X2Go Bug report logs - #1253
ssh broker : bad error feedback in interaction mode

version graph

Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Walid MOGHRABI <w.moghrabi@servicemagic.eu>

Date: Tue, 13 Feb 2018 18:35:02 UTC

Severity: normal

Found in version 4.1.1.1

Full log


Message #10 received at 1253@bugs.x2go.org (full text, mbox, reply):

Received: (at 1253) by bugs.x2go.org; 15 May 2018 15:32:48 +0000
From mike.gabriel@das-netzwerkteam.de  Tue May 15 17:32:46 2018
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=3.0 tests=BAYES_00,URIBL_BLOCKED
	autolearn=ham autolearn_force=no version=3.4.1
Received: from localhost (localhost [127.0.0.1])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTP id 4F6CB5DAE9
	for <1253@bugs.x2go.org>; Tue, 15 May 2018 17:32:46 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at ymir.das-netzwerkteam.de
Received: from ymir.das-netzwerkteam.de ([127.0.0.1])
	by localhost (ymir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id bRqjn_gZA8iG for <1253@bugs.x2go.org>;
	Tue, 15 May 2018 17:32:37 +0200 (CEST)
Received: from fregna.das-netzwerkteam.de (fregna.das-netzwerkteam.de [148.251.53.130])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id D994A5DACE
	for <1253@bugs.x2go.org>; Tue, 15 May 2018 17:32:37 +0200 (CEST)
Received: from grimnir.das-netzwerkteam.de (grimnir.das-netzwerkteam.de [IPv6:2a01:4f8:202:1381::105])
	by fregna.das-netzwerkteam.de (Postfix) with ESMTPS id AB8CF60532;
	Tue, 15 May 2018 15:32:37 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
	by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id A0581C47EA;
	Tue, 15 May 2018 17:32:37 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at grimnir.das-netzwerkteam.de
Received: from grimnir.das-netzwerkteam.de ([127.0.0.1])
	by localhost (grimnir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id KuY4W65f6Gzx; Tue, 15 May 2018 17:32:32 +0200 (CEST)
Received: from das-netzwerkteam.de (localhost [127.0.0.1])
	by grimnir.das-netzwerkteam.de (Postfix) with ESMTPS id 358C4C3434;
	Tue, 15 May 2018 17:32:32 +0200 (CEST)
Received: from bifrost.das-netzwerkteam.de (bifrost.das-netzwerkteam.de
 [178.62.101.154]) by mail.das-netzwerkteam.de (Horde Framework) with HTTPS;
 Tue, 15 May 2018 15:32:32 +0000
Date: Tue, 15 May 2018 15:32:32 +0000
Message-ID: <20180515153232.Horde.4DboKhJ0hynHH7wKBXXLdM1@mail.das-netzwerkteam.de>
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Walid MOGHRABI <w.moghrabi@servicemagic.eu>, 1253@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#1253: ssh broker : bad error feedback in
 interaction mode
References: <1242363712.4618700.1518541999382.JavaMail.root@servicemagic.eu>
 <1155172713.4629662.1518546585375.JavaMail.root@servicemagic.eu>
In-Reply-To: <1155172713.4629662.1518546585375.JavaMail.root@servicemagic.eu>
User-Agent: Horde Application Framework 5
Accept-Language: de,en
Organization: DAS-NETZWERKTEAM
X-Originating-IP: 178.62.101.154
X-Remote-Browser: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101
 Firefox/52.0
Content-Type: multipart/signed; boundary="=_GQME5jP85O5NEAPG_v2t83T";
 protocol="application/pgp-signature"; micalg=pgp-sha256
MIME-Version: 1.0
[Message part 1 (text/plain, inline)]
Control: reassign -1 x2goclient
Control: found -1 4.1.1.1

On  Di 13 Feb 2018 19:29:45 CET, Walid MOGHRABI wrote:

> package: x2gobroker-ssh
> version: 0.0.4.0-0~972~ubuntu16.04.1
> priority: bug
>
> Using the ssh broker is great because it adds the ability for the  
> x2goclient to interact with the auth mechanism such as PAM so that  
> you get notified that you need to renew a password for example.
> This is great but it doesn't always work well.
>
> For example, the user don't get the reason why the access is denied.
>
> Here are different tests I made based on the following setup :  
> x2gobroker in ssh mode with local PAM auth based on Samba  
> Winbind/Kerberos.
>
> I tried both situations to compare :
> * with the x2goclient in broker-ssh mode
> * with a term rying to connect through SSH
>
>
> 1) Account set for password change with temporary password in Active  
> Directory, user type wrong password (neither old or new one)
> * with x2goclient: get message "Access denied. Authentication that  
> can continue: publickey,password,keyboard-interactive"
> * with term : "Your account has been locked. Please contact your  
> System administrator. Password: "
>
>
> 2) Account set for password change with temporary password in Active  
> Directory, user type good password
>
> * with x2goclient: get a new password form in order to type (and  
> confirm) the new password. Reseting password works and you get  
> logged in to the broker with the sessions list displayed.
> However, if you click on the "cancel" button, x2goclient freeze and  
> must be killed, you're not sent back to the login form.
> On the other hand, if you change your password and then be logged  
> in, clicking on the session slot fails because this is the old  
> password that is relayed to the session slot and not the new one.  
> When it fails, you get a new login form to enter your password  
> again, if you type the new password there, it works.
>
> * with term:
>     "Password: ******"
>     "Password expired.  You must change it now."
>     "Enter new password: ******"
>     "Enter it again: ******"
> If you cancel (ctrl+c), nothing happen and you get back to the prompt.
> If you enter the good old password, you're prompted to change it  
> then you're logged in.
> If you enter the wrong password, your prompted to retry 2 times then  
> you get this message "Your account has been locked. Please contact  
> your System administrator" (this is our security policy, this is  
> normal behaviour, 2 fauils then blocked for 10mn.
>
>
> 3) Account disabled in Active Directory
> * with x2goclient: get message "Access denied. Authentication that  
> can continue: publickey,password,keyboard-interactive"
> * with term : "Your account has been locked. Please contact your  
> System administrator. Password: "
>
>
> Would be great to fix the issues in 2) and would be great to  
> retrieve the error message directly from PAM so that we get the  
> reason.

Most of this is unrelated to X2Go Broker. It needs to be worked on in  
X2Go Client.

Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

[Message part 2 (application/pgp-signature, inline)]

Send a report that this bug log contains spam.


X2Go Developers <owner@bugs.x2go.org>. Last modified: Sat Nov 23 23:11:50 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.