Ok, so it looks like I need an AES keyfile. I tried omitting "--tcp-encryption-keyfile" from the command line, but I get a "missing encryption tokens" error in the log. How can I generate a keyfile? Also, how do I launch the win32 client with this keyfile (there doesn't seem to be a way to do this in the GUI).

On Mon, Nov 21, 2016 at 10:53 AM, Antoine Martin via shifter-users <[email protected]> wrote:

> On 21/11/16 22:45, Thomas Esposito via shifter-users wrote:
> > First some background info...
> >
> > I've been using Xpra at work. I have a RHEL 6.6 virtual machine, which I
> > believe uses LDAP for login authentication. I don't have root/admin
> > privileges, so in order to use Xpra, I have manually extracted the contents
> > of all of the required RPMs and modified my PYTHONPATH, PATH,
> > LD_LIBRARY_PATH, and MANPATH variables to point to where the RPMs are
> > extracted.
> >
> > Since I obviously can't install anything to "/etc", I have all of the
> > config files in "${HOME}/.xpra". For the beta version of xpra, this means
> > that I can't install any of the files in "/etc/pam.d" (which is new to the
> > 1.0 beta).
> >
> > In order to get good performance on my corporate intranet, I need to use
> > raw TCP with a port in the range 5900 5909 (i.e. the ports used by VNC),
> > because this is prioritized on the network vs. ssh, which has very
> > inconsistent network performance. I'd like to use LDAP authentication for
> > my TCP sessions, but I'm not sure how to do this. I've tried setting
> > "--tcp-auth=pam" on the xpra command line, but the Win32 launcher reports
> > "Connection lost" when I try to connect. I get the following output in the
> > server-side log file (edited to remove IP addresses and user name):
> >
> > 2016-11-21 10:29:00,367 New tcp connection received from x.x.x.x:x
> > 2016-11-21 10:29:00,369 Authentication required by PAM authenticator module
> > 2016-11-21 10:29:00,369 sending challenge for username '<username>' using xor digest
> > 2016-11-21 10:29:00,511 client has requested disconnection: invalid digest
> > 2016-11-21 10:29:00,512 Disconnecting client x.x.x.x:x:
> > 2016-11-21 10:29:00,512 client request
>
> The client and server will refuse to send unencrypted passwords over
> TCP, unfortunately PAM requires the actual password rather than a hash -
> unlike the other plugins which can happily use HMAC.
>
> > Any idea how to get this working, keeping in mind the fact that I can't do
> > a normal install (i.e. write to "/etc") on the server side?
>
> If you must use PAM, use SSL or AES encryption. (see wiki for details)
> If not, use a different authentication module.
>
> Cheers
> Antoine
>
> PS: there is a magic environment variable which can be used to force
> xpra to use unencrypted passwords over TCP, but I am not posting it here
> as this is not a good solution.
> _______________________________________________
> shifter-users mailing list
> [email protected]
> http://lists.devloop.org.uk/mailman/listinfo/shifter-users
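
Added example, not part of the thread and not xpra's code: a Python illustration of the distinction in Antoine's reply, showing why an HMAC challenge can cross plain TCP while a reversible response that PAM needs cannot. It assumes the "xor digest" named in the log is a plain XOR of the password with the server's challenge; the function names and the sample password are constructed.

```python
import hashlib
import hmac
import os


def hmac_response(password: bytes, challenge: bytes) -> bytes:
    """Client side of an HMAC challenge: proves knowledge of the password."""
    return hmac.new(password, challenge, hashlib.sha256).digest()


def hmac_verify(stored_password: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: only possible when the server holds the secret itself."""
    expected = hmac.new(stored_password, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def xor_bytes(data: bytes, pad: bytes) -> bytes:
    """XOR data with a pad that is at least as long as the data."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than data")
    return bytes(a ^ b for a, b in zip(data, pad))


def demo():
    password = b"constructed-sample-password"  # constructed value
    challenge = os.urandom(32)  # server nonce, visible on the wire

    # HMAC: the response is one-way, so seeing challenge + response
    # does not hand over the password. The server must already store it.
    resp = hmac_response(password, challenge)
    hmac_ok = hmac_verify(password, challenge, resp)

    # PAM needs the actual password, so the response has to be reversible.
    wire = xor_bytes(password, challenge)
    recovered_by_server = xor_bytes(wire, challenge)  # passed on to PAM

    # Without SSL or AES around the connection, anyone who sees the same
    # two messages performs the same operation as the server.
    recovered_by_observer = xor_bytes(wire, challenge)
    return hmac_ok, recovered_by_server, recovered_by_observer, resp


if __name__ == "__main__":
    ok, server_view, observer_view, _ = demo()
    print(ok, server_view == observer_view)
```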
