[winswitch] Unable to authenticate to xpra proxy
Eric Grammatico
e.grammatico at gmail.com
Thu Jul 28 15:17:33 BST 2016
Hi Antoine,
I have followed your suggestion to make a test with the last Beta for Centos 7. Thanks to this I made some progress. Now the server sees client connexion attempt.
Please find below logs from client side:
$> xpra attach --username=eric --auth=env tcp:xspice.local:10000
2016-07-28 15:23:23,425 Xpra gtk2 client version 1.0-r13105 64-bit
2016-07-28 15:23:23,425 running on Linux Fedora 23 TwentyThree
2016-07-28 15:23:23,426 Warning: failed to import opencv:
2016-07-28 15:23:23,426 No module named cv2
2016-07-28 15:23:23,426 webcam forwarding is disabled
2016-07-28 15:23:23,623 GStreamer version 1.6 for Python 2.7 64-bit
-:6: error: unexpected character ':', expected character '}'
-:6: error: unexpected character ':', expected character '}'
2016-07-28 15:23:24,180 PyOpenGL warning: missing accelerate module
2016-07-28 15:23:24,184 OpenGL enabled with Gallium 0.4 on NV96
2016-07-28 15:23:24,726 detected keyboard: rules=evdev, model=pc105, layout=fr
2016-07-28 15:23:24,728 desktop size is 1680x1050 with 1 screen:
2016-07-28 15:23:24,728 :0.0 (444x277 mm - DPI: 96x96) workarea: 1680x1016
2016-07-28 15:23:24,728 monitor 1 (474x296 mm - DPI: 90x90)
2016-07-28 15:23:44,703 connection timed out
2016-07-28 15:23:44,716 Connection lost
logs from poxy:
$> xpra proxy :100 --daemon=no --bind-tcp=0.0.0.0:10000 --tcp-auth=multifile:filename=/home/proxy/.xpra/proxy_auth
Warning: invalid option: 'shadow-fullscreen'
2016-07-28 13:23:16,914 created unix domain socket: /root/.xpra/xpra_proxy-100
2016-07-28 13:23:18,187 html server unavailable, cannot find websockify module
2016-07-28 13:23:18,234 xpra proxy version 1.0-runknown 64-bit
2016-07-28 13:23:18,235 running with pid 22 on Linux 4.4.6-300.fc23.x86_64
2016-07-28 13:23:18,235 connected to X11 display :100
2016-07-28 13:23:18,236 xpra is ready.
2016-07-28 13:23:24,474 New tcp connection received from 192.168.122.1:52220
2016-07-28 13:23:24,482 Authentication required by multi password file authenticator module
2016-07-28 13:23:24,485 sending challenge for 'eric' using hmac digest
Warning: invalid option: 'shadow-fullscreen'
desc={'local': False, 'host': '172.19.0.2', 'display_name': 'tcp:172.19.0.2:10000', 'port': 10000, 'type': 'tcp'}
2016-07-28 13:23:25,577 read thread of None has not yet exited (timeout=0.6)
2016-07-28 13:23:25,578 some network IO threads have failed to terminate!
Traceback (most recent call last):
File "/usr/lib64/python2.7/multiprocessing/queues.py", line 266, in _feed
send(obj)
IOError: [Errno 32] Broken pipe
Logs from the server:
xpra --daemon=no start :100 --bind-tcp=0.0.0.0:10000 --exit-with-children --start-child=${XPRADIR}/xpra_child.sh
Warning: invalid option: 'shadow-fullscreen'
X.Org X Server 1.17.2
Release Date: 2015-06-16
X Protocol Version 11, Revision 0
Build Operating System: 2.6.32-220.17.1.el6.x86_64
Current Operating System: Linux rdisp_eric 4.4.6-300.fc23.x86_64 #1 SMP Wed Mar 16 22:10:37 UTC 2016 x86_64
Kernel command line: BOOT_IMAGE=/vmlinuz-4.4.6-300.fc23.x86_64 root=/dev/mapper/fedora-root ro rd.lvm.lv=fedora/root rd.lvm.lv=fedora/swap rhgb quiet LANG=fr_FR.UTF-8
Build Date: 20 November 2015 02:44:25PM
Build ID: xorg-x11-server 1.17.2-10.el7
Current version of pixman: 0.32.6
Before reporting problems, check http://wiki.x.org
to make sure that you have the latest version.
Markers: (--) probed, (**) from config file, (==) default setting,
(++) from command line, (!!) notice, (II) informational,
(WW) warning, (EE) error, (NI) not implemented, (??) unknown.
(++) Log file: "/home/rdisp/.xpra/Xorg.:100.log", Time: Thu Jul 28 13:57:48 2016
(++) Using config file: "/etc/xpra/xorg.conf"
(==) Using system config directory "/usr/share/X11/xorg.conf.d"
2016-07-28 13:57:49,298 created unix domain socket: /home/rdisp/.xpra/rdisp_eric-100
2016-07-28 13:57:57,254 html server unavailable, cannot find websockify module
2016-07-28 13:57:57,698 started command '/home/rdisp/.xpra/xpra_child.sh' with pid 391
2016-07-28 13:57:57,701 xpra X11 version 1.0-runknown 64-bit
2016-07-28 13:57:57,702 running with pid 364 on Linux 4.4.6-300.fc23.x86_64
2016-07-28 13:57:57,702 connected to X11 display :100
2016-07-28 13:57:57,789 xpra is ready.
2016-07-28 13:58:49,931 New tcp connection received from 172.19.0.3:38970
Regarding the new URL format to attach from the client (eg: tcp/username:password at IPADDRESS:PORT), will it be supported in the multifile authentication module ? the auth file could looks like this:
eric|bonjour|1000|1000|tcp/eric:bonjour at 172.19.0.2:10000|EXAMPLE_ENV=VALUE|compression=0
This way, the servers are proxied, but still secured with password to avoid direct connexion from the local area.
Thanks and best regards,
-
_/) Eric Grammatico.
27 juillet 2016 17:09 "Antoine Martin" <antoine at nagafix.co.uk> a écrit:
> On 27/07/16 21:08, Eric Grammatico wrote:
>
>> Hello There,
>>
>> I am evaluating xpra proxy feature, and I am desperately trying to setup authentication. Here is
>> commands launch from client side and logs:
>>
>> [eric at lys ~]$ export XPRA_PASSWORD="bonjour"
>> [eric at lys ~]$ xpra attach --username=eric --tcp-auth=env tcp:192.168.122.125:10000
>
> FYI: authentication modules are used to verify client authentication
> tokens, they are not used by the client.
> Client side, use the "password-file" option, or the XPRA_PASSWORD
> environment variable.
>
> Newer versions will also support this form:
> xpra attach tcp/username:password at IPADDRESS:PORT
>
>> 2016-07-27 16:01:37,203 Xpra gtk2 client version 0.17.4-r12942
>> 2016-07-27 16:01:37,203 running on Linux Fedora 23 Twenty Three
>> 2016-07-27 16:01:37,203 Warning: failed to import opencv:
>> 2016-07-27 16:01:37,204 No module named cv2
>> 2016-07-27 16:01:37,204 webcam forwarding is disabled
>> 2016-07-27 16:01:37,389 GStreamer version 1.6 for Python 2.7
>> -:6: error: unexpected character ':', expected character '}'
>> -:6: error: unexpected character ':', expected character '}'
>
> That's odd, can you please post the output of:
> xpra _sound_query
>
>> 2016-07-27 16:01:37,894 OpenGL_accelerate module loaded
>> 2016-07-27 16:01:37,901 Warning: OpenGL windows will be clamped to the maximum texture size
>> 8192x8192
>> 2016-07-27 16:01:37,901 for OpenGL 3.0 renderer 'Gallium 0.4 on NV96'
>> 2016-07-27 16:01:37,901 OpenGL enabled with Gallium 0.4 on NV96
>> 2016-07-27 16:01:41,744 detected keyboard: rules=evdev, model=pc105, layout=fr
>> 2016-07-27 16:01:41,745 desktop size is 1680x1050 with 1 screen:
>> 2016-07-27 16:01:41,745 :0.0 (444x277 mm - DPI: 96x96) workarea: 1680x1016
>> 2016-07-27 16:01:41,745 monitor 1 (474x296 mm - DPI: 90x90)
>> 2016-07-27 16:01:42,221 server failure: disconnected before the session could be established
>> 2016-07-27 16:01:42,221 server requested disconnect: session not found error (no sessions found)
>
> "no sessions found" is quite likely to be caused by this bug:
> http://xpra.org/trac/ticket/1264
>
>> 2016-07-27 16:01:42,241 Connection lost
>> And commands from proxy side and logs:
>> [root at xpra_proxy /]# cat /home/proxy/.xpra/proxy_auth
>> eric|bonjour|1000|1000|tcp:172.19.0.3:10000|EXAMPLE_ENV=VALUE|compression=0
>> [root at xpra_proxy /]# /home/proxy/.xpra/start_xpra.sh
>> 2016-07-27 14:00:41,225 created unix domain socket: /root/.xpra/xpra_proxy-100
>> 2016-07-27 14:00:42,604 xpra proxy version 0.17.4-r12942
>> 2016-07-27 14:00:42,605 running with pid 42 on Linux CentOS Linux 7.2.1511 Core
>> 2016-07-27 14:00:42,606 on display :100
>> 2016-07-27 14:00:42,607 xpra is ready.
>> 2016-07-27 14:01:40,725 New tcp connection received from 192.168.122.1:48496
>> 2016-07-27 14:01:40,740 Authentication required by multi password file authenticator module
>> 2016-07-27 14:01:40,744 sending challenge for 'eric' using hmac digest
>>
>> If I try to type a stupid password on client side:
>> [eric at lys ~]$ export XPRA_PASSWORD="stupid"
>> [eric at lys ~]$ xpra attach --username=eric --tcp-auth=env tcp:192.168.122.125:10000
>> 2016-07-27 16:05:52,185 Xpra gtk2 client version 0.17.4-r12942
>> 2016-07-27 16:05:52,185 running on Linux Fedora 23 Twenty Three
>> 2016-07-27 16:05:52,185 Warning: failed to import opencv:
>> 2016-07-27 16:05:52,185 No module named cv2
>> 2016-07-27 16:05:52,185 webcam forwarding is disabled
>> 2016-07-27 16:05:52,413 GStreamer version 1.6 for Python 2.7
>> -:6: error: unexpected character ':', expected character '}'
>> -:6: error: unexpected character ':', expected character '}'
>> 2016-07-27 16:05:53,234 OpenGL_accelerate module loaded
>> 2016-07-27 16:05:53,240 Warning: OpenGL windows will be clamped to the maximum texture size
>> 8192x8192
>> 2016-07-27 16:05:53,240 for OpenGL 3.0 renderer 'Gallium 0.4 on NV96'
>> 2016-07-27 16:05:53,241 OpenGL enabled with Gallium 0.4 on NV96
>> 2016-07-27 16:05:57,209 detected keyboard: rules=evdev, model=pc105, layout=fr
>> 2016-07-27 16:05:57,210 desktop size is 1680x1050 with 1 screen:
>> 2016-07-27 16:05:57,211 :0.0 (444x277 mm - DPI: 96x96) workarea: 1680x1016
>> 2016-07-27 16:05:57,211 monitor 1 (474x296 mm - DPI: 90x90)
>> 2016-07-27 16:05:58,688 server failure: disconnected before the session could be established
>> 2016-07-27 16:05:58,689 server requested disconnect: invalid challenge response
>> 2016-07-27 16:05:58,725 Connection lost
>
> Good debugging. Changing the password does make a difference.
>
>> And form proxy side:
>> 2016-07-27 14:05:56,188 New tcp connection received from 192.168.122.1:48528
>> 2016-07-27 14:05:56,210 Authentication required by multi password file authenticator module
>> 2016-07-27 14:05:56,210 sending challenge for 'eric' using hmac digest
>> 2016-07-27 14:05:56,683 Error: hmac password challenge for 'eric' does not match
>> 2016-07-27 14:05:56,684 Error: authentication failed
>> 2016-07-27 14:05:56,685 invalid challenge response
>> 2016-07-27 14:05:57,687 Disconnecting client 192.168.122.1:48528:
>> 2016-07-27 14:05:57,688 invalid challenge response
>> 2016-07-27 14:05:57,691 Connection lost
>>
>> The xpra server 172.19.0.3 has never seen any connexion attempt.... any support welcome.
>
> So, this bug:
> http://xpra.org/trac/ticket/1264
> was fixed a few days ago and has already been applied to the v0.17.x
> branch, it will be included in the 0.17.5 release.
>
> In the meantime, you can try a newer beta build:
> http://xpra.org/beta
> or downgrade to the 0.14.x LTS branch, which should be immune to this
> particular regression.
>
> Cheers
> Antoine
>
>> thanks and best regards,
>>
>> -
>> _/) Eric Grammatico.
>> _______________________________________________
>> shifter-users mailing list
>> shifter-users at lists.devloop.org.uk
>> http://lists.devloop.org.uk/mailman/listinfo/shifter-users
>
> _______________________________________________
> shifter-users mailing list
> shifter-users at lists.devloop.org.uk
> http://lists.devloop.org.uk/mailman/listinfo/shifter-users
More information about the shifter-users
mailing list