[winswitch] SSH wrapper, was: Hi List, Quick Xpra question

Mon Dec 23 19:58:48 GMT 2019

On 23/12/2019 01:10, Celeste Weingartner via shifter-users wrote:
> I had considered tying it to user ID and that's a good idea. While changing
> the remote xpra command is certainly an option I could write into the
> frontend, I want this to be a bit more secure and not rely on the frontend
> to do the right thing, is there a easy way to specify a new command server
> side and system wide?or user group wide?
No.
The remote command is requested by the SSH transport (ie: paramiko 
openssh or plink), it is always specified by the client - that's just 
how SSH works.

xpra's builtin SSH server already intercepts the 'xpra _proxy' command 
to avoid spawning a new subprocess unnecessarily. But modifying this 
behaviour is likely way too complicated for what you are trying to 
achieve. (and this would only work with xpra running as ssh server)

If you want to limit what your users can execute via ssh logins then you 
should look into OpenSSH command restrictions and you can then place 
your override script in a whitelisted location, ie:
/usr/local/bin/xpra
To see which remote commands your clients will attempt to run, see:
xpra showconfig | grep remote-xpra

Cheers,
Antoine

> 
> Sorry for the double email Antoine
> 
> 
> On Fri, Dec 20, 2019, 6:59 AM Antoine Martin via shifter-users <
> shifter-users at lists.devloop.org.uk> wrote:
> 
>> On 19/12/2019 16:19, Celeste Weingartner via shifter-users wrote:
>>> im writing a frontend for Xpra that will use ssh to connect. I would like
>>> to make a ultra persistant chrome session be remotely served..
>> Running browsers through xpra seems to be a popular use case.
>> Are you using xpra's builtin ssh server or are you allowing those users
>> shell access on your server? (and restricting what commands they are
>> allowed to run?)
>>
>>> Ive got
>>> firejail working for chrome, and i can manually connect with xpra start
>>> someuser at apphost.com --start-child='google-chrome' and that works.. and
>> i
>>> can reattach to it no problem but if i reisssue another start, it starts
>>> another x session, which i do not want.. I want it limited to one per
>> user.
>> An easy way to achieve that would be to derive the X11 display for each
>> user from their user id. That way a user would only ever be able to
>> start a single session.
>> FYI: most browsers, including chrome, are limited to a single instance
>> per user account.
>>
>> To make things easier to manage, we could add a new subcommand:
>> "xpra attach-or-start"
>> Or maybe a new flag:
>> "xpra attach --create=yes"
>> Or even:
>> "xpra start --reuse-session=yes"
>> Ideas and suggestions welcome.
>>
>> When connecting over ssh, the xpra client will run "xpra _proxy",
>> potentially with extra arguments, and this is what connects the xpra
>> server to the ssh channel.
>> The remote xpra command can be changed using the "--remote-xpra="
>> command line option.
>> This would be a decent place to override the default behaviour and start
>> a new server instance if one is not found, before trying to connect to it.
>>
>> Cheers,
>> Antoine
>>
>>
>>
>>
>>> max.
>>>
>>>
>>> On Mon, Dec 16, 2019 at 6:06 AM Antoine Martin via shifter-users <
>>> shifter-users at lists.devloop.org.uk> wrote:
>>>
>>>> On 16/12/2019 07:59, Celeste Weingartner via shifter-users wrote:
>>>>> Hi Everyone, im not sure if the devel list would be the place for this
>> or
>>>>> not.. So i'll ask.
>>>>>
>>>>> Im trying to use Xpra to create an application server. For a specific
>>>>> application. I do not want users to be able to spawn more than 1 xpra
>>>>> server process. I want them to be limited to 1. Short of disabling
>> server
>>>>> commands, and using firejail which im already doing, how can I further
>>>>> limit it to one server per user?  Im willing to be there's some sort of
>>>>> bash magic that can be done in the xpra startup, but im unsure where to
>>>>> even begin there, im not a python coder... Bash I can do..  But can
>>>> anyone
>>>>> provide some pointers or tips?
>>>> How are you going to start the sessions? Is it going to be on demand for
>>>> each user?
>>>> How are they connecting to the server? ssh?
>>>> Are you going to give them a command line to run or an xpra URI they
>>>> just click on?
>>>>
>>>> This is not the first time something like this has been requested, so
>>>> maybe we can make it easier to setup.
>>>>
>>>> Cheers,
>>>> Antoine
>>>>
>>>>>
>>>>> Thanks in advance,
>>>>>
>>>>> Celeste
>>>>> _______________________________________________
>>>>> shifter-users mailing list
>>>>> shifter-users at lists.devloop.org.uk
>>>>> https://lists.devloop.org.uk/mailman/listinfo/shifter-users
>>>>>
>>>>
>>>> _______________________________________________
>>>> shifter-users mailing list
>>>> shifter-users at lists.devloop.org.uk
>>>> https://lists.devloop.org.uk/mailman/listinfo/shifter-users
>>>>
>>> _______________________________________________
>>> shifter-users mailing list
>>> shifter-users at lists.devloop.org.uk
>>> https://lists.devloop.org.uk/mailman/listinfo/shifter-users
>>>
>>
>> _______________________________________________
>> shifter-users mailing list
>> shifter-users at lists.devloop.org.uk
>> https://lists.devloop.org.uk/mailman/listinfo/shifter-users
>>
> _______________________________________________
> shifter-users mailing list
> shifter-users at lists.devloop.org.uk
> https://lists.devloop.org.uk/mailman/listinfo/shifter-users
> 