Subject: Bug#1253: ssh broker : bad error feedback in interaction mode
From: Walid MOGHRABI
To: submit@bugs.x2go.org
Date: Tue, 13 Feb 2018 19:29:45 +0100 (CET)

package: x2gobroker-ssh
version: 0.0.4.0-0~972~ubuntu16.04.1
priority: bug

Using the ssh broker is great because it adds the ability for the x2goclient to interact with the auth mechanism such as PAM so that you get notified that you need to renew a password for example.
This is great but it doesn't always work well.

For example, the user doesn't get the reason why the access is denied.

Here are different tests I made based on the following setup: x2gobroker in ssh mode with local PAM auth based on Samba Winbind/Kerberos.

I tried both situations to compare:
* with the x2goclient in broker-ssh mode
* with a term trying to connect through SSH


1) Account set for password change with temporary password in Active Directory, user types wrong password (neither old nor new one)
* with x2goclient: get message "Access denied. Authentication that can continue: publickey,password,keyboard-interactive"
* with term: "Your account has been locked. Please contact your System administrator. Password: "


2) Account set for password change with temporary password in Active Directory, user types good password

* with x2goclient: get a new password form in order to type (and confirm) the new password. Resetting the password works and you get logged in to the broker with the sessions list displayed.
However, if you click on the "cancel" button, x2goclient freezes and must be killed, you're not sent back to the login form.
On the other hand, if you change your password and are then logged in, clicking on the session slot fails because this is the old password that is relayed to the session slot and not the new one. When it fails, you get a new login form to enter your password again, if you type the new password there, it works.

* with term:
"Password: ******"
"Password expired. You must change it now."
"Enter new password: ******"
"Enter it again: ******"
If you cancel (ctrl+c), nothing happens and you get back to the prompt.
If you enter the good old password, you're prompted to change it then you're logged in.
If you enter the wrong password, you're prompted to retry 2 times then you get this message "Your account has been locked. Please contact your System administrator" (this is our security policy, this is normal behaviour, 2 fails then blocked for 10mn).


3) Account disabled in Active Directory
* with x2goclient: get message "Access denied. Authentication that can continue: publickey,password,keyboard-interactive"
* with term: "Your account has been locked. Please contact your System administrator. Password: "


Would be great to fix the issues in 2) and would be great to retrieve the error message directly from PAM so that we get the reason.

Regards,

Walid Moghrabi
TRAVAUX.COM
BAT I - PARC CEZANNE 2
290 AVENUE GALILEE - CS 80403
13591 AIX EN PROVENCE CEDEX 3


Subject: Bug#1253: [X2Go-Dev] Bug#1253: ssh broker : bad error feedback in interaction mode
From: Mike Gabriel
To: Walid MOGHRABI, 1253@bugs.x2go.org
Date: Tue, 15 May 2018 15:32:32 +0000

Control: reassign -1 x2goclient
Control: found -1 4.1.1.1

On Tue 13 Feb 2018 19:29:45 CET, Walid MOGHRABI wrote:

> package: x2gobroker-ssh
> version: 0.0.4.0-0~972~ubuntu16.04.1
> priority: bug
>
> Using the ssh broker is great because it adds the ability for the
> x2goclient to interact with the auth mechanism such as PAM so that
> you get notified that you need to renew a password for example.
> This is great but it doesn't always work well.
>
> For example, the user doesn't get the reason why the access is denied.
>
> Here are different tests I made based on the following setup:
> x2gobroker in ssh mode with local PAM auth based on Samba
> Winbind/Kerberos.
>
> I tried both situations to compare:
> * with the x2goclient in broker-ssh mode
> * with a term trying to connect through SSH
>
>
> 1) Account set for password change with temporary password in Active
> Directory, user types wrong password (neither old nor new one)
> * with x2goclient: get message "Access denied. Authentication that
> can continue: publickey,password,keyboard-interactive"
> * with term: "Your account has been locked. Please contact your
> System administrator. Password: "
>
>
> 2) Account set for password change with temporary password in Active
> Directory, user types good password
>
> * with x2goclient: get a new password form in order to type (and
> confirm) the new password. Resetting the password works and you get
> logged in to the broker with the sessions list displayed.
> However, if you click on the "cancel" button, x2goclient freezes and
> must be killed, you're not sent back to the login form.
> On the other hand, if you change your password and are then logged
> in, clicking on the session slot fails because this is the old
> password that is relayed to the session slot and not the new one.
> When it fails, you get a new login form to enter your password
> again, if you type the new password there, it works.
>
> * with term:
> "Password: ******"
> "Password expired. You must change it now."
> "Enter new password: ******"
> "Enter it again: ******"
> If you cancel (ctrl+c), nothing happens and you get back to the prompt.
> If you enter the good old password, you're prompted to change it
> then you're logged in.
> If you enter the wrong password, you're prompted to retry 2 times then
> you get this message "Your account has been locked. Please contact
> your System administrator" (this is our security policy, this is
> normal behaviour, 2 fails then blocked for 10mn).
>
>
> 3) Account disabled in Active Directory
> * with x2goclient: get message "Access denied. Authentication that
> can continue: publickey,password,keyboard-interactive"
> * with term: "Your account has been locked. Please contact your
> System administrator. Password: "
>
>
> Would be great to fix the issues in 2) and would be great to
> retrieve the error message directly from PAM so that we get the
> reason.

Most of this is unrelated to X2Go Broker. It needs to be worked on in
X2Go Client.

Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
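
Added example (not part of the thread, and not X2Go or libssh code): the report asks for the PAM reason to reach the user. With keyboard-interactive authentication (RFC 4256) the server's text travels in the instruction and prompt fields of SSH_MSG_USERAUTH_INFO_REQUEST, so a client can separate notices from input labels as sketched here. The function names, the notice-then-newline-then-label layout and the SAMPLE bytes are assumptions constructed for illustration.

```python
import struct

SSH_MSG_USERAUTH_INFO_REQUEST = 60  # RFC 4256, section 3.2

def read_string(buf, off):
    """Read one SSH string (uint32 length + bytes); return (text, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("truncated string field")
    return buf[off + 4:end].decode("utf-8", "replace"), end

def parse_info_request(payload):
    """Return (name, instruction, [(prompt, echo), ...]) from an info request."""
    if not payload or payload[0] != SSH_MSG_USERAUTH_INFO_REQUEST:
        raise ValueError("not SSH_MSG_USERAUTH_INFO_REQUEST")
    name, off = read_string(payload, 1)
    instruction, off = read_string(payload, off)
    _lang, off = read_string(payload, off)  # language tag, unused here
    (count,) = struct.unpack_from(">I", payload, off)
    off += 4
    prompts = []
    for _ in range(count):
        text, off = read_string(payload, off)
        if off >= len(payload):
            raise ValueError("missing echo flag")
        prompts.append((text, payload[off] != 0))
        off += 1
    return name, instruction, prompts

def notices_and_fields(payload):
    """Split text meant for display from the labels of the input fields."""
    _name, instruction, prompts = parse_info_request(payload)
    notices = [instruction.strip()] if instruction.strip() else []
    fields = []
    for text, echo in prompts:
        # Assumption: notice lines precede the label, separated by newlines.
        *lead, label = text.rstrip("\n").split("\n")
        notices += [line.strip() for line in lead if line.strip()]
        fields.append((label.strip(), echo))
    return notices, fields

def ssh_string(text):
    return struct.pack(">I", len(text.encode())) + text.encode()

# Constructed sample: empty name/instruction/language, one hidden-input prompt.
SAMPLE = (bytes([60]) + ssh_string("") * 3 + struct.pack(">I", 1)
          + ssh_string("Your account has been locked. Please contact your "
                       "System administrator.\nPassword: ") + b"\x00")
print(notices_and_fields(SAMPLE))
```

A graphical client would show the notices next to the password form instead of only reporting the final authentication failure.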