Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

multiple authentication modules per socket type #1728

Closed
totaam opened this issue Dec 29, 2017 · 9 comments
Closed

multiple authentication modules per socket type #1728

totaam opened this issue Dec 29, 2017 · 9 comments

Comments

@totaam
Copy link
Collaborator

totaam commented Dec 29, 2017

Split from #1690.

This will give us more flexibility, including the ability to authenticate with two passwords, password and dialog, etc.

@totaam
Copy link
Collaborator Author

totaam commented Dec 29, 2017

Done in r17775, r17777 + r17890 for proxy server. Minor fix in r17824.

Examples:

echo -n 1234 > pass1.txt
echo -n 5678 > pass2.txt
xpra start --start=xterm :10 -d auth \
    --bind-tcp=0.0.0.0:10000
    --tcp-auth=file:filename=pass1.txt
    --tcp-auth=file:filename=pass2.txt
xpra attach tcp://localhost:10000/

The client should prompt for the password twice.

Also added in r17776 is the ability to tell the client what we are prompting for:

xpra start --bind-tcp=0.0.0.0:10000 --tcp-auth=file:filename=password.txt,prompt='secret no 1'

@totaam
Copy link
Collaborator Author

totaam commented Dec 29, 2017

See also tcp wrappers: #1730

@totaam
Copy link
Collaborator Author

totaam commented Dec 30, 2017

2017-12-30 00:03:04: maxmylyn commented


Noted, did some quick tests with the tcp-auth:

Both machines in question are Fedora 26, client and server are 2.X r17783

  • I started a server with xpra start :12 --no-daemon --bind-tcp=0.0.0.0:2200 --start-child=xterm --tcp-auth=file:/home/max/pass1.txt --tcp-auth=file:/home/max/pass2.txt --tcp-auth=file:/home/max/pass3.txt -d auth

and attached with xpra attach tcp:ip:2200 --tcp-auth=file:/home/max/pass1.txt --tcp-auth=file:/home/max/pass2.txt --tcp-auth=file:/home/max/pass3.txt

and the connection failed after it prompted me for a password. Is this expected behavior? I find it odd that it would ask me for a password even though I gave it the auth files it asked for, and even in the right order.

@totaam
Copy link
Collaborator Author

totaam commented Dec 30, 2017

I started a server with ...

That syntax is invalid and this is immediately obvious when you look at the server output:

Warning: failed to parse dictionary option '/home/max/pass1.txt':
 need more than 1 value to unpack

The correct syntax is auth=file,filename=/path/to/file. This is documented everywhere, including the comment:1 just above, and also in the manual, and authentication documentation page.

and attached with ...

Again, that doesn't make sense, see the man page and password-file.

@totaam
Copy link
Collaborator Author

totaam commented Jan 4, 2018

2018-01-04 18:47:47: maxmylyn commented


Okay I finally figured this out after like 45 minutes of reading.

I started my server with:

xpra start --start=xterm :10 -d auth --bind-tcp=0.0.0.0:2200 --auth=file,filename=pass1.txt,prompt='pass1' --auth=file,filename=pass4.txt,prompt='pass4' --no-daemon --start-via-proxy=no

And attached with:

xpra attach tcp:192.168.1.138:2200 --auth=file,filename=pass1.txt --auth=file,filename=pass4.txt -d auth

Turns out it's --auth=file,filename=/path/to/file and NOT --tcp-auth=file,filename=/path/to/file. Note the lack of a tcp-.

Now that I've got the syntax sorted it works.

However I have to bother you with this ticket again.

BUT, I typed "exit" into the wrong xterm and as such lost my only xterm in the connected session. Trying to run xpra stop :10 --auth=file,filename=pass1.txt --auth=file,filename=pass4.txt in another terminal that was SSH'd into the server in question failed with the output (from -d auth via a second attempt)

[max@Vorfuehreffekt ~]$ xpra stop :10 --auth=file,filename=pass1.txt --auth=file,filename=pass4.txt -d auth
processing challenge: ['&\xad\xf3\xc8\xdaXBK\x07^\xab\xea1\xec\xde\t`\x0e]\x02\x95\x05\xdb\x1ap\xbe\x0c\xc2@<\x9e,\xdd\xe3\x14\xaf\xf7f;z\xd7\x89\xd4&=\xd7\xad\x96\x87}\xa5S\x06\x10\xf0\x93\xd3\xb2?%\xc0\xde\xa7\xe1', '', 'hmac+sha512', 'hmac+sha512', 'pass1']
load_password() existing value found: False
load_password() PASSWORD_PROMPT=True, isatty=True
stdin isatty, using password prompt

Is there a typo there?

Also of note, when I do a Control + C the prompt, the terminal becomes unresponsive afterwards - I can't see anything I type, and a Control + L appears to do nothing.


I'd also like to note:

wiki/Authentication and comment:1 both have --auth=file:filename=/path/to/mypasswordfile.txt listed - note the : not the , as noted in comment:4

@totaam
Copy link
Collaborator Author

totaam commented Jan 5, 2018

xpra attach tcp:192.168.1.138:2200 --auth=file,filename=pass1.txt --auth=file,filename=pass4.txt -d auth

That still does not make any sense. As per the examples and documentation,
the [xxx-]auth command line options only apply to bind[-xxx] options. As per comment:4, for the client you want (multiple?) password-file instead.

Turns out it's --auth=file,filename=/path/to/file and NOT --tcp-auth=file,filename=/path/to/file

No, it's not. Neither option makes any difference whatsoever to a client.

Now that I've got the syntax sorted it works.

You don't.

Also of note, when I do a Control + C the prompt, the terminal becomes unresponsive afterwards - I can't see anything I type, and a Control + L appears to do nothing.

How do I restore input echoing in the terminal?

​note the : not the , as noted in comment:4

Both should work.

@totaam
Copy link
Collaborator Author

totaam commented Jan 9, 2018

2018-01-09 17:04:58: maxmylyn commented


I thought I had closed this last week, but I guess I forgot to hit Submit.

Firstly, I apologize for getting confused on the command string, I somehow got it in my head that we were deprecating --password-file in favor of something more modular --auth=. That was not the case. Now that I've got it figured out, the multiple auth modules is working fine for me - I've tested it with up to 4 password files, and it all works together nicely, once you feed it the correct commands.

I also double checked and --auth=file,filename= AND --auth=file:filename= both work, even when mixing them in the same command string. Probably not a fantastic idea, but it will work just fine.

Now that I've checked that and there aren't any issues other than me, I'm going to go ahead and close this ticket.

@totaam totaam closed this as completed Jan 9, 2018
@totaam
Copy link
Collaborator Author

totaam commented Jan 13, 2018

Caused #1740

@totaam
Copy link
Collaborator Author

totaam commented Mar 24, 2018

See also: #1691, #1789, #1728, #1791.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant