X2Go Bug report logs - #184
missing public SSH key file should throw an error

Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Anders Bruun Olsen <abo@dsl.dk>

Date: Thu, 7 Mar 2013 10:03:01 UTC

Severity: minor

Found in version 4.0.0.4


Report forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#141; Package x2gobroker. (Thu, 07 Mar 2013 10:03:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Anders Bruun Olsen <abo@dsl.dk>:
New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Thu, 07 Mar 2013 10:03:02 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.x2go.org (full text, mbox):

From: Anders Bruun Olsen <abo@dsl.dk>
To: submit@bugs.x2go.org
Subject: X2Gobroker: session autologin does not work
Date: Thu, 7 Mar 2013 10:50:13 +0100
Package: x2gobroker
Version: 0.0.0.7

When broker-session-autologin=true is set for a profile, a temp
ssh-key-pair is generated. The pubkey is added to %h/.x2go/authorized_keys
on the term-server and the private key is given to x2goclient.
Unfortunately this does not seem to work for us. When we try to login this
way, a dialog box is shown, asking for a "passphrase to decrypt a key".
At first in our test-setup we thought this worked, because I already had
password-less login to the terminal-servers using ssh-keys. As soon as I
move my .ssh dir, this other problem occurs. It also occurs for users
without any ssh-keys setup. I can see that the pubkey is successfully added
(and removed after 20 seconds) on the term-server in
$HOME/.x2go/authorized_keys. The sshd on the term-server is set to also
look in %h/.x2go/authorized_keys.

-- 
Anders Bruun Olsen
IT manager
Det Danske Sprog- og Litteraturselskab
(Society for Danish Language and Literature)

Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#141; Package x2gobroker. (Thu, 07 Mar 2013 11:03:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Thu, 07 Mar 2013 11:03:02 GMT) Full text and rfc822 format available.

Message #10 received at 141@bugs.x2go.org (full text, mbox):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Anders Bruun Olsen <abo@dsl.dk>, 141@bugs.x2go.org
Cc: control@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#141: X2Gobroker: session autologin does not work
Date: Thu, 07 Mar 2013 11:55:59 +0100
reassign #141 x2goclient
found #141 4.0.0.4
tag #141 moreinfo
thanks

Hi Anders,

I suspect that this is not a broker issue.

On Thu 07 Mar 2013 10:50:13 CET Anders Bruun Olsen wrote:

> When broker-session-autologin=true is set for a profile, a temp
> ssh-key-pair is generated. The pubkey is added to %h/.x2go/authorized_keys
> on the term-server and the private key is given to x2goclient.
> Unfortunately this does not seem to work for us. When we try to login this
> way, a dialog box is shown, asking for a "passphrase to decrypt a key".
> At first in our test-setup we thought this worked, because I already had
> password-less login to the terminal-servers using ssh-keys.

ACK.

> As soon as I
> move my .ssh dir, this other problem occurs. It also occurs for users

What do you mean by "as soon as I move my .ssh dir"? I think that
this point may be crucial to fix this bug.

> without any ssh-keys setup. I can see that the pubkey is successfully added
> (and removed after 20 seconds) on the term-server in
> $HOME/.x2go/authorized_keys. The sshd on the term-server is set to also
> look in %h/.x2go/authorized_keys.

Ack.

Mike



-- 

DAS-NETZWERKTEAM
mike gabriel, rothenstein 5, 24214 neudorf-bornstein
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

Bug reassigned from package 'x2gobroker' to 'x2goclient'. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Thu, 07 Mar 2013 11:03:02 GMT) Full text and rfc822 format available.

No longer marked as found in versions 0.0.0.7. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Thu, 07 Mar 2013 11:03:02 GMT) Full text and rfc822 format available.

Marked as found in versions 4.0.0.4. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Thu, 07 Mar 2013 11:03:02 GMT) Full text and rfc822 format available.

Added tag(s) moreinfo. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Thu, 07 Mar 2013 11:03:02 GMT) Full text and rfc822 format available.

Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#141; Package x2goclient. (Thu, 07 Mar 2013 12:48:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Anders Bruun Olsen <abo@dsl.dk>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Thu, 07 Mar 2013 12:48:02 GMT) Full text and rfc822 format available.

Message #23 received at 141@bugs.x2go.org (full text, mbox):

From: Anders Bruun Olsen <abo@dsl.dk>
To: 141@bugs.x2go.org
Subject: Bug#141: X2Gobroker: session autologin does not work
Date: Thu, 7 Mar 2013 13:42:08 +0100
This problem was partially fixed by clearing my .x2go and .x2goclient dirs,
meaning it might be a combination of ecdsa keys in .ssh and something in
.x2go*.

There is still the problem where x2goclient asks for a passphrase and you
have to click cancel (pressing escape will result in an "authentication
failed" dialog).

-- 
Anders Bruun Olsen
IT manager
Det Danske Sprog- og Litteraturselskab
(Society for Danish Language and Literature)

Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#141; Package x2goclient. (Sat, 20 Apr 2013 19:03:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Sat, 20 Apr 2013 19:03:01 GMT) Full text and rfc822 format available.

Message #28 received at 141@bugs.x2go.org (full text, mbox):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 141@bugs.x2go.org
Cc: control@bugs.x2go.org
Subject: Fwd: [X2Go-Dev] autologin with x2goclient in broker-mode: analysis and fix for "enter passphrase"-bug
Date: Sat, 20 Apr 2013 20:52:39 +0200
tag #141 - moreinfo
thanks

Detailed analysis from Anders below...

----- Forwarded message from abo@dsl.dk -----
     Date: Fri, 19 Apr 2013 16:16:47 +0200
     From: Anders Bruun Olsen <abo@dsl.dk>
 Reply-To: x2go-dev@lists.berlios.de
  Subject: [X2Go-Dev] autologin with x2goclient in broker-mode:
analysis and fix for "enter passphrase"-bug
       To: x2go-dev <x2go-dev@lists.berlios.de>

Hi guys,

I just spent most of the day digging through source code for x2goclient
(reminds me why I code Python rather than C++ :) ), trying to understand
why the "enter passphrase" dialog box appears when the broker is set to do
autologin.

Summary of the bug:
x2gobroker can be set up to do autologin of users, to avoid users having to
enter their credentials twice. This is accomplished by the broker placing a
temporary SSH public key in $HOME/.x2go/authorized_keys and handing the
matching private key to the client. This temporary key is then removed
after a short while. Unfortunately, on all machines I have tested with,
including thinclients, x2goclient pops up a dialog box with the text "Enter
passphrase to decrypt a key" after authenticating against the broker and
choosing a session with autologin enabled. Pressing cancel on this dialog
box will on my desktop machine result in the autologin completing and
getting logged in. However on the x2gothinclient I tested with, the dialog
box would just pop up again and again and login would never occur.

Analysis of the bug:
When autologin is enabled, SshMasterConnection::userAuth() will react by
calling userAuthAuto(), which will look for ssh keys and if you, like me,
have an ssh key with a passphrase, it will want to try out this key by
asking for the passphrase (despite having ssh-agent running). If it does
not find a key, it also asks for a passphrase, at least on my system. The
reasons for this aren't really important here, in my opinion. The
important question here is why it even looks for other keys when the nice
broker has provided a key. Further analysis and testing showed me that
after userAuthAuto() exits without having gotten a proper key loaded (by
pressing Cancel on the dialog box), userAuth() will then test if a key is
loaded. And because httpbrokerclient has received a key and put it into the
config-variable, a key IS available. This key is then used for login and
all is good. Looking closer at the code revealed that setting
config->autologin to true was actually not needed at all, and is the
culprit here. If autologin is false, then userAuth() will still see that
there is a key loaded, and happily log in the user.

My naive fix for this bug:
In ONMainWindow::startSession(), make setting the autologin variable
dependent upon not being in brokerMode:

diff --git a/onmainwindow.cpp b/onmainwindow.cpp
index 31dbc17..bc2b70f 100644
--- a/onmainwindow.cpp
+++ b/onmainwindow.cpp
@@ -3249,8 +3249,9 @@ bool ONMainWindow::startSession ( const QString& sid )

     QString cmd=st->setting()->value ( sid+"/command",
                                        ( QVariant ) QString::null
).toString();
-    autologin=st->setting()->value ( sid+"/autologin",
-                                     ( QVariant ) false ).toBool();
+    if (!brokerMode)
+        autologin=st->setting()->value ( sid+"/autologin",
+                                         ( QVariant ) false ).toBool();
     krblogin=st->setting()->value ( sid+"/krblogin",
                                     ( QVariant ) false ).toBool();
 #ifdef Q_OS_LINUX
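
Review bot: With the new "if (!brokerMode)" guard in ONMainWindow::startSession(), autologin is not assigned at all when brokerMode is true, so it keeps whatever value it held before this call instead of being forced to false. If broker sessions are meant to skip the autologin key search, assign it on both paths, for example: autologin = !brokerMode && st->setting()->value ( sid+"/autologin", ( QVariant ) false ).toBool(); and add a comment saying that the broker-supplied key is picked up without autologin. The unbraced "if" over a statement that spans two lines is also easy to misread; braces would make the scope explicit.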

I can't say what other consequences this might have, not knowing the code
well enough, but initial tests on my system show that it works. This patch
is against git/master btw.

--
Anders Bruun Olsen
IT manager
Det Danske Sprog- og Litteraturselskab
(Society for Danish Language and Literature)


----- End of forwarded message -----


-- 

DAS-NETZWERKTEAM
mike gabriel, rothenstein 5, 24214 neudorf-bornstein
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

Removed tag(s) moreinfo. Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Sat, 20 Apr 2013 19:03:02 GMT) Full text and rfc822 format available.

Bug 141 cloned as bug 184 Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Sun, 21 Apr 2013 23:07:15 GMT) Full text and rfc822 format available.

Changed Bug title to 'missing public SSH key file should throw an error' from 'X2Gobroker: session autologin does not work' Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Sun, 21 Apr 2013 23:07:15 GMT) Full text and rfc822 format available.

Severity set to 'minor' from 'normal' Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to control@bugs.x2go.org. (Sun, 21 Apr 2013 23:07:15 GMT) Full text and rfc822 format available.

Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#184; Package x2goclient. (Sun, 21 Apr 2013 23:13:24 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Sun, 21 Apr 2013 23:13:24 GMT) Full text and rfc822 format available.

Message #41 received at 184@bugs.x2go.org (full text, mbox):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 184@bugs.x2go.org
Subject: x2goclient behaviour in cases where SSH pubkeys are not found
Date: Mon, 22 Apr 2013 01:13:18 +0200
Hi Alex, hi Devs,

Bug #184 is a clone of #141 with a different topic now: x2goclient
behaviour in cases where SSH pubkeys are not found.

During the investigation of a fix for #141 [1] I found out this:

  o in session profile, specify a key file that does not exist
  o start a session
  -> x2goclient will ask you for the (non-existent) key's passphrase
  Better: an error message should be thrown that informs the user correctly

Something similar happens if autologin==true and the user does not  
have a key loaded in ssh-agent nor does he have some default SSH key  
files in his $HOME/.ssh:

  o start a session
  -> x2goclient will ask you for the (non-existent) key's passphrase
  Better: an error message should be thrown that informs the user correctly

[1] http://bugs.x2go.org/141

Greets,
Mike

-- 

DAS-NETZWERKTEAM
mike gabriel, rothenstein 5, 24214 neudorf-bornstein
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
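
The behaviour requested in the message above, as an added example that is not x2goclient code: classify the configured key file first, and show a passphrase dialog only when the file exists and is actually encrypted. The names KeyState, classifyKeyText, classifyKeyFile and actionFor are hypothetical, the path in main() is constructed, and the OpenSSH-format branch goes beyond the PEM keys of the thread's era.

```cpp
#include <fstream>
#include <iostream>
#include <sstream>
#include <string>

enum class KeyState { Missing, NotAKey, Encrypted, Plain };

static bool startsWith(const std::string& s, const std::string& p) { return s.compare(0, p.size(), p) == 0; }

// Classify private-key text; only Encrypted justifies a passphrase dialog.
KeyState classifyKeyText(const std::string& text) {
    // base64 of "openssh-key-v1\0" + uint32(4) + "none": unencrypted OpenSSH format.
    static const std::string opensshPlain = "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUA";
    std::istringstream in(text);
    std::string line;
    bool inKey = false, openssh = false;
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();   // tolerate CRLF files
        if (!inKey) {
            if (!startsWith(line, "-----BEGIN ") || line.find("PRIVATE KEY-----") == std::string::npos) continue;
            if (line.find("ENCRYPTED") != std::string::npos) return KeyState::Encrypted;  // PKCS#8
            openssh = line.find("OPENSSH") != std::string::npos;
            inKey = true;
        } else if (openssh) {   // the cipher name is encoded at the start of the body
            return startsWith(line, opensshPlain) ? KeyState::Plain : KeyState::Encrypted;
        } else {                // legacy PEM: either an encryption header or the key body
            return startsWith(line, "Proc-Type: 4,ENCRYPTED") ? KeyState::Encrypted : KeyState::Plain;
        }
    }
    return KeyState::NotAKey;   // no private-key block with a body was found
}

KeyState classifyKeyFile(const std::string& path) {
    std::ifstream in(path, std::ios::binary);
    if (!in) return KeyState::Missing;   // absent or unreadable: report it, do not prompt
    std::ostringstream buf;
    buf << in.rdbuf();
    return classifyKeyText(buf.str());
}

const char* actionFor(KeyState s) {
    switch (s) {
        case KeyState::Missing:   return "error: key file not found or unreadable";
        case KeyState::NotAKey:   return "error: file holds no private key";
        case KeyState::Encrypted: return "ask for passphrase";
        case KeyState::Plain:     return "use key";
    }
    return "error: unknown state";
}

int main() {   // constructed path, assumed absent on the machine running this
    std::cout << actionFor(classifyKeyFile("/nonexistent/x2go-example-key")) << "\n";
}
```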


X2Go Developers <owner@bugs.x2go.org>. Last modified: Fri Dec 14 05:17:37 2018; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.