X2Go Bug report logs - #141
X2Gobroker: session autologin does not work

Toggle useless messages

Message #5 received at submit@bugs.x2go.org (full text, mbox, reply):

From: Anders Bruun Olsen <abo@dsl.dk>

To: submit@bugs.x2go.org

Subject: X2Gobroker: session autologin does not work

Date: Thu, 7 Mar 2013 10:50:13 +0100

[Message part 1 (text/plain, inline)]

Package: x2gobroker
Version: 0.0.0.7

When broker-session-autologin=true is set for a profile, a temp
ssh-key-pair is generated. The pubkey is added to %h/.x2go/authorized_keys
on the term-server and the private key is given to x2goclient.
Unfortunately this does not seem to work for us. When we try to login this
way, a dialog box is shown, asking for a "passphrase to decrypt a key".
At first in our test-setup we thought this worked, because I already had
password-less login to the terminal-servers using ssh-keys. As soon as I
move my .ssh dir, this other problem occurs. It also occurs for for users
without any ssh-keys setup. I can see that the pubkey is successfully added
(and removed after 20 seconds) on the term-server in
$HOME/.x2go/authorized_keys. The sshd on the term-server is set to also
look in %h/.x2go/authorized_keys.

-- 
Anders Bruun Olsen
It-ansvarlig
Det Danske Sprog- og Litteraturselskab
(Society for Danish Language and Literature)

[Message part 2 (text/html, inline)]

Message #10 received at 141@bugs.x2go.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

To: Anders Bruun Olsen <abo@dsl.dk>, 141@bugs.x2go.org

Cc: control@bugs.x2go.org

Subject: Re: [X2Go-Dev] Bug#141: X2Gobroker: session autologin does not work

Date: Thu, 07 Mar 2013 11:55:59 +0100

[Message part 1 (text/plain, inline)]

reassign #141 x2goclient
found #141 4.0.0.4
tag #141 moreinfo
thanks

Hi Anders,

I suspect that this is not a broker issue.

On Do 07 Mär 2013 10:50:13 CET Anders Bruun Olsen wrote:

> When broker-session-autologin=true is set for a profile, a temp
> ssh-key-pair is generated. The pubkey is added to %h/.x2go/authorized_keys
> on the term-server and the private key is given to x2goclient.
> Unfortunately this does not seem to work for us. When we try to login this
> way, a dialog box is shown, asking for a "passphrase to decrypt a key".
> At first in our test-setup we thought this worked, because I already had
> password-less login to the terminal-servers using ssh-keys.

ACK.

> As soon as I
> move my .ssh dir, this other problem occurs. It also occurs for for users

What do you mean by ,,as soon as I move my .ssh dir''. I think that  
this point may be crucial to fix this bug.

> without any ssh-keys setup. I can see that the pubkey is successfully added
> (and removed after 20 seconds) on the term-server in
> $HOME/.x2go/authorized_keys. The sshd on the term-server is set to also
> look in %h/.x2go/authorized_keys.

Ack.

Mike



-- 

DAS-NETZWERKTEAM
mike gabriel, rothenstein 5, 24214 neudorf-bornstein
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

[Message part 2 (application/pgp-signature, inline)]

Message #23 received at 141@bugs.x2go.org (full text, mbox, reply):

From: Anders Bruun Olsen <abo@dsl.dk>

To: 141@bugs.x2go.org

Subject: Bug#141: X2Gobroker: session autologin does not work

Date: Thu, 7 Mar 2013 13:42:08 +0100

[Message part 1 (text/plain, inline)]

This problem was partially fixed by clearing my .x2go and .x2goclient dirs,
meaning it might be a combination of ecdsa keys in .ssh and something in
.x2go*.

There is still the problem where x2goclient asks for a passphrase and you
have to click cancel (pressing escape will result in an "authentication
failed" dialog).

-- 
Anders Bruun Olsen
It-ansvarlig
Det Danske Sprog- og Litteraturselskab
(Society for Danish Language and Literature)

[Message part 2 (text/html, inline)]

Message #28 received at 141@bugs.x2go.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

To: 141@bugs.x2go.org

Cc: control@bugs.x2go.org

Subject: Fwd: [X2Go-Dev] autologin with x2goclient in broker-mode: analysis and fix for "enter passphrase"-bug

Date: Sat, 20 Apr 2013 20:52:39 +0200

[Message part 1 (text/plain, inline)]

tag #141 - moreinfo
thanks

Detailed analysis from Anders below...

----- Weitergeleitete Nachricht von abo@dsl.dk -----
     Datum: Fri, 19 Apr 2013 16:16:47 +0200
       Von: Anders Bruun Olsen <abo@dsl.dk>
Antwort an: x2go-dev@lists.berlios.de
   Betreff: [X2Go-Dev] autologin with x2goclient in broker-mode:  
analysis and fix for "enter passphrase"-bug
        An: x2go-dev <x2go-dev@lists.berlios.de>

Hi guys,

I just spent most of the day digging through source code for x2goclient
(reminds my why I code Python rather than C++ :) ), trying to understand
why the "enter passphrase" dialog box appears when the broker is set to do
autologin.

Summary of the bug:
x2gobroker can be setup to do autologin of users, to avoid users having to
enter their credentials twice. This is accomplished by the broker placing a
temporary SSH public key in $HOME/.x2go/authorized_keys and handing the
matching private key to the client. This temporary key is then removed
after a short while. Unfortunately, on all machines I have tested with,
including thinclients, x2goclient pops up a dialog box with the text "Enter
passphrase to decrypt a key" after authenticating against the broker and
choosing a session with autologin enabled. Pressing cancel on this dialog
box will on my desktop machine result in the autologin completing and
getting logged in. However on the x2gothinclient I tested with, the dialog
box would just pop up again and again and login would never occur.

Analysis of the bug:
When autologin is enabled, SshMasterConnection::userAuth() will react by
calling userAuthAuto(), which will look for ssh keys and if you, like me,
have an ssh key with a passphrase, it will want to try out this key by
asking for the passphrase (despite having ssh-agent running). If it does
not find a key, it also asks for a passphrase, at least on my system. The
reasons for this aren't really important here, in my oppinion. The
important question here is why it even looks for other keys when the nice
broker has provided a key. Further analysis and testing showed me that
after userAuthAuto() exists without having gotten a proper key loaded (by
pressing Cancel on the dialog box), userAuth() will then test if a key is
loaded. And because httpbrokerclient has recieved a key and put it into the
config-variable, a key IS available. This key is then used for login and
all is good. Looking closer at the code revealed that setting
config->autologin to true was actually not needed at all, and is the
culprit here. If autologin is false, then userAuth() will still see that
there is a key loaded, and happily log in the user.

My naive fix for this bug:
In ONMainWindow::startSession(), make setting the autologin variable
dependent upon not being in brokerMode:

diff --git a/onmainwindow.cpp b/onmainwindow.cpp
index 31dbc17..bc2b70f 100644
--- a/onmainwindow.cpp
+++ b/onmainwindow.cpp
@@ -3249,8 +3249,9 @@ bool ONMainWindow::startSession ( const QString& sid )

     QString cmd=st->setting()->value ( sid+"/command",
                                        ( QVariant ) QString::null
).toString();
-    autologin=st->setting()->value ( sid+"/autologin",
-                                     ( QVariant ) false ).toBool();
+    if (!brokerMode)
+        autologin=st->setting()->value ( sid+"/autologin",
+                                         ( QVariant ) false ).toBool();
     krblogin=st->setting()->value ( sid+"/krblogin",
                                     ( QVariant ) false ).toBool();
 #ifdef Q_OS_LINUX

I can't say what other consequences this might have, not knowing the code
well enough, but initial tests on my system shows that it works. This patch
is against git/master btw.

--
Anders Bruun Olsen
It-ansvarlig
Det Danske Sprog- og Litteraturselskab
(Society for Danish Language and Literature)


----- Ende der weitergeleiteten Nachricht -----


-- 

DAS-NETZWERKTEAM
mike gabriel, rothenstein 5, 24214 neudorf-bornstein
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

[Message part 2 (application/pgp-signature, inline)]

Message #39 received at 141-submitter@bugs.x2go.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

To: 141@bugs.x2go.org

Cc: control@bugs.x2go.org, 141-submitter@bugs.x2go.org

Subject: Re: [X2Go-Dev] Bug#141: Fwd: autologin with x2goclient in broker-mode: analysis and fix for "enter passphrase"-bug

Date: Mon, 22 Apr 2013 01:07:03 +0200

[Message part 1 (text/plain, inline)]

clone #141 -1
retitle -1 missing public SSH key file should throw an error
severity -1 minor
tag #141 pending
fixed #141 4.0.1.1
thanks

Hi Anders,

On Sa 20 Apr 2013 20:52:39 CEST Mike Gabriel wrote:

> Analysis of the bug:
> When autologin is enabled, SshMasterConnection::userAuth() will react by
> calling userAuthAuto(), which will look for ssh keys and if you, like me,
> have an ssh key with a passphrase, it will want to try out this key by
> asking for the passphrase (despite having ssh-agent running). If it does
> not find a key, it also asks for a passphrase, at least on my system. The
> reasons for this aren't really important here, in my oppinion. The
> important question here is why it even looks for other keys when the nice
> broker has provided a key. Further analysis and testing showed me that
> after userAuthAuto() exists without having gotten a proper key loaded (by
> pressing Cancel on the dialog box), userAuth() will then test if a key is
> loaded. And because httpbrokerclient has recieved a key and put it into the
> config-variable, a key IS available. This key is then used for login and
> all is good. Looking closer at the code revealed that setting
> config->autologin to true was actually not needed at all, and is the
> culprit here. If autologin is false, then userAuth() will still see that
> there is a key loaded, and happily log in the user.

Thanks for this detailled analysis. It indeed put me on some trail  
that worked.

> My naive fix for this bug:
> In ONMainWindow::startSession(), make setting the autologin variable
> dependent upon not being in brokerMode:
>
> diff --git a/onmainwindow.cpp b/onmainwindow.cpp
> index 31dbc17..bc2b70f 100644
> --- a/onmainwindow.cpp
> +++ b/onmainwindow.cpp
> @@ -3249,8 +3249,9 @@ bool ONMainWindow::startSession ( const QString& sid )
>
>      QString cmd=st->setting()->value ( sid+"/command",
>                                         ( QVariant ) QString::null
> ).toString();
> -    autologin=st->setting()->value ( sid+"/autologin",
> -                                     ( QVariant ) false ).toBool();
> +    if (!brokerMode)
> +        autologin=st->setting()->value ( sid+"/autologin",
> +                                         ( QVariant ) false ).toBool();
>      krblogin=st->setting()->value ( sid+"/krblogin",
>                                      ( QVariant ) false ).toBool();
>  #ifdef Q_OS_LINUX
>
> I can't say what other consequences this might have, not knowing the code
> well enough, but initial tests on my system shows that it works. This patch
> is against git/master btw.

The above fix is not appropriate as it will disable the autologin  
feature completely when x2goclient is in broker mode. That works for  
your setup, but is not a generic solution.

My approach is here:
http://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=fe4408b12c982b81c56c52f37230865f4e9f41ea

@Alex: please cross-check. Thanks!

Greets,
Mike


-- 

DAS-NETZWERKTEAM
mike gabriel, rothenstein 5, 24214 neudorf-bornstein
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

[Message part 2 (application/pgp-signature, inline)]

Message #49 received at 141@bugs.x2go.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

To: 141-submitter@bugs.x2go.org

Cc: control@bugs.x2go.org, 141@bugs.x2go.org

Subject: X2Go issue (in src:x2goclient) has been marked as closed

Date: Wed, 11 Sep 2013 12:07:07 +0200 (CEST)

close #141
thanks

Hello,

we are very hopeful that X2Go issue #141 reported by you
has been resolved in the new release (4.0.1.1) of the
X2Go source project »src:x2goclient«.

You can view the complete changelog entry of src:x2goclient (4.0.1.1)
below, and you can use the following link to view all the code changes
between this and the last release of src:x2goclient.

    http://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=dad4fcc24868504be24ccc9a3ab0fcac41859080;hp=1b4260f86a6fda01c5263fa3d27504677a3cdfac

If you feel that the issue has not been resolved satisfyingly, feel
free to reopen this bug report or submit a follow-up report with
further observations described based on the new released version
of src:x2goclient.

Thanks a lot for contributing to X2Go!!!

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
X2Go Component: src:x2goclient
Version: 4.0.1.1
Status: RELEASE
Date: Wed, 11 Sep 2013 12:06:02 +0200
Fixes: 141 142 151 164 165 177 179 183 214 222 226 243 255
Changes: 
 x2goclient (4.0.1.1) RELEASED; urgency=low
 .
   [ Nicolai Hansen ]
   * New upstream version (4.0.1.1):
     - Update Danish translation file.
 .
   [ Terje Andersen ]
   * New upstream version (4.0.1.1):
     - Update Norwegian Bokmaal translation file.
 .
   [ Oleksandr Shneyder ]
   * New upstream version (4.0.1.1):
     - Use "127.0.0.1" instead of localhost to avoid wrong IPv6 hostname
       resolution. (Fixes: #151).
     - Wait for x2gocmdexitmessage to return before closing in hidden mode.
     - Support for published applications in X2Go Plugin
     - Support for "shadow" mode in X2Go Plugin
 .
   [ Mike Gabriel ]
   * New upstream version (4.0.1.1):
     - If a priv SSH key has been specified, skip the autologin procedure.
       Let's consider a given SSH private key that fails to log the user
       in as an overall login failure. (Fixes: #141).
     - Avoid multiple selectUserSession requests when in broker
       mode.
     - Properly set the remote server address received via selectUserSession
       method when in broker mode. (Fixes: #226).
     - Fix segmentation fault that started occurring since the custom trayIcon
       patch was applied. Segfault only occurred if the tray icon was not used.
     - Show session name in notification bubbles.
     - Update German translation.
     - Add cmdline option --broker-autologoff: Enforce re-authentication against
       X2Go Session Broker after a session has been suspended or terminated.
       (Fixes: #179).
     - Enable full access desktop sharing across user accounts. (Fixes: #222).
     - Make X2Go Client aware of the MATE desktop environment.
     - Make X2Go Client work in SSH broker mode without the need of a auth-id
       file.
 .
   [ Heinrich Schuchardt ]
   * New upstream version (4.0.1.1):
     - Call ssh_clean_pubkey_hash() for deallocating public key hashes instead of
       just calling free(). Required under MS Windows as documented in libssh2
       API. (Fixes: #243). (For further details see:
       http://api.libssh.org/master/group__libssh__session.html).
   * Provide bin:package with debug symbols for X2Go Client. (Fixes: #255).
 .
   [ Ezra Bühler ]
   * New upstream version (4.0.1.1):
     - Fix auto-resume when session type is »Single Application«. (Fixes: #183).
 .
   [ Ricardo Díaz Martín ]
   * New upstream version (4.0.1.1):
     - Fix detection of maximum screen area available for a session. (Fixes:
       #165).
     - Use the session icon as tray icon, pop up notification bubble that informs
       about current session actions. (Fixes: #177).
     - Allow for setting maximum available desktop size as window size via the
       session profile card. Unfortunately, this feature is for now only
       available on Linux. (Fixes: #214).
 .
   [ Otto Kjell ]
   * New upstream version (4.0.1.1):
     - Enable debug mode through cmd line parameter. (Fixes: #142).
     - Standardize output to stdout+stderr and make it parseable.
 .
   [ Orion Poplawski ]
   * New upstream version (4.0.1.1):
     - Instead of using a hard-code DPI of 96, use local DPI settings for new
       sessions if not explicitly set in session profile (Fixes: #164).
 .
   [ Daniel Lindgren ]
   * New upstream version (4.0.1.1):
     - Update Swedish translation file.
 .
   [ Ricardo Díaz Martín ]
   * New upstream version (4.0.1.1):
     - Update Spanish translation file.

Send a report that this bug log contains spam.