[winswitch] xpra 2.0 security questions

Thu Jun 1 09:04:34 BST 2017

On 01/06/17 00:22, Shane Williams via shifter-users wrote:
> After using it personally over the yeears, I've suggested my work
> install xpra for our users (particularly to replace VNC) and during
> our internal staff evaluation everyone has been impressed.  We did
> come up with a few (mostly security-related) questions.  If any of
> these would be better addressed as tickets via trac, just let me know.
> 
> 
> 1. We like that xpra defaults to SSH when you start it on linux and
> we'd like to make it impossible or at least harder for users to start
> up a server using non-secure protocols.  Is there a way to disable
> these (or even enable SSH only) via system-wide configs or in some
> other way?  Even if users could over-ride settings individually,
> creating that extra burden would discourage use of non-secure
> connections
Support for plain TCP sockets is built into the standard libraries, so
this would require a new build time switch to disable.
Please create a ticket for it.

> 2. When saving a "profile" via the launcher, passwords are stored in
> plaintext.
We could use a more obfuscated format, but ultimately the launcher will
need to be able to decipher it with the contents of the file alone..
>  At the very least, could the launcher GUI make it clear
> that saved passwords will be stored in this way?
Please suggest where to make this change.
>  Or is there a way to
> disable that, maybe even by default (not that we have much control
> over users' launcher configs)?
Not at present, but this could be added. (ticket required)

> 3. We also notice that when SSH is selected as the mode, launchers on
> some platforms remove the password field from the GUI, but others do
> not (MacOS, in particular doesn't seem to).  Is this a built in
> difference, or is it dependent on the existence of some "ask-pass"
> binary?
Password support with ssh mode requires "sshpass", except on MS Windows
which always supports it using plink's -password command line option.
sshpass is shipped on Mac OS, and it is a dependency of most of our
Linux packages, so it should generally be available.

> 3.5 As a feature request, it seems like the list of "modes" are in
> least-secure to most-secure order, with plain TCP as the default.  It
> seems like reversing this would make it a little harder for users to
> unknowingly use the non-secure mode.
Done:
http://xpra.org/trac/changeset/15984

> 4. One non-security related issue we ran into (on MacOS ad Linux) is
> that if you save a SSH profile with the Display Number ("port" in the
> config file) field blank, then restart xpra and load that profile, it
> properly selects SSH as the mode, but it fills in the Display number
> field with 14500.  I suspect this might trip up some less-savvy
> users.
Sounds like an old bug has re-surfaced, I'll take a look.

> 5. Is there a way to turn off or disable some of the "extra" features
> system-wide?  For example, we blacklist a lot of external device
> drivers, including webcams, on our managed linux systems, so rather
> than have users try to make use of that feature and get frustrated,
> we'd rather disable it on those systems.
There is a build-time switch for most things.

> Thanks for any help or suggestions you might have.

Cheers
Antoine