On 15/09/16 11:39, Mukul Agrawal via shifter-users wrote:
> If I want xpra proxy on machine1 to connect to xpra server on machine2 using 
> ssh with public key authentication and no password, then how should I set it 
> up?
I have not tested this, but SSH connections from the proxy should be
using the public key of the user running the proxy server process and
not the key of the user you authenticate as (which may not have a user
account at all on the system running the proxy).

> Public keys are already in default locations and xpra is able to attach 
> directly from machine2 to machine1 using standard format: xpra attach 
> ssh:username@machine1:display.
I thought the server you wanted to connect to was "machine 2" and not
the other way around?

> But when I try to connect via proxy from client machine3, the proxy is not 
> able to authenticate.
Have you checked your ssh server logs for an answer?

> It sends the challenge but then there is no log after that.
Please share the log sample up to that point to help clarify things.

Note: when using SSH connections, the server does not need to use
another socket authentication module. That's usually just redundant.

> I am using multifile like this:
> username|pswd|1000|1000|ssh:machine1:display||
> and attach command from machine3 like this:
> xpra attach tcp:username:pswd@machine2:proxyPORT
> 
> Are the usernames and passwords actually associated with login accounts on 
> the target machine, or is their significance only with respect to multifile 
> resolution?
It depends: if the proxy server runs as root, each proxied connection
will run as the uid and gid you defined (i.e. 1000 above).
But the connection to the backend server is made before changing uid, so
the ssh key used will not be the one of the user specified in multifile.

If you don't mind using SSH with passwords, you should be able to use
something like this (untested):
|username|pswd|1000|1000|ssh/username2:password2@machine2/display||

We could also change the code to:
* add support for ssh options to multifile, so you could specify the
  keyfile for each user
* change the ordering so the connection to the backend server happens
  after changing uid and gid (but this would only work with the proxy
  running as root)

Feel free to create tickets for this.

> Can password be left blank for public key authentication?
That doesn't make sense: the password in multifile is for authentication
to the proxy, not to the backend server.
Unless you're trying to connect via ssh to your proxy? (but why?)

Cheers
Antoine


> 
> Thanks. 
> 
> _______________________________________________
> shifter-users mailing list
> shifter-users@lists.devloop.org.uk
> http://lists.devloop.org.uk/mailman/listinfo/shifter-users
> 
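
The following is an added example, not part of the original message or of xpra's own code: a small audit of multifile entries in the format quoted in this thread. It reports which SSH backends rely on the proxy process user's key, as the reply describes, and which store a backend password in clear text. The sample entries, the names given to the last two fields, and the comma-splitting of the displays field are assumptions.

```python
import re

# Field order taken from the entries quoted in the thread; the names given to
# the last two (empty) fields are assumptions.
FIELDS = ("username", "password", "uid", "gid", "displays", "env", "session")

# ssh/user:password@host/display or ssh:user:password@host:display
SSH_PASSWORD = re.compile(r"^ssh[:/](?P<user>[^:@/]+):(?P<password>[^@]+)@")

# Constructed sample entries (not from a real deployment).
SAMPLE = """\
alice|proxypw1|1000|1000|ssh:machine2:10||
bob|proxypw2|1001|1001|ssh/bob2:backendpw@machine2/11||
carol|proxypw3|1002|1002|tcp:machine2:14500||
"""


def parse_entry(line):
    """Split one multifile line into a dict keyed by FIELDS."""
    parts = line.strip().split("|")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))


def audit(text, proxy_user):
    """Return (username, finding) pairs for every SSH backend in the file."""
    findings = []
    for line in filter(str.strip, text.splitlines()):
        entry = parse_entry(line)
        # Splitting the displays field on commas is an assumption.
        for display in entry["displays"].split(","):
            if not display.startswith(("ssh:", "ssh/")):
                continue
            m = SSH_PASSWORD.match(display)
            if m:
                finding = f"backend password for {m.group('user')} stored in clear text"
            else:
                finding = f"key of proxy user {proxy_user} is used, not uid {entry['uid']}"
            findings.append((entry["username"], finding))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE, proxy_user="root"):
        print(f"{user}: {finding}")
```
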
