]$ xpra start :57 --start-child=xterm --auth=file:filename=not-password.txt -d auth
No pam support: No module named pam
[jimador@jimador ticket1264]$ Entering daemon mode; any further errors will be reported to:
  /home/jimador/.xpra/:57.log
[jimador@jimador ticket1264]$ xpra proxy :17 --tcp-auth=multifile:filename=/home/jimador/ticket1264/multi.txt --bind-tcp=0.0.0.0:1234 -d auth
No pam support: No module named pam
[jimador@jimador ticket1264]$ Entering daemon mode; any further errors will be reported to:
  /home/jimador/.xpra/:17.log

Then trying to connect with a windows client with xpra_cmd.exe attach --no-mmap --opengl=on tcp/testproxy:proxypassword@10.0.32.134:1234 -d auth I get similar failures and see the following from the :57.log:

[jimador@jimador ticket1264]$ cat ../.xpra/:57.log
X.Org X Server 1.18.3
Release Date: 2016-04-04
X Protocol Version 11, Revision 0
Build Operating System:  4.4.9-300.fc23.x86_64
Current Operating System: Linux jimador.plata 4.4.9-300.fc23.x86_64 #1 SMP Wed May 4 23:56:27 UTC 2016 x86_64
Kernel command line: BOOT_IMAGE=/vmlinuz-4.4.9-300.fc23.x86_64 root=UUID=7dc8a1f0-603b-4d33-9f61-95ee93330923 ro rhgb quiet LANG=en_US.UTF-8
Build Date: 30 June 2016  11:04:38PM
Build ID: xorg-x11-server 1.18.3-3.fc23
Current version of pixman: 0.34.0
        Before reporting problems, check http://wiki.x.org
        to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
        (++) from command line, (!!) notice, (II) informational,
        (WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(++) Log file: "/home/jimador/.xpra/Xorg.:57.log", Time: Thu Aug  4 14:34:18 2016
(++) Using config file: "/etc/xpra/xorg.conf"
(==) Using system config directory "/usr/share/X11/xorg.conf.d"
/home/jimador/.xpra/jimador.plata-57 is not responding, waiting for it to timeout before clearing it.....
2016-08-04 14:34:22,801 created unix domain socket: /home/jimador/.xpra/jimador.plata-57
2016-08-04 14:34:23,064 Warning: failed to load the mdns avahi publisher:
2016-08-04 14:34:23,065  No module named avahi
2016-08-04 14:34:23,065  either fix your installation or use the 'mdns=no' option
2016-08-04 14:34:23,257 get_auth_module(unix-domain, file:filename=not-password.txt, {..})
2016-08-04 14:34:23,274 get_auth_module(tcp, file:filename=not-password.txt, {..})
2016-08-04 14:34:23,274 get_auth_module(ssl, file:filename=not-password.txt, {..})
2016-08-04 14:34:23,275 get_auth_module(vsock, , {..})
2016-08-04 14:34:23,275 init_auth(..) auth class=('file', <class 'xpra.server.auth.file_auth.Authenticator'>, {'filename': 'not-password.txt'}), tcp auth class=('file', <class 'xpra.server.auth.file_auth.Authenticator'>, {'filename': 'not-password.txt'}), ssl auth class=('file', <class 'xpra.server.auth.file_auth.Authenticator'>, {'filename': 'not-password.txt'}), vsock auth class=None
2016-08-04 14:34:23,321 Warning: webcam forwarding is disabled
2016-08-04 14:34:23,321  the virtual video directory '/sys/devices/virtual/video4linux' was not found
2016-08-04 14:34:23,322  make sure that the 'v4l2loopback' kernel module is installed and loaded
2016-08-04 14:34:23,322 found 0 virtual video devices for webcam forwarding
2016-08-04 14:34:23,329 pulseaudio server started with pid 560
2016-08-04 14:34:23,465 GStreamer version 1.6 for Python 2.7 64-bit
2016-08-04 14:34:23,513 D-Bus notification forwarding is available
2016-08-04 14:34:23,523 started command 'xterm' with pid 572
2016-08-04 14:34:23,523 xpra X11 version 1.0-r13211 64-bit
2016-08-04 14:34:23,523  running with pid 456 on Linux Fedora 23 TwentyThree
2016-08-04 14:34:23,524  connected to X11 display :57
xterm: cannot load font '-misc-fixed-medium-r-semicondensed--13-120-75-75-c-60-iso10646-1'
2016-08-04 14:34:23,562 xpra is ready.
2016-08-04 14:34:23,641 printer forwarding enabled using postscript and pdf
2016-08-04 14:34:23,642 Warning: printing conflicts with socket authentication module 'file'
2016-08-04 14:35:58,284 New unix-domain connection received on /home/jimador/.xpra/jimador.plata-57
2016-08-04 14:35:58,286 socktype=unix-domain, auth class=('file', <class 'xpra.server.auth.file_auth.Authenticator'>, {'filename': 'not-password.txt'}), encryption=, keyfile=
2016-08-04 14:35:58,575 New unix-domain connection received on /home/jimador/.xpra/jimador.plata-57
2016-08-04 14:35:58,576 socktype=unix-domain, auth class=('file', <class 'xpra.server.auth.file_auth.Authenticator'>, {'filename': 'not-password.txt'}), encryption=, keyfile=
2016-08-04 14:35:58,583 creating authenticator ('file', <class 'xpra.server.auth.file_auth.Authenticator'>, {'filename': 'not-password.txt'})
2016-08-04 14:35:58,587 file=password file
2016-08-04 14:35:58,588 processing authentication with password file, response=None, client_salt=, challenge_sent=False
2016-08-04 14:35:58,588 challenge: ('2ec140680af54f9eb2ab138cb8f315e47f951ab0879d463bacf76ae3bf3cefee', 'hmac')
2016-08-04 14:35:58,589 Authentication required by password file authenticator module
2016-08-04 14:35:58,589  sending challenge for 'testproxy' using hmac digest
2016-08-04 14:35:58,598 processing authentication with password file, response=1de81a0a7192ce67e1da8878f2ecf95c, client_salt=63623833646139396636343834383766396536633733626462353661623536366235306364623865323737323462346239656464316339343063306538666564, challenge_sent=True
2016-08-04 14:35:58,599 Error: password file 'not-password.txt' is missing
2016-08-04 14:35:58,599 Error: password file authentication failed
2016-08-04 14:35:58,599  no password defined for 'testproxy'
2016-08-04 14:35:58,599 Error: authentication failed
2016-08-04 14:35:58,599  invalid challenge response
2016-08-04 14:35:59,601 Disconnecting client /home/jimador/.xpra/jimador.plata-57:
2016-08-04 14:35:59,602  invalid challenge response

In fact, launching the server with the --auth=file:filename=not-password.txt flag, xpra stop :57 fails because it also fails authentication, and I have to use a kill -9.

If, instead of the above syntax, I use the old-timey --password-file=not-password.txt, however, then it works for me.

So:

echo -n password > not-password.txt
xpra start :57 --start-child=xterm --password-file=not-password.txt

+

echo -n "testproxy|proxypassword|1000|1000|:57||username=jimador;password=password" > multi.txt
xpra proxy :17 --tcp-auth=multifile:filename=/home/jimador/ticket1264/multi.txt --bind-tcp=0.0.0.0:1234

+

xpra_cmd.exe attach --no-mmap --opengl=on tcp/testproxy:proxypassword@10.0.32.134:1234

= :)


Fri, 05 Aug 2016 04:52:28 GMT - Antoine Martin: status changed; resolution set

TLDR:

I have edited the comments above. r13217 will make that clearer in the error message by always using absolute paths so one can see what the relative path ended up resolving to. It works, closing.


Mon, 05 Sep 2016 04:53:32 GMT - Antoine Martin:

See also #952.


Wed, 21 Sep 2016 08:29:18 GMT - Antoine Martin:

More fixes: r13800, r13790.


Fri, 23 Sep 2016 03:26:45 GMT - Antoine Martin:

More proxy improvements (recording here for lack of a better place):


Sat, 23 Jan 2021 05:19:30 GMT - migration script:

this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/1264