From: Alexander Wuerstlein
Date: Mon, 16 Dec 2013 14:59:40 +0100
To: Mike Gabriel, 372@bugs.x2go.org, x2go-dev@lists.berlios.de
Cc: Reinhard Tartler, o.schneyder@phoca-gmbh.de
Subject: Re: [X2Go-Dev] Bug#372: Bug#372: x2goadmin writes to users homes

On 13-12-16 08:49, Mike Gabriel wrote:
> Hi Reinhard,
>
> On So 15 Dez 2013 01:13:35 CET, Reinhard Tartler wrote:
>
> >Package: x2goserver
> >Severity: serious
> >
> >Hi,
> >
> >my understanding of the x2goadmin code [code], end of sub add_user, is
> >that the code tries to write the sql password in users homes. This
> >will fail for installations that have the user homes on NFS with the
> >option "rootsquash" mounted.
> >
> >I set the severity to "serious" because I imagine that this is a
> >rather common scenario.
> >
> >Also, this approach has another problem: Imagine you want to give
> >access to the unix group "staff"? According to the documentation, you
> >can use the options "--addgroup" and "--rmgroup" for this. What if a
> >new employee joins the company later and wants to use x2go? In this
> >case you need to call x2godbadmin for this new user again, which is
> >suboptimal.
> >
> >Is there really no way to get around generated user passwords?

There is a way that could work: If configured correctly, postgresql can
use GSSAPI (Kerberos) Authentication. That way, the user is
authenticated using his login ticket cache which is created anyways. If
necessary, one could also provide a keyfile for the cleanup-cronjob so
that it can at least access the database with sufficient permissions.

But I have never tried this with x2go and don't know if it would work.

Ciao,

Alexander Wuerstlein.
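
The following is an added illustration of the PostgreSQL side of the GSSAPI setup suggested in the reply above; it is not part of the original message and is not X2Go's own configuration. The database name, realm, network range, keytab paths and the cleanup principal are placeholder assumptions.

```conf
# ---------- postgresql.conf (database server) ----------
# Keytab holding the key of the server's service principal,
# by default postgres/<db-host-fqdn>@REALM. Path is an assumption.
krb_server_keyfile = '/etc/postgresql/krb5.keytab'

# ---------- pg_hba.conf (database server) ----------
# Password scheme as described in the bug report: each user needs a
# generated SQL password that has to be stored somewhere readable by
# that user (here: the home directory, which fails on root-squashed NFS).
# TYPE  DATABASE       USER  ADDRESS        METHOD
#host   x2go_sessions  all   192.0.2.0/24   md5

# GSSAPI instead: the client authenticates with the Kerberos ticket from
# its login session, so no per-user password file is written.
#   krb_realm      accept principals from this realm only
#   include_realm  0 = strip "@REALM", so alice@EXAMPLE.ORG
#                  authenticates as database role "alice"
# TYPE  DATABASE       USER  ADDRESS        METHOD
host    x2go_sessions  all   192.0.2.0/24   gss include_realm=0 krb_realm=EXAMPLE.ORG

# Notes (assumptions, not tested with X2Go):
# - "x2go_sessions" and 192.0.2.0/24 are placeholders for the real
#   database name and client network.
# - gss only authenticates; a matching database role must still exist
#   for each user, so role creation is not removed by this change.
# - pg_hba.conf is evaluated top to bottom and the first matching line
#   wins, so an earlier md5/trust line for the same database would
#   shadow the gss line.

# ---------- cleanup cron job (non-interactive client) ----------
# A cron job has no login ticket. It can obtain one from its own keytab
# (the "keyfile" mentioned in the reply) before connecting, e.g.:
#   kinit -k -t /etc/x2go/cleanup.keytab x2gocleanup@EXAMPLE.ORG
# The keytab should be readable only by the account running the job,
# and "x2gocleanup" must exist as a database role with the privileges
# the cleanup needs.
```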