Xpra: Ticket #1498: attach via proxy multifile auth

Hello, trying to connect via PROXY. (Centos 7.3, xpra test 2.0) One server, and proxy and server run under Root account. Client=html so the commands:

xpra proxy :100 --bind-tcp=0.0.0.0:443 --auth=multifile:filename=/root/xpra-auth.txt -d auth -d proxy
xpra start :10 --exit-with-children --bind-tcp:0.0.0.0:10000 --start-child=/bin/gedit

and then

xpra attach --username=111 --password-file=/root/password.txt $0.0.0.0:443

gives xpra initialization error: no such option: -b

xpra attach --username=111 --password-file=/root/password.txt $PROXYHOST:443

gives "Warning: running as root. xpra initialization error: could open display"

what is wrong? and multifile and password file are available. In logs - nothing special (:10 and :100) Multifile content:

111|111|1000|1000|tcp:0.0.0.0:10000|EXAMPLE_ENV=VALUE

Thank you



Thu, 13 Apr 2017 05:34:50 GMT - Antoine Martin: owner, description changed

xpra test 2.0

Please always specify the FULL version. I don't know what "xpra test 2.0" is.

xpra attach --username=111 --password-file=/root/password.txt $0.0.0.0:443

Looks like a syntax error: why is "$" in there?

Multifile content: 111|111|1000|1000|tcp:0.0.0.0:10000|EXAMPLE_ENV=VALUE

"tcp:0.0.0.0:10000" is not a valid connection string because "0.0.0.0" is not a valid TCP address. FYI: if running the server on the same system, you don't even need TCP and you can use ":10" for the display string.

PS: please learn to use wiki wiki/WikiFormatting so I don't have to edit all your tickets.


Thu, 13 Apr 2017 05:56:29 GMT - Denis01:

1) version xpra beta -2.1-0.20170403r15507 2) i followed the wiki-proxy and copied the command "xpra attach --username=myusername --password-file=./password.txt $PROXYHOST:443" 3) ok

P.s. ok


Thu, 13 Apr 2017 08:01:10 GMT - Denis01:

And another strage point which might an idea of the cause. If i try to login through HTML client to proxy using client name =111 (which was defined in multifile) auth and proxy log says:

Athentication required by multi password file ahtbentication module
Sending challenge for username '111' using hmac+sha256 digest
start_proxy (.....found sessions: (1000,1000,....)

that seems to be properly uploaded from multifile in auth py module and then

Error: user 'xxx1235' {uid=1000} is not in the xpra group
it belongs to: None

This message is from proxy py. So could it be that system keeps somehow the data from previous connections rather the update the i fo on connection string and screen each time?

The user 'xxx12345' i used for direct session creation (without proxy) on the same port 10000 and it might be with the same uid-1000 ( don't remember well). But after that i killed all xpra sessions and even rebooted server several times.


Thu, 13 Apr 2017 08:16:07 GMT - Antoine Martin:

Error: user 'xxx1235' {uid=1000} is not in the xpra group could it be that system keeps somehow the data from previous connections

No. Just like it says, your user is not a member of the "xpra" unix group, so it is warning you that the group socket cannot be created. Either add the user to the xpra group or remove "/var/run/xpra" from the socket bind locations.

I assume that your original problem was because of syntax errors, right? If so, please close this ticket and open a new one if you have other issues.


Thu, 13 Apr 2017 08:36:22 GMT - Denis01:

Hm.. but there is no such user 'xxx12345' in multifile. There is a new one - '111' And mulfifile_auth.py sees properly new one in def authenticate_hmac self.username='111' but proxy_server.py in user=get_username_for_uid(uid) returns 'xxx12345'


Thu, 13 Apr 2017 08:47:09 GMT - Antoine Martin:

but there is no such user 'xxx12345' in multifile. There is a new one - '111'

Yes, there is:


Thu, 13 Apr 2017 11:49:08 GMT - Denis01:

:-) Linux for dummies :-) Now the user created in Linux and attached to xpra group with the correct UID given by Linux. Proxy can indentify the user. But still xpra attach doesn't work - "xpra initialization error:could not open display"

Tried to start by root and by user and many commands from Wiki

Xpra attach tcp:111@'real ip address':443

Or

Xpda attach --username=111 --auth=multifile:filename=/root/xpra-auth.txt@'real ip address':443

But results are the same :-(


Thu, 13 Apr 2017 11:54:32 GMT - Antoine Martin:

Whatever the problem is, there will be more details than "could not open display" in your "-d proxy" server log. If the display string you specify in multifile is correct, then you should be able to use it directly from a terminal where the proxy is running, ie:

xpra info tcp:HOST:PORT

Check that first.


Thu, 13 Apr 2017 13:08:12 GMT - Denis01:

Amazing.... Command "xpra attach" is not needed... It works only with "xpra proxy --auth multi..." on proxy side and "xpra start" without any --auth command at target side.

But FYI

Xpra info tcp:HOST:PORT

Under root account in the Terminal at Proxy side says

Warning:running as root
Error: authentication failed:
This server requires authentication, please provide a password"

So if you confirm that running Proxy without "xpra attach..." is normal way - i'll close thw tichet


Thu, 13 Apr 2017 13:18:32 GMT - Antoine Martin: milestone set

Under root account in the Terminal at Proxy side says (..) This server requires authentication, please provide a password"

Obviously, if you start your server with authentication, then you'll need to provide a password. Right at the top of this ticket description, your server (not the proxy) start command does not use one, so you would not need any authentication to connect to THAT server. Connecting to the proxy URI however, you would since you used "multifile" auth for THAT one.

Please make you sure you understand what each command does and close this ticket.


Thu, 13 Apr 2017 13:37:23 GMT - Denis01:

Ok, clear. And for "xpra attach" command should be executed on NON html but thick client, right?


Thu, 13 Apr 2017 13:39:01 GMT - Antoine Martin:

And for "xpra attach" command should be executed on NON html but thick client, right?

"xpra attach" is the xpra client. Not sure why you're even talking about the HTML client in this context.


Thu, 13 Apr 2017 13:49:38 GMT - Denis01:

As the WIKI says that the last operation to start the session should be command "xpra attach..." (in fact the main original issue of the topic). But for HTML connection it is not simple needed - started 'xpra proxy' on the proxy nod, 'xpra start' on the target host and entered by HTML client. It works. So i thought that probably this 'xpra attach' command should be done on in normal client (not html one). And in the case of html it is needed nowhere...


Thu, 13 Apr 2017 14:08:22 GMT - Denis01: status changed; resolution set

Yes, wiki says "users can connect as USUAL with: xpra attach.." so it has to be the cmd to start on client PC (not the case of html client) Close this ticket.


Fri, 14 Jul 2017 17:59:36 GMT - Antoine Martin: summary changed

(editing ticket title)


Sat, 23 Jan 2021 05:25:56 GMT - migration script:

this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/1498