Changes between Version 6 and Version 7 of Authentication

Timestamp:

11/07/13 05:03:56 (8 years ago)

Author:

Antoine Martin

Comment:

--

Authentication

@@ -3 +3 @@
 {{{#!div class="box"
 == Introduction ==
-The documentation here applies to version 0.11 and later. Older versions only support the "{{{--password-file}}}" authentication.
+The documentation here applies to version 0.11 and later. Older versions only support the "{{{--password-file}}}" authentication mode.
 
 When using ssh to connect to a server, [/wiki/Encryption] and authentication can be skipped.
 
 Xpra's authentication modules can be useful for:
-* when using TCP sockets
-* when making the unix domain socket accessible to other users
-* when using the [/wiki/ProxyServer Proxy Server] mode
+* securing TCP sockets
+* making the unix domain socket accessible to other users safely
+* using the [/wiki/ProxyServer Proxy Server] mode
 }}}
 
@@ -25 +25 @@
 * {{{sys}}} is a virtual module which will choose win32 or pam
 }}}
+
+{{{#!div class="box"
+== Password File ==
+
+When used without the [/wiki/ProxyServer Proxy Server], the password file can contain a simple password in plain text.
+[[BR]]
+See [/ProxyServer#FileAuthenticationExtras proxy server file authentication] for more advanced usage.
+}}}
+
+{{{#!div class="box"
+== Security Considerations ==
+
+* the password is never sent in plain text over the wire, the authentication modes that require the password to be sent to the server unhashed ({{{sys}}}: {{{pam}}} and {{{win32}}}) will refuse to run without [/wiki/Encryption Encryption]
+* when used over TCP sockets, password authentication is vulnerable to man-in-the-middle attacks where an attacker could intercept the initial exchange and use the stolen authentication challenge to access the session, [/wiki/Encryption Encryption] prevents that
+* the client does not verify the authenticity of the server, [/wiki/Encryption Encryption] does
+}}}