See also network
With Posix servers already running an SSH server, xpra sessions can be accessed without any extra configuration. ie:
xpra attach ssh://USERNAME@HOST/DISPLAY
(the DISPLAY value may be omitted if the user only has a single active session)
Similarly, it is possible to start new sessions and connect to them in one command:
xpra start ssh://USERNAME@HOST/ --start=xterm
The sessions do not require any specific bind command line options: the default xpra configuration will already create unix domain sockets which are forwarded to the client by the SSH transport. Those sockets can be seen with xpra list on the server.
This mode can be used to enable SSH connections on servers that do not include an SSH server by default (e.g. MS Windows servers), or to use SSH authentication and encryption without allowing full shell logins via SSH on the server system, as the connection can only be used to connect to the xpra server.
This mode can be used with plain TCP sockets which end up being upgraded to SSH. The server also supports the bind-ssh option: these sockets will only allow SSH connections. ie:
xpra start --bind-ssh=0.0.0.0:10000 --start=xterm
The client can then connect to this port using ssh:
xpra attach ssh://HOST:10000/
The SSH server’s private key must be accessible to the user running the xpra server. The filenames can be configured using the OpenSSH IdentityFile option or the XPRA_SSH_DEFAULT_KEYFILES environment variable. Otherwise, the server will try to open key files found in ~/.ssh/.
Regular TCP sockets can also be upgraded to SSH.
For details, see #1920 or use the -d ssh debug logging flag.
The client can either use the builtin ssh client (based on paramiko), or an external tool.
This can be configured using the ssh command line option.
The default setting is auto, which will use paramiko if it is present and fall back to the platform’s default external tool when it is not.
On most platforms the default external tool is the ssh command, but on MS Windows it is putty plink.
ssh
This mechanism relies on openssh on Posix systems, optionally using sshpass to supply passwords via the command line or connection files.
plink
On MS Windows, the installer will bundle the tortoisesvn version of PuTTY plink which includes a more user friendly GUI for host key confirmation and password input.
Since this mechanism relies on executing the ssh client program, you can use the same command line options as you normally would and / or use the openssh configuration files for using tunnels, restricting ciphers, etc. ie: --ssh="ssh -x -c blowfish-cbc"
The --exit-ssh switch controls whether the SSH transport is killed when the client terminates. This can be useful if openssh is set up to use connection sharing (see #203 for details).
This backend is built into the client connection code and provides better diagnostics (using the --debug=ssh switch), and it provides a GUI for confirming host keys, entering key passphrases or passwords.
The downside is that since it does not use OpenSSH at all, it does not have the same flexibility, it may require re-confirmation of known hosts and it may not support all the configuration options normally used with OpenSSH.
Paramiko can accept configuration options in the command line. After --ssh=paramiko, add a colon : and then one or more of the available options:
* auth: Specify the authentication methods used, in the order that they will be used. Available values: agent, key, password, none. e.g.: --ssh=paramiko:auth=agent+key
* stricthostkeychecking: See man ssh_config -> StrictHostKeyChecking. Available values: yes (default), no. e.g.: --ssh=paramiko:stricthostkeychecking=no
Multiple options can be given as a comma-separated string, e.g.:
--ssh=paramiko:auth=agent+key,stricthostkeychecking=no
You can specify the password to use on the command line URI:
xpra attach ssh://USERNAME:PASSWORD@HOSTNAME/
But this exposes the password in the process list: obfuscate passwords
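A lint for the --ssh=paramiko:... option syntax and the password-in-URI form described above, as an added example (not xpra's own parser; the function names and sample command lines are assumptions made for illustration). It validates the option string against the values listed on this page and flags the two settings that weaken the connection: stricthostkeychecking=no and a password embedded in the ssh:// URI.

```python
import re
import shlex

# Option names and values as listed above for --ssh=paramiko:...
PARAMIKO_OPTIONS = {"auth": {"agent", "key", "password", "none"},
                    "stricthostkeychecking": {"yes", "no"}}
# Matches ssh://USERNAME:PASSWORD@HOST/ (a password embedded in the URI)
URI_PASSWORD = re.compile(r"^ssh://[^/@:]+:[^/@]+@")

def parse_paramiko_options(value):
    """Split 'paramiko:k=v,k=v' into a dict; raise ValueError on bad input."""
    backend, _, optstr = value.partition(":")
    if backend != "paramiko":
        raise ValueError(f"not the paramiko backend: {backend!r}")
    options = {}
    for item in filter(None, optstr.split(",")):
        key, sep, val = item.partition("=")
        if not sep or key not in PARAMIKO_OPTIONS:
            raise ValueError(f"unknown option: {item!r}")
        values = val.split("+") if key == "auth" else [val]  # '+' joins auth methods
        if any(v not in PARAMIKO_OPTIONS[key] for v in values):
            raise ValueError(f"invalid value for {key}: {val!r}")
        options[key] = values if key == "auth" else val
    return options

def audit_command(cmdline):
    """Return a list of findings for one xpra client command line."""
    findings = []
    for arg in shlex.split(cmdline):
        if URI_PASSWORD.match(arg):
            findings.append("password in URI is visible in the process list")
        if arg.startswith("--ssh=paramiko"):
            try:
                opts = parse_paramiko_options(arg[len("--ssh="):])
                if opts.get("stricthostkeychecking") == "no":
                    findings.append("host key checking is disabled")
            except ValueError as e:
                findings.append(f"invalid --ssh option: {e}")
    return findings

# Constructed sample command lines, not taken from a real system
SAMPLES = [
    "xpra attach ssh://alice@host.example/ --ssh=paramiko:auth=agent+key",
    "xpra attach ssh://alice:hunter2@host.example/",
    "xpra attach ssh://host.example:10000/ --ssh=paramiko:stricthostkeychecking=no",
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_command(sample) or "ok", "<-", sample)
```

The same check can be run over shell history, wrapper scripts or launcher files to find clients that skip host key verification or pass passwords on the command line.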