X2Go Bug report logs - #290
SSH key based authentication problems


Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Date: Tue, 27 Aug 2013 10:48:02 UTC

Severity: important

Tags: confirmed

Found in version 4.0.1.0



Report forwarded to x2go-dev@lists.berlios.de, software@matthiaskauer.com, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#290; Package x2goclient. (Tue, 27 Aug 2013 10:48:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
New Bug report received and forwarded. Copy sent to software@matthiaskauer.com, X2Go Developers <x2go-dev@lists.berlios.de>. (Tue, 27 Aug 2013 10:48:02 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.x2go.org (full text, mbox):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: submit@bugs.x2go.org
Subject: SSH key based authentication problems
Date: Tue, 27 Aug 2013 12:34:01 +0200
Package: x2goclient
Tags: confirmed
Version: 4.0.1.0
Severity: important
x-debbugs-cc: software@matthiaskauer.com

I myself have also observed the issue reported by Matthias. Adding  
this as a bug. This should get fixed before the release of 4.0.1.1.

Mike

----- Forwarded message from software@matthiaskauer.com -----
     Date: Mon, 26 Aug 2013 23:54:55 +0200
     From: Matthias Kauer <software@matthiaskauer.com>
  Subject: [X2Go-User] Login via ~/.ssh/authorized_keys fails
       To: x2go-user@lists.berlios.de

Hi,
I am looking for input on how to set up an ssh key-based authentication.

I generated an RSA key pair with puttygen and added it to
~/.ssh/authorized_keys2 => confirmed that I can login with putty.
Now, I specify the same private key in x2goclient (windows). I enter my
password and I am then prompted for the password of the ssh key. I enter
it and the same ssh key password prompt reappears. This seems to be an
infinite loop. When I cancel it, I get a message saying that only
publickey is supported as login method (which corresponds to my
sshd_config settings).

I then tried renaming ~/.ssh/authorized_keys and using a DSA key pair.
putty still works as expected with both of these alternatives.
x2goclient still shows the same problems however. It only lets me login
if I adapt my sshd_config and authenticate via user / password combination.

Is this a known limitation?
What is the best way to achieve high security? Can I limit the x2go
connections to only LAN IPs (without restricting the pure ssh connections)?

Best Wishes,
Matthias Kauer


----- End of forwarded message -----


-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#290; Package x2goclient. (Tue, 27 Aug 2013 12:18:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Stefan Baur <newsgroups.mail2@stefanbaur.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Tue, 27 Aug 2013 12:18:02 GMT) Full text and rfc822 format available.

Message #10 received at 290@bugs.x2go.org (full text, mbox):

From: Stefan Baur <newsgroups.mail2@stefanbaur.de>
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 290@bugs.x2go.org, x2go-dev@lists.berlios.de
Cc: submit@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#290: SSH key based authentication problems
Date: Tue, 27 Aug 2013 14:04:39 +0200
Hi Guys!

As a suggestion/workaround: I am using Pageant from the PuTTY suite, 
this is where I have my users load their keys.
Pageant is a SSH agent for Windows, under the same license as PuTTY and 
PuTTYgen.
The reason why I'm using it is that my users also use WinSCP for file 
transfers and thus have to authenticate only once - when 
loading/unlocking their key file in pageant.

Thus, I'm telling both x2goclient and WinSCP to use the SSH agent, and 
everything works (for me).

Please ALSO note that PuTTYgen saves the private key files in its own 
special format (as indicated by the *.ppk extension).
You might have to use one of the "Export" Options in PuTTYgen's 
"Conversions" menu so that x2goclient is able to process the key.

-Stefan



Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#290; Package x2goclient. (Wed, 28 Aug 2013 21:33:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Matthias Kauer <software@matthiaskauer.com>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Wed, 28 Aug 2013 21:33:02 GMT) Full text and rfc822 format available.

Message #15 received at 290@bugs.x2go.org (full text, mbox):

From: Matthias Kauer <software@matthiaskauer.com>
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 290@bugs.x2go.org
Subject: Re: Bug#290: SSH key based authentication problems
Date: Wed, 28 Aug 2013 23:12:22 +0200
Hi Mike,
thanks for the confirmation and the submission.

If anyone is interested, one thing I did for now, to address this issue
was to allow password-based access from my LAN addresses as described
here:
http://askubuntu.com/questions/101670/how-can-i-allow-ssh-password-authentication-from-only-certain-ip-addresses
(Note that the match block should be at the end of sshd_config file as
it affects all statements below it if I understand it correctly)

Use a Match block in /etc/ssh/sshd_config.

PasswordAuthentication no

Match address 192.0.2.0/24
    PasswordAuthentication yes

Best,
Matthias


[Message part 2 (text/html, inline)]
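
The Match-block scoping described in the message above, as an added example that is not part of the original message or of X2Go: a simplified Python model of how sshd resolves a keyword for a given client address. It models only "Match Address" with CIDR patterns; both configurations are constructed samples and the function name is hypothetical.

```python
import ipaddress

# Constructed sample: the snippet from the message, Match block last.
GOOD = """\
PasswordAuthentication no

Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""

# Constructed sample: a directive appended later, meant to be global.
# Indentation is cosmetic, so it is still part of the Match block.
BAD = GOOD + "PermitRootLogin no\n"

def effective(config, client_ip):
    """Return the keywords a simplified sshd would apply to client_ip.

    Models only 'Match Address' with comma-separated CIDR/IP patterns
    (no negation or wildcards); the first value seen for a keyword wins.
    """
    ip = ipaddress.ip_address(client_ip)
    global_opts, match_opts = {}, {}
    in_match = matched = False
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            criterion, _, patterns = value.partition(" ")
            if criterion.lower() != "address":
                raise ValueError("only 'Match Address' is modelled")
            in_match = True
            matched = any(ip in ipaddress.ip_network(p.strip(), strict=False)
                          for p in patterns.split(","))
        elif in_match:
            if matched:
                match_opts.setdefault(key, value)
        else:
            global_opts.setdefault(key, value)
    # Settings from a matching block override the global section.
    return {**global_opts, **match_opts}
```

With BAD, a client outside 192.0.2.0/24 never receives the PermitRootLogin line, because everything after a Match line belongs to that block until the next Match or the end of the file. On a real server, sshd's extended test mode (sshd -T with a -C connection specification) prints the effective settings for a given address.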

Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#290; Package x2goclient. (Fri, 30 Aug 2013 19:48:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Fri, 30 Aug 2013 19:48:02 GMT) Full text and rfc822 format available.

Message #20 received at 290@bugs.x2go.org (full text, mbox):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: 290@bugs.x2go.org
Subject: SSH key's passphrase queried when...
Date: Fri, 30 Aug 2013 21:39:23 +0200
... these conditions coincide:

  o no SSH priv key with default name(s) available

  and

  ((

  o ssh-agent not aware of any private key
  o ssh-agent running

  )

  or

  (

  o ssh-agent not running

  ))

/me will dig into this and then release X2Go Client.

Mike

Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#290; Package x2goclient. (Sun, 13 Apr 2014 13:55:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael DePaulo <mikedep333@gmail.com>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Sun, 13 Apr 2014 13:55:01 GMT) Full text and rfc822 format available.

Message #25 received at 290@bugs.x2go.org (full text, mbox):

From: Michael DePaulo <mikedep333@gmail.com>
To: 290@bugs.x2go.org
Subject: Workaround with PuTTYGen
Date: Sun, 13 Apr 2014 09:51:35 -0400
1st of all, as the Windows maintainer for X2Go Client, I intend to
either add support for using PuTTY private keys, or at least update
X2Go Client to give a meaningful error message about PuTTY private
keys not being supported.  I currently have no ETA on when I will
implement this.

2nd, if Pageant support is not working for you in x2goclient 4.0.1.3
or 4.0.1.3+build2, upgrade to x2goclient 4.0.2.0. This is bug 448.

3rd, as Stefan briefly mentioned, with PuTTYGen (0.63), a workaround
is available. Basically you are just exporting your private key from
PuTTY format to OpenSSH format. This workaround is the intended design
of PuTTY suite. Here are full instructions.

Step 4 isn't required, but I strongly encourage you to follow it. Step
5 only applies if you wish to use cygwin.

1. Generate or load your putty private key with PuTTYGen
2. Select Conversions -> export OpenSSH key
3. Save the private key to a file. I strongly encourage you to
save it with the standard OpenSSH filename. The standard filename
would be, depending upon what type of key you generated:
id_rsa
id_dsa
4. Copy the "Public key for pasting into OpenSSH authorized_keys file"
into a new file in your favorite text editor; notepad will suffice.
Save it as one of the standard filenames in the same folder:
id_rsa.pub
id_dsa.pub
When saving it, make sure you do not put .txt on the end of the filename!
5. If you have cygwin installed on your Windows client, copy or move
both files to: ~/.ssh/ . Create ~/.ssh/ if it does not exist. Make
sure you set the correct permissions though:
chmod 700 ~/.ssh && chmod 600 ~/.ssh/*
6. Configure your X2Go Client to use your id_rsa or id_dsa file.
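
A pre-flight check for the exported key file, as an added example that is not part of the original message or of X2Go Client: it tells a PuTTY .ppk file from an OpenSSH-format key by its first line and flags the .txt suffix and loose permissions mentioned in steps 4 and 5. The function names and the two header-only samples are constructed for illustration; the permission check applies only on POSIX-style environments such as cygwin.

```python
import os
import stat

# First-line prefixes of the private key formats discussed in this thread.
MARKERS = (
    ("PuTTY-User-Key-File-", "putty-ppk"),
    ("-----BEGIN RSA PRIVATE KEY-----", "openssh-rsa"),
    ("-----BEGIN DSA PRIVATE KEY-----", "openssh-dsa"),
)

# Constructed, header-only samples (no key material).
SAMPLE_PPK = "PuTTY-User-Key-File-2: ssh-rsa\nEncryption: aes256-cbc\n"
SAMPLE_PEM = "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"

def key_format(first_line):
    """Map the first line of a key file to a format name."""
    for prefix, name in MARKERS:
        if first_line.startswith(prefix):
            return name
    return "unknown"

def check_private_key(path):
    """Return a list of problems; an empty list means the file looks usable."""
    problems = []
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        fmt = key_format(fh.readline().strip())
    if fmt == "putty-ppk":
        problems.append("PuTTY .ppk format: use PuTTYgen "
                        "Conversions -> Export OpenSSH key")
    elif fmt == "unknown":
        problems.append("first line is not a recognised private key header")
    if path.lower().endswith(".txt"):
        problems.append("filename ends in .txt")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name == "posix" and mode & 0o077:
        problems.append("mode %o is readable by group/other; chmod 600" % mode)
    return problems
```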




X2Go Developers <owner@bugs.x2go.org>. Last modified: Fri Dec 14 05:18:04 2018; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.