From antoine at nagafix.co.uk Thu Jun 1 09:04:34 2017
From: antoine at nagafix.co.uk (Antoine Martin)
Date: Thu, 1 Jun 2017 10:04:34 +0200
Subject: [winswitch] xpra 2.0 security questions
In-Reply-To:
References:
Message-ID: <9210e1b4-c9d0-d75d-0e1a-8414a119d602@nagafix.co.uk>

On 01/06/17 00:22, Shane Williams via shifter-users wrote:
> After using it personally over the years, I've suggested my work
> install xpra for our users (particularly to replace VNC) and during
> our internal staff evaluation everyone has been impressed. We did
> come up with a few (mostly security-related) questions. If any of
> these would be better addressed as tickets via trac, just let me know.
>
>
> 1. We like that xpra defaults to SSH when you start it on linux and
> we'd like to make it impossible or at least harder for users to start
> up a server using non-secure protocols. Is there a way to disable
> these (or even enable SSH only) via system-wide configs or in some
> other way? Even if users could over-ride settings individually,
> creating that extra burden would discourage use of non-secure
> connections
Support for plain TCP sockets is built into the standard libraries, so
this would require a new build time switch to disable.
Please create a ticket for it.

> 2. When saving a "profile" via the launcher, passwords are stored in
> plaintext.
We could use a more obfuscated format, but ultimately the launcher will
need to be able to decipher it with the contents of the file alone.

> At the very least, could the launcher GUI make it clear
> that saved passwords will be stored in this way?
Please suggest where to make this change.

> Or is there a way to
> disable that, maybe even by default (not that we have much control
> over users' launcher configs)?
Not at present, but this could be added. (ticket required)

> 3. We also notice that when SSH is selected as the mode, launchers on
> some platforms remove the password field from the GUI, but others do
> not (MacOS, in particular doesn't seem to). Is this a built in
> difference, or is it dependent on the existence of some "ask-pass"
> binary?
Password support with ssh mode requires "sshpass", except on MS Windows
which always supports it using plink's -password command line option.
sshpass is shipped on Mac OS, and it is a dependency of most of our
Linux packages, so it should generally be available.

> 3.5 As a feature request, it seems like the list of "modes" are in
> least-secure to most-secure order, with plain TCP as the default. It
> seems like reversing this would make it a little harder for users to
> unknowingly use the non-secure mode.
Done:
http://xpra.org/trac/changeset/15984

> 4. One non-security related issue we ran into (on MacOS and Linux) is
> that if you save a SSH profile with the Display Number ("port" in the
> config file) field blank, then restart xpra and load that profile, it
> properly selects SSH as the mode, but it fills in the Display number
> field with 14500. I suspect this might trip up some less-savvy
> users.
Sounds like an old bug has re-surfaced, I'll take a look.

> 5. Is there a way to turn off or disable some of the "extra" features
> system-wide? For example, we blacklist a lot of external device
> drivers, including webcams, on our managed linux systems, so rather
> than have users try to make use of that feature and get frustrated,
> we'd rather disable it on those systems.
There is a build-time switch for most things.

> Thanks for any help or suggestions you might have.
Cheers
Antoine

From shanew at shanew.net Mon Jun 5 21:59:14 2017
From: shanew at shanew.net (shanew at shanew.net)
Date: Mon, 5 Jun 2017 15:59:14 -0500 (CDT)
Subject: [winswitch] xpra 2.0 security questions
In-Reply-To: <9210e1b4-c9d0-d75d-0e1a-8414a119d602@nagafix.co.uk>
References: <9210e1b4-c9d0-d75d-0e1a-8414a119d602@nagafix.co.uk>
Message-ID:

On Thu, 1 Jun 2017, Antoine Martin via shifter-users wrote:

> On 01/06/17 00:22, Shane Williams via shifter-users wrote:
>> 3. We also notice that when SSH is selected as the mode, launchers on
>> some platforms remove the password field from the GUI, but others do
>> not (MacOS, in particular doesn't seem to). Is this a built in
>> difference, or is it dependent on the existence of some "ask-pass"
>> binary?
> Password support with ssh mode requires "sshpass", except on MS Windows
> which always supports it using plink's -password command line option.
> sshpass is shipped on Mac OS, and it is a dependency of most of our
> Linux packages, so it should generally be available.

I'm not seeing sshpass (or ssh-askpass) installed on the various MacOS
systems I have access to, most of which are at 10.12 or 10.11. I'm
also seeing references that suggest ssh-askpass was removed by default
starting in Lion. But then I also see a lot of posts that seem to
think sshpass and ssh-askpass are the same thing, whereas I'm pretty
sure they're not.

Thanks for the quick response on all my questions.
-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT CompSci
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew at shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew

From antoine at nagafix.co.uk Mon Jun 5 22:03:47 2017
From: antoine at nagafix.co.uk (Antoine Martin)
Date: Mon, 5 Jun 2017 23:03:47 +0200
Subject: [winswitch] xpra 2.0 security questions
In-Reply-To:
References: <9210e1b4-c9d0-d75d-0e1a-8414a119d602@nagafix.co.uk>
Message-ID: <598010f4-a41b-51e5-5e66-144c184ee14e@nagafix.co.uk>

On 05/06/17 22:59, shanew--- via shifter-users wrote:
> On Thu, 1 Jun 2017, Antoine Martin via shifter-users wrote:
>
>> On 01/06/17 00:22, Shane Williams via shifter-users wrote:
>>> 3. We also notice that when SSH is selected as the mode, launchers on
>>> some platforms remove the password field from the GUI, but others do
>>> not (MacOS, in particular doesn't seem to). Is this a built in
>>> difference, or is it dependent on the existence of some "ask-pass"
>>> binary?
>> Password support with ssh mode requires "sshpass", except on MS Windows
>> which always supports it using plink's -password command line option.
>> sshpass is shipped on Mac OS, and it is a dependency of most of our
>> Linux packages, so it should generally be available.
>
> I'm not seeing sshpass (or ssh-askpass) installed on the various MacOS
> systems I have access to, most of which are at 10.12 or 10.11. I'm
> also seeing references that suggest ssh-askpass was removed by default
> starting in Lion. But then I also see a lot of posts that seem to
> think sshpass and ssh-askpass are the same thing, whereas I'm pretty
> sure they're not.
You're right, they're not the same.
sshpass is shipped in the application bundle, you can find it under:
Xpra.app/Contents/Resources/bin/sshpass

Cheers
Antoine

> Thanks for the quick response on all my questions.
>

From alex at alex-wood.org.uk Wed Jun 7 15:06:26 2017
From: alex at alex-wood.org.uk (Alex Wood)
Date: Wed, 7 Jun 2017 15:06:26 +0100
Subject: [winswitch] Problems with recent builds of XPRA
Message-ID: <17a5001d2df97$411c86d0$c3559470$@alex-wood.org.uk>

Hi,

I've noticed a few problems recently with xpra (just xpra, I don't use the
full winswitch package) build for both windows and linux (Ubuntu). My setup
is I use xpra to run programs from my Ubuntu 17.04 x64 server on my Windows
10 x64 Desktop. I tend to start the program via the cli on the server and
then connect to that session via windows. The Ubuntu builds that are giving
me problems are the x64 variants of builds 16025/6:

16025 - complains opengl support is missing and bombs out
16026 - says that xpra for python 2.7 is not installed and bombs out. I
tried to install xpra for python using pip, but it failed to build (problem
linking to ffmpeg).

I also notice the deb file for 16026 is quite a bit smaller than usual. I
can still get everything to work if I use build 15981 though and use
apt-mark hold xpra to stop it updating to the problematic build versions.

On Windows I have to use either x64 build 15800, as build 15924 (the one
you also use as the main download for x64 Windows) says it is corrupt when
I try and run the installer, and is only about 13Mb in size, as opposed to
the usual 55-60Mb range. I was just wondering if this is just a temporary
glitch, or if there is a new dependency or something that I've missed and
need to download for these builds?

Thanks for your help.

Alex

From raines at nmr.mgh.harvard.edu Wed Jun 7 17:00:19 2017
From: raines at nmr.mgh.harvard.edu (Paul Raines)
Date: Wed, 7 Jun 2017 12:00:19 -0400 (EDT)
Subject: [winswitch] yum repo for EL 6.9 is broken
Message-ID:

The yum repo at http://winswitch.org/dists/CentOS/6.9/x86_64/ is broken
missing many packages required like libvpx.
I have to use
http://winswitch.org/dists/CentOS/6.8/x86_64/ on my 6.9 machines

---------------------------------------------------------------
Paul Raines                     http://help.nmr.mgh.harvard.edu
MGH/MIT/HMS Athinoula A. Martinos Center for Biomedical Imaging
149 (2301) 13th Street     Charlestown, MA 02129            USA

The information in this e-mail is intended only for the person to whom it is
addressed. If you believe this e-mail was sent to you in error and the e-mail
contains patient information, please contact the Partners Compliance HelpLine at
http://www.partners.org/complianceline . If the e-mail was sent to you in error
but does not contain patient information, please contact the sender and properly
dispose of the e-mail.

From antoine at nagafix.co.uk Wed Jun 7 21:15:26 2017
From: antoine at nagafix.co.uk (Antoine Martin)
Date: Wed, 7 Jun 2017 22:15:26 +0200
Subject: [winswitch] Problems with recent builds of XPRA
In-Reply-To: <17a5001d2df97$411c86d0$c3559470$@alex-wood.org.uk>
References: <17a5001d2df97$411c86d0$c3559470$@alex-wood.org.uk>
Message-ID:

On 07/06/17 16:06, Alex Wood via shifter-users wrote:
> Hi,
>
> I've noticed a few problems recently with xpra (just xpra, I don't use the
> full winswitch package) build for both windows and linux (Ubuntu). My setup
> is I use xpra to run programs from my Ubuntu 17.04 x64 server on my Windows
> 10 x64 Desktop. I tend to start the program via the cli on the server and
> then connect to that session via windows. The Ubuntu builds that are giving
> me problems are the x64 variants of builds 16025/6:
I assume that you're using the beta repository.
Please always include the full version string.

> 16025 - complains opengl support is missing and bombs out
Version 2.1 enables the OpenGL support on more chipsets, it is possible
that the one you are using is buggy and causes the crash.
Please see:
https://www.xpra.org/trac/ticket/1367
And add your details here so we can blacklist the driver or chipset if
needed.

> 16026 - says that xpra for python 2.7 is not installed and bombs out.
Please include the actual error message details.
(could be an incomplete package)

> I
> tried to install xpra for python using pip, but it failed to build (problem
> linking to ffmpeg).
The version of ffmpeg on your system may not be compatible.
For more information on building from source on Ubuntu see:
https://www.xpra.org/trac/wiki/Building/Debian

> I also notice the deb file for 16026 is quite a bit smaller than usual. I
> can still get everything to work if I use build 15981 though and use
> apt-mark hold xpra to stop it updating to the problematic build versions.
Thanks for pointing that out, I have deleted the incomplete upload.

> On Windows I have to use either x64 build 15800, as build 15924 (the one
> you also use as the main download for x64 Windows) says it is corrupt when
> I try and run the installer, and is only about 13Mb in size, as opposed to
> the usual 55-60Mb range. I was just wondering if this is just a temporary
> glitch, or if there is a new dependency or something that I've missed and
> need to download for these builds?
Same as above, I've deleted the incomplete upload.
There is a newer build, but for 32-bit only.

Cheers
Antoine

>
> Thanks for your help.
>
> Alex
>
> _______________________________________________
> shifter-users mailing list
> shifter-users at lists.devloop.org.uk
> http://lists.devloop.org.uk/mailman/listinfo/shifter-users
>

From antoine at nagafix.co.uk Wed Jun 7 21:21:00 2017
From: antoine at nagafix.co.uk (Antoine Martin)
Date: Wed, 7 Jun 2017 22:21:00 +0200
Subject: [winswitch] yum repo for EL 6.9 is broken
In-Reply-To:
References:
Message-ID: <08b7a344-4d23-b081-7b87-ef7320e61ed3@nagafix.co.uk>

On 07/06/17 18:00, Paul Raines via shifter-users wrote:
>
> The yum repo at http://winswitch.org/dists/CentOS/6.9/x86_64/ is broken
> missing many packages required like libvpx.
You're right, libvpx was missing from the 6.9 repository.
That's fixed.
Please let me know if any other packages are missing as I don't have
access to my test CentOS 6.9 virtual machines right now.

Cheers
Antoine

> I have to use
> http://winswitch.org/dists/CentOS/6.8/x86_64/ on my 6.9 machines
>
> ---------------------------------------------------------------
> Paul Raines                     http://help.nmr.mgh.harvard.edu
> MGH/MIT/HMS Athinoula A. Martinos Center for Biomedical Imaging
> 149 (2301) 13th Street     Charlestown, MA 02129            USA
>
>
>
>
>
> The information in this e-mail is intended only for the person to whom
> it is
> addressed. If you believe this e-mail was sent to you in error and the
> e-mail
> contains patient information, please contact the Partners Compliance
> HelpLine at
> http://www.partners.org/complianceline . If the e-mail was sent to you
> in error
> but does not contain patient information, please contact the sender and
> properly
> dispose of the e-mail.
>
> _______________________________________________
> shifter-users mailing list
> shifter-users at lists.devloop.org.uk
> http://lists.devloop.org.uk/mailman/listinfo/shifter-users

From esarmien at g.harvard.edu Thu Jun 15 19:33:26 2017
From: esarmien at g.harvard.edu (Evan Sarmiento)
Date: Thu, 15 Jun 2017 14:33:26 -0400
Subject: [winswitch] LXDE start-desktop black screen
Message-ID: <55194256-ed7e-47bb-9911-3d195a8f9d20@g.harvard.edu>

I noticed this in Chrome and Firefox. When I try to start XPRA with
start-desktop using the following command:

["xpra", "start-desktop", "--start=startlxde", "--daemon=off", \
 "--bind-tcp=0.0.0.0:8080", "--html=on", "--no-mdns", \
 "--no-notifications", "--no-pulseaudio"]

and then connect over :8080 using Google Chrome and Firefox I'm greeted
with an entirely blank screen. Am I starting lxde incorrectly? It's also
very slow, however when I run it using simply 'start', rather than
start-desktop, it's much faster and renders somewhat properly.

Let me know if you need any further information.

root at b08de20996e7:/# xpra --version
xpra v2.0.2-r15657

Evan Sarmiento
Systems Project Manager
Harvard-MIT Data Center
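
Added example, not part of any message in this archive and not xpra's own code: the saved-profile concern from the "xpra 2.0 security questions" thread above (passwords stored in plaintext, plain TCP selected as the mode) can be checked on managed machines with a small audit script. It assumes launcher profiles are key=value text files ending in .xpra, with "password" and "mode" keys and "tcp" as the plain-TCP value; these names are assumptions to verify locally, and the sample profiles are constructed.

```python
import os
import tempfile

# Assumed key names and mode value; verify against a profile your launcher saved.
PASSWORD_KEY, MODE_KEY, INSECURE_MODES = "password", "mode", {"tcp"}

def parse_profile(text):
    """Parse key=value lines, skipping blanks and # comments."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            settings[key.strip().lower()] = value.strip()
    return settings

def audit_profile(path):
    """Return findings for one profile; the password itself is never returned."""
    with open(path, encoding="utf-8", errors="replace") as f:
        settings = parse_profile(f.read())
    findings = []
    if settings.get(PASSWORD_KEY):
        findings.append("plaintext-password")
        if os.stat(path).st_mode & 0o044:  # group/other can read the stored password
            findings.append("readable-by-others")
    if settings.get(MODE_KEY, "").lower() in INSECURE_MODES:
        findings.append("insecure-mode")
    return findings

def audit_tree(root, suffix=".xpra"):
    """Map relative path -> findings for every flagged profile under root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            findings = audit_profile(path) if name.endswith(suffix) else []
            if findings:
                report[os.path.relpath(path, root)] = findings
    return report

def demo():
    samples = {  # constructed profiles, no real hosts or credentials
        "lab.xpra": "host=lab.example.org\nmode=tcp\npassword=constructed\n",
        "ok.xpra": "host=lab.example.org\nmode=ssh\nport=\n"}
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            path = os.path.join(root, name)
            with open(path, "w", encoding="utf-8") as f:
                f.write(body)
            os.chmod(path, 0o644)
        return audit_tree(root)
```

Pointing audit_tree() at a directory of users' saved profiles reports only file names and finding labels, so the report itself does not copy any stored password.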