X2Go Bug report logs - #372
x2goadmin writes to users homes

Reply or subscribe to this bug.

Toggle useless messages

Message #5 received at submit@bugs.x2go.org (full text, mbox, reply):

From: Reinhard Tartler <siretart@gmail.com>

To: submit@bugs.x2go.org

Subject: x2goadmin writes to users homes

Date: Sat, 14 Dec 2013 19:13:35 -0500

Package: x2goserver
Severity: serious

Hi,

my understanding of the x2goadmin code [code], end of sub add_user, is
that the code tries to write the sql password in users homes. This
will fail for installations that have the user homes on NFS with the
option "rootsquash" mounted.

I set the severity to "serious" because I imagine that this is a
rather common scenario.

Also, this approach has another problem: Imagine you want to give
access to the unix group "staff"? According to the documentation, you
can use the options "--addgroup" and "--rmgroup" for this. What if a
new employee joins the company later and wants to use x2go? In this
case you need to call x2godbadmin for this new user again, which is
suboptimal.

Is there really no way to get around generated user passwords?

[code] http://code.x2go.org/gitweb?p=x2goserver.git;a=blob;f=x2goserver/sbin/x2godbadmin

-- 
regards,
    Reinhard

Message #10 received at 372@bugs.x2go.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

To: Reinhard Tartler <siretart@gmail.com>, 372@bugs.x2go.org

Cc: o.schneyder@phoca-gmbh.de

Subject: Re: [X2Go-Dev] Bug#372: x2goadmin writes to users homes

Date: Mon, 16 Dec 2013 07:34:34 +0000

[Message part 1 (text/plain, inline)]

Hi Reinhard,

On  So 15 Dez 2013 01:13:35 CET, Reinhard Tartler wrote:

> Package: x2goserver
> Severity: serious
>
> Hi,
>
> my understanding of the x2goadmin code [code], end of sub add_user, is
> that the code tries to write the sql password in users homes. This
> will fail for installations that have the user homes on NFS with the
> option "rootsquash" mounted.
>
> I set the severity to "serious" because I imagine that this is a
> rather common scenario.
>
> Also, this approach has another problem: Imagine you want to give
> access to the unix group "staff"? According to the documentation, you
> can use the options "--addgroup" and "--rmgroup" for this. What if a
> new employee joins the company later and wants to use x2go? In this
> case you need to call x2godbadmin for this new user again, which is
> suboptimal.
>
> Is there really no way to get around generated user passwords?
>
> [code]  
> http://code.x2go.org/gitweb?p=x2goserver.git;a=blob;f=x2goserver/sbin/x2godbadmin

I install x2goserver on the file servers and run x2godbadmin there  
daily in a cron job.

If you have distributed file servers, one should test for the $HOME to  
be accessible in x2godbadmin.

If needed, we could split out x2godbadmin from the x2goserver package  
and provide it as a standalone package.

As this is a workaround and not a solution to your question above,  
let's see if Alex has a comment on this.

Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

[Message part 2 (application/pgp-signature, inline)]

Message #15 received at 372@bugs.x2go.org (full text, mbox, reply):

From: Reinhard Tartler <siretart@gmail.com>

To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Cc: 372@bugs.x2go.org, o.schneyder@phoca-gmbh.de

Subject: Re: [X2Go-Dev] Bug#372: x2goadmin writes to users homes

Date: Mon, 16 Dec 2013 07:33:40 -0500

On Mon, Dec 16, 2013 at 2:34 AM, Mike Gabriel
<mike.gabriel@das-netzwerkteam.de> wrote:
> I install x2goserver on the file servers and run x2godbadmin there daily in
> a cron job.
>
> If you have distributed file servers, one should test for the $HOME to be
> accessible in x2godbadmin.

What to do if it isn't accesible? Then the user won't get a password
to access the postgres, and x2godbadmin will fail silently. That's
even worse!

> If needed, we could split out x2godbadmin from the x2goserver package and
> provide it as a standalone package.

I don't see any benefit in doing so other than moving the problem
around instead of solving it.

Cheers,

-- 
regards,
    Reinhard

Message #20 received at 372@bugs.x2go.org (full text, mbox, reply):

From: Alexander Wuerstlein <snalwuer@cip.informatik.uni-erlangen.de>

To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 372@bugs.x2go.org, x2go-dev@lists.berlios.de

Cc: Reinhard Tartler <siretart@gmail.com>, o.schneyder@phoca-gmbh.de

Subject: Re: [X2Go-Dev] Bug#372: Bug#372: x2goadmin writes to users homes

Date: Mon, 16 Dec 2013 14:59:40 +0100

On 13-12-16 08:49, Mike Gabriel <mike.gabriel@das-netzwerkteam.de> wrote:
> Hi Reinhard,
> 
> On  So 15 Dez 2013 01:13:35 CET, Reinhard Tartler wrote:
> 
> >Package: x2goserver
> >Severity: serious
> >
> >Hi,
> >
> >my understanding of the x2goadmin code [code], end of sub add_user, is
> >that the code tries to write the sql password in users homes. This
> >will fail for installations that have the user homes on NFS with the
> >option "rootsquash" mounted.
> >
> >I set the severity to "serious" because I imagine that this is a
> >rather common scenario.
> >
> >Also, this approach has another problem: Imagine you want to give
> >access to the unix group "staff"? According to the documentation, you
> >can use the options "--addgroup" and "--rmgroup" for this. What if a
> >new employee joins the company later and wants to use x2go? In this
> >case you need to call x2godbadmin for this new user again, which is
> >suboptimal.
> >
> >Is there really no way to get around generated user passwords?

There is a way that could work: If configured correctly, postgresql can
use GSSAPI (Kerberos) Authentication. That way, the user is
authenticated using his login ticket cache which is created anyways.
If necessary, one could also provide a keyfile for the cleanup-cronjob
so that it can at least access the database with sufficient permissions. 

But I have never tried this with x2go and don't know if it would work.



Ciao,

Alexander Wuerstlein.

Message #25 received at 372@bugs.x2go.org (full text, mbox, reply):

From: Reinhard Tartler <siretart@gmail.com>

To: Alexander Wuerstlein <snalwuer@cip.informatik.uni-erlangen.de>

Cc: 372@bugs.x2go.org, o.schneyder@phoca-gmbh.de, Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, x2go-dev@lists.berlios.de

Subject: Re: [X2Go-Dev] Bug#372: Bug#372: x2goadmin writes to users homes

Date: Mon, 16 Dec 2013 09:31:48 -0500

[Message part 1 (text/plain, inline)]

On Dec 16, 2013 8:59 AM, "Alexander Wuerstlein" <
snalwuer@cip.informatik.uni-erlangen.de> wrote:
>
> On 13-12-16 08:49, Mike Gabriel <mike.gabriel@das-netzwerkteam.de> wrote:
> > Hi Reinhard,
> >
> > On  So 15 Dez 2013 01:13:35 CET, Reinhard Tartler wrote:
> >
> > >Package: x2goserver
> > >Severity: serious
> > >
> > >Hi,
> > >
> > >my understanding of the x2goadmin code [code], end of sub add_user, is
> > >that the code tries to write the sql password in users homes. This
> > >will fail for installations that have the user homes on NFS with the
> > >option "rootsquash" mounted.
> > >
> > >I set the severity to "serious" because I imagine that this is a
> > >rather common scenario.
> > >
> > >Also, this approach has another problem: Imagine you want to give
> > >access to the unix group "staff"? According to the documentation, you
> > >can use the options "--addgroup" and "--rmgroup" for this. What if a
> > >new employee joins the company later and wants to use x2go? In this
> > >case you need to call x2godbadmin for this new user again, which is
> > >suboptimal.
> > >
> > >Is there really no way to get around generated user passwords?
>
> There is a way that could work: If configured correctly, postgresql can
> use GSSAPI (Kerberos) Authentication. That way, the user is
> authenticated using his login ticket cache which is created anyways.
> If necessary, one could also provide a keyfile for the cleanup-cronjob
> so that it can at least access the database with sufficient permissions.

That would be an option if you are OK to break passwordless ssh key
authentication logins.

If you really wanted to go the kerberos route, you would have to create
special db principals that can only access the db, and stash a passwordless
keyfile in the users home.

>
> But I have never tried this with x2go and don't know if it would work.
>
>
>
> Ciao,
>
> Alexander Wuerstlein.

[Message part 2 (text/html, inline)]

Message #30 received at 372@bugs.x2go.org (full text, mbox, reply):

From: Alexander Wuerstlein <arw@cs.fau.de>

To: Reinhard Tartler <siretart@gmail.com>

Cc: 372@bugs.x2go.org, o.schneyder@phoca-gmbh.de, Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, x2go-dev@lists.berlios.de

Subject: Re: [X2Go-Dev] Bug#372: Bug#372: x2goadmin writes to users homes

Date: Mon, 16 Dec 2013 15:40:26 +0100

On 13-12-16 15:33, Reinhard Tartler <siretart@gmail.com> wrote:
> On Dec 16, 2013 8:59 AM, "Alexander Wuerstlein" <
> snalwuer@cip.informatik.uni-erlangen.de> wrote:
> >
> > On 13-12-16 08:49, Mike Gabriel <mike.gabriel@das-netzwerkteam.de> wrote:
> > > Hi Reinhard,
> > >
> > > On  So 15 Dez 2013 01:13:35 CET, Reinhard Tartler wrote:
> > >
> > > >Package: x2goserver
> > > >Severity: serious
> > > >
> > > >Hi,
> > > >
> > > >my understanding of the x2goadmin code [code], end of sub add_user, is
> > > >that the code tries to write the sql password in users homes. This
> > > >will fail for installations that have the user homes on NFS with the
> > > >option "rootsquash" mounted.
> > > >
> > > >I set the severity to "serious" because I imagine that this is a
> > > >rather common scenario.
> > > >
> > > >Also, this approach has another problem: Imagine you want to give
> > > >access to the unix group "staff"? According to the documentation, you
> > > >can use the options "--addgroup" and "--rmgroup" for this. What if a
> > > >new employee joins the company later and wants to use x2go? In this
> > > >case you need to call x2godbadmin for this new user again, which is
> > > >suboptimal.
> > > >
> > > >Is there really no way to get around generated user passwords?
> >
> > There is a way that could work: If configured correctly, postgresql can
> > use GSSAPI (Kerberos) Authentication. That way, the user is
> > authenticated using his login ticket cache which is created anyways.
> > If necessary, one could also provide a keyfile for the cleanup-cronjob
> > so that it can at least access the database with sufficient permissions.
> 
> That would be an option if you are OK to break passwordless ssh key
> authentication logins.
> 
> If you really wanted to go the kerberos route, you would have to create
> special db principals that can only access the db, and stash a passwordless
> keyfile in the users home.

Yes, that is correct. One more thing that could also work, but is ugly,
would be 'ident' authentication in postgresql. But that would of course
mean that one needs a sufficiently trustable identd on all machines.



Ciao,

Alexander Wuerstlein.

Message #35 received at 372@bugs.x2go.org (full text, mbox, reply):

From: Reinhard Tartler <siretart@gmail.com>

To: Alexander Wuerstlein <arw@cs.fau.de>

Cc: 372@bugs.x2go.org, Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, o.schneyder@phoca-gmbh.de, x2go-dev@lists.berlios.de

Subject: Re: [X2Go-Dev] Bug#372: Bug#372: x2goadmin writes to users homes

Date: Mon, 16 Dec 2013 09:46:36 -0500

[Message part 1 (text/plain, inline)]

On Dec 16, 2013 9:40 AM, "Alexander Wuerstlein" <arw@cs.fau.de> wrote:
>
> On 13-12-16 15:33, Reinhard Tartler <siretart@gmail.com> wrote:
> > On Dec 16, 2013 8:59 AM, "Alexander Wuerstlein" <
> > snalwuer@cip.informatik.uni-erlangen.de> wrote:
> > >
> > > On 13-12-16 08:49, Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
wrote:
> > > > Hi Reinhard,
> > > >
> > > > On  So 15 Dez 2013 01:13:35 CET, Reinhard Tartler wrote:
> > > >
> > > > >Package: x2goserver
> > > > >Severity: serious
> > > > >
> > > > >Hi,
> > > > >
> > > > >my understanding of the x2goadmin code [code], end of sub
add_user, is
> > > > >that the code tries to write the sql password in users homes. This
> > > > >will fail for installations that have the user homes on NFS with
the
> > > > >option "rootsquash" mounted.
> > > > >
> > > > >I set the severity to "serious" because I imagine that this is a
> > > > >rather common scenario.
> > > > >
> > > > >Also, this approach has another problem: Imagine you want to give
> > > > >access to the unix group "staff"? According to the documentation,
you
> > > > >can use the options "--addgroup" and "--rmgroup" for this. What if
a
> > > > >new employee joins the company later and wants to use x2go? In this
> > > > >case you need to call x2godbadmin for this new user again, which is
> > > > >suboptimal.
> > > > >
> > > > >Is there really no way to get around generated user passwords?
> > >
> > > There is a way that could work: If configured correctly, postgresql
can
> > > use GSSAPI (Kerberos) Authentication. That way, the user is
> > > authenticated using his login ticket cache which is created anyways.
> > > If necessary, one could also provide a keyfile for the cleanup-cronjob
> > > so that it can at least access the database with sufficient
permissions.
> >
> > That would be an option if you are OK to break passwordless ssh key
> > authentication logins.
> >
> > If you really wanted to go the kerberos route, you would have to create
> > special db principals that can only access the db, and stash a
passwordless
> > keyfile in the users home.
>
> Yes, that is correct. One more thing that could also work, but is ugly,
> would be 'ident' authentication in postgresql. But that would of course
> mean that one needs a sufficiently trustable identd on all machines.

Only on the x2go server, not the machine the user is connecting from.

For me, this seems perfectly appropriate in this case.

Reinhard

[Message part 2 (text/html, inline)]

Send a report that this bug log contains spam.