
Opened 3 weeks ago

Closed 3 weeks ago

#1730 closed enhancement (fixed)

tcp wrappers authentication module

Reported by: Antoine Martin
Owned by: J. Max Mena
Priority: major
Milestone: 2.3
Component: server
Version: 2.2.x
Keywords:
Cc:

Description

Follow up from #1728: now we can add TCP Wrapper support without needing new command line options.

Change History (5)

comment:1 Changed 3 weeks ago by Antoine Martin

Owner: changed from Antoine Martin to J. Max Mena

Done in r17779.

To test, blacklist a subnet, i.e.:

echo "ALL: 192.168.1.0/255.255.255.0" >> /etc/hosts.deny

Then tell the server to use the "hosts" authentication module:

xpra start --bind-tcp=0.0.0.0:10000 --start=xterm :10 --tcp-auth=hosts -d auth

Then try to connect from that subnet; the connection should fail.
Connections from other subnets should still work.

As per #1728, this can be combined with other authentication modules (i.e. password).

comment:2 Changed 3 weeks ago by J. Max Mena

Owner: changed from J. Max Mena to Antoine Martin

Before I close this (appears to work just fine for me), I have a quick question:

Does this apply to the proxy server as well?


For future reference to myself or anyone else that stumbles across this:

The /etc/hosts.allow file will OVERRIDE the /etc/hosts.deny file - useful for only allowing a certain range of IPs to connect, and a very quick way to test this ticket.
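
The lookup order behind the two comments above, as an added example that is not part of the ticket or of xpra's code: a simplified Python model of the hosts_access(5) decision (a match in hosts.allow grants access, otherwise a match in hosts.deny denies it, otherwise access is granted). The daemon name `xpra`, the allow entry 192.168.1.50 and the helper names are assumptions; only IPv4 `ALL`, exact-address, prefix and net/mask client patterns are handled.

```python
import ipaddress
import re

# hosts.deny line taken from the ticket; the hosts.allow line is constructed.
HOSTS_DENY = "ALL: 192.168.1.0/255.255.255.0\n"
HOSTS_ALLOW = "ALL: 192.168.1.50   # constructed: one admin workstation\n"

def client_matches(pattern, addr):
    """Match one client pattern against an IPv4 address string."""
    if pattern == "ALL":
        return True
    if "/" in pattern:  # net/mask form, as used in the ticket
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):  # prefix form, e.g. "192.168.1."
        return addr.startswith(pattern)
    return pattern == addr  # exact address

def listed(rules, daemon, addr):
    """True if any 'daemon_list : client_list' line matches daemon and client."""
    for line in rules.splitlines():
        fields = line.split("#", 1)[0].split(":")
        if len(fields) < 2:
            continue  # blank line or comment
        daemons = re.split(r"[\s,]+", fields[0].strip())
        clients = re.split(r"[\s,]+", fields[1].strip())
        if ("ALL" in daemons or daemon in daemons) and any(
            client_matches(c, addr) for c in clients
        ):
            return True
    return False

def access_granted(allow_rules, deny_rules, addr, daemon="xpra"):
    """Apply the hosts_access(5) order: allow file, then deny file, then grant."""
    if listed(allow_rules, daemon, addr):
        return True  # hosts.allow is consulted first, so it overrides hosts.deny
    if listed(deny_rules, daemon, addr):
        return False
    return True  # no match in either file: access is granted

if __name__ == "__main__":
    for ip in ("192.168.1.20", "192.168.1.50", "192.168.2.20"):
        print(ip, "deny only:", access_granted("", HOSTS_DENY, ip),
              "| allow + deny:", access_granted(HOSTS_ALLOW, HOSTS_DENY, ip))
```

Because the final fallback grants access, a hosts.allow entry only restricts clients when hosts.deny also carries a matching deny rule.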

comment:3 Changed 3 weeks ago by J. Max Mena

Side note:

You can actually edit the /etc/hosts.deny and /etc/hosts.allow files on the fly! That's actually quite nifty.

comment:4 Changed 3 weeks ago by Antoine Martin

Owner: changed from Antoine Martin to J. Max Mena

> Before I close this (appears to work just fine for me), I have a quick question:
> Does this apply to the proxy server as well?

This applies to any server, seamless, desktop, shadow, proxy, whatever.
The only requirement is that tcp-wrappers requires... a tcp socket. (minor fixes in r17784 + r17785 for websockets and ssl socket upgrades)

So the "hosts" authentication module can only be used with tcp-auth, ws-auth, wss-auth and ssl-auth; it will fail with the other connection types (i.e. "unix-domain" or "vsock").

comment:5 Changed 3 weeks ago by J. Max Mena

Resolution: fixed
Status: changed from new to closed

Alright, duly noted - I'll make sure to pass this along.
