From unknown Mon May 18 04:57:42 2026 X-Loop: owner@bugs.x2go.org Subject: Bug#405: X2GO Client pollutes .ssh/authorized_keys Reply-To: Mike Gabriel , 405@bugs.x2go.org Resent-From: Mike Gabriel Resent-To: x2go-dev@lists.x2go.org Resent-CC: X2Go Developers X-Loop: owner@bugs.x2go.org Resent-Date: Thu, 08 Jan 2015 14:05:01 +0000 Resent-Message-ID: Resent-Sender: owner@bugs.x2go.org X-X2Go-PR-Message: followup 405 X-X2Go-PR-Package: x2goclient X-X2Go-PR-Keywords: Received: via spool by 405-submit@bugs.x2go.org id=B405.142072574827296 (code B ref 405); Thu, 08 Jan 2015 14:05:01 +0000 Received: (at 405) by bugs.x2go.org; 8 Jan 2015 14:02:28 +0000 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on ymir.das-netzwerkteam.de X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,URIBL_BLOCKED autolearn=ham version=3.3.2 Received: from freya.das-netzwerkteam.de (freya.das-netzwerkteam.de [88.198.48.199]) by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id 251105DB53; Thu, 8 Jan 2015 15:02:26 +0100 (CET) Received: from grimnir.das-netzwerkteam.de (grimnir.das-netzwerkteam.de [78.46.204.98]) by freya.das-netzwerkteam.de (Postfix) with ESMTPS id 9CC6112356; Thu, 8 Jan 2015 15:02:25 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTP id 79E533BAED; Thu, 8 Jan 2015 15:02:25 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at grimnir.das-netzwerkteam.de Received: from grimnir.das-netzwerkteam.de ([127.0.0.1]) by localhost (grimnir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OGpnTH2l23lD; Thu, 8 Jan 2015 15:02:24 +0100 (CET) Received: from grimnir.das-netzwerkteam.de (localhost [127.0.0.1]) by grimnir.das-netzwerkteam.de (Postfix) with ESMTPS id 966F33C8A4; Thu, 8 Jan 2015 15:02:24 +0100 (CET) Received: from bifrost.das-netzwerkteam.de (bifrost.das-netzwerkteam.de [178.62.101.154]) by mail.das-netzwerkteam.de (Horde Framework) with HTTP; Thu, 08 Jan 2015 14:02:24 +0000 Date: Thu, 08 Jan 2015 14:02:24 +0000 Message-ID: <20150108140224.Horde.MLAtxVhvtoyFimrbtQjO9Q8@mail.das-netzwerkteam.de> From: Mike Gabriel To: 405@bugs.x2go.org Cc: 405-submitter@bugs.x2go.org User-Agent: Internet Messaging Program (IMP) H5 (6.2.2) Accept-Language: en,de Organization: DAS-NETZWERKTEAM X-Originating-IP: 178.62.101.154 X-Remote-Browser: Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0 Iceweasel/32.0 Content-Type: multipart/signed; boundary="=_z5h12zGu__g_kmsJ5J2ySg1"; protocol="application/pgp-signature"; micalg=pgp-sha1 MIME-Version: 1.0 This message is in MIME format and has been PGP signed. --=_z5h12zGu__g_kmsJ5J2ySg1 Content-Type: text/plain; charset=UTF-8; format=flowed; DelSp=Yes Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Control: tag -1 confirmed Control: reassign -1 x2goserver Control: retitle -1 x2gomountdirs/sshfs hangs indefinitely if=20=20 client-side=20sshd is down Hi, I have spent the last 1.5 days with hunting down the cause for #405. The phenomenon is: o client-side is Linux (or maybe Mac OS X) o sshd ist not running on the client machine o the session profile has printing or client-side folder sharing enabled If X2Go Client launches a remote session it does the following things: o set up a reverse port forwarding tunnel that allows : -> : o if sshd is not running, the above will still work... o then x2gomountdirs is evoked... o ... which attempts to run sshfs against : o however, in X2Go Client this triggers an I/O error because the client-= side sshd is not listening / not running I studied the X2Go Client code (sshmasterconnection.cpp and=20=20 sshprocess.cpp)=20very deeply and added several new debug messages +=20=20 improved=20the debugging output of existing messages. In X2Go Client, the mounting of a client-side folder uses two SSH=20=20 channel=20inside this reverse port forwarding tunnel: o one SSH channel for the tunnel itself o one SSH channel per x2gomountdirs command call evoked on the server Furthermore, X2Go Client can detect if failures occur in x2gomountdirs=20= =20 this=20way: o something strange happens while executing the command (SSH=20=20 disconnects=20etc.) o the stdOut of the evoked command (x2gomountdirs) is empty while=20=20 stdErr=20is not So, (and I did not know this), all X2Go Server side commands=20=20 (/usr/bin/x2go*)=20should properly write to stderr if things go wrong=20=20 and=20leave stdOut untouched at the same time. The problem now is: if x2gomountdirs is not detected as "failing"=20=20 (which=20it is not), the sshfs pubkey required for client-side folder=20=20 sharing=20is not removed from the .ssh/authorized_keys file. Furthermore, X2Go Client detects the I/O errors on the sshfs tunnel=20=20 channel,=20but cannot relate to that to the x2gomountdirs command evoked=20= =20 via=20the SSH command channel. My first attempts targetted getting X2Go Client to tidy up the=20=20 authorized_keys=20file whenever a tunnel failure occurs. X2Go Client=20=20 should=20be able to detect this, but this would require a partial=20=20 redesign=20of the complete reverse port forwarding mechanism. I=20=20 disrecommend=20doing this for the current X2Go Client implementation,=20=20 but=20we should keep it in the back of our heads for a later redesign.=20= =20 It=20took about 8h to come to this conclusion. My second approach (and I will commit soon is this): o evoke sshfs command with "timeout 30 sshfs " o print error messages to STDERR (not to STDOUT) o and make sure we unregister the mount point if sshfs fails (with=20=20 fusermount=20-u) Wit this approach, X2Go Client tries to call x2gomountdirs,=20=20 x2gomountdirs=20fails after 30 seconds with error messages printed to=20=20 STDERR.=20This gets caught by X2Go Client and then the=20=20 post-startX2goMount=20code is triggered which removes the used pubkey=20=20 from=20~/.ssh/authorized_keys. Commit will come in a minute... Greets, Mike --=20 DAS-NETZWERKTEAM mike=20gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148 GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.x= fb --=_z5h12zGu__g_kmsJ5J2ySg1 Content-Type: application/pgp-signature Content-Description: Digitale PGP-Signatur Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAABAgAGBQJUro3vAAoJEJr0azAldxsxFJ0QAIjQQ2HbJ2O8Z2oHk7E5PLoj kudKpF5+z/rGQ+KtX/TpS1PXmMfROISLkVvDIM4HgMVVLloWklsB7kYIcuxi5KLY vAH/zwJV8uximXZcDfvxpGKtkp8C1PjIt17kQgRBf0ox52RpjpKXp6xhqa3/vNPi pxZ+DzrCHuOSci03Nv+f5Nl2Je49DH1eXJ52SQNNnqSt4gSpEi6B1Fj0tjY5wwwd pZYZ7VfIfaHzidIGoSjgEApx/BNEGPkCmy9+Bu/1teKribt12CasyPfNLSm9eMSf FdUlg+KBMNO+wijfJJ/q4jhRAKo/4XHoF2Goqi/Cy0syM4HrkOmJRdqEx23UUeKW Vye99xPEUGtAm9/CuRn0CLcmEeLYB836WpdF0jYG70NXwcpFyZoLHN/Nr6IWeqF+ MWz1VbwKYPYV7rIoXZgFVe69ITKW1AjkzRWPRSAgWKqbzR3UM+/UaDjLtikui6z8 YRTwAWyWHLbaQBVq1hteu0T3EmaOR20rjXMvXLc53eUzSYKJmY3PCggtMiTA8DIC DOynRrIzYnIek0bj4rUtzdCPB2LvM01YElz+/ioYctovR6+Hd2ENjjxNjt+Ni9bI pVvezmR7BLk2Gr14XP6JisNtyxhIBwdMB8fSI5pPkNVoe/M+auHAmBESpWQe1iEf 1eLZ0YpoMlR21xTMjk4q =xD8p -----END PGP SIGNATURE----- --=_z5h12zGu__g_kmsJ5J2ySg1--