X2Go Bug report logs - #1253
ssh broker : bad error feedback in interaction mode

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.x2go.org (full text, mbox, reply):

From: Walid MOGHRABI <w.moghrabi@servicemagic.eu>

To: submit@bugs.x2go.org

Subject: ssh broker : bad error feedback in interaction mode

Date: Tue, 13 Feb 2018 19:29:45 +0100 (CET)

package: x2gobroker-ssh
version: 0.0.4.0-0~972~ubuntu16.04.1
priority: bug

Using the ssh broker is great because it adds the ability for the x2goclient to interact with the auth mechanism such as PAM so that you get notified that you need to renew a password for example.
This is great but it doesn't always work well.

For example, the user don't get the reason why the access is denied.

Here are different tests I made based on the following setup : x2gobroker in ssh mode with local PAM auth based on Samba Winbind/Kerberos.

I tried both situations to compare :
* with the x2goclient in broker-ssh mode
* with a term rying to connect through SSH


1) Account set for password change with temporary password in Active Directory, user type wrong password (neither old or new one)
* with x2goclient: get message "Access denied. Authentication that can continue: publickey,password,keyboard-interactive"
* with term : "Your account has been locked. Please contact your System administrator. Password: "


2) Account set for password change with temporary password in Active Directory, user type good password

* with x2goclient: get a new password form in order to type (and confirm) the new password. Reseting password works and you get logged in to the broker with the sessions list displayed.
However, if you click on the "cancel" button, x2goclient freeze and must be killed, you're not sent back to the login form.
On the other hand, if you change your password and then be logged in, clicking on the session slot fails because this is the old password that is relayed to the session slot and not the new one. When it fails, you get a new login form to enter your password again, if you type the new password there, it works.

* with term: 
    "Password: ******"
    "Password expired.  You must change it now."
    "Enter new password: ******"
    "Enter it again: ******"
If you cancel (ctrl+c), nothing happen and you get back to the prompt.
If you enter the good old password, you're prompted to change it then you're logged in.
If you enter the wrong password, your prompted to retry 2 times then you get this message "Your account has been locked. Please contact your System administrator" (this is our security policy, this is normal behaviour, 2 fauils then blocked for 10mn.


3) Account disabled in Active Directory
* with x2goclient: get message "Access denied. Authentication that can continue: publickey,password,keyboard-interactive"
* with term : "Your account has been locked. Please contact your System administrator. Password: "


Would be great to fix the issues in 2) and would be great to retrieve the error message directly from PAM so that we get the reason.

Regards,
Walid Moghrabi

TRAVAUX.COM
BAT I - PARC CEZANNE 2 290 AVENUE GALILEE - CS 80403
13591 AIX EN PROVENCE CEDEX 3
---
DISCLAIMER: This e-mail is private and confidential and may contain proprietary or legally privileged information. It is for the intended recipient only. If you have received this email in error, please notify the author by replying to it and then destroy it. If you are not the intended recipient you must not use, disclose, distribute, copy, print or rely on this e-mail or any attachment. Thank you

Message #10 received at 1253@bugs.x2go.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

To: Walid MOGHRABI <w.moghrabi@servicemagic.eu>, 1253@bugs.x2go.org

Subject: Re: [X2Go-Dev] Bug#1253: ssh broker : bad error feedback in interaction mode

Date: Tue, 15 May 2018 15:32:32 +0000

[Message part 1 (text/plain, inline)]

Control: reassign -1 x2goclient
Control: found -1 4.1.1.1

On  Di 13 Feb 2018 19:29:45 CET, Walid MOGHRABI wrote:

> package: x2gobroker-ssh
> version: 0.0.4.0-0~972~ubuntu16.04.1
> priority: bug
>
> Using the ssh broker is great because it adds the ability for the  
> x2goclient to interact with the auth mechanism such as PAM so that  
> you get notified that you need to renew a password for example.
> This is great but it doesn't always work well.
>
> For example, the user don't get the reason why the access is denied.
>
> Here are different tests I made based on the following setup :  
> x2gobroker in ssh mode with local PAM auth based on Samba  
> Winbind/Kerberos.
>
> I tried both situations to compare :
> * with the x2goclient in broker-ssh mode
> * with a term rying to connect through SSH
>
>
> 1) Account set for password change with temporary password in Active  
> Directory, user type wrong password (neither old or new one)
> * with x2goclient: get message "Access denied. Authentication that  
> can continue: publickey,password,keyboard-interactive"
> * with term : "Your account has been locked. Please contact your  
> System administrator. Password: "
>
>
> 2) Account set for password change with temporary password in Active  
> Directory, user type good password
>
> * with x2goclient: get a new password form in order to type (and  
> confirm) the new password. Reseting password works and you get  
> logged in to the broker with the sessions list displayed.
> However, if you click on the "cancel" button, x2goclient freeze and  
> must be killed, you're not sent back to the login form.
> On the other hand, if you change your password and then be logged  
> in, clicking on the session slot fails because this is the old  
> password that is relayed to the session slot and not the new one.  
> When it fails, you get a new login form to enter your password  
> again, if you type the new password there, it works.
>
> * with term:
>     "Password: ******"
>     "Password expired.  You must change it now."
>     "Enter new password: ******"
>     "Enter it again: ******"
> If you cancel (ctrl+c), nothing happen and you get back to the prompt.
> If you enter the good old password, you're prompted to change it  
> then you're logged in.
> If you enter the wrong password, your prompted to retry 2 times then  
> you get this message "Your account has been locked. Please contact  
> your System administrator" (this is our security policy, this is  
> normal behaviour, 2 fauils then blocked for 10mn.
>
>
> 3) Account disabled in Active Directory
> * with x2goclient: get message "Access denied. Authentication that  
> can continue: publickey,password,keyboard-interactive"
> * with term : "Your account has been locked. Please contact your  
> System administrator. Password: "
>
>
> Would be great to fix the issues in 2) and would be great to  
> retrieve the error message directly from PAM so that we get the  
> reason.

Most of this is unrelated to X2Go Broker. It needs to be worked on in  
X2Go Client.

Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

[Message part 2 (application/pgp-signature, inline)]

Send a report that this bug log contains spam.