Subject: Bug#1323: SSH proxy connection doesn't work for tunnel only accounts
From: Pajula Juha
To: 1323@bugs.x2go.org
Date: Tue, 3 Mar 2020 09:57:56 +0000
X-X2Go-PR-Message: followup 1323
X-X2Go-PR-Package: x2goclient

On Tue, 21 Aug 2018 16:38:24 +0300 Arcadie Cracan wrote:
> Package: x2goclient
> Version: 4.1.2.1
> Tag: patch
>
> I use a ssh proxy server that allows only tunnel connections (i.e. doesn't
> allow the users to use the shell). After upgrading from Ubuntu 16.04 to
> 18.04 x2goclient stopped working with my ssh proxy server.
>
> I believe the reason for this is the call to the "checkLogin()" function
> even for ssh proxy connections (which in my opinion is not necessary).
>
> I attach a patch that makes x2goclient skip the checkLogin() call (as it
> does for kerberos connections) for the ssh proxy connection.
>
> Thank you for considering this patch.
>
> Kind regards,
> Arcadie Cracan

I can confirm that the bug still exists in the latest version 4.1.2.2-2020.02.13.

It prevents using newer versions of X2GO (4.1.x) with bastion host type of ssh proxies where the proxy account is jailed to use only ssh (no shell is allowed).

The connections work fine with version 4.0.5.2-2016.09.20, but not newer.

This is clearly visible in the debug messages with the latest version:

x2go-DEBUG-../src/sshmasterconnection.cpp:943> state: 1
x2go-DEBUG-../src/sshmasterconnection.cpp:676> Setting SSH directory to C:/xxxxxxx
x2go-DEBUG-../src/sshmasterconnection.cpp:1324> Trying to authenticate user with private key.
x2go-DEBUG-../src/sshmasterconnection.cpp:1507> Authenticating with key: 0
x2go-DEBUG-../src/sshmasterconnection.cpp:687> User authentication OK.
x2go-DEBUG-../src/sshmasterconnection.cpp:1708> LOGIN CHECK:"This account is currently not available.
"
x2go-DEBUG-../src/sshmasterconnection.cpp:1744> LOOP FINISHED
x2go-DEBUG-../src/sshmasterconnection.cpp:1754> Reconnect session
x2go-DEBUG-../src/sshmasterconnection.cpp:707> Login Check - Failed
x2go-DEBUG-../src/onmainwindow.cpp:3051> SSH Session prompt:"This account is currently not available.
"
x2go-DEBUG-../src/onmainwindow.cpp:3054> SSH Session interaction
x2go-DEBUG-../src/sshmasterconnection.cpp:437> SSH proxy interaction finished

Regards,
-Juha Pajula

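A log-triage helper for the debug output in the message above, added here as an example (it is not X2Go code and not part of the original message): it tells "authentication failed" apart from "authentication succeeded but the post-login check was rejected", which is the pattern a tunnel-only proxy account produces. The function names and verdict strings are assumptions of this example; the sample lines are a subset of those in the message.

```python
import re

# Subset of the debug lines from the message above; the quoted prompt spans two lines.
SAMPLE_LOG = '''\
x2go-DEBUG-../src/sshmasterconnection.cpp:1324> Trying to authenticate user with private key.
x2go-DEBUG-../src/sshmasterconnection.cpp:1507> Authenticating with key: 0
x2go-DEBUG-../src/sshmasterconnection.cpp:687> User authentication OK.
x2go-DEBUG-../src/sshmasterconnection.cpp:1708> LOGIN CHECK:"This account is currently not available.
"
x2go-DEBUG-../src/sshmasterconnection.cpp:1744> LOOP FINISHED
x2go-DEBUG-../src/sshmasterconnection.cpp:1754> Reconnect session
x2go-DEBUG-../src/sshmasterconnection.cpp:707> Login Check - Failed
'''

LINE_RE = re.compile(r'^x2go-DEBUG-(?P<file>\S+?):(?P<line>\d+)> (?P<msg>.*)$')

def parse_records(text):
    """Split debug output into records; unprefixed lines continue the previous message."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            records.append({"file": m["file"], "line": int(m["line"]), "msg": m["msg"]})
        elif records:
            records[-1]["msg"] += "\n" + raw
    return records

def triage(text):
    """Report how far the SSH attempt got and what the remote side printed (hypothetical verdicts)."""
    auth_ok = check_failed = False
    remote_output = None
    for rec in parse_records(text):
        msg = rec["msg"]
        if msg.startswith("User authentication OK"):
            auth_ok = True
        elif msg.startswith("LOGIN CHECK:"):
            # Drop the label, the surrounding quotes and the trailing newline.
            remote_output = msg[len("LOGIN CHECK:"):].strip().strip('"').strip()
        elif msg.startswith("Login Check - Failed"):
            check_failed = True
    if auth_ok and check_failed:
        verdict = "post-auth-login-check-failed"  # key accepted, login check rejected
    elif auth_ok:
        verdict = "ok"
    else:
        verdict = "auth-not-completed"
    return {"verdict": verdict, "remote_output": remote_output}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A `post-auth-login-check-failed` verdict whose remote output is a no-shell notice points at the account's shell restriction rather than at keys or credentials.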