X2Go Bug report logs - #1253
ssh broker : bad error feedback in interaction mode

Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Walid MOGHRABI <w.moghrabi@servicemagic.eu>

Date: Tue, 13 Feb 2018 18:35:02 UTC

Severity: normal

Found in version 4.1.1.1


Report forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#1253; Package x2gobroker-ssh. (Tue, 13 Feb 2018 18:35:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Walid MOGHRABI <w.moghrabi@servicemagic.eu>:
New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>.

Your message specified a Severity: in the pseudo-header, but the severity value bug was not recognised. The default severity normal is being used instead. The recognised values are: critical, grave, important, normal, minor, wishlist.

(Tue, 13 Feb 2018 18:35:02 GMT) Full text and rfc822 format available.


Message #5 received at submit@bugs.x2go.org (full text, mbox):

From: Walid MOGHRABI <w.moghrabi@servicemagic.eu>
To: submit@bugs.x2go.org
Subject: ssh broker : bad error feedback in interaction mode
Date: Tue, 13 Feb 2018 19:29:45 +0100 (CET)
package: x2gobroker-ssh
version: 0.0.4.0-0~972~ubuntu16.04.1
priority: bug

Using the ssh broker is great because it adds the ability for the x2goclient to interact with the auth mechanism such as PAM so that you get notified that you need to renew a password for example.
This is great but it doesn't always work well.

For example, the user doesn't get the reason why the access is denied.

Here are different tests I made based on the following setup : x2gobroker in ssh mode with local PAM auth based on Samba Winbind/Kerberos.

I tried both situations to compare :
* with the x2goclient in broker-ssh mode
* with a term trying to connect through SSH


1) Account set for password change with temporary password in Active Directory, user types wrong password (neither old nor new one)
* with x2goclient: get message "Access denied. Authentication that can continue: publickey,password,keyboard-interactive"
* with term : "Your account has been locked. Please contact your System administrator. Password: "


2) Account set for password change with temporary password in Active Directory, user types good password

* with x2goclient: get a new password form in order to type (and confirm) the new password. Resetting password works and you get logged in to the broker with the sessions list displayed.
However, if you click on the "cancel" button, x2goclient freezes and must be killed, you're not sent back to the login form.
On the other hand, if you change your password and are then logged in, clicking on the session slot fails because this is the old password that is relayed to the session slot and not the new one. When it fails, you get a new login form to enter your password again, if you type the new password there, it works.

* with term: 
    "Password: ******"
    "Password expired.  You must change it now."
    "Enter new password: ******"
    "Enter it again: ******"
If you cancel (ctrl+c), nothing happens and you get back to the prompt.
If you enter the good old password, you're prompted to change it then you're logged in.
If you enter the wrong password, you're prompted to retry 2 times then you get this message "Your account has been locked. Please contact your System administrator" (this is our security policy, this is normal behaviour, 2 fails then blocked for 10mn).


3) Account disabled in Active Directory
* with x2goclient: get message "Access denied. Authentication that can continue: publickey,password,keyboard-interactive"
* with term : "Your account has been locked. Please contact your System administrator. Password: "


Would be great to fix the issues in 2) and would be great to retrieve the error message directly from PAM so that we get the reason.

Regards,
Walid Moghrabi

TRAVAUX.COM
BAT I - PARC CEZANNE 2 290 AVENUE GALILEE - CS 80403
13591 AIX EN PROVENCE CEDEX 3


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#1253; Package x2gobroker-ssh. (Tue, 15 May 2018 15:35:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Tue, 15 May 2018 15:35:02 GMT) Full text and rfc822 format available.

Message #10 received at 1253@bugs.x2go.org (full text, mbox):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Walid MOGHRABI <w.moghrabi@servicemagic.eu>, 1253@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#1253: ssh broker : bad error feedback in interaction mode
Date: Tue, 15 May 2018 15:32:32 +0000
Control: reassign -1 x2goclient
Control: found -1 4.1.1.1

On Tue 13 Feb 2018 19:29:45 CET, Walid MOGHRABI wrote:

> package: x2gobroker-ssh
> version: 0.0.4.0-0~972~ubuntu16.04.1
> priority: bug
>
> Using the ssh broker is great because it adds the ability for the  
> x2goclient to interact with the auth mechanism such as PAM so that  
> you get notified that you need to renew a password for example.
> This is great but it doesn't always work well.
>
> For example, the user doesn't get the reason why the access is denied.
>
> Here are different tests I made based on the following setup :  
> x2gobroker in ssh mode with local PAM auth based on Samba  
> Winbind/Kerberos.
>
> I tried both situations to compare :
> * with the x2goclient in broker-ssh mode
> * with a term trying to connect through SSH
>
>
> 1) Account set for password change with temporary password in Active  
> Directory, user types wrong password (neither old nor new one)
> * with x2goclient: get message "Access denied. Authentication that  
> can continue: publickey,password,keyboard-interactive"
> * with term : "Your account has been locked. Please contact your  
> System administrator. Password: "
>
>
> 2) Account set for password change with temporary password in Active  
> Directory, user types good password
>
> * with x2goclient: get a new password form in order to type (and
> confirm) the new password. Resetting password works and you get
> logged in to the broker with the sessions list displayed.
> However, if you click on the "cancel" button, x2goclient freezes and
> must be killed, you're not sent back to the login form.
> On the other hand, if you change your password and are then logged
> in, clicking on the session slot fails because this is the old
> password that is relayed to the session slot and not the new one.  
> When it fails, you get a new login form to enter your password  
> again, if you type the new password there, it works.
>
> * with term:
>     "Password: ******"
>     "Password expired.  You must change it now."
>     "Enter new password: ******"
>     "Enter it again: ******"
> If you cancel (ctrl+c), nothing happens and you get back to the prompt.
> If you enter the good old password, you're prompted to change it
> then you're logged in.
> If you enter the wrong password, you're prompted to retry 2 times then
> you get this message "Your account has been locked. Please contact
> your System administrator" (this is our security policy, this is
> normal behaviour, 2 fails then blocked for 10mn).
>
>
> 3) Account disabled in Active Directory
> * with x2goclient: get message "Access denied. Authentication that  
> can continue: publickey,password,keyboard-interactive"
> * with term : "Your account has been locked. Please contact your  
> System administrator. Password: "
>
>
> Would be great to fix the issues in 2) and would be great to  
> retrieve the error message directly from PAM so that we get the  
> reason.

Most of this is unrelated to X2Go Broker. It needs to be worked on in  
X2Go Client.

Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

Bug reassigned from package 'x2gobroker-ssh' to 'x2goclient'. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to 1253-submit@bugs.x2go.org. (Tue, 15 May 2018 15:35:02 GMT) Full text and rfc822 format available.

No longer marked as found in versions 0.0.4.0-0~972~ubuntu16.04.1. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to 1253-submit@bugs.x2go.org. (Tue, 15 May 2018 15:35:02 GMT) Full text and rfc822 format available.

Marked as found in versions 4.1.1.1. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to 1253-submit@bugs.x2go.org. (Tue, 15 May 2018 15:35:02 GMT) Full text and rfc822 format available.


X2Go Developers <owner@bugs.x2go.org>. Last modified: Tue Dec 11 06:44:56 2018; Machine Name: ymir.das-netzwerkteam.de
