
Opened 7 months ago

Closed 6 months ago

Last modified 4 months ago

#1728 closed enhancement (fixed)

multiple authentication modules per socket type

Reported by: Antoine Martin Owned by: J. Max Mena
Priority: major Milestone: 2.3
Component: server Version: 2.2.x
Keywords: stackable auth Cc:

Description

Split from #1690.

This will give us more flexibility, including the ability to authenticate with two passwords, password and dialog, etc.

Change History (9)

comment:1 Changed 7 months ago by Antoine Martin

Milestone: 2.3
Status: new → assigned

Done in r17775, r17777 + r17890 for proxy server. Minor fix in r17824.

Examples:

echo -n 1234 > pass1.txt
echo -n 5678 > pass2.txt
xpra start --start=xterm :10 -d auth \
    --bind-tcp=0.0.0.0:10000 \
    --tcp-auth=file:filename=pass1.txt \
    --tcp-auth=file:filename=pass2.txt
xpra attach tcp://localhost:10000/

The client should prompt for the password twice.

Also added in r17776 is the ability to tell the client what we are prompting for:

xpra start --bind-tcp=0.0.0.0:10000 --tcp-auth=file:filename=password.txt,prompt='secret no 1'

Last edited 7 months ago by Antoine Martin

comment:2 Changed 7 months ago by Antoine Martin

Owner: changed from Antoine Martin to J. Max Mena
Status: assigned → new

See also tcp wrappers: #1730

Last edited 5 months ago by Antoine Martin

comment:3 Changed 7 months ago by J. Max Mena

Owner: changed from J. Max Mena to Antoine Martin

Noted, did some quick tests with the tcp-auth:

Both machines in question are Fedora 26, client and server are 2.X r17783

  • I started a server with xpra start :12 --no-daemon --bind-tcp=0.0.0.0:2200 --start-child=xterm --tcp-auth=file:/home/max/pass1.txt --tcp-auth=file:/home/max/pass2.txt --tcp-auth=file:/home/max/pass3.txt -d auth

and attached with xpra attach tcp:ip:2200 --tcp-auth=file:/home/max/pass1.txt --tcp-auth=file:/home/max/pass2.txt --tcp-auth=file:/home/max/pass3.txt

and the connection failed after it prompted me for a password. Is this expected behavior? I find it odd that it would ask me for a password even though I gave it the auth files it asked for, and even in the right order.

comment:4 Changed 7 months ago by Antoine Martin

Owner: changed from Antoine Martin to J. Max Mena

I started a server with ...

That syntax is invalid and this is immediately obvious when you look at the server output:

Warning: failed to parse dictionary option '/home/max/pass1.txt':
 need more than 1 value to unpack

The correct syntax is auth=file,filename=/path/to/file. This is documented everywhere, including the comment:1 just above, and also in the https://xpra.org/manual.html, and wiki/Authentication.

and attached with ...

Again, that doesn't make sense, see the man page and password-file.

comment:5 Changed 7 months ago by J. Max Mena

Owner: changed from J. Max Mena to Antoine Martin

Okay I finally figured this out after like 45 minutes of reading.

I started my server with:

xpra start --start=xterm :10 -d auth --bind-tcp=0.0.0.0:2200 --auth=file,filename=pass1.txt,prompt='pass1' --auth=file,filename=pass4.txt,prompt='pass4' --no-daemon --start-via-proxy=no

And attached with:

xpra attach tcp:192.168.1.138:2200 --auth=file,filename=pass1.txt --auth=file,filename=pass4.txt -d auth

Turns out it's --auth=file,filename=/path/to/file and NOT --tcp-auth=file,filename=/path/to/file. Note the lack of a tcp-.

Now that I've got the syntax sorted it works.

However I have to bother you with this ticket again.

BUT, I typed "exit" into the wrong xterm and as such lost my only xterm in the connected session. Trying to run xpra stop :10 --auth=file,filename=pass1.txt --auth=file,filename=pass4.txt in another terminal that was SSH'd into the server in question failed with the output (from -d auth via a second attempt)

[max@Vorfuehreffekt ~]$ xpra stop :10 --auth=file,filename=pass1.txt --auth=file,filename=pass4.txt -d auth
processing challenge: ['&\xad\xf3\xc8\xdaXBK\x07^\xab\xea1\xec\xde\t`\x0e]\x02\x95\x05\xdb\x1ap\xbe\x0c\xc2@<\x9e,\xdd\xe3\x14\xaf\xf7f;z\xd7\x89\xd4&=\xd7\xad\x96\x87}\xa5S\x06\x10\xf0\x93\xd3\xb2?%\xc0\xde\xa7\xe1', '', 'hmac+sha512', 'hmac+sha512', 'pass1']
load_password() existing value found: False
load_password() PASSWORD_PROMPT=True, isatty=True
stdin isatty, using password prompt

Is there a typo there?

Also of note, when I do a Control + C at the prompt, the terminal becomes unresponsive afterwards - I can't see anything I type, and a Control + L appears to do nothing.


I'd also like to note:

wiki/Authentication and comment:1 both have --auth=file:filename=/path/to/mypasswordfile.txt listed - note the : not the , as noted in comment:4
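To make the stacked-module behaviour from comment:1 (the client is prompted once per configured auth module) and the challenge seen in the -d auth output above concrete, here is a constructed Python model. It is not xpra's code; it only assumes, from that log line, that a challenge is a list of salt, empty string, digest name twice and the prompt text, and that each module is verified in turn with an HMAC-SHA512 of the password over the salt.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed model of the stacked "file" auth modules in this ticket, not xpra's
# own code. Assumed challenge shape: [salt, "", digest, digest, prompt].

class FileAuth:
    """One --auth=file,filename=...,prompt=... module, server side."""
    def __init__(self, filename, prompt):
        self.filename, self.prompt, self.salt = filename, prompt, None

    def get_challenge(self):
        self.salt = os.urandom(32)  # fresh salt per challenge: no replay
        return [self.salt, "", "hmac+sha512", "hmac+sha512", self.prompt]

    def authenticate(self, response):
        with open(self.filename, "rb") as f:
            password = f.read()
        expected = hmac.new(password, self.salt, hashlib.sha512).digest()
        return hmac.compare_digest(expected, response)  # constant-time

def client_response(challenge, password):
    """Client side: answer one challenge with the password typed at its prompt."""
    salt, _, digest, _, _prompt = challenge
    if digest != "hmac+sha512":
        raise ValueError("unsupported digest %r" % digest)
    return hmac.new(password, salt, hashlib.sha512).digest()

def run_handshake(modules, answers):
    """Walk every stacked module; return (accepted, prompts shown to the client)."""
    prompts = []
    for module in modules:
        challenge = module.get_challenge()
        prompts.append(challenge[4])
        typed = answers.get(challenge[4], b"")  # what the user typed, by prompt
        if not module.authenticate(client_response(challenge, typed)):
            return False, prompts  # first failing module ends the handshake
    return True, prompts

def demo(answers):
    """Create pass1.txt/pass2.txt as in comment:1 and run one handshake."""
    d = tempfile.mkdtemp()
    modules = []
    for name, secret in (("pass1.txt", b"1234"), ("pass2.txt", b"5678")):
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(secret)  # like: echo -n 1234 > pass1.txt
        modules.append(FileAuth(path, "secret no " + name[4]))
    return run_handshake(modules, answers)
```

The handshake stops at the first module that rejects its response, so the client sees exactly as many prompts as modules it satisfied plus one.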

comment:6 Changed 7 months ago by Antoine Martin

Owner: changed from Antoine Martin to J. Max Mena

xpra attach tcp:192.168.1.138:2200 --auth=file,filename=pass1.txt --auth=file,filename=pass4.txt -d auth

That still does not make any sense. As per the examples and documentation,

the [xxx-]auth command line options only apply to bind[-xxx] options. As per comment:4, for the client you want (multiple?) password-file instead.

Turns out it's --auth=file,filename=/path/to/file and NOT --tcp-auth=file,filename=/path/to/file

No, it's not. Neither option makes any difference whatsoever to a client.

Now that I've got the syntax sorted it works.

You don't.

Also of note, when I do a Control + C at the prompt, the terminal becomes unresponsive afterwards - I can't see anything I type, and a Control + L appears to do nothing.

How do I restore input echoing in the terminal?

note the : not the , as noted in comment:4

Both should work.

comment:7 Changed 6 months ago by J. Max Mena

Resolution: fixed
Status: new → closed

I thought I had closed this last week, but I guess I forgot to hit Submit.

Firstly, I apologize for getting confused on the command string, I somehow got it in my head that we were deprecating --password-file in favor of something more modular --auth=. That was not the case. Now that I've got it figured out, the multiple auth modules is working fine for me - I've tested it with up to 4 password files, and it all works together nicely, once you feed it the correct commands.

I also double checked and --auth=file,filename= AND --auth=file:filename= both work, even when mixing them in the same command string. Probably not a fantastic idea, but it will work just fine.

Now that I've checked that and there aren't any issues other than me, I'm going to go ahead and close this ticket.

comment:8 Changed 6 months ago by Antoine Martin

Caused #1740

comment:9 Changed 4 months ago by Antoine Martin

Keywords: stackable auth added

See also: #1691, #1789, #1728, #1791.
