22 | | Note: if you run this command as root, all the user sessions will be exposed. If you run it a normal user, only this user's session will be exposed. |
23 | | Once authenticated, the proxy server spawns a new process and no longer runs as root. |
| 22 | Notes: |
| 23 | * if you run this command as root, all the user sessions will be exposed |
| 24 | * if you run it a normal user, only this user's session will be exposed |
| 25 | * once authenticated, the proxy server spawns a new process and no longer runs as root |
| 26 | * the display number chosen for the proxy server is only used for identifying the proxy server and interacting with it using the regular tools ("{{{xpra info}}}", etc) |
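Review bot: the second bullet (new line 24) carries over the missing word from the old note: "if you run it a normal user" should read "if you run it as a normal user". On new line 26, "etc" would also read better as "etc.".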
| 60 | |
| 61 | {{{#!div class="box" |
| 62 | == File Authentication Example == |
| 63 | |
| 64 | * Start a proxy server on port 443 using {{{file}}} authentication (we will call this server {{{PROXYHOST}}}): |
| 65 | {{{ |
| 66 | xpra proxy :100 --bind-tcp=0.0.0.0:443 --auth=file --password-file=./xpra-auth |
| 67 | }}} |
| 68 | * Start the session we wish to access via the {{{PROXYHOST}}} (we call this {{{TARGETHOST}}} - for testing, this can be the same host as {{{PROXYHOST}}}): |
| 69 | {{{ |
| 70 | xpra start :10 --bind-tcp=0.0.0.0:10000 |
| 71 | }}} |
| 72 | * on {{{PROXYHOST}}}, add a user to the auth file pointing to {{{TARGETHOST}}} (ie: {{{192.168.1.200}}} should be {{{TARGETHOST}}}'s IP): |
| 73 | {{{ |
| 74 | echo "john|secretpassword|1000|1000|tcp:192.168.1.200:10000|EXAMPLE_ENV=VALUE|compression=0" >> ./xpra-auth |
| 75 | }}} |
| 76 | * create the password file on the client: |
| 77 | {{{ |
| 78 | echo "secretpassword" >> password.txt |
| 79 | }}} |
| 80 | * connect from the client: |
| 81 | {{{ |
| 82 | xpra attach --username=myusername --password-file=./password.txt $PROXYHOST:20000 |
| 83 | }}} |
| 84 | |
| 85 | What happens: |
| 86 | * the client connects to the proxy server |
| 87 | * the proxy server asks the client to authenticate and sends it a challenge |
| 88 | * the client responds to the challenge (see [/wiki/Authentication]) |
| 89 | * the proxy server verifies the challenge (and disconnects the user if needed) |
| 90 | * the proxy server identifies the session desired (ie: the one on {{{TARGETHOST}}}) |
| 91 | * the proxy server creates a new connection to the real server ({{{TARGETHOST}}}), applying any options specified (ie: "{{{compression=0}}}" will disable compression between the proxy and server) |
| 92 | * the proxy server spawns a new process |
| 93 | * the new proxy process changes its uid and gid to non-root (if needed) |
| 94 | * the packets should now flow through between the client and the real server |
| 95 | }}} |
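Review bot: the client command on new line 82 does not match the setup earlier in the example. The proxy is bound with `--bind-tcp=0.0.0.0:443` but the client attaches to `$PROXYHOST:20000`, and the auth file entry is for `john` while the client passes `--username=myusername`. As written, the connection would not reach the proxy or would fail authentication, so the client line should use port 443 and `--username=john`. Two further points are worth a sentence in the example. The `TARGETHOST` session on line 70 is started with `--bind-tcp=0.0.0.0:10000` and no auth option, so it is reachable directly without the proxy's authentication unless it is bound to an address that only `PROXYHOST` can reach or given its own authentication. The `echo ... >>` commands on lines 74 and 78 append plaintext passwords to files without mentioning file permissions. On line 78, `>` would avoid leaving an older password line in `password.txt`.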