[winswitch] multifile format

Antoine Martin antoine at nagafix.co.uk
Thu Sep 15 18:24:42 BST 2016


On 15/09/16 11:39, Mukul Agrawal via shifter-users wrote:
> If I want xpra proxy on machine1 to connect to xpra server on machine2 using ssh with public key authentication and no password, then how should I set it up?
I have not tested this, but SSH connections from the proxy should be
using the public key of the user running the proxy server process and
not the key of the user you authenticate as (which may not have a user
account at all on the system running the proxy).

> Public keys are already in default locations and xpra is able to attach directly from machine2 to machine 1 using standard format: xpra attach ssh:username@machine1:display.
I thought the server you wanted to connect to was "machine 2" and not
the other way around?

> But when I try to connect via proxy from client machine3, the proxy is not able to authenticate.
Have you checked your ssh server logs for an answer?

> It sends the challenge but then there is no log after that.
Please share the log sample up to that point to help clarify things.

Note: when using SSH connections, the server does not need to use
another socket authentication module. That's usually just redundant.

> I am using multifile like this :-
> username|pswd|1000|1000|ssh:machine1:display|| 
> and attach command from machine3 like this:- xpra attach tcp:username:pswd@machine2:proxyPORT
> 
> Are the usernames and passwords actually associated with login accounts on the target machine, or is their significance only with respect to multifile resolution?
It depends: if the proxy server runs as root, each proxied connection
will run as the uid and gid you defined (i.e. 1000 above).
But the connection to the backend server is made before changing uid, so
the ssh key used will not be the one of the user specified in multifile.

If you don't mind using SSH with passwords, you should be able to use
something like this (untested):
|username|pswd|1000|1000|ssh/username2:password2@machine2/display||

We could also change the code to:
* add support for ssh options to multifile, so you could specify the
keyfile for each user
* change the ordering so the connection to the backend server happens
after changing uid and gid (but this would only work with the proxy
running as root)
Feel free to create tickets for this.

> Can password be left blank for public key authentication?
That doesn't make sense: the password in multifile is for authentication
to the proxy, not to the backend server.
Unless you're trying to connect via ssh to your proxy? (but why?)

Cheers
Antoine
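
An added example, not part of the original message or of xpra's own code: a small audit of multifile entries in the layout quoted above, flagging the cases the reply discusses. The finding labels, the sample entries and the `proxy_uid` parameter are assumptions made for illustration, and the key-selection behaviour is taken from the reply, which describes it as untested.

```python
import re

# Field layout as used in the thread: username|password|uid|gid|display, then two
# trailing fields that are left empty there (their meaning is not assumed here).
# Constructed sample entries, not from a real deployment.
SAMPLE = """\
alice|pswd|1000|1000|ssh:machine1:10||
bob|pswd2|1001|1001|ssh/bob2:password2@machine2/10||
carol||1002|1002|tcp:machine1:10000||
"""

# Matches a backend string that embeds credentials: ssh/user:password@host/...
SSH_WITH_PASSWORD = re.compile(r"^ssh[:/][^:@/]+:[^@]+@")

def parse_multifile(text):
    """Return one dict per non-empty line; raise ValueError on malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        fields = line.split("|")
        if len(fields) < 5:
            raise ValueError(f"line {lineno}: expected at least 5 fields")
        username, password, uid, gid, display = fields[:5]
        entries.append({"username": username, "password": password,
                        "uid": int(uid), "gid": int(gid), "display": display})
    return entries

def audit(entries, proxy_uid):
    """Map username -> list of findings about authentication (labels are hypothetical)."""
    report = {}
    for e in entries:
        findings = []
        if not e["password"]:
            # Field 2 authenticates the client to the proxy, not to the backend.
            findings.append("blank-proxy-password")
        if e["display"].startswith("ssh"):
            if SSH_WITH_PASSWORD.match(e["display"]):
                findings.append("backend-ssh-password-in-file")
            elif e["uid"] != proxy_uid:
                # Per the reply: the backend connection is made before the
                # uid change, so the proxy process user's key is offered.
                findings.append("ssh-key-of-proxy-user-not-entry-uid")
        report[e["username"]] = findings
    return report

if __name__ == "__main__":
    for user, findings in audit(parse_multifile(SAMPLE), proxy_uid=0).items():
        print(user, findings or ["ok"])
```
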


> 
> Thanks. 
> 