[winswitch] Unable to authenticate to xpra proxy

Antoine Martin antoine at nagafix.co.uk
Thu Jul 28 15:54:46 BST 2016


On 28/07/16 21:17, Eric Grammatico wrote:
> Hi Antoine,
> 
> I have followed your suggestion to make a test with the last Beta for Centos 7. Thanks to this I made some progress. Now the server sees client connexion attempt.
> 
> Please find below logs from client side:
> $> xpra attach --username=eric --auth=env tcp:xspice.local:10000
As per my previous reply: "--auth" does not do anything for the client.

> 2016-07-28 15:23:23,425 Xpra gtk2 client version 1.0-r13105 64-bit
> 2016-07-28 15:23:23,425  running on Linux Fedora 23 TwentyThree
> 2016-07-28 15:23:23,426 Warning: failed to import opencv:
> 2016-07-28 15:23:23,426  No module named cv2
> 2016-07-28 15:23:23,426  webcam forwarding is disabled
> 2016-07-28 15:23:23,623 GStreamer version 1.6 for Python 2.7 64-bit
> -:6: error: unexpected character ':', expected character '}'
> -:6: error: unexpected character ':', expected character '}'
Still not sure where this is from.
The output "xpra _sound_query" that you sent doesn't contain it, so this
must be coming from somewhere else.

(snip)
> 2016-07-28 13:23:24,482 Authentication required by multi password file authenticator module
> 2016-07-28 13:23:24,485  sending challenge for 'eric' using hmac digest
> Warning: invalid option: 'shadow-fullscreen'
This warning is probably due to an old /etc/xpra/xpra.conf laying
around. Make sure to install the latest one that comes with the RPM
package. (maybe it was installed as rpmnew?)

> desc={'local': False, 'host': '172.19.0.2', 'display_name': 'tcp:172.19.0.2:10000', 'port': 10000, 'type': 'tcp'}
> 2016-07-28 13:23:25,577 read thread of None has not yet exited (timeout=0.6)
> 2016-07-28 13:23:25,578 some network IO threads have failed to terminate!
> Traceback (most recent call last):
>   File "/usr/lib64/python2.7/multiprocessing/queues.py", line 266, in _feed
>     send(obj)
> IOError: [Errno 32] Broken pipe
There was a problem with the naming of the RPM packages in the beta
area, so you may have ended up downloading an older build. Sorry about that.
The latest version does include the fix for this particular bug,
included right at the top:
http://xpra.org/trac/ticket/1264

Please try downloading again, you may have to:
yum remove xpra xpra-common
yum clean all
Before you yum install again.
The package file should have today's date in the filename.

(snip)
> Regarding the new URL format to attach from the client (eg: tcp/username:password at IPADDRESS:PORT), will it be supported in the multifile authentication module ?
Not yet, but this could be added. Please file a ticket.

> the auth file could looks like this:
> eric|bonjour|1000|1000|tcp/eric:bonjour at 172.19.0.2:10000|EXAMPLE_ENV=VALUE|compression=0
> This way, the servers are proxied, but still secured with password to avoid direct connexion from the local area.
You can achieve this already by adding your username and password to the
session options (where compression=0 is set). ie:
eric|bonjour|1000|1000|172.19.0.2:10000|EXAMPLE_ENV=VALUE|username=eric,password=bonjour,compression=0

Cheers
Antoine

> Thanks and best regards,
> 
> -
> _/) Eric Grammatico.
> 27 juillet 2016 17:09 "Antoine Martin" <antoine at nagafix.co.uk> a écrit:
>> On 27/07/16 21:08, Eric Grammatico wrote:
>>
>>> Hello There,
>>>
>>> I am evaluating xpra proxy feature, and I am desperately trying to setup authentication. Here is
>>> commands launch from client side and logs:
>>>
>>> [eric at lys ~]$ export XPRA_PASSWORD="bonjour"
>>> [eric at lys ~]$ xpra attach --username=eric --tcp-auth=env tcp:192.168.122.125:10000
>>
>> FYI: authentication modules are used to verify client authentication
>> tokens, they are not used by the client.
>> Client side, use the "password-file" option, or the XPRA_PASSWORD
>> environment variable.
>>
>> Newer versions will also support this form:
>> xpra attach tcp/username:password at IPADDRESS:PORT
>>
>>> 2016-07-27 16:01:37,203 Xpra gtk2 client version 0.17.4-r12942
>>> 2016-07-27 16:01:37,203 running on Linux Fedora 23 Twenty Three
>>> 2016-07-27 16:01:37,203 Warning: failed to import opencv:
>>> 2016-07-27 16:01:37,204 No module named cv2
>>> 2016-07-27 16:01:37,204 webcam forwarding is disabled
>>> 2016-07-27 16:01:37,389 GStreamer version 1.6 for Python 2.7
>>> -:6: error: unexpected character ':', expected character '}'
>>> -:6: error: unexpected character ':', expected character '}'
>>
>> That's odd, can you please post the output of:
>> xpra _sound_query
>>
>>> 2016-07-27 16:01:37,894 OpenGL_accelerate module loaded
>>> 2016-07-27 16:01:37,901 Warning: OpenGL windows will be clamped to the maximum texture size
>>> 8192x8192
>>> 2016-07-27 16:01:37,901 for OpenGL 3.0 renderer 'Gallium 0.4 on NV96'
>>> 2016-07-27 16:01:37,901 OpenGL enabled with Gallium 0.4 on NV96
>>> 2016-07-27 16:01:41,744 detected keyboard: rules=evdev, model=pc105, layout=fr
>>> 2016-07-27 16:01:41,745 desktop size is 1680x1050 with 1 screen:
>>> 2016-07-27 16:01:41,745 :0.0 (444x277 mm - DPI: 96x96) workarea: 1680x1016
>>> 2016-07-27 16:01:41,745 monitor 1 (474x296 mm - DPI: 90x90)
>>> 2016-07-27 16:01:42,221 server failure: disconnected before the session could be established
>>> 2016-07-27 16:01:42,221 server requested disconnect: session not found error (no sessions found)
>>
>> "no sessions found" is quite likely to be caused by this bug:
>> http://xpra.org/trac/ticket/1264
>>
>>> 2016-07-27 16:01:42,241 Connection lost
>>> And commands from proxy side and logs:
>>> [root at xpra_proxy /]# cat /home/proxy/.xpra/proxy_auth
>>> eric|bonjour|1000|1000|tcp:172.19.0.3:10000|EXAMPLE_ENV=VALUE|compression=0
>>> [root at xpra_proxy /]# /home/proxy/.xpra/start_xpra.sh
>>> 2016-07-27 14:00:41,225 created unix domain socket: /root/.xpra/xpra_proxy-100
>>> 2016-07-27 14:00:42,604 xpra proxy version 0.17.4-r12942
>>> 2016-07-27 14:00:42,605 running with pid 42 on Linux CentOS Linux 7.2.1511 Core
>>> 2016-07-27 14:00:42,606 on display :100
>>> 2016-07-27 14:00:42,607 xpra is ready.
>>> 2016-07-27 14:01:40,725 New tcp connection received from 192.168.122.1:48496
>>> 2016-07-27 14:01:40,740 Authentication required by multi password file authenticator module
>>> 2016-07-27 14:01:40,744 sending challenge for 'eric' using hmac digest
>>>
>>> If I try to type a stupid password on client side:
>>> [eric at lys ~]$ export XPRA_PASSWORD="stupid"
>>> [eric at lys ~]$ xpra attach --username=eric --tcp-auth=env tcp:192.168.122.125:10000
>>> 2016-07-27 16:05:52,185 Xpra gtk2 client version 0.17.4-r12942
>>> 2016-07-27 16:05:52,185 running on Linux Fedora 23 Twenty Three
>>> 2016-07-27 16:05:52,185 Warning: failed to import opencv:
>>> 2016-07-27 16:05:52,185 No module named cv2
>>> 2016-07-27 16:05:52,185 webcam forwarding is disabled
>>> 2016-07-27 16:05:52,413 GStreamer version 1.6 for Python 2.7
>>> -:6: error: unexpected character ':', expected character '}'
>>> -:6: error: unexpected character ':', expected character '}'
>>> 2016-07-27 16:05:53,234 OpenGL_accelerate module loaded
>>> 2016-07-27 16:05:53,240 Warning: OpenGL windows will be clamped to the maximum texture size
>>> 8192x8192
>>> 2016-07-27 16:05:53,240 for OpenGL 3.0 renderer 'Gallium 0.4 on NV96'
>>> 2016-07-27 16:05:53,241 OpenGL enabled with Gallium 0.4 on NV96
>>> 2016-07-27 16:05:57,209 detected keyboard: rules=evdev, model=pc105, layout=fr
>>> 2016-07-27 16:05:57,210 desktop size is 1680x1050 with 1 screen:
>>> 2016-07-27 16:05:57,211 :0.0 (444x277 mm - DPI: 96x96) workarea: 1680x1016
>>> 2016-07-27 16:05:57,211 monitor 1 (474x296 mm - DPI: 90x90)
>>> 2016-07-27 16:05:58,688 server failure: disconnected before the session could be established
>>> 2016-07-27 16:05:58,689 server requested disconnect: invalid challenge response
>>> 2016-07-27 16:05:58,725 Connection lost
>>
>> Good debugging. Changing the password does make a difference.
>>
>>> And form proxy side:
>>> 2016-07-27 14:05:56,188 New tcp connection received from 192.168.122.1:48528
>>> 2016-07-27 14:05:56,210 Authentication required by multi password file authenticator module
>>> 2016-07-27 14:05:56,210 sending challenge for 'eric' using hmac digest
>>> 2016-07-27 14:05:56,683 Error: hmac password challenge for 'eric' does not match
>>> 2016-07-27 14:05:56,684 Error: authentication failed
>>> 2016-07-27 14:05:56,685 invalid challenge response
>>> 2016-07-27 14:05:57,687 Disconnecting client 192.168.122.1:48528:
>>> 2016-07-27 14:05:57,688 invalid challenge response
>>> 2016-07-27 14:05:57,691 Connection lost
>>>
>>> The xpra server 172.19.0.3 has never seen any connexion attempt.... any support welcome.
>>
>> So, this bug:
>> http://xpra.org/trac/ticket/1264
>> was fixed a few days ago and has already been applied to the v0.17.x
>> branch, it will be included in the 0.17.5 release.
>>
>> In the meantime, you can try a newer beta build:
>> http://xpra.org/beta
>> or downgrade to the 0.14.x LTS branch, which should be immune to this
>> particular regression.
>>
>> Cheers
>> Antoine
>>
>>> thanks and best regards,
>>>
>>> -
>>> _/) Eric Grammatico.
>>> _______________________________________________
>>> shifter-users mailing list
>>> shifter-users at lists.devloop.org.uk
>>> http://lists.devloop.org.uk/mailman/listinfo/shifter-users
>>
>> _______________________________________________
>> shifter-users mailing list
>> shifter-users at lists.devloop.org.uk
>> http://lists.devloop.org.uk/mailman/listinfo/shifter-users
> _______________________________________________
> shifter-users mailing list
> shifter-users at lists.devloop.org.uk
> http://lists.devloop.org.uk/mailman/listinfo/shifter-users
> 




More information about the shifter-users mailing list