[winswitch] xpra 2.0 security questions

Shane Williams shanew at shanew.net
Wed May 31 23:22:34 BST 2017

After using it personally over the years, I've suggested my work
install xpra for our users (particularly to replace VNC) and during
our internal staff evaluation everyone has been impressed.  We did
come up with a few (mostly security-related) questions.  If any of
these would be better addressed as tickets via trac, just let me know.

1. We like that xpra defaults to SSH when you start it on linux and
we'd like to make it impossible or at least harder for users to start
up a server using non-secure protocols.  Is there a way to disable
these (or even enable SSH only) via system-wide configs or in some
other way?  Even if users could over-ride settings individually,
creating that extra burden would discourage use of non-secure

2. When saving a "profile" via the launcher, passwords are stored in
plaintext.  At the very least, could the launcher GUI make it clear
that saved passwords will be stored in this way?  Or is there a way to
disable that, maybe even by default (not that we have much control
over users' launcher configs)?

3. We also notice that when SSH is selected as the mode, launchers on
some platforms remove the password field from the GUI, but others do
not (MacOS, in particular, doesn't seem to).  Is this a built-in
difference, or is it dependent on the existence of some "ask-pass"

3.5 As a feature request, it seems like the list of "modes" is in
least-secure to most-secure order, with plain TCP as the default.  It
seems like reversing this would make it a little harder for users to
unknowingly use the non-secure mode.

4. One non-security related issue we ran into (on MacOS and Linux) is
that if you save a SSH profile with the Display Number ("port" in the
config file) field blank, then restart xpra and load that profile, it
properly selects SSH as the mode, but it fills in the Display number
field with 14500.  I suspect this might trip up some less-savvy

5. Is there a way to turn off or disable some of the "extra" features
system-wide?  For example, we blacklist a lot of external device
drivers, including webcams, on our managed linux systems, so rather
than have users try to make use of that feature and get frustrated,
we'd rather disable it on those systems.

Thanks for any help or suggestions you might have.

Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT CompSci
All syllogisms contain three lines |              shanew at shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew

