From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Walid MOGHRABI, 1253@bugs.x2go.org
Date: Tue, 15 May 2018 15:32:32 +0000
Subject: Re: [X2Go-Dev] Bug#1253: ssh broker : bad error feedback in interaction mode

Control: reassign -1 x2goclient
Control: found -1 4.1.1.1

On Tue 13 Feb 2018 19:29:45 CET, Walid MOGHRABI wrote:

> package: x2gobroker-ssh
> version: 0.0.4.0-0~972~ubuntu16.04.1
> priority: bug
>
> Using the ssh broker is great because it adds the ability for the
> x2goclient to interact with the auth mechanism such as PAM so that
> you get notified that you need to renew a password for example.
> This is great but it doesn't always work well.
>
> For example, the user doesn't get the reason why the access is denied.
>
> Here are different tests I made based on the following setup:
> x2gobroker in ssh mode with local PAM auth based on Samba
> Winbind/Kerberos.
>
> I tried both situations to compare:
> * with the x2goclient in broker-ssh mode
> * with a term trying to connect through SSH
>
>
> 1) Account set for password change with temporary password in Active
> Directory, user types wrong password (neither old nor new one)
> * with x2goclient: get message "Access denied. Authentication that
> can continue: publickey,password,keyboard-interactive"
> * with term : "Your account has been locked. Please contact your
> System administrator. Password: "
>
>
> 2) Account set for password change with temporary password in Active
> Directory, user types good password
>
> * with x2goclient: get a new password form in order to type (and
> confirm) the new password. Resetting password works and you get
> logged in to the broker with the sessions list displayed.
> However, if you click on the "cancel" button, x2goclient freezes and
> must be killed, you're not sent back to the login form.
> On the other hand, if you change your password and then are logged
> in, clicking on the session slot fails because this is the old
> password that is relayed to the session slot and not the new one.
> When it fails, you get a new login form to enter your password
> again, if you type the new password there, it works.
>
> * with term:
> "Password: ******"
> "Password expired. You must change it now."
> "Enter new password: ******"
> "Enter it again: ******"
> If you cancel (ctrl+c), nothing happens and you get back to the prompt.
> If you enter the good old password, you're prompted to change it
> then you're logged in.
> If you enter the wrong password, you're prompted to retry 2 times then
> you get this message "Your account has been locked. Please contact
> your System administrator" (this is our security policy, this is
> normal behaviour, 2 fails then blocked for 10mn).
>
>
> 3) Account disabled in Active Directory
> * with x2goclient: get message "Access denied. Authentication that
> can continue: publickey,password,keyboard-interactive"
> * with term : "Your account has been locked. Please contact your
> System administrator. Password: "
>
>
> Would be great to fix the issues in 2) and would be great to
> retrieve the error message directly from PAM so that we get the
> reason.

Most of this is unrelated to X2Go Broker. It needs to be worked on in
X2Go Client.

Mike
-- 
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de