From: Reinhard Tartler <siretart@gmail.com>
To: submit@bugs.x2go.org
Date: Sat, 14 Dec 2013 19:13:35 -0500
Subject: x2goadmin writes to users homes

Package: x2goserver
Severity: serious

Hi,

my understanding of the x2goadmin code [code], end of sub add_user, is that the code tries to write the sql password in users homes. This will fail for installations that have the user homes on NFS with the option "rootsquash" mounted.

I set the severity to "serious" because I imagine that this is a rather common scenario.

Also, this approach has another problem: Imagine you want to give access to the unix group "staff"? According to the documentation, you can use the options "--addgroup" and "--rmgroup" for this. What if a new employee joins the company later and wants to use x2go? In this case you need to call x2godbadmin for this new user again, which is suboptimal.

Is there really no way to get around generated user passwords?

[code] http://code.x2go.org/gitweb?p=x2goserver.git;a=blob;f=x2goserver/sbin/x2godbadmin

--
regards,
Reinhard


From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Reinhard Tartler, 372@bugs.x2go.org
Cc: o.schneyder@phoca-gmbh.de
Date: Mon, 16 Dec 2013 07:34:34 +0000
Subject: Re: [X2Go-Dev] Bug#372: x2goadmin writes to users homes

Hi Reinhard,

On So 15 Dez 2013 01:13:35 CET, Reinhard Tartler wrote:

> [...]
> Is there really no way to get around generated user passwords?

I install x2goserver on the file servers and run x2godbadmin there daily in a cron job.

If you have distributed file servers, one should test for the $HOME to be accessible in x2godbadmin.

If needed, we could split out x2godbadmin from the x2goserver package and provide it as a standalone package.

As this is a workaround and not a solution to your question above, let's see if Alex has a comment on this.

Mike

--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de


From: Reinhard Tartler <siretart@gmail.com>
To: Mike Gabriel
Cc: 372@bugs.x2go.org, o.schneyder@phoca-gmbh.de
Date: Mon, 16 Dec 2013 07:33:40 -0500
Subject: Re: [X2Go-Dev] Bug#372: x2goadmin writes to users homes

On Mon, Dec 16, 2013 at 2:34 AM, Mike Gabriel wrote:
> I install x2goserver on the file servers and run x2godbadmin there daily in
> a cron job.
>
> If you have distributed file servers, one should test for the $HOME to be
> accessible in x2godbadmin.

What to do if it isn't accessible? Then the user won't get a password to access the postgres, and x2godbadmin will fail silently. That's even worse!

> If needed, we could split out x2godbadmin from the x2goserver package and
> provide it as a standalone package.

I don't see any benefit in doing so other than moving the problem around instead of solving it.

Cheers,

--
regards,
Reinhard


From: Alexander Wuerstlein <snalwuer@stud.informatik.uni-erlangen.de>
To: Mike Gabriel, 372@bugs.x2go.org, x2go-dev@lists.berlios.de
Cc: Reinhard Tartler, o.schneyder@phoca-gmbh.de
Date: Mon, 16 Dec 2013 14:59:40 +0100
Subject: Re: [X2Go-Dev] Bug#372: Bug#372: x2goadmin writes to users homes

On 13-12-16 08:49, Mike Gabriel wrote:
> On So 15 Dez 2013 01:13:35 CET, Reinhard Tartler wrote:
> > [...]
> > Is there really no way to get around generated user passwords?

There is a way that could work: If configured correctly, postgresql can use GSSAPI (Kerberos) Authentication. That way, the user is authenticated using his login ticket cache which is created anyways. If necessary, one could also provide a keyfile for the cleanup-cronjob so that it can at least access the database with sufficient permissions.

But I have never tried this with x2go and don't know if it would work.

Ciao,

Alexander Wuerstlein.


From: Reinhard Tartler <siretart@gmail.com>
To: Alexander Wuerstlein
Cc: 372@bugs.x2go.org, o.schneyder@phoca-gmbh.de, Mike Gabriel, x2go-dev@lists.berlios.de
Date: Mon, 16 Dec 2013 09:31:48 -0500
Subject: Re: [X2Go-Dev] Bug#372: Bug#372: x2goadmin writes to users homes

On Dec 16, 2013 8:59 AM, "Alexander Wuerstlein" <snalwuer@cip.informatik.uni-erlangen.de> wrote:
> There is a way that could work: If configured correctly, postgresql can
> use GSSAPI (Kerberos) Authentication. That way, the user is
> authenticated using his login ticket cache which is created anyways.
> If necessary, one could also provide a keyfile for the cleanup-cronjob
> so that it can at least access the database with sufficient permissions.

That would be an option if you are OK to break passwordless ssh key authentication logins.

If you really wanted to go the kerberos route, you would have to create special db principals that can only access the db, and stash a passwordless keyfile in the users home.

> But I have never tried this with x2go and don't know if it would work.

From: Alexander Wuerstlein <snalwuer@stud.informatik.uni-erlangen.de>
To: Reinhard Tartler
Cc: 372@bugs.x2go.org, o.schneyder@phoca-gmbh.de, Mike Gabriel, x2go-dev@lists.berlios.de
Date: Mon, 16 Dec 2013 15:40:26 +0100
Subject: Re: [X2Go-Dev] Bug#372: Bug#372: x2goadmin writes to users homes

On 13-12-16 15:33, Reinhard Tartler wrote:
> That would be an option if you are OK to break passwordless ssh key
> authentication logins.
>
> If you really wanted to go the kerberos route, you would have to create
> special db principals that can only access the db, and stash a passwordless
> keyfile in the users home.

Yes, that is correct. One more thing that could also work, but is ugly, would be 'ident' authentication in postgresql. But that would of course mean that one needs a sufficiently trustable identd on all machines.

Ciao,

Alexander Wuerstlein.


From: Reinhard Tartler <siretart@gmail.com>
To: Alexander Wuerstlein
Cc: 372@bugs.x2go.org, Mike Gabriel, o.schneyder@phoca-gmbh.de, x2go-dev@lists.berlios.de
Date: Mon, 16 Dec 2013 09:46:36 -0500
Subject: Re: [X2Go-Dev] Bug#372: Bug#372: x2goadmin writes to users homes

On Dec 16, 2013 9:40 AM, "Alexander Wuerstlein" wrote:
> Yes, that is correct. One more thing that could also work, but is ugly,
> would be 'ident' authentication in postgresql. But that would of course
> mean that one needs a sufficiently trustable identd on all machines.

Only on the x2go server, not the machine the user is connecting from.

For me, this seems perfectly appropriate in this case.

Reinhard

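A worked example added here (not x2goserver code, and not posted by anyone in the thread) for two of the points raised above: Mike's suggestion that x2godbadmin should test whether $HOME is reachable, and Reinhard's objection that a failed write must not pass silently. It stores the per-user secret with the user's own effective uid/gid, which sidesteps root_squash on NFS homes, verifies the result and raises on any failure; the file name and the demo's throwaway directory are assumptions.

```python
"""Root-squash-safe storage of a per-user secret, failing loudly on error.

Added example, not x2goserver code. It models the end of add_user in
x2godbadmin, which writes the generated PostgreSQL password into the user's
home. With homes on NFS exported with root_squash, root is mapped to the
anonymous user and that write fails, so here it is done with the user's own
effective uid/gid, then verified; any failure raises instead of being
silently ignored. The file name below is a placeholder (assumption).
"""
import contextlib
import os
import stat
import tempfile

SECRET_FILE = ".x2go_sqlpass.example"  # placeholder, not the real x2goserver path


class SecretWriteError(RuntimeError):
    """Raised instead of failing silently when the secret was not stored."""


@contextlib.contextmanager
def _as_user(uid, gid):
    """Run the block with effective uid/gid switched to the user (group first:
    an unprivileged euid could no longer change it); restore in reverse."""
    saved_uid, saved_gid = os.geteuid(), os.getegid()
    os.setegid(gid)
    try:
        os.seteuid(uid)
        yield
    finally:
        os.seteuid(saved_uid)
        os.setegid(saved_gid)


def store_user_secret(home, uid, gid, secret, name=SECRET_FILE):
    """Write `secret` to home/name as the user (mode 0600), verify it and return
    the path; raise SecretWriteError on any failure."""
    final = os.path.join(home, name)
    tmp = final + ".tmp"
    data = secret.encode()
    with _as_user(uid, gid):
        try:
            st = os.stat(home)  # done as the user: root may be squashed here
        except OSError as e:
            raise SecretWriteError(f"home {home!r} not reachable: {e}") from e
        if not stat.S_ISDIR(st.st_mode) or st.st_uid != uid:
            raise SecretWriteError(f"{home!r} is not a directory owned by uid {uid}")
        try:
            # O_EXCL: never overwrite or follow a pre-existing file of that name.
            fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            with os.fdopen(fd, "wb") as f:
                f.write(data)
                f.flush()
                os.fsync(f.fileno())
            os.replace(tmp, final)  # atomic: readers see the old or new file
        except OSError as e:
            with contextlib.suppress(OSError):
                os.unlink(tmp)
            raise SecretWriteError(f"writing {final!r} as uid {uid}: {e}") from e
        try:
            with open(final, "rb") as f:  # read back as the session user would
                readback = f.read()
            fst = os.stat(final)
        except OSError as e:
            raise SecretWriteError(f"verifying {final!r}: {e}") from e
    if readback != data:
        raise SecretWriteError(f"{final!r} content mismatch after write")
    if stat.S_IMODE(fst.st_mode) & 0o077:
        raise SecretWriteError(f"{final!r} is readable by other users")
    return final


def demo():
    """Exercise the writer as the current user in a throwaway 'home'."""
    uid, gid = os.getuid(), os.getgid()
    home = tempfile.mkdtemp(prefix="x2go-home-")
    path = store_user_secret(home, uid, gid, "constructed-example-secret")
    with open(path) as f:
        content = f.read()
    mode = stat.S_IMODE(os.stat(path).st_mode)
    try:  # an unreachable home must raise, never pass silently
        store_user_secret(os.path.join(home, "missing"), uid, gid, "x")
        loud = False
    except SecretWriteError:
        loud = True
    return {"path": path, "content": content, "mode": mode, "loud_failure": loud}
```

Run as root against a real account, `store_user_secret(pw.pw_dir, pw.pw_uid, pw.pw_gid, secret)` performs the write as that user, so the cron job described above either succeeds or exits with an error it can log.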