Xpra: Ticket #1728: multiple authentication modules per socket type

Split from #1690.

This will give us more flexibility, including the ability to authenticate with two passwords, password and dialog, etc.



Fri, 29 Dec 2017 08:04:03 GMT - Antoine Martin: status changed; milestone set

Done in r17775, r17777 + r17890 for proxy server. Minor fix in r17824.

Examples:

echo -n 1234 > pass1.txt
echo -n 5678 > pass2.txt
xpra start --start=xterm :10 -d auth \
    --bind-tcp=0.0.0.0:10000
    --tcp-auth=file:filename=pass1.txt
    --tcp-auth=file:filename=pass2.txt
xpra attach tcp://localhost:10000/

The client should prompt for the password twice.

Also added in r17776 is the ability to tell the client what we are prompting for:

xpra start --bind-tcp=0.0.0.0:10000 --tcp-auth=file:filename=password.txt,prompt='secret no 1'

Fri, 29 Dec 2017 12:43:07 GMT - Antoine Martin: owner, status changed

See also tcp wrappers: #1730


Sat, 30 Dec 2017 00:03:03 GMT - J. Max Mena: owner changed

Noted, did some quick tests with the tcp-auth:

Both machines in question are Fedora 26, client and server are 2.X r17783

and attached with xpra attach tcp:ip:2200 --tcp-auth=file:/home/max/pass1.txt --tcp-auth=file:/home/max/pass2.txt --tcp-auth=file:/home/max/pass3.txt

and the connection failed after it prompted me for a password. Is this expected behavior? I find it odd that it would ask me for a password even though I gave it the auth files it asked for, and even in the right order.


Sat, 30 Dec 2017 05:44:49 GMT - Antoine Martin: owner changed

I started a server with ...

That syntax is invalid and this is immediately obvious when you look at the server output:

Warning: failed to parse dictionary option '/home/max/pass1.txt':
 need more than 1 value to unpack

The correct syntax is auth=file,filename=/path/to/file. This is documented everywhere, including the comment:1 just above, and also in the https://xpra.org/manual.html, and wiki/Authentication.

and attached with ...

Again, that doesn't make sense, see the man page and password-file.


Thu, 04 Jan 2018 18:47:47 GMT - J. Max Mena: owner changed

Okay I finally figured this out after like 45 minutes of reading.

I started my server with:

xpra start --start=xterm :10 -d auth --bind-tcp=0.0.0.0:2200 --auth=file,filename=pass1.txt,prompt='pass1' --auth=file,filename=pass4.txt,prompt='pass4' --no-daemon --start-via-proxy=no

And attached with:

xpra attach tcp:192.168.1.138:2200 --auth=file,filename=pass1.txt --auth=file,filename=pass4.txt -d auth

Turns out it's --auth=file,filename=/path/to/file and NOT --tcp-auth=file,filename=/path/to/file. Note the lack of a tcp-.

Now that I've got the syntax sorted it works.

However I have to bother you with this ticket again.

BUT, I typed "exit" into the wrong xterm and as such lost my only xterm in the connected session. Trying to run xpra stop :10 --auth=file,filename=pass1.txt --auth=file,filename=pass4.txt in another terminal that was SSH'd into the server in question failed with the output (from -d auth via a second attempt)

[max@Vorfuehreffekt ~]$ xpra stop :10 --auth=file,filename=pass1.txt --auth=file,filename=pass4.txt -d auth
processing challenge: ['&\xad\xf3\xc8\xdaXBK\x07^\xab\xea1\xec\xde\t`\x0e]\x02\x95\x05\xdb\x1ap\xbe\x0c\xc2@<\x9e,\xdd\xe3\x14\xaf\xf7f;z\xd7\x89\xd4&=\xd7\xad\x96\x87}\xa5S\x06\x10\xf0\x93\xd3\xb2?%\xc0\xde\xa7\xe1', '', 'hmac+sha512', 'hmac+sha512', 'pass1']
load_password() existing value found: False
load_password() PASSWORD_PROMPT=True, isatty=True
stdin isatty, using password prompt

Is there a typo there?

Also of note, when I do a Control + C the prompt, the terminal becomes unresponsive afterwards - I can't see anything I type, and a Control + L appears to do nothing.


I'd also like to note:

wiki/Authentication and comment:1 both have --auth=file:filename=/path/to/mypasswordfile.txt listed - note the : not the , as noted in comment:4


Fri, 05 Jan 2018 01:33:42 GMT - Antoine Martin: owner changed

xpra attach tcp:192.168.1.138:2200 --auth=file,filename=pass1.txt --auth=file,filename=pass4.txt -d auth

That still does not make any sense. As per the examples and documentation,

the [xxx-]auth command line options only apply to bind[-xxx] options. As per comment:4, for the client you want (multiple?) password-file instead.

Turns out it's --auth=file,filename=/path/to/file and NOT --tcp-auth=file,filename=/path/to/file

No, it's not. Neither option makes any difference whatsoever to a client.

Now that I've got the syntax sorted it works.

You don't.

Also of note, when I do a Control + C the prompt, the terminal becomes unresponsive afterwards - I can't see anything I type, and a Control + L appears to do nothing.

How do I restore input echoing in the terminal?

​note the : not the , as noted in comment:4

Both should work.


Tue, 09 Jan 2018 17:04:57 GMT - J. Max Mena: status changed; resolution set

I thought I had closed this last week, but I guess I forgot to hit Submit.

Firstly, I apologize for getting confused on the command string, I somehow got it in my head that we were deprecating --password-file in favor of something more modular --auth=. That was not the case. Now that I've got it figured out, the multiple auth modules is working fine for me - I've tested it with up to 4 password files, and it all works together nicely, once you feed it the correct commands.

I also double checked and --auth=file,filename= AND --auth=file:filename= both work, even when mixing them in the same command string. Probably not a fantastic idea, but it will work just fine.

Now that I've checked that and there aren't any issues other than me, I'm going to go ahead and close this ticket.


Sat, 13 Jan 2018 00:43:39 GMT - Antoine Martin:

Caused #1740


Sat, 24 Mar 2018 14:45:02 GMT - Antoine Martin: keywords set

See also: #1691, #1789, #1728, #1791.


Sat, 23 Jan 2021 05:32:12 GMT - migration script:

this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/1728