From: Mike Gabriel
To: Walid MOGHRABI, 1183@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#1183: Bug#1183: Pass broker creds to RDP client as plaintext
Date: Sat, 03 Jun 2017 21:48:36 +0000

Hi Walid,

On Do 01 Jun 2017 10:46:55 CEST, Walid MOGHRABI wrote:

> I'll take your requests into account but just to clarify:
>
>> 1. Please split up the RDP broker creds as session creds from the
>> --close-disconnect change.
>
> This little fix is related to this support since, in that particular
> case which is broker mode + RDP session + --close-disconnect
> activated, you couldn't have a one time authentication (at broker
> auth).
> For that "one time auth" to work, I need a way to pass broker
> credentials to the session and to close the client at the end of the
> session in order to force a re-auth at broker login.
> Without the --close-disconnect fix, I can pass my credentials to the
> RDP session but when finishing the session, I'm still on the broker
> page with my session list and I don't re-auth which is what I wanted.
> I can easily split these patches since they are quite clearly
> separated but I thought they were related to the same need that's
> why I kept them together.

Please split off the change for --close-disconnect into a separate commit.

>> 2. Please let the cmdline option start with --broker-...
>>
>> --broker-use-creds-for-session
>
> ok
>
>> 3. Don't limit this functionality to RDP sessions only. It is
>> useful for all sorts of session
>> types (X2Go, DirectRDP, DirectXDMCP if already in (there were
>> rumours about such a new feature)).
>
> Well, I'm not aware of XDMCP and have nothing under my hand to test it.
> This patch affects RDP sessions only in fact because X2Go sessions
> have their own way to pass credentials from broker to x2go server
> with the intermediate key auth so using this method for this kind of
> session is purely useless.
> On the other hand, RDP sessions have no such key authentication
> available so it is necessary to pass credentials as plaintext to
> xfreerdp/rdesktop because in the case of the broker mode only, when
> clicking on the session profile, the client is waiting for the
> credentials but you are not prompted for them so the client stays
> stuck in an unusable situation.
> So really, this is a "broker + RDP only" method that's why I
> precised this was for RDP only in order not to confuse users who
> might think this could be used for any type of connection.
>
> I'll modify the cmdline option name and wait for your comments on my
> precisions.
>

IMHO, the --broker-use-creds-for-session could be a nice and cheap
alternative to setting up x2gobroker-agent based authentication.
So, it would be nice to have it working for X2Go and RDP sessions.

Thanks,
Mike
-- 
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de