From unknown Mon Apr 06 04:29:51 2026
X-Loop: owner@bugs.x2go.org
Subject: Bug#141: Fwd: [X2Go-Dev] autologin with x2goclient in broker-mode: analysis and fix for "enter passphrase"-bug
Reply-To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 141@bugs.x2go.org
Resent-From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Resent-To: x2go-dev@lists.berlios.de
Resent-CC: X2Go Developers <x2go-dev@lists.berlios.de>
Resent-Date: Sat, 20 Apr 2013 19:03:01 +0000
Resent-Message-ID: <handler.141.B141.136648396626048@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: followup 141
X-X2Go-PR-Package: x2goclient
X-X2Go-PR-Keywords: moreinfo
Message-ID: <20130420205239.87507fsoftcfnqbb@mail.das-netzwerkteam.de>
X-Priority: 3 (Normal)
Date: Sat, 20 Apr 2013 20:52:39 +0200
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 141@bugs.x2go.org
Cc: control@bugs.x2go.org
MIME-Version: 1.0
Content-Type: multipart/signed;
 boundary="=_cvquj4r8ttj";
 protocol="application/pgp-signature";
 micalg="pgp-sha1"
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) H3 (4.3.4)

This message is in MIME format and has been PGP signed.

--=_cvquj4r8ttj
Content-Type: text/plain;
 charset=UTF-8;
 DelSp="Yes";
 format="flowed"
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

tag #141 - moreinfo
thanks

Detailed analysis from Anders below...

----- Forwarded message from abo@dsl.dk -----
      Date: Fri, 19 Apr 2013 16:16:47 +0200
      From: Anders Bruun Olsen <abo@dsl.dk>
  Reply-To: x2go-dev@lists.berlios.de
   Subject: [X2Go-Dev] autologin with x2goclient in broker-mode: analysis and fix for "enter passphrase"-bug
        To: x2go-dev <x2go-dev@lists.berlios.de>

Hi guys,

I just spent most of the day digging through source code for x2goclient
(reminds me why I code Python rather than C++ :) ), trying to understand
why the "enter passphrase" dialog box appears when the broker is set to do
autologin.

Summary of the bug:
x2gobroker can be set up to do autologin of users, to avoid users having to
enter their credentials twice. This is accomplished by the broker placing a
temporary SSH public key in $HOME/.x2go/authorized_keys and handing the
matching private key to the client. This temporary key is then removed
after a short while. Unfortunately, on all machines I have tested with,
including thinclients, x2goclient pops up a dialog box with the text "Enter
passphrase to decrypt a key" after authenticating against the broker and
choosing a session with autologin enabled. Pressing cancel on this dialog
box will on my desktop machine result in the autologin completing and
getting logged in. However, on the x2gothinclient I tested with, the dialog
box would just pop up again and again and login would never occur.

Analysis of the bug:
When autologin is enabled, SshMasterConnection::userAuth() will react by
calling userAuthAuto(), which will look for ssh keys and if you, like me,
have an ssh key with a passphrase, it will want to try out this key by
asking for the passphrase (despite having ssh-agent running). If it does
not find a key, it also asks for a passphrase, at least on my system. The
reasons for this aren't really important here, in my opinion. The
important question here is why it even looks for other keys when the nice
broker has provided a key. Further analysis and testing showed me that
after userAuthAuto() exits without having gotten a proper key loaded (by
pressing Cancel on the dialog box), userAuth() will then test if a key is
loaded. And because httpbrokerclient has received a key and put it into the
config-variable, a key IS available. This key is then used for login and
all is good. Looking closer at the code revealed that setting
config->autologin to true was actually not needed at all, and is the
culprit here. If autologin is false, then userAuth() will still see that
there is a key loaded, and happily log in the user.

My naive fix for this bug:
In ONMainWindow::startSession(), make setting the autologin variable
dependent upon not being in brokerMode:

diff --git a/onmainwindow.cpp b/onmainwindow.cpp
index 31dbc17..bc2b70f 100644
--- a/onmainwindow.cpp
+++ b/onmainwindow.cpp
@@ -3249,8 +3249,9 @@ bool ONMainWindow::startSession ( const QString& sid )

      QString cmd=st->setting()->value ( sid+"/command",
                                         ( QVariant ) QString::null
).toString();
-    autologin=st->setting()->value ( sid+"/autologin",
-                                     ( QVariant ) false ).toBool();
+    if (!brokerMode)
+        autologin=st->setting()->value ( sid+"/autologin",
+                                         ( QVariant ) false ).toBool();
      krblogin=st->setting()->value ( sid+"/krblogin",
                                      ( QVariant ) false ).toBool();
  #ifdef Q_OS_LINUX
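
Review bot: In broker mode the guarded assignment under `if (!brokerMode)` never writes `autologin`, so the flag keeps whatever value it held before `startSession()` was entered, and the fix only works if that value is already false. Nothing in this hunk shows where `autologin` is initialised or reset, so I would assign it on every path, e.g. `autologin = !brokerMode && st->setting()->value ( sid+"/autologin", ( QVariant ) false ).toBool();`, and add a short comment saying that the broker-supplied key makes the key probing in userAuthAuto() unnecessary. It is also worth confirming that nothing else reads the session's autologin setting in broker mode, since the setting is now silently ignored there.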

I can't say what other consequences this might have, not knowing the code
well enough, but initial tests on my system show that it works. This patch
is against git/master btw.

--
Anders Bruun Olsen
It-ansvarlig
Det Danske Sprog- og Litteraturselskab
(Society for Danish Language and Literature)


----- End of forwarded message -----


-- 

DAS-NETZWERKTEAM
mike gabriel, rothenstein 5, 24214 neudorf-bornstein
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

--=_cvquj4r8ttj--
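
The authentication flow described in Anders' analysis in the forwarded message above, as a small C++ model added here; it is not x2goclient code. The `Session` and `Outcome` types, the `model*` and `login*` functions, and the assumption that the autologin flag starts out false are hypothetical and follow only the email's description.

```cpp
#include <iostream>
#include <string>

// Simplified model of the flow described in the analysis above.
// All types and function bodies are hypothetical, not x2goclient's code.
struct Session {
    bool brokerMode;        // client was started against a broker
    bool autologinSetting;  // value of the session's "autologin" setting
    std::string brokerKey;  // private key handed over by the broker, "" if none
};

struct Outcome {
    int passphrasePrompts = 0;  // "Enter passphrase to decrypt a key" dialogs
    std::string keyUsed;        // "broker", or "" if no key was available
};

// Stand-in for userAuthAuto(): probes the user's own keys; as reported, this
// ends in a passphrase prompt, which the user cancels, so no key is loaded.
static bool modelUserAuthAuto(Outcome& out) {
    out.passphrasePrompts++;
    return false;
}

// Stand-in for userAuth(): with autologin set it probes first, then falls
// back to a key that is already loaded in the config (the broker's key).
static Outcome modelUserAuth(const Session& s, bool autologin) {
    Outcome out;
    if (autologin && modelUserAuthAuto(out)) { out.keyUsed = "user"; return out; }
    if (!s.brokerKey.empty()) out.keyUsed = "broker";
    return out;
}

// Before the patch: autologin always follows the session setting.
static Outcome loginBefore(const Session& s) { return modelUserAuth(s, s.autologinSetting); }

// After the patch: the setting is only read when not in broker mode. The flag
// is initialised to false here; that default is an assumption of this model.
static Outcome loginAfter(const Session& s) {
    bool autologin = false;
    if (!s.brokerMode) autologin = s.autologinSetting;
    return modelUserAuth(s, autologin);
}

// Constructed sample: broker session with autologin enabled and a broker key.
static const Session kBrokerSession{true, true, "constructed-temporary-key"};

int main() {
    std::cout << "prompts before: " << loginBefore(kBrokerSession).passphrasePrompts
              << ", after: " << loginAfter(kBrokerSession).passphrasePrompts << "\n";
}
```

In the model the broker's key is used for login in both cases; the patch only removes the key-probing step that raised the prompt.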
