X2Go Bug report logs - #372
x2goadmin writes to users homes

Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: Reinhard Tartler <siretart@gmail.com>

Date: Sun, 15 Dec 2013 00:18:02 UTC

Severity: serious


Message #35 received at 372@bugs.x2go.org:

Date: Mon, 16 Dec 2013 09:46:36 -0500
Message-ID: <CAJ0cceZDX4YZz3=-f3fk9yyg3YA74-4h2icdhH0NgnBPmPQyfg@mail.gmail.com>
Subject: Re: [X2Go-Dev] Bug#372: Bug#372: x2goadmin writes to users homes
From: Reinhard Tartler <siretart@gmail.com>
To: Alexander Wuerstlein <arw@cs.fau.de>
Cc: 372@bugs.x2go.org, Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 
	o.schneyder@phoca-gmbh.de, x2go-dev@lists.berlios.de
[Message part 1 (text/plain, inline)]
On Dec 16, 2013 9:40 AM, "Alexander Wuerstlein" <arw@cs.fau.de> wrote:
>
> On 13-12-16 15:33, Reinhard Tartler <siretart@gmail.com> wrote:
> > On Dec 16, 2013 8:59 AM, "Alexander Wuerstlein" <snalwuer@cip.informatik.uni-erlangen.de> wrote:
> > >
> > > On 13-12-16 08:49, Mike Gabriel <mike.gabriel@das-netzwerkteam.de> wrote:
> > > > Hi Reinhard,
> > > >
> > > > On  So 15 Dez 2013 01:13:35 CET, Reinhard Tartler wrote:
> > > >
> > > > >Package: x2goserver
> > > > >Severity: serious
> > > > >
> > > > >Hi,
> > > > >
> > > > >my understanding of the x2goadmin code [code], end of sub add_user, is
> > > > >that the code tries to write the sql password in users homes. This
> > > > >will fail for installations that have the user homes on NFS with the
> > > > >option "rootsquash" mounted.
> > > > >
> > > > >I set the severity to "serious" because I imagine that this is a
> > > > >rather common scenario.
> > > > >
> > > > >Also, this approach has another problem: Imagine you want to give
> > > > >access to the unix group "staff"? According to the documentation, you
> > > > >can use the options "--addgroup" and "--rmgroup" for this. What if a
> > > > >new employee joins the company later and wants to use x2go? In this
> > > > >case you need to call x2godbadmin for this new user again, which is
> > > > >suboptimal.
> > > > >
> > > > >Is there really no way to get around generated user passwords?
> > >
> > > There is a way that could work: If configured correctly, postgresql can
> > > use GSSAPI (Kerberos) Authentication. That way, the user is
> > > authenticated using his login ticket cache which is created anyways.
> > > If necessary, one could also provide a keyfile for the cleanup-cronjob
> > > so that it can at least access the database with sufficient permissions.
> >
> > That would be an option if you are OK to break passwordless ssh key
> > authentication logins.
> >
> > If you really wanted to go the kerberos route, you would have to create
> > special db principals that can only access the db, and stash a passwordless
> > keyfile in the users home.
>
> Yes, that is correct. One more thing that could also work, but is ugly,
> would be 'ident' authentication in postgresql. But that would of course
> mean that one needs a sufficiently trustable identd on all machines.

Only on the x2go server, not the machine the user is connecting from.

For me, this seems perfectly appropriate in this case.

Reinhard
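
The PostgreSQL authentication alternatives discussed in this thread, sketched as pg_hba.conf entries. This is an added example, not part of the original message and not X2Go's own configuration; the database name `x2go_db`, the address `192.0.2.10` (standing in for the X2Go server) and the map name `x2gomap` are placeholders, and the final `peer` line goes beyond what the thread mentions.

```conf
# pg_hba.conf sketch (constructed example; names and addresses are placeholders).
# PostgreSQL uses the FIRST line that matches a connection, so the entries
# below are alternatives: a deployment would keep one of them, not all.
#
# TYPE  DATABASE  USER  ADDRESS         METHOD  [OPTIONS]

# (a) Password authentication. Every user needs a stored database secret,
#     which is why a per-user password file has to be written somewhere the
#     user can read it, such as the home directory.
host    x2go_db   all   192.0.2.10/32   md5

# (b) GSSAPI (Kerberos). The client presents a ticket from its credential
#     cache; no per-user database password is stored. Principals are mapped
#     to database roles through the named map in pg_ident.conf.
host    x2go_db   all   192.0.2.10/32   gss map=x2gomap

# (c) ident. The database server asks the identd on the CONNECTING host which
#     OS user owns the TCP connection. Connections originate from the X2Go
#     server, so that is the only host whose identd has to be trusted; the
#     address restriction keeps other hosts from using this rule.
host    x2go_db   all   192.0.2.10/32   ident map=x2gomap

# (d) Not discussed in the thread: if the database runs on the same host as
#     the X2Go server, peer authentication over the Unix socket obtains the
#     OS user from the kernel, so no identd is involved at all.
local   x2go_db   all                   peer map=x2gomap

# pg_ident.conf entry for the placeholder map, mapping each OS user (or
# Kerberos principal name) to the database role of the same name:
# MAPNAME   SYSTEM-USERNAME   PG-USERNAME
# x2gomap   /^(.*)$           \1
```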

X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Nov 21 14:41:24 2024; Machine Name: ymir.das-netzwerkteam.de