[winswitch] unix authentication for TCP sessions?

Thomas Esposito tmesposito00 at gmail.com
Mon Nov 21 16:22:44 GMT 2016


Ok, so it looks like I need an AES keyfile. I tried omitting
"--tcp-encryption-keyfile" from the command line, but I get a "missing
encryption tokens" error in the log. How can I generate a keyfile? Also,
how do I launch the win32 client with this keyfile (there doesn't seem to
be a way to do this in the GUI).

On Mon, Nov 21, 2016 at 10:53 AM, Antoine Martin via shifter-users <
shifter-users at lists.devloop.org.uk> wrote:

> On 21/11/16 22:45, Thomas Esposito via shifter-users wrote:
> > First some background info...
> >
> > I've been using Xpra at work. I have a RHEL 6.6 virtual machine, which I
> > believe uses LDAP for login authentication. I don't have root/admin
> > privileges, so in order to use Xpra, I have manually extracted the
> contents
> > of all of the required RPMs and modified my PYTHONPATH, PATH,
> > LD_LIBRARY_PATH, and MANPATH variables to point to where the RPMs are
> > extracted.
> >
> > Since I obviously can't install anything to "/etc", I have all of the
> > config files in "${HOME}/.xpra". For the beta version of xpra, this means
> > that I can't install any of the files in "/etc/pam.d" (which is new to
> the
> > 1.0 beta).
> >
> > In order to get good performance on my corporate intranet, I need to use
> > raw TCP with a port in the range 5900 5909 (i.e the ports used by VNC),
> > because this is prioritized on the network vs. ssh, which has very
> > inconsistent network performance. I'd like to use LDAP authentication for
> > my TCP sessions, but I'm not sure how to do this. I've tried setting
> > "--tcp-auth=pam" on the xpra command line, but the Win32 launcher reports
> > "Connection lost" when I try to connect. I get the following output in
> the
> > server-side log file (edited to remove IP addresses and user name):
> >
> > 2016-11-21 10:29:00,367 New tcp connection received from x.x.x.x:x
> > 2016-11-21 10:29:00,369 Authentication required by PAM authenticator
> module
> > 2016-11-21 10:29:00,369  sending challenge for username '<username>'
> using
> > xor digest
> > 2016-11-21 10:29:00,511 client has requested disconnection: invalid
> digest
> > 2016-11-21 10:29:00,512 Disconnecting client x.x.x.x:x:
> > 2016-11-21 10:29:00,512  client request
> The client and server will refuse to send unencrypted passwords over
> TCP, unfortunately PAM requires the actual password rather than a hash -
> unlike the other plugins which can happily use HMAC.
>
> > Any idea how to get this working, keeping in mind the fact that I can't
> do
> > a normal install (i.e. write to "/etc") on the server side?
> If you must use PAM, use SSL or AES encryption. (see wiki for details)
> If not, use a different authentication module.
>
> Cheers
> Antoine
>
> PS: there is a magic environment variable which can be used to force
> xpra to use unencrypted passwords over TCP, but I am not posting it here
> as this is not a good solution.
> _______________________________________________
> shifter-users mailing list
> shifter-users at lists.devloop.org.uk
> http://lists.devloop.org.uk/mailman/listinfo/shifter-users
>



More information about the shifter-users mailing list