[winswitch] unix authentication for TCP sessions?

Antoine Martin antoine at nagafix.co.uk
Mon Nov 21 16:30:20 GMT 2016


On 21/11/16 23:22, Thomas Esposito wrote:
> Ok, so it looks like I need an AES keyfile. I tried omitting
> "--tcp-encryption-keyfile" from the command line, but I get a "missing
> encryption tokens" error in the log. How can I generate a keyfile? Also,
> how do I launch the win32 client with this keyfile (there doesn't seem
> to be a way to do this in the GUI).
Please don't top-post.

The AES key file is just binary data, of any length. Longer and more
random is better / stronger.
Unlike SSL which relies on a chain of trust, with AES you will need to
copy the same keyfile to both client and server.

The launcher GUI does not support setting the AES keyfile, but you can
specify it in the connection file it generates. (to create one just
click save, then you can just double click on that file)

IMO: it's probably easier to go with SSL if you're not too worried about
MITM attacks and trust the self signed certificate.

Cheers
Antoine


> 
> On Mon, Nov 21, 2016 at 10:53 AM, Antoine Martin via shifter-users
> <shifter-users at lists.devloop.org.uk
> <mailto:shifter-users at lists.devloop.org.uk>> wrote:
> 
>     On 21/11/16 22:45, Thomas Esposito via shifter-users wrote:
>     > First some background info...
>     >
>     > I've been using Xpra at work. I have a RHEL 6.6 virtual machine,
>     which I
>     > believe uses LDAP for login authentication. I don't have root/admin
>     > privileges, so in order to use Xpra, I have manually extracted the
>     contents
>     > of all of the required RPMs and modified my PYTHONPATH, PATH,
>     > LD_LIBRARY_PATH, and MANPATH variables to point to where the RPMs are
>     > extracted.
>     >
>     > Since I obviously can't install anything to "/etc", I have all of the
>     > config files in "${HOME}/.xpra". For the beta version of xpra,
>     this means
>     > that I can't install any of the files in "/etc/pam.d" (which is
>     new to the
>     > 1.0 beta).
>     >
>     > In order to get good performance on my corporate intranet, I need
>     to use
>     > raw TCP with a port in the range 5900-5909 (i.e the ports used by
>     VNC),
>     > because this is prioritized on the network vs. ssh, which has very
>     > inconsistent network performance. I'd like to use LDAP
>     authentication for
>     > my TCP sessions, but I'm not sure how to do this. I've tried setting
>     > "--tcp-auth=pam" on the xpra command line, but the Win32 launcher
>     reports
>     > "Connection lost" when I try to connect. I get the following
>     output in the
>     > server-side log file (edited to remove IP addresses and user name):
>     >
>     > 2016-11-21 10:29:00,367 New tcp connection received from x.x.x.x:x
>     > 2016-11-21 10:29:00,369 Authentication required by PAM
>     authenticator module
>     > 2016-11-21 10:29:00,369  sending challenge for username
>     '<username>' using
>     > xor digest
>     > 2016-11-21 10:29:00,511 client has requested disconnection:
>     invalid digest
>     > 2016-11-21 10:29:00,512 Disconnecting client x.x.x.x:x:
>     > 2016-11-21 10:29:00,512  client request
>     The client and server will refuse to send unencrypted passwords over
>     TCP, unfortunately PAM requires the actual password rather than a hash -
>     unlike the other plugins which can happily use HMAC.
> 
>     > Any idea how to get this working, keeping in mind the fact that I can't do
>     > a normal install (i.e. write to "/etc") on the server side?
>     If you must use PAM, use SSL or AES encryption. (see wiki for details)
>     If not, use a different authentication module.
> 
>     Cheers
>     Antoine
> 
>     PS: there is a magic environment variable which can be used to force
>     xpra to use unencrypted passwords over TCP, but I am not posting it here
>     as this is not a good solution.
> 
> 
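An added example, not code from the xpra project or from either poster: a small POSIX shell helper for the key file step discussed above. It creates a key file from /dev/urandom with owner-only permissions, refuses a file that anyone else can read, and prints a SHA-256 fingerprint so the copy on the Windows client can be compared with the one on the RHEL server before it is referenced from the saved connection file. The 32-byte default length and the function names are assumptions for the example; as the reply says, xpra accepts key data of any length.

```sh
#!/bin/sh
# Added example for the xpra AES key-file discussion; not part of xpra.
# The same file must be placed on both the server (--tcp-encryption-keyfile)
# and the client, so the fingerprint is what you compare across machines.

# gen_keyfile PATH [LENGTH]
# Writes LENGTH random bytes (default 32, an assumption: any length works)
# from /dev/urandom to PATH, created mode 0600 via umask in a subshell so
# the key is never briefly world-readable and the caller's umask is untouched.
gen_keyfile() {
    path=$1
    len=${2:-32}
    ( umask 077; head -c "$len" /dev/urandom > "$path" ) || return 1
    chmod 600 "$path"
}

# check_keyfile_perms PATH
# Succeeds only if group and other have no permission bits at all.
# Parses `ls -l` columns 5-10 (group+other) for portability across sh/ls.
check_keyfile_perms() {
    perm=$(ls -l "$1" | cut -c5-10)
    [ "$perm" = "------" ]
}

# keyfile_fingerprint PATH
# SHA-256 of the key file; compare this value on client and server rather
# than pasting the key itself into chat or mail.
keyfile_fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# Usage when run directly (assumed file name; pick any path you like):
#   gen_keyfile "$HOME/.xpra/aes.key" && keyfile_fingerprint "$HOME/.xpra/aes.key"
```

Copy the file to the client by a channel you already trust (scp over SSH, or a USB stick), then run the fingerprint command on both sides; if the two hashes differ, the client will fail to authenticate regardless of how the connection file points at it.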
