
more generic command for the exec authentication module #3790

Closed
totaam opened this issue Mar 14, 2023 · 6 comments

@totaam (Collaborator) commented Mar 14, 2023

So that we can generate more useful commands based on the username specified:
#3781 (comment)

Obviously, we want to be careful here and not allow just any string substitution as this would be ripe for exploitation.

totaam added a commit that referenced this issue Mar 14, 2023
the full command is now configurable including arguments,
and those arguments can use authentication attributes like 'username', 'info' and 'prompt'
@totaam (Collaborator, Author) commented Mar 15, 2023

It is now also possible to use the challenge (aka password) in the exec command:

xpra shadow -d auth --no-daemon \
    --bind-tcp=0.0.0.0:10000 \
    --tcp-auth=exec:require-challenge=yes,client-username=yes,command='touch /tmp/HELLO-${username}-${password}'

Obviously, this should not be used with system passwords but this could be quite useful for delegating token validation to external command line tools.

@totaam totaam closed this as completed Mar 15, 2023
@totaam (Collaborator, Author) commented Mar 17, 2023

Tested with the defaults and a shadow server:

xpra shadow --bind-tcp=0.0.0.0:10000,auth=exec \
    -d auth --no-daemon

Which ends up calling:

/usr/libexec/xpra/auth_dialog 'Connection request from tcp socket: IP:10000 <- IP:53168' '600'

Another example:

xpra shadow --bind-tcp=0.0.0.0:10000,auth=exec,client-username=yes,command='touch /tmp/HELLO-${username}' \
    -d auth --no-daemon

Then connecting with:

xpra attach --sharing=yes 'tcp://foo:bar@localhost:10000/'

And the /tmp/HELLO-foo file has been created.

@walakee this should be useful to you. You can chain this pseudo-authentication module after the ldap one.
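The substitution shown in the commands above is where the injection risk mentioned in the opening comment lives. The following is an added example in Python, not xpra's own implementation (the function names, the attribute allow-list and the `${name}` syntax handling are assumptions): the template is split shell-style once, attributes are substituted inside each argument afterwards, and the result is executed without a shell, so a username such as `foo; rm -rf /tmp` remains one literal argv element.

```python
import re
import shlex
import subprocess

# Attributes a template may reference (the issue mentions username,
# password/challenge, info and prompt); any other ${name} is rejected.
ALLOWED_ATTRS = ("username", "password", "info", "prompt")
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_]+)\}")


def render_argv(command_template: str, attrs: dict) -> list:
    """Turn an exec-auth command template into an argv list.

    The template is tokenised ONCE with shlex; substituted values are
    never re-parsed, so shell metacharacters in a client-supplied
    username cannot create extra arguments or commands.
    """
    argv = shlex.split(command_template)
    if not argv:
        raise ValueError("empty exec command")

    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in ALLOWED_ATTRS:
            raise ValueError(f"attribute not allowed in exec command: {name}")
        if name not in attrs:
            raise ValueError(f"attribute not provided: {name}")
        return str(attrs[name])

    return [PLACEHOLDER.sub(substitute, arg) for arg in argv]


def run_exec_auth(command_template: str, attrs: dict, timeout: int = 600) -> bool:
    """Run the rendered command; exit status 0 means 'authenticated'.

    No shell=True: argv goes straight to execve(), and the timeout
    bounds how long an unresponsive helper can stall the handshake.
    """
    argv = render_argv(command_template, attrs)
    proc = subprocess.run(argv, timeout=timeout, capture_output=True)
    return proc.returncode == 0
```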

@walakee commented Mar 21, 2023

@totaam, many thanks for this. Would these changes work in Xpra for CentOS 7.9? I was able to apply the deed568 changes to CentOS 7.9, but I'm not sure about this one.

Many thanks,
Walakee

@totaam (Collaborator, Author) commented Mar 21, 2023

@walakee no, this would be difficult to port - for a start, the authentication module interface has changed.

@walakee commented Mar 21, 2023

@totaam thanks for the immediate reply. Unfortunately CentOS Stream 8 seems to have an earlier EOL than CentOS 7.9. For this reason it is hard to justify the upgrade, especially since it is not really a straightforward process. Is there any workaround perhaps that could be used in CentOS 7.9 for the same purpose (custom script to be executed after successful LDAP authentication, with username as the parameter)?

Thanks again,
Walakee

@totaam (Collaborator, Author) commented Mar 21, 2023

CentOS Stream 8 seems to have an earlier EOL than CentOS 7.9

@walakee CentOS 8 is already EOLed, use RockyLinux or AlmaLinux instead. We have builds for both.
I would recommend switching to a distro that is going to be supported long-term, and CentOS 7.x with xpra 3.1.x is not it.
