request access to session #1690

Closed
totaam opened this issue Nov 15, 2017 · 11 comments

totaam commented Nov 15, 2017

Issue migrated from trac ticket #1690

component: core | priority: major | resolution: fixed

2017-11-15 10:59:11: antoine created the issue


This ticket was originally meant for all types of sessions, but the scope was changed to support sessions with a display attached. (typically shadow mode)

Generic access request now moved to #1799.

totaam commented Nov 16, 2017

2017-11-16 05:51:15: antoine changed status from new to assigned

totaam commented Nov 16, 2017

2017-11-16 05:51:15: antoine edited the issue description

totaam commented Dec 28, 2017

2017-12-28 12:57:40: antoine commented


Stackable authentication modules moved to #1728

Still TODO: add UI prompt authentication via built-in GTK based prompt, "dialog"?

totaam commented Dec 29, 2017

2017-12-29 17:19:05: antoine commented


Implemented for shadow servers using the new "exec" auth module in r17780.
With platform support for macOS added in r17781 + r17825 + r17822, win32 in r17783, and RPM + DEB packaging in r17782.

Usage:

xpra shadow --bind-tcp=0.0.0.0:10000 --tcp-auth=exec

This will pop up a dialog asking if the new connection should be allowed or not.

This new auth module has two configuration options:

  • timeout: the delay in seconds before we terminate the command and fail, ie: tcp-auth=exec:timeout=60
  • command, ie: tcp-auth=exec:command=/bin/true. The command will be given the request message (ie: Connection request from ...) and the timeout as arguments. It should return 0 to allow the connection, any other value to reject it. By default, we use the "auth_dialog" tool that we ship. (just a simple yes-no dialog)

As per #1728, this can now be combined with other auth modules. (ie: password + request, or tcp-wrappers + request, etc)

This is only useful for "shadow" sessions since there will be an existing display connected where the user can accept the request.

Still TODO:

  • maybe rename or alias this module? (keep "exec" for generic configurable exec)
  • maybe make this the default for shadow sessions (at least on win32?)
  • rate limiting: we don't want to flood the user's display with requests
  • deal with regular servers (non-shadow): probably not using authentication modules but client-server messages

We could piggyback onto #1735
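
A custom command for the "exec" module described in the comment above, as an added example (not xpra's code and not written by the ticket's author): it rate-limits prompts, which the TODO list raises, and rejects on any error or timeout. The argument order is taken from the ticket's wording; the state file path, the policy values and the `APPROVE_DIALOG` variable are assumptions.

```python
#!/usr/bin/env python3
"""Added example: hypothetical approver for xpra's tcp-auth=exec:command=...
Assumed argv (ticket wording): <request message> <timeout>; exit 0 = allow."""
import json
import os
import subprocess
import sys
import time

WINDOW, MAX_PROMPTS = 60, 3  # constructed policy: 3 prompts per 60 seconds
STATE = os.path.expanduser("~/.xpra-approve.json")  # hypothetical state file


def decide(message, timeout, history, now, prompt):
    """Return (exit_code, new_history); every doubtful case rejects."""
    recent = [t for t in history
              if isinstance(t, (int, float)) and 0 <= now - t < WINDOW]
    if len(recent) >= MAX_PROMPTS:
        return 1, recent              # rate limit hit: reject, show nothing
    recent.append(now)
    try:
        secs = float(timeout)
        allowed = secs > 0 and prompt(message, secs) is True
    except Exception:                 # bad timeout, prompt crash or expiry
        allowed = False
    return (0 if allowed else 1), recent


def dialog_prompt(message, secs):
    """Run the yes/no program named in $APPROVE_DIALOG (assumed variable)."""
    cmd = [os.environ["APPROVE_DIALOG"], message, str(secs)]  # argv, no shell
    return subprocess.run(cmd, timeout=secs).returncode == 0


def main(argv):
    if len(argv) != 3:
        return 1
    try:
        with open(STATE) as f:
            history = list(json.load(f))
    except (OSError, ValueError, TypeError):
        history = []
    code, history = decide(argv[1], argv[2], history, time.time(), dialog_prompt)
    with open(STATE, "w") as f:
        json.dump(history, f)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The request message is passed to the dialog program as a single argv element and never through a shell, since part of it comes from the connecting peer.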

totaam commented Apr 1, 2018

2018-04-01 10:50:20: antoine changed status from assigned to new

totaam commented Apr 1, 2018

2018-04-01 10:50:20: antoine changed owner from antoine to maxmylyn

totaam commented Apr 1, 2018

2018-04-01 10:50:20: antoine edited the issue description

totaam commented Apr 1, 2018

2018-04-01 10:50:20: antoine commented


Mostly a FYI, see comment:4.

totaam commented Apr 3, 2018

2018-04-03 18:52:08: maxmylyn changed status from new to closed

totaam commented Apr 3, 2018

2018-04-03 18:52:08: maxmylyn set resolution to fixed

totaam commented Apr 3, 2018

2018-04-03 18:52:08: maxmylyn commented


Noted and closing.
