From unknown Sun Mar 15 06:31:41 2026
X-Loop: owner@bugs.x2go.org
Subject: Bug#290: SSH key based authentication problems
Reply-To: Matthias Kauer <software@matthiaskauer.com>, 290@bugs.x2go.org
Resent-From: Matthias Kauer <software@matthiaskauer.com>
Resent-To: x2go-dev@lists.berlios.de
Resent-CC: X2Go Developers <x2go-dev@lists.berlios.de>
X-Loop: owner@bugs.x2go.org
Resent-Date: Wed, 28 Aug 2013 21:33:02 +0000
Resent-Message-ID: <handler.290.B290.137772490610098@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: followup 290
X-X2Go-PR-Package: x2goclient
X-X2Go-PR-Keywords: confirmed
Message-ID: <521E67B6.2030605@matthiaskauer.com>
Date: Wed, 28 Aug 2013 23:12:22 +0200
From: Matthias Kauer <software@matthiaskauer.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 290@bugs.x2go.org
References: <20130827123401.1559208fzp3qfrtl@mail.das-netzwerkteam.de>
In-Reply-To: <20130827123401.1559208fzp3qfrtl@mail.das-netzwerkteam.de>
Content-Type: multipart/alternative;
 boundary="------------050307080702090806020902"

This is a multi-part message in MIME format.
--------------050307080702090806020902
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

Hi Mike,
thanks for the confirmation and the submission.

If anyone is interested, one thing I did for now, to address this issue
was to allow password-based access from my LAN addresses as described
here:
http://askubuntu.com/questions/101670/how-can-i-allow-ssh-password-authentication-from-only-certain-ip-addresses
(Note that the match block should be at the end of sshd_config file as
it affects all statements below it if I understand it correctly)

Use a Match block in /etc/ssh/sshd_config.

    PasswordAuthentication no

    Match address 192.0.2.0/24
        PasswordAuthentication yes

Best,
Matthias

On 27/8/2013 12:34 PM, Mike Gabriel wrote:
> Package: x2goclient
> Tags: confirmed
> Version: 4.0.1.0
> Severity: important
> x-debbugs-cc: software@matthiaskauer.com
>
> I myself have also observed the issue reported by Matthias. Adding
> this as a bug. This should get fixed before the release of 4.0.1.1.
>
> Mike
>
> ----- Forwarded message from software@matthiaskauer.com -----
>      Date: Mon, 26 Aug 2013 23:54:55 +0200
>      From: Matthias Kauer <software@matthiaskauer.com>
>   Subject: [X2Go-User] Login via ~/.ssh/authorized_keys fails
>        To: x2go-user@lists.berlios.de
>
> Hi,
> I am looking for input on how to set up an ssh key-based authentication.
>
> I generated an RSA key pair with puttygen and added it to
> ~/.ssh/authorized_keys2 => confirmed that I can login with putty.
> Now, I specify the same private key in x2goclient (windows). I enter my
> password and I am then prompted for the password of the ssh key. I enter
> it and the same ssh key password prompt reappears. This seems to be an
> infinite loop. When I cancel it, I get a message saying that only
> publickey is supported as login method (which corresponds to my
> sshd_config settings).
>
> I then tried renaming ~/.ssh/authorized_keys and using a DSA key pair.
> putty still works as expected with both of these alternatives.
> x2goclient still shows the same problems however. It only lets me login
> if I adapt my sshd_config and authenticate via user / password
> combination.
>
> Is this a known limitation?
> What is the best way to achieve high security? Can I limit the x2go
> connections to only LAN IPs (without restricting the pure ssh
> connections)?
>
> Best Wishes,
> Matthias Kauer
> _______________________________________________
> X2Go-User mailing list
> X2Go-User@lists.berlios.de
> https://lists.berlios.de/mailman/listinfo/x2go-user
>
>
> ----- End of forwarded message -----
>
>


--------------050307080702090806020902--
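
Added example (not part of the original message and not X2Go or OpenSSH code): a simplified Python model of how sshd scopes "Match address" blocks, applied to the workaround quoted above, showing that a directive written after the Match block only applies to matching clients. The sample config, the function names and the 203.0.113.5 test address are constructed for illustration; only CIDR patterns in "Match address" are modelled.

```python
import ipaddress

# Constructed sample: the config from the message plus one directive
# misplaced after the Match block.
SAMPLE = """\
PasswordAuthentication no
PubkeyAuthentication yes

Match address 192.0.2.0/24
    PasswordAuthentication yes
# Indentation is cosmetic: the next line still belongs to the Match block.
X11Forwarding yes
"""

def parse(text):
    """Return (global settings, [(cidr list, block settings), ...])."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            crit = value.split(None, 1)
            if len(crit) != 2 or crit[0].lower() != "address":
                raise ValueError("only 'Match address <cidr,...>' is modelled")
            current = {}  # a Match block runs until the next Match or end of file
            blocks.append((crit[1].split(","), current))
        else:
            # For each keyword the first value obtained is the one used.
            (global_opts if current is None else current).setdefault(key, value)
    return global_opts, blocks

def effective(text, client_ip):
    """Settings in force for a connection from client_ip (simplified model)."""
    global_opts, blocks = parse(text)
    addr = ipaddress.ip_address(client_ip)
    overrides = {}
    for cidrs, opts in blocks:
        if any(addr in ipaddress.ip_network(c.strip(), strict=False) for c in cidrs):
            for key, value in opts.items():
                overrides.setdefault(key, value)
    return {**global_opts, **overrides}  # matching blocks override the globals

if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.5"):  # LAN client, outside client
        print(ip, effective(SAMPLE, ip))
```

On a real server, `sshd -T -C addr=192.0.2.10,user=USER,host=HOST` (USER and HOST are placeholders) prints the settings sshd itself computes for that client and is the authoritative check.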
