Version 5 (modified by Antoine Martin, 6 years ago)

Authentication

The documentation here applies to version 0.11 and later. Older versions only support the "--password-file" authentication.

When using ssh to connect to a server, encryption (see wiki/Encryption) and authentication can be skipped.

Xpra's authentication modules can be useful:

  • when using TCP sockets
  • when making the unix domain socket accessible to other users
  • when using the Proxy Server mode

Modules

The authentication module used is specified using the "--auth=MODULE" switch.
Here are the modules that can be used:

  • allow: always allows the user to log in - dangerous / only for testing
  • fail: always fails authentication - useful for testing
  • file: looks up usernames and passwords in the password file (more on that below)
  • pam: Linux PAM authentication
  • win32: win32security authentication
  • sys: a virtual module which will choose win32 or pam

File Authentication

When using the "file_auth" module, one must specify the extra command line argument "--password-file=FILENAME" to point to the authentication data.

When this file is used without the Proxy Server, one can simply place the password to use directly in that file.

File Authentication with the Proxy Server

When used with the proxy server, the password file should contain one user per line using the format:

USERNAME|PASSWORD|UID|GID|SESSION_URI|ENV_VARS|SESSION_OPTIONS

Details:

  • USERNAME and PASSWORD are used for authentication
  • UID and GID are used for the new proxy process (and can be set to nobody)
  • SESSION_URI is the usual xpra connection string of the actual target session, i.e.:
    tcp:HOST:PORT
    
    or
    ssh:HOST:DISPLAY
    
  • ENV_VARS is an optional attribute which can contain ";" separated name-value pairs which will affect the environment of the new process spawned after authentication.
  • SESSION_OPTIONS is an optional attribute which can contain ";" separated name-value pairs which will override the client's connection settings and apply to the connection between the proxy and the real server only.
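
An added example, not part of the xpra code base or of this wiki page: a Python check that parses the proxy password file format described above and flags entries that would run the proxy process as root, as well as a file mode that exposes the plaintext passwords to other users. The name=value syntax inside ENV_VARS and SESSION_OPTIONS, the function names and the sample entries are assumptions made for illustration.

```python
import os
import stat

# Field order as given on this page; the last two fields are optional.
FIELDS = "username password uid gid session_uri env_vars session_options".split()

# Constructed sample entries (not real accounts, hosts or options).
SAMPLE = (
    "alice|s3cret|nobody|nobody|tcp:192.0.2.10:10000|LANG=C;TZ=UTC|OPTION=value\n"
    "bob|hunter2|0|0|ssh:192.0.2.11:100\n"
    "carol|pw|nobody\n"
)

def parse_pairs(text):
    """Split ';' separated pairs; the name=value syntax is an assumption."""
    items = [p.strip().partition("=") for p in text.split(";") if p.strip()]
    bad = [name + value for name, sep, value in items if not (name and sep)]
    if bad:
        raise ValueError("expected name=value, got %r" % bad[0])
    return {name: value for name, _, value in items}

def parse_entry(line):
    """Parse one proxy password-file line into a dict keyed by FIELDS."""
    parts = line.rstrip("\r\n").split("|")
    if not 5 <= len(parts) <= len(FIELDS):
        raise ValueError("expected 5 to 7 '|' separated fields, got %d" % len(parts))
    entry = dict(zip(FIELDS, parts + [""] * (len(FIELDS) - len(parts))))
    # The two optional fields become dicts (empty when the field is absent).
    entry.update((k, parse_pairs(entry[k])) for k in FIELDS[5:])
    return entry

def audit_entry(entry):
    """Return warnings for one parsed entry."""
    warnings = []
    if not entry["username"] or not entry["password"]:
        warnings.append("empty username or password")
    if entry["uid"] in ("0", "root") or entry["gid"] in ("0", "root"):
        warnings.append("proxy process would run as root")
    return warnings

def audit_file(path):
    """Return (line number, warning) tuples; line 0 refers to the file itself."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    report = [(0, "mode %o allows group/other access" % mode)] if mode & 0o077 else []
    with open(path, encoding="utf-8") as f:
        for n, line in enumerate(f, 1):
            try:
                report += [(n, w) for w in audit_entry(parse_entry(line))]
            except ValueError as e:
                report.append((n, str(e)))
    return report
```

Write SAMPLE to a scratch file and pass its path to audit_file() to see the three findings: the file mode, the root UID/GID on line 2 and the short entry on line 3.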