attach via proxy multifile auth

[totaam]

Issue migrated from trac ticket # 1498

component: server | priority: major | resolution: fixed | keywords: proxy

2017-04-12 17:35:20: Denis01 created the issue

---

Hello,
trying to connect via PROXY. (Centos 7.3, xpra test 2.0)
One server, and proxy and server run under Root account. Client=html
so the commands:

xpra proxy :100 --bind-tcp=0.0.0.0:443 --auth=multifile:filename=/root/xpra-auth.txt -d auth -d proxy

xpra start :10 --exit-with-children --bind-tcp:0.0.0.0:10000 --start-child=/bin/gedit

and then

xpra attach --username=111 --password-file=/root/password.txt $0.0.0.0:443

gives xpra initialization error: no such option: -b

xpra attach --username=111 --password-file=/root/password.txt $PROXYHOST:443

gives "Warning: running as root. xpra initialization error: could open display"

what is wrong?
and multifile and password file are available. In logs - nothing special (:10 and :100)
Multifile content:

111|111|1000|1000|tcp:0.0.0.0:10000|EXAMPLE_ENV=VALUE

Thank you

[totaam]

2017-04-13 06:34:50: antoine changed owner from antoine to Denis01

[totaam]

2017-04-13 06:34:50: antoine edited the issue description

[totaam]

2017-04-13 06:34:50: antoine commented

---

xpra test 2.0
Please always specify the FULL version. I don't know what "xpra test 2.0" is.

xpra attach --username=111 --password-file=/root/password.txt $0.0.0.0:443
Looks like a syntax error: why is "$" in there?

Multifile content:
111|111|1000|1000|tcp:0.0.0.0:10000|EXAMPLE_ENV=VALUE
"tcp:0.0.0.0:10000" is not a valid connection string because "0.0.0.0" is not a valid TCP address.
FYI: if running the server on the same system, you don't even need TCP and you can use ":10" for the display string.

PS: please learn to use wiki WikiFormatting so I don't have to edit all your tickets.

[totaam]

2017-04-13 06:56:30: Denis01 commented

---

1. version xpra beta -2.1-0.20170403r15507
2. i followed the wiki-proxy and copied the command "xpra attach --username=myusername --password-file=./password.txt $PROXYHOST:443"
3. ok

P.s. ok

[totaam]

2017-04-13 09:01:10: Denis01 commented

---

And another strage point which might an idea of the cause.
If i try to login through HTML client to proxy using client name =111 (which was defined in multifile) auth and proxy log says:

Athentication required by multi password file ahtbentication module
Sending challenge for username '111' using hmac+sha256 digest
start_proxy (.....found sessions: (1000,1000,....)

that seems to be properly uploaded from multifile in auth py module and then

Error: user 'xxx1235' {uid=1000} is not in the xpra group
it belongs to: None

This message is from proxy py. So could it be that system keeps somehow the data from previous connections rather the update the i fo on connection string and screen each time?

The user 'xxx12345' i used for direct session creation (without proxy) on the same port 10000 and it might be with the same uid-1000 ( don't remember well).
But after that i killed all xpra sessions and even rebooted server several times.

[totaam]

2017-04-13 09:16:08: antoine commented

---

Error: user 'xxx1235' {uid=1000} is not in the xpra group
could it be that system keeps somehow the data from previous connections
No.
Just like it says, your user is not a member of the "xpra" unix group, so it is warning you that the group socket cannot be created. Either add the user to the xpra group or remove "/var/run/xpra" from the socket bind locations.

I assume that your original problem was because of syntax errors, right?
If so, please close this ticket and open a new one if you have other issues.

[totaam]

2017-04-13 09:36:22: Denis01 commented

---

Hm..
but there is no such user 'xxx12345' in multifile. There is a new one - '111'
And mulfifile_auth.py sees properly new one in def authenticate_hmac self.username='111' but proxy_server.py in user=get_username_for_uid(uid) returns 'xxx12345'

[totaam]

2017-04-13 09:47:10: antoine commented

---

but there is no such user 'xxx12345' in multifile. There is a new one - '111'

Yes, there is:

• '111' is the authentication username, it can be any string and does not have to be a in your unix password database
• uid=1000 must point to a real unix user, otherwise the proxy server won't be able to change uid. (and by the looks of things, the username for uid=1000 is 'xxx12345')

[totaam]

2017-04-13 12:49:08: Denis01 commented

---

:-) Linux for dummies :-)
Now the user created in Linux and attached to xpra group with the correct UID given by Linux.
Proxy can indentify the user.
But still xpra attach doesn't work - "xpra initialization error:could not open display"

Tried to start by root and by user and many commands from Wiki

Xpra attach tcp:111@'real ip address':443

Or

Xpda attach --username=111 --auth=multifile:filename=/root/xpra-auth.txt@'real ip address':443

But results are the same :-(

[totaam]

2017-04-13 12:54:33: antoine commented

---

• "--auth=" doesn't make any sense for "xpra attach"
• since you require authentication, I believe, you would be better off using this form which is clearer: "xpra attach tcp/username:password@host:port/"

Whatever the problem is, there will be more details than "could not open display" in your "-d proxy" server log.
If the display string you specify in multifile is correct, then you should be able to use it directly from a terminal where the proxy is running, ie:

xpra info tcp:HOST:PORT

Check that first.

[totaam]

2017-04-13 14:08:13: Denis01 commented

---

Amazing....
Command "xpra attach" is not needed...
It works only with "xpra proxy --auth multi..." on proxy side and "xpra start" without any --auth command at target side.

But FYI

Xpra info tcp:HOST:PORT

Under root account in the Terminal at Proxy side says

Warning:running as root
Error: authentication failed:
This server requires authentication, please provide a password"

So if you confirm that running Proxy without "xpra attach..." is normal way - i'll close thw tichet

[totaam]

2017-04-13 14:18:33: antoine commented

---

Under root account in the Terminal at Proxy side says
(..)
This server requires authentication, please provide a password"

Obviously, if you start your server with authentication, then you'll need to provide a password.
Right at the top of this ticket description, your server (not the proxy) start command does not use one, so you would not need any authentication to connect to THAT server. Connecting to the proxy URI however, you would since you used "multifile" auth for THAT one.

Please make you sure you understand what each command does and close this ticket.

[totaam]

2017-04-13 14:37:24: Denis01 commented

---

Ok, clear.
And for "xpra attach" command should be executed on NON html but thick client, right?

[totaam]

2017-04-13 14:39:02: antoine commented

---

And for "xpra attach" command should be executed on NON html but thick client, right?
"xpra attach" is the xpra client.
Not sure why you're even talking about the HTML client in this context.

[totaam]

2017-04-13 14:49:38: Denis01 commented

---

As the WIKI says that the last operation to start the session should be command "xpra attach..." (in fact the main original issue of the topic).
But for HTML connection it is not simple needed - started 'xpra proxy' on the proxy nod, 'xpra start' on the target host and entered by HTML client. It works.
So i thought that probably this 'xpra attach' command should be done on in normal client (not html one). And in the case of html it is needed nowhere...

[totaam]

2017-04-13 15:08:22: Denis01 changed status from new to closed

[totaam]

2017-04-13 15:08:22: Denis01 set resolution to fixed

[totaam]

2017-04-13 15:08:22: Denis01 commented

---

Yes, wiki says "users can connect as USUAL with: xpra attach.." so it has to be the cmd to start on client PC (not the case of html client)
Close this ticket.

[totaam]

2017-07-14 18:59:36: antoine changed title from Proxy. Attach to attach via proxy multifile auth

[totaam]

2017-07-14 18:59:36: antoine commented

---

(editing ticket title)