[winswitch] unix authentication for TCP sessions?

Antoine Martin antoine at nagafix.co.uk
Mon Nov 21 15:53:00 GMT 2016


On 21/11/16 22:45, Thomas Esposito via shifter-users wrote:
> First some background info...
> 
> I've been using Xpra at work. I have a RHEL 6.6 virtual machine, which I
> believe uses LDAP for login authentication. I don't have root/admin
> privileges, so in order to use Xpra, I have manually extracted the contents
> of all of the required RPMs and modified my PYTHONPATH, PATH,
> LD_LIBRARY_PATH, and MANPATH variables to point to where the RPMs are
> extracted.
> 
> Since I obviously can't install anything to "/etc", I have all of the
> config files in "${HOME}/.xpra". For the beta version of xpra, this means
> that I can't install any of the files in "/etc/pam.d" (which is new to the
> 1.0 beta).
> 
> In order to get good performance on my corporate intranet, I need to use
> raw TCP with a port in the range 5900-5909 (i.e. the ports used by VNC),
> because this is prioritized on the network vs. ssh, which has very
> inconsistent network performance. I'd like to use LDAP authentication for
> my TCP sessions, but I'm not sure how to do this. I've tried setting
> "--tcp-auth=pam" on the xpra command line, but the Win32 launcher reports
> "Connection lost" when I try to connect. I get the following output in the
> server-side log file (edited to remove IP addresses and user name):
> 
> 2016-11-21 10:29:00,367 New tcp connection received from x.x.x.x:x
> 2016-11-21 10:29:00,369 Authentication required by PAM authenticator module
> 2016-11-21 10:29:00,369  sending challenge for username '<username>' using
> xor digest
> 2016-11-21 10:29:00,511 client has requested disconnection: invalid digest
> 2016-11-21 10:29:00,512 Disconnecting client x.x.x.x:x:
> 2016-11-21 10:29:00,512  client request
The client and server will refuse to send unencrypted passwords over
TCP. Unfortunately, PAM requires the actual password rather than a hash,
unlike the other plugins, which can happily use HMAC.

> Any idea how to get this working, keeping in mind the fact that I can't do
> a normal install (i.e. write to "/etc") on the server side?
If you must use PAM, use SSL or AES encryption. (see wiki for details)
If not, use a different authentication module.

Cheers
Antoine

PS: there is a magic environment variable which can be used to force
xpra to use unencrypted passwords over TCP, but I am not posting it here
as this is not a good solution.
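
The following is an added example, not part of the original email and not xpra's own code: a simplified model of the two challenge-response styles mentioned in the reply, showing why a reversible xor response is refused on an unencrypted TCP connection while an HMAC response is not. All function names and the sample password are constructed for illustration.

```python
import hashlib
import hmac
import os

SAMPLE_PASSWORD = b"constructed-sample-pw"  # constructed value, not a real credential

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))

def xor_response(password: bytes, challenge: bytes) -> bytes:
    """Client, xor scheme: mask the password with the challenge (reversible)."""
    return xor_bytes(password, challenge[:len(password)])

def unmask(response: bytes, challenge: bytes) -> bytes:
    """What the server does to obtain the cleartext PAM needs. It uses only
    the two values that crossed the connection, so the result is no more
    secret than the channel itself."""
    return xor_bytes(response, challenge[:len(response)])

def hmac_response(password: bytes, challenge: bytes) -> bytes:
    """Client, HMAC scheme: one-way proof that the password is known."""
    return hmac.new(password, challenge, hashlib.sha256).digest()

def verify_hmac(stored_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Server, HMAC scheme: needs its own copy of the secret to compare
    against, which a PAM/LDAP backend does not hand out."""
    expected = hmac.new(stored_secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    challenge = os.urandom(32)  # sent by the server in the clear
    xr = xor_response(SAMPLE_PASSWORD, challenge)
    hr = hmac_response(SAMPLE_PASSWORD, challenge)
    return {
        "xor_unmasked": unmask(xr, challenge),
        "hmac_accepts_right_secret": verify_hmac(SAMPLE_PASSWORD, challenge, hr),
        "hmac_rejects_wrong_secret": not verify_hmac(b"other", challenge, hr),
        "hmac_response_len": len(hr),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the xor response can be unmasked from values visible on the connection, it is only appropriate inside an encrypted channel such as the SSL or AES options named in the reply.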


