X2Go Bug report logs - #184
missing public SSH key file should throw an error

version graph

Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Anders Bruun Olsen <abo@dsl.dk>

Date: Thu, 7 Mar 2013 10:03:01 UTC

Severity: minor

Found in version 4.0.0.4

Full log

Message #28 received at 141@bugs.x2go.org (full text, mbox, reply):

Received: (at 141) by bugs.x2go.org; 20 Apr 2013 18:52:46 +0000
From mike.gabriel@das-netzwerkteam.de  Sat Apr 20 20:52:45 2013
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=5.0 tests=URIBL_BLOCKED autolearn=ham
	version=3.3.2
Received: from freya.das-netzwerkteam.de (freya.das-netzwerkteam.de [88.198.48.199])
	by ymir (Postfix) with ESMTPS id BE9015DB20;
	Sat, 20 Apr 2013 20:52:45 +0200 (CEST)
Received: from grimnir.das-netzwerkteam.de (grimnir.das-netzwerkteam.de [78.46.204.98])
	by freya.das-netzwerkteam.de (Postfix) with ESMTPS id 586E3C63;
	Sat, 20 Apr 2013 20:52:40 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 2AA733B977;
	Sat, 20 Apr 2013 20:52:40 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at grimnir.das-netzwerkteam.de
Received: from grimnir.das-netzwerkteam.de ([127.0.0.1])
	by localhost (grimnir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id UV9MZ5HZj8nY; Sat, 20 Apr 2013 20:52:40 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id EC1483B979;
	Sat, 20 Apr 2013 20:52:39 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id B647F3B977;
	Sat, 20 Apr 2013 20:52:39 +0200 (CEST)
Received: by grimnir.das-netzwerkteam.de (Postfix, from userid 33)
	id 1AF503B979; Sat, 20 Apr 2013 20:52:39 +0200 (CEST)
Received: from 176-180-142-46.pool.kielnet.net
 (176-180-142-46.pool.kielnet.net [46.142.180.176]) by
 mail.das-netzwerkteam.de (Horde Framework) with HTTP; Sat, 20 Apr 2013
 20:52:39 +0200
Message-ID: <20130420205239.87507fsoftcfnqbb@mail.das-netzwerkteam.de>
X-Priority: 3 (Normal)
Date: Sat, 20 Apr 2013 20:52:39 +0200
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 141@bugs.x2go.org
Cc: control@bugs.x2go.org
Subject: Fwd: [X2Go-Dev] autologin with x2goclient in broker-mode: analysis
 and fix for "enter passphrase"-bug
MIME-Version: 1.0
Content-Type: multipart/signed;
 boundary="=_cvquj4r8ttj";
 protocol="application/pgp-signature";
 micalg="pgp-sha1"
Content-Transfer-Encoding: 7bit
User-Agent: Internet Messaging Program (IMP) H3 (4.3.4)

[Message part 1 (text/plain, inline)]
tag #141 - moreinfo
thanks

Detailed analysis from Anders below...

----- Weitergeleitete Nachricht von abo@dsl.dk -----
     Datum: Fri, 19 Apr 2013 16:16:47 +0200
       Von: Anders Bruun Olsen <abo@dsl.dk>
Antwort an: x2go-dev@lists.berlios.de
   Betreff: [X2Go-Dev] autologin with x2goclient in broker-mode:  
analysis and fix for "enter passphrase"-bug
        An: x2go-dev <x2go-dev@lists.berlios.de>

Hi guys,

I just spent most of the day digging through source code for x2goclient
(reminds my why I code Python rather than C++ :) ), trying to understand
why the "enter passphrase" dialog box appears when the broker is set to do
autologin.

Summary of the bug:
x2gobroker can be setup to do autologin of users, to avoid users having to
enter their credentials twice. This is accomplished by the broker placing a
temporary SSH public key in $HOME/.x2go/authorized_keys and handing the
matching private key to the client. This temporary key is then removed
after a short while. Unfortunately, on all machines I have tested with,
including thinclients, x2goclient pops up a dialog box with the text "Enter
passphrase to decrypt a key" after authenticating against the broker and
choosing a session with autologin enabled. Pressing cancel on this dialog
box will on my desktop machine result in the autologin completing and
getting logged in. However on the x2gothinclient I tested with, the dialog
box would just pop up again and again and login would never occur.

Analysis of the bug:
When autologin is enabled, SshMasterConnection::userAuth() will react by
calling userAuthAuto(), which will look for ssh keys and if you, like me,
have an ssh key with a passphrase, it will want to try out this key by
asking for the passphrase (despite having ssh-agent running). If it does
not find a key, it also asks for a passphrase, at least on my system. The
reasons for this aren't really important here, in my oppinion. The
important question here is why it even looks for other keys when the nice
broker has provided a key. Further analysis and testing showed me that
after userAuthAuto() exists without having gotten a proper key loaded (by
pressing Cancel on the dialog box), userAuth() will then test if a key is
loaded. And because httpbrokerclient has recieved a key and put it into the
config-variable, a key IS available. This key is then used for login and
all is good. Looking closer at the code revealed that setting
config->autologin to true was actually not needed at all, and is the
culprit here. If autologin is false, then userAuth() will still see that
there is a key loaded, and happily log in the user.

My naive fix for this bug:
In ONMainWindow::startSession(), make setting the autologin variable
dependent upon not being in brokerMode:

diff --git a/onmainwindow.cpp b/onmainwindow.cpp
index 31dbc17..bc2b70f 100644
--- a/onmainwindow.cpp
+++ b/onmainwindow.cpp
@@ -3249,8 +3249,9 @@ bool ONMainWindow::startSession ( const QString& sid )

     QString cmd=st->setting()->value ( sid+"/command",
                                        ( QVariant ) QString::null
).toString();
-    autologin=st->setting()->value ( sid+"/autologin",
-                                     ( QVariant ) false ).toBool();
+    if (!brokerMode)
+        autologin=st->setting()->value ( sid+"/autologin",
+                                         ( QVariant ) false ).toBool();
     krblogin=st->setting()->value ( sid+"/krblogin",
                                     ( QVariant ) false ).toBool();
 #ifdef Q_OS_LINUX

I can't say what other consequences this might have, not knowing the code
well enough, but initial tests on my system shows that it works. This patch
is against git/master btw.

--
Anders Bruun Olsen
It-ansvarlig
Det Danske Sprog- og Litteraturselskab
(Society for Danish Language and Literature)


----- Ende der weitergeleiteten Nachricht -----


-- 

DAS-NETZWERKTEAM
mike gabriel, rothenstein 5, 24214 neudorf-bornstein
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

[Message part 2 (application/pgp-signature, inline)]

Send a report that this bug log contains spam.

X2Go Developers <owner@bugs.x2go.org>. Last modified: Fri Apr 19 13:48:53 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.