X2Go Bug report logs - #372
x2goadmin writes to users homes

Package: x2goserver; Maintainer for x2goserver is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goserver is src:x2goserver.

Reported by: Reinhard Tartler <siretart@gmail.com>

Date: Sun, 15 Dec 2013 00:18:02 UTC

Severity: serious

Full log


Report forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#372; Package x2goserver. (Sun, 15 Dec 2013 00:18:02 GMT)

Acknowledgement sent to Reinhard Tartler <siretart@gmail.com>:
New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Sun, 15 Dec 2013 00:18:02 GMT)

Message #5 received at submit@bugs.x2go.org:

Date: Sat, 14 Dec 2013 19:13:35 -0500
Message-ID: <CAJ0cceZBqnQ1MfvTFfP7i55MtTi-cyjyABD8TtjHbi9kcxg=2A@mail.gmail.com>
Subject: x2goadmin writes to users homes
From: Reinhard Tartler <siretart@gmail.com>
To: submit@bugs.x2go.org

Package: x2goserver
Severity: serious

Hi,

my understanding of the x2goadmin code [code], end of sub add_user, is
that the code tries to write the sql password in users' homes. This
will fail for installations that have the user homes on NFS with the
option "rootsquash" mounted.

I set the severity to "serious" because I imagine that this is a
rather common scenario.

Also, this approach has another problem: Imagine you want to give
access to the unix group "staff"? According to the documentation, you
can use the options "--addgroup" and "--rmgroup" for this. What if a
new employee joins the company later and wants to use x2go? In this
case you need to call x2godbadmin for this new user again, which is
suboptimal.

Is there really no way to get around generated user passwords?

[code] http://code.x2go.org/gitweb?p=x2goserver.git;a=blob;f=x2goserver/sbin/x2godbadmin

-- 
regards,
    Reinhard


Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#372; Package x2goserver. (Mon, 16 Dec 2013 07:48:02 GMT)

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Mon, 16 Dec 2013 07:48:02 GMT)

Message #10 received at 372@bugs.x2go.org:

Date: Mon, 16 Dec 2013 07:34:34 +0000
Message-ID: <20131216073434.Horde.PERNE-ga0mmuL2Mohe-6VA2@mail.das-netzwerkteam.de>
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: Reinhard Tartler <siretart@gmail.com>, 372@bugs.x2go.org
Cc: o.schneyder@phoca-gmbh.de
Subject: Re: [X2Go-Dev] Bug#372: x2goadmin writes to users homes
In-Reply-To: <CAJ0cceZBqnQ1MfvTFfP7i55MtTi-cyjyABD8TtjHbi9kcxg=2A@mail.gmail.com>

Hi Reinhard,

On  So 15 Dez 2013 01:13:35 CET, Reinhard Tartler wrote:

> Package: x2goserver
> Severity: serious
>
> Hi,
>
> my understanding of the x2goadmin code [code], end of sub add_user, is
> that the code tries to write the sql password in users homes. This
> will fail for installations that have the user homes on NFS with the
> option "rootsquash" mounted.
>
> I set the severity to "serious" because I imagine that this is a
> rather common scenario.
>
> Also, this approach has another problem: Imagine you want to give
> access to the unix group "staff"? According to the documentation, you
> can use the options "--addgroup" and "--rmgroup" for this. What if a
> new employee joins the company later and wants to use x2go? In this
> case you need to call x2godbadmin for this new user again, which is
> suboptimal.
>
> Is there really no way to get around generated user passwords?
>
> [code]  
> http://code.x2go.org/gitweb?p=x2goserver.git;a=blob;f=x2goserver/sbin/x2godbadmin

I install x2goserver on the file servers and run x2godbadmin there  
daily in a cron job.

If you have distributed file servers, one should test for the $HOME to  
be accessible in x2godbadmin.

If needed, we could split out x2godbadmin from the x2goserver package  
and provide it as a standalone package.

As this is a workaround and not a solution to your question above,  
let's see if Alex has a comment on this.

Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#372; Package x2goserver. (Mon, 16 Dec 2013 12:48:02 GMT)

Acknowledgement sent to Reinhard Tartler <siretart@gmail.com>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Mon, 16 Dec 2013 12:48:02 GMT)

Message #15 received at 372@bugs.x2go.org:

Date: Mon, 16 Dec 2013 07:33:40 -0500
Message-ID: <CAJ0cceY7Y36-Kd7gq=NQWLXx5tE3C9GtmikAkso-9ANqqkEy8A@mail.gmail.com>
Subject: Re: [X2Go-Dev] Bug#372: x2goadmin writes to users homes
From: Reinhard Tartler <siretart@gmail.com>
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Cc: 372@bugs.x2go.org, o.schneyder@phoca-gmbh.de
In-Reply-To: <20131216073434.Horde.PERNE-ga0mmuL2Mohe-6VA2@mail.das-netzwerkteam.de>

On Mon, Dec 16, 2013 at 2:34 AM, Mike Gabriel
<mike.gabriel@das-netzwerkteam.de> wrote:
> I install x2goserver on the file servers and run x2godbadmin there daily in
> a cron job.
>
> If you have distributed file servers, one should test for the $HOME to be
> accessible in x2godbadmin.

What to do if it isn't accessible? Then the user won't get a password
to access the postgres, and x2godbadmin will fail silently. That's
even worse!

> If needed, we could split out x2godbadmin from the x2goserver package and
> provide it as a standalone package.

I don't see any benefit in doing so other than moving the problem
around instead of solving it.

Cheers,

-- 
regards,
    Reinhard
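Mike's suggestion (test that $HOME is reachable before writing) and Reinhard's objection (a silent failure leaves the user without credentials) are illustrated by the following added example. It is not code from x2godbadmin or any other part of x2goserver; the relative path `.x2go-example/sqlpass`, the function names and the demo users are assumptions. It writes the per-user secret atomically, never creates a missing home (on a file server that usually means the export is not mounted here), and reports every failure, including the root_squash case, so that a cron job driving it exits non-zero and the affected users appear in its log.

```python
"""Store a per-user secret under $HOME and fail loudly when that is impossible.

Added example, not x2goserver's x2godbadmin. The relative path
.x2go-example/sqlpass, the function names and the demo users are assumptions.
"""
import errno
import os
import sys
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

SECRET_FILE = os.path.join(".x2go-example", "sqlpass")  # placeholder, not the project's real path


@dataclass
class WriteResult:
    ok: bool
    path: str
    reason: Optional[str] = None


def store_user_secret(home: str, secret: str, uid: int, gid: int) -> WriteResult:
    """Atomically write `secret` to $HOME/SECRET_FILE as uid:gid, mode 0600.

    The home directory is never created here: a missing home usually means the
    export is not mounted on this host, which must be reported, not papered over.
    """
    target = os.path.join(home, SECRET_FILE)
    if not os.path.isdir(home):
        return WriteResult(False, target, "home directory missing or not mounted on this host")
    tmp = None
    try:
        os.makedirs(os.path.dirname(target), mode=0o700, exist_ok=True)
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(target), prefix=".sqlpass.")
        try:
            os.write(fd, secret.encode())
            os.fchmod(fd, 0o600)
            # On a root_squash export root is mapped to nobody, so this call (or
            # the mkdir/mkstemp above) fails with EACCES/EPERM instead of succeeding.
            os.fchown(fd, uid, gid)
        finally:
            os.close(fd)
        os.replace(tmp, target)  # atomic: a reader never sees a half-written file
        tmp = None
    except OSError as exc:
        if tmp is not None:
            try:
                os.unlink(tmp)  # do not leave a partially written temp file behind
            except OSError:
                pass
        if exc.errno in (errno.EACCES, errno.EPERM):
            reason = f"{exc.strerror}: root is probably squashed on this mount"
        else:
            reason = exc.strerror or str(exc)
        return WriteResult(False, target, reason)
    return WriteResult(True, target)


def provision(users: List[Tuple[str, str, int, int, str]]) -> Tuple[int, List[str]]:
    """Run store_user_secret for (name, home, uid, gid, secret) tuples.

    Returns (exit_status, log_lines). Any failure makes the exit status 1, so
    the cron job driving this cannot fail silently.
    """
    log: List[str] = []
    failures = 0
    for name, home, uid, gid, secret in users:
        res = store_user_secret(home, secret, uid, gid)
        if res.ok:
            log.append(f"ok   {name}: wrote {res.path}")
        else:
            failures += 1
            log.append(f"FAIL {name}: {res.path}: {res.reason}")
    return (1 if failures else 0), log


def read_secret(home: str) -> str:
    """Read back what store_user_secret wrote (used by the demo and tests)."""
    with open(os.path.join(home, SECRET_FILE)) as fh:
        return fh.read()


def demo() -> Tuple[int, List[str], str]:
    """Constructed input: one reachable home and one that is not mounted."""
    base = tempfile.mkdtemp(prefix="homes-")
    ok_home = os.path.join(base, "alice")
    os.mkdir(ok_home)
    me, mg = os.getuid(), os.getgid()  # own uid/gid so the demo works unprivileged
    users = [
        ("alice", ok_home, me, mg, "constructed-secret-1"),
        ("bob", os.path.join(base, "bob"), me, mg, "constructed-secret-2"),  # never mounted
    ]
    status, lines = provision(users)
    return status, lines, ok_home


if __name__ == "__main__":
    status, lines, _ = demo()
    print("\n".join(lines))
    sys.exit(status)
```

Run stand-alone it prints one `ok` and one `FAIL` line and exits with status 1; the EACCES/EPERM branch is the one a root_squash mount would trigger when the script runs as root on a client of the file server.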


Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#372; Package x2goserver. (Mon, 16 Dec 2013 14:18:01 GMT)

Acknowledgement sent to Alexander Wuerstlein <snalwuer@cip.informatik.uni-erlangen.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Mon, 16 Dec 2013 14:18:01 GMT)

Message #20 received at 372@bugs.x2go.org:

Date: Mon, 16 Dec 2013 14:59:40 +0100
From: Alexander Wuerstlein <snalwuer@cip.informatik.uni-erlangen.de>
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 372@bugs.x2go.org, x2go-dev@lists.berlios.de
Cc: Reinhard Tartler <siretart@gmail.com>, o.schneyder@phoca-gmbh.de
Subject: Re: [X2Go-Dev] Bug#372:  Bug#372: x2goadmin writes to users homes
Message-ID: <20131216135940.GF24005@cip.informatik.uni-erlangen.de>
In-Reply-To: <20131216073434.Horde.PERNE-ga0mmuL2Mohe-6VA2@mail.das-netzwerkteam.de>

On 13-12-16 08:49, Mike Gabriel <mike.gabriel@das-netzwerkteam.de> wrote:
> Hi Reinhard,
> 
> On  So 15 Dez 2013 01:13:35 CET, Reinhard Tartler wrote:
> 
> >Package: x2goserver
> >Severity: serious
> >
> >Hi,
> >
> >my understanding of the x2goadmin code [code], end of sub add_user, is
> >that the code tries to write the sql password in users homes. This
> >will fail for installations that have the user homes on NFS with the
> >option "rootsquash" mounted.
> >
> >I set the severity to "serious" because I imagine that this is a
> >rather common scenario.
> >
> >Also, this approach has another problem: Imagine you want to give
> >access to the unix group "staff"? According to the documentation, you
> >can use the options "--addgroup" and "--rmgroup" for this. What if a
> >new employee joins the company later and wants to use x2go? In this
> >case you need to call x2godbadmin for this new user again, which is
> >suboptimal.
> >
> >Is there really no way to get around generated user passwords?

There is a way that could work: If configured correctly, postgresql can
use GSSAPI (Kerberos) Authentication. That way, the user is
authenticated using his login ticket cache which is created anyways.
If necessary, one could also provide a keyfile for the cleanup-cronjob
so that it can at least access the database with sufficient permissions. 

But I have never tried this with x2go and don't know if it would work.



Ciao,

Alexander Wuerstlein.


Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#372; Package x2goserver. (Mon, 16 Dec 2013 14:33:02 GMT)

Acknowledgement sent to Reinhard Tartler <siretart@gmail.com>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Mon, 16 Dec 2013 14:33:02 GMT)

Message #25 received at 372@bugs.x2go.org:

Date: Mon, 16 Dec 2013 09:31:48 -0500
Message-ID: <CAJ0ccebpO+3_0oJYq2m9oomhFMi4KW-MsafT7mBpMKdi5qYRMA@mail.gmail.com>
Subject: Re: [X2Go-Dev] Bug#372: Bug#372: x2goadmin writes to users homes
From: Reinhard Tartler <siretart@gmail.com>
To: Alexander Wuerstlein <snalwuer@cip.informatik.uni-erlangen.de>
Cc: 372@bugs.x2go.org, o.schneyder@phoca-gmbh.de, Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, x2go-dev@lists.berlios.de
In-Reply-To: <20131216135940.GF24005@cip.informatik.uni-erlangen.de>

On Dec 16, 2013 8:59 AM, "Alexander Wuerstlein" <snalwuer@cip.informatik.uni-erlangen.de> wrote:
>
> On 13-12-16 08:49, Mike Gabriel <mike.gabriel@das-netzwerkteam.de> wrote:
> > Hi Reinhard,
> >
> > On  So 15 Dez 2013 01:13:35 CET, Reinhard Tartler wrote:
> >
> > >Package: x2goserver
> > >Severity: serious
> > >
> > >Hi,
> > >
> > >my understanding of the x2goadmin code [code], end of sub add_user, is
> > >that the code tries to write the sql password in users homes. This
> > >will fail for installations that have the user homes on NFS with the
> > >option "rootsquash" mounted.
> > >
> > >I set the severity to "serious" because I imagine that this is a
> > >rather common scenario.
> > >
> > >Also, this approach has another problem: Imagine you want to give
> > >access to the unix group "staff"? According to the documentation, you
> > >can use the options "--addgroup" and "--rmgroup" for this. What if a
> > >new employee joins the company later and wants to use x2go? In this
> > >case you need to call x2godbadmin for this new user again, which is
> > >suboptimal.
> > >
> > >Is there really no way to get around generated user passwords?
>
> There is a way that could work: If configured correctly, postgresql can
> use GSSAPI (Kerberos) Authentication. That way, the user is
> authenticated using his login ticket cache which is created anyways.
> If necessary, one could also provide a keyfile for the cleanup-cronjob
> so that it can at least access the database with sufficient permissions.

That would be an option if you are OK to break passwordless ssh key
authentication logins.

If you really wanted to go the kerberos route, you would have to create
special db principals that can only access the db, and stash a passwordless
keyfile in the users home.

>
> But I have never tried this with x2go and don't know if it would work.
>
>
>
> Ciao,
>
> Alexander Wuerstlein.

Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#372; Package x2goserver. (Mon, 16 Dec 2013 14:48:01 GMT)

Acknowledgement sent to Alexander Wuerstlein <arw@cs.fau.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Mon, 16 Dec 2013 14:48:01 GMT)

Message #30 received at 372@bugs.x2go.org:

Date: Mon, 16 Dec 2013 15:40:26 +0100
From: Alexander Wuerstlein <arw@cs.fau.de>
To: Reinhard Tartler <siretart@gmail.com>
Cc: 372@bugs.x2go.org, o.schneyder@phoca-gmbh.de, Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, x2go-dev@lists.berlios.de
Subject: Re: [X2Go-Dev] Bug#372: Bug#372: x2goadmin writes to users homes
Message-ID: <20131216144026.GG24005@cip.informatik.uni-erlangen.de>
In-Reply-To: <CAJ0ccebpO+3_0oJYq2m9oomhFMi4KW-MsafT7mBpMKdi5qYRMA@mail.gmail.com>

On 13-12-16 15:33, Reinhard Tartler <siretart@gmail.com> wrote:
> On Dec 16, 2013 8:59 AM, "Alexander Wuerstlein" <snalwuer@cip.informatik.uni-erlangen.de> wrote:
> >
> > On 13-12-16 08:49, Mike Gabriel <mike.gabriel@das-netzwerkteam.de> wrote:
> > > Hi Reinhard,
> > >
> > > On  So 15 Dez 2013 01:13:35 CET, Reinhard Tartler wrote:
> > >
> > > >Package: x2goserver
> > > >Severity: serious
> > > >
> > > >Hi,
> > > >
> > > >my understanding of the x2goadmin code [code], end of sub add_user, is
> > > >that the code tries to write the sql password in users homes. This
> > > >will fail for installations that have the user homes on NFS with the
> > > >option "rootsquash" mounted.
> > > >
> > > >I set the severity to "serious" because I imagine that this is a
> > > >rather common scenario.
> > > >
> > > >Also, this approach has another problem: Imagine you want to give
> > > >access to the unix group "staff"? According to the documentation, you
> > > >can use the options "--addgroup" and "--rmgroup" for this. What if a
> > > >new employee joins the company later and wants to use x2go? In this
> > > >case you need to call x2godbadmin for this new user again, which is
> > > >suboptimal.
> > > >
> > > >Is there really no way to get around generated user passwords?
> >
> > There is a way that could work: If configured correctly, postgresql can
> > use GSSAPI (Kerberos) Authentication. That way, the user is
> > authenticated using his login ticket cache which is created anyways.
> > If necessary, one could also provide a keyfile for the cleanup-cronjob
> > so that it can at least access the database with sufficient permissions.
> 
> That would be an option if you are OK to break passwordless ssh key
> authentication logins.
> 
> If you really wanted to go the kerberos route, you would have to create
> special db principals that can only access the db, and stash a passwordless
> keyfile in the users home.

Yes, that is correct. One more thing that could also work, but is ugly,
would be 'ident' authentication in postgresql. But that would of course
mean that one needs a sufficiently trustable identd on all machines.



Ciao,

Alexander Wuerstlein.


Information forwarded to x2go-dev@lists.berlios.de, X2Go Developers <x2go-dev@lists.berlios.de>:
Bug#372; Package x2goserver. (Mon, 16 Dec 2013 14:48:02 GMT)

Acknowledgement sent to Reinhard Tartler <siretart@gmail.com>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.berlios.de>. (Mon, 16 Dec 2013 14:48:02 GMT)

Message #35 received at 372@bugs.x2go.org:

Date: Mon, 16 Dec 2013 09:46:36 -0500
Message-ID: <CAJ0cceZDX4YZz3=-f3fk9yyg3YA74-4h2icdhH0NgnBPmPQyfg@mail.gmail.com>
Subject: Re: [X2Go-Dev] Bug#372: Bug#372: x2goadmin writes to users homes
From: Reinhard Tartler <siretart@gmail.com>
To: Alexander Wuerstlein <arw@cs.fau.de>
Cc: 372@bugs.x2go.org, Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, o.schneyder@phoca-gmbh.de, x2go-dev@lists.berlios.de
In-Reply-To: <20131216144026.GG24005@cip.informatik.uni-erlangen.de>

On Dec 16, 2013 9:40 AM, "Alexander Wuerstlein" <arw@cs.fau.de> wrote:
>
> On 13-12-16 15:33, Reinhard Tartler <siretart@gmail.com> wrote:
> > On Dec 16, 2013 8:59 AM, "Alexander Wuerstlein" <snalwuer@cip.informatik.uni-erlangen.de> wrote:
> > >
> > > On 13-12-16 08:49, Mike Gabriel <mike.gabriel@das-netzwerkteam.de> wrote:
> > > > Hi Reinhard,
> > > >
> > > > On  So 15 Dez 2013 01:13:35 CET, Reinhard Tartler wrote:
> > > >
> > > > >Package: x2goserver
> > > > >Severity: serious
> > > > >
> > > > >Hi,
> > > > >
> > > > >my understanding of the x2goadmin code [code], end of sub add_user, is
> > > > >that the code tries to write the sql password in users homes. This
> > > > >will fail for installations that have the user homes on NFS with the
> > > > >option "rootsquash" mounted.
> > > > >
> > > > >I set the severity to "serious" because I imagine that this is a
> > > > >rather common scenario.
> > > > >
> > > > >Also, this approach has another problem: Imagine you want to give
> > > > >access to the unix group "staff"? According to the documentation, you
> > > > >can use the options "--addgroup" and "--rmgroup" for this. What if a
> > > > >new employee joins the company later and wants to use x2go? In this
> > > > >case you need to call x2godbadmin for this new user again, which is
> > > > >suboptimal.
> > > > >
> > > > >Is there really no way to get around generated user passwords?
> > >
> > > There is a way that could work: If configured correctly, postgresql can
> > > use GSSAPI (Kerberos) Authentication. That way, the user is
> > > authenticated using his login ticket cache which is created anyways.
> > > If necessary, one could also provide a keyfile for the cleanup-cronjob
> > > so that it can at least access the database with sufficient permissions.
> >
> > That would be an option if you are OK to break passwordless ssh key
> > authentication logins.
> >
> > If you really wanted to go the kerberos route, you would have to create
> > special db principals that can only access the db, and stash a passwordless
> > keyfile in the users home.
>
> Yes, that is correct. One more thing that could also work, but is ugly,
> would be 'ident' authentication in postgresql. But that would of course
> mean that one needs a sufficiently trustable identd on all machines.

Only on the x2go server, not the machine the user is connecting from.

For me, this seems perfectly appropriate in this case.

Reinhard
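The two alternatives discussed in the thread above (GSSAPI and ident authentication) as a pg_hba.conf fragment, added here for illustration; it is not x2goserver's shipped configuration, and the database name `x2go_sessions`, the realm `EXAMPLE.ORG` and the address `127.0.0.1/32` are placeholders. It also records the distinction behind Reinhard's last remark: for connections over the local Unix socket PostgreSQL's `peer` method reads the OS user from the kernel, so no identd is needed on any machine; the `ident` method proper applies to TCP connections and is the one that relies on an identd on the connecting host.

```conf
# pg_hba.conf fragment (added example, not x2goserver's shipped config).
# x2go_sessions, EXAMPLE.ORG and 127.0.0.1/32 are placeholders.
#
# TYPE   DATABASE        USER    ADDRESS         METHOD  OPTIONS

# The pattern this bug report is about: a generated per-user password that
# has to be stored in every $HOME so the session scripts can log in.
#host    x2go_sessions   all     127.0.0.1/32    md5

# GSSAPI (Kerberos): the connecting user's principal becomes the database
# role and nothing is written to $HOME, but a ticket cache must exist, which
# plain SSH-key logins do not provide (Reinhard's objection above).
host     x2go_sessions   all     127.0.0.1/32    gss     include_realm=0 krb_realm=EXAMPLE.ORG

# OS-user authentication without identd: on a local Unix-socket connection
# PostgreSQL obtains the peer's uid from the kernel (method "peer"). "ident"
# is the TCP variant and is the one that needs a trustworthy identd.
local    x2go_sessions   all                     peer
```

With the `peer` line, every local Unix account that can reach the socket maps onto a database role of the same name, so the role set and its privileges on `x2go_sessions` are what limits access; nothing secret has to be provisioned into home directories at all.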

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#372; Package x2goserver. (Sun, 28 Jan 2018 04:10:01 GMT)


X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Mar 28 12:42:18 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system