X2Go Bug report logs - #602
X2GoSession clobbers .ssh/known_hosts when add_to_known_hosts is set

Toggle useless messages

Message #5 received at submit@bugs.x2go.org (full text, mbox, reply):

From: Matteo Panella <m.panella@level28.org>

To: submit@bugs.x2go.org

Subject: X2GoSession clobbers .ssh/known_hosts when add_to_known_hosts is set

Date: Wed, 10 Sep 2014 09:45:18 +0200

Package: python-x2go
Version: 0.4.0.9

Whenever a host key is registered using pyhoca-cli or pyhoca-gui, the
$HOME/.ssh/known_hosts file gets clobbered: all keys whose type is not
either ssh-dss or ssh-rsa (namely, ECDSA and Ed25519 host keys) are removed.

Steps to reproduce:
1. register some ECDSA/Ed25519 host keys
2. backup .ssh/known_hosts
3. define a new profile in pyhoca-gui selecting "Store SSH host keys
under (unique) X2Go session profile ID"
4. connect to the host and accept the host key
5. run a diff between the old known_hosts file and the current
.ssh/known_hosts file

Expected behaviour:
there should _only_ be an addition for the new ssh host key registered
by python-x2go and no other modification

Actual result:
there is an addition for the new host key registered by python-x2go and
removals for all ecdsa and ed25519 host keys

I suspect this is a problem with paramiko not understanding ECDSA and
Ed25519 keys in known_hosts and summarily discarding them, nevertheless
I'm raising the bug here because the x2go PPA for Ubuntu ships a custom
version of paramiko for precise (also because it should probably be
noted in the release notes and/or worked around in python-x2go if possible).

Client OS Version: Ubuntu 12.04.5 (amd64)
Package source: ppa:x2go/stable
PyHoca-GUI Version: 0.4.0.9 (0.4.0.9-0~1107~ubuntu12.04.1)
python-x2go Version: 0.4.0.9 (0.4.0.9-0~1122~ubuntu12.04.1)
python-paramiko Version: 1.11.0-0~664~precise1 (from ppa:x2go/stable)

The server bits are mostly irrelevant since this is purely a client-side
bug, but it happened with the following server-side configuration:
Server OS Version: Ubuntu 14.04.1 (amd64)
Package source: ppa:x2go/stable
Server x2goserver Version: 4.0.1.15 (4.0.1.15-0~847~ubuntu14.04.1)
Server x2goserver-xsession Version: 4.0.1.15 (4.0.1.15-0~847~ubuntu14.04.1)
Server nx-libs Version: 3.5.0.27 (2:3.5.0.27-0~446~ubuntu14.04.1)
-- 
Matteo Panella

Message #10 received at 602@bugs.x2go.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

To: Matteo Panella <m.panella@level28.org>, 602@bugs.x2go.org

Subject: Re: [X2Go-Dev] Bug#602: X2GoSession clobbers .ssh/known_hosts when add_to_known_hosts is set

Date: Fri, 17 Oct 2014 11:28:14 +0000

[Message part 1 (text/plain, inline)]

Hi Matteo,

On  Mi 10 Sep 2014 09:45:18 CEST, Matteo Panella wrote:

> Package: python-x2go
> Version: 0.4.0.9
>
> Whenever a host key is registered using pyhoca-cli or pyhoca-gui, the
> $HOME/.ssh/known_hosts file gets clobbered: all keys whose type is not
> either ssh-dss or ssh-rsa (namely, ECDSA and Ed25519 host keys) are removed.
>
> Steps to reproduce:
> 1. register some ECDSA/Ed25519 host keys
> 2. backup .ssh/known_hosts
> 3. define a new profile in pyhoca-gui selecting "Store SSH host keys
> under (unique) X2Go session profile ID"
> 4. connect to the host and accept the host key
> 5. run a diff between the old known_hosts file and the current
> .ssh/known_hosts file
>
> Expected behaviour:
> there should _only_ be an addition for the new ssh host key registered
> by python-x2go and no other modification
>
> Actual result:
> there is an addition for the new host key registered by python-x2go and
> removals for all ecdsa and ed25519 host keys
>
> I suspect this is a problem with paramiko not understanding ECDSA and
> Ed25519 keys in known_hosts and summarily discarding them, nevertheless
> I'm raising the bug here because the x2go PPA for Ubuntu ships a custom
> version of paramiko for precise (also because it should probably be
> noted in the release notes and/or worked around in python-x2go if possible).
>
> Client OS Version: Ubuntu 12.04.5 (amd64)
> Package source: ppa:x2go/stable
> PyHoca-GUI Version: 0.4.0.9 (0.4.0.9-0~1107~ubuntu12.04.1)
> python-x2go Version: 0.4.0.9 (0.4.0.9-0~1122~ubuntu12.04.1)
> python-paramiko Version: 1.11.0-0~664~precise1 (from ppa:x2go/stable)
>
> The server bits are mostly irrelevant since this is purely a client-side
> bug, but it happened with the following server-side configuration:
> Server OS Version: Ubuntu 14.04.1 (amd64)
> Package source: ppa:x2go/stable
> Server x2goserver Version: 4.0.1.15 (4.0.1.15-0~847~ubuntu14.04.1)
> Server x2goserver-xsession Version: 4.0.1.15 (4.0.1.15-0~847~ubuntu14.04.1)
> Server nx-libs Version: 3.5.0.27 (2:3.5.0.27-0~446~ubuntu14.04.1)

This does not happen with python-paramiko 1.15.1 anymore. I will add a  
versioned dependency for that paramiko version to our upstream release  
python-x2go and then see how to fix our archives.

Thanks for notifying us!
Mike

-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

[Message part 2 (application/pgp-signature, inline)]

Message #15 received at 602@bugs.x2go.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

To: 602-submitter@bugs.x2go.org

Cc: control@bugs.x2go.org, 602@bugs.x2go.org

Subject: X2Go issue (in src:python-x2go) has been marked as pending for release

Date: Fri, 17 Oct 2014 13:31:48 +0200 (CEST)

tag #602 pending
fixed #602 0.5.0.0
thanks

Hello,

X2Go issue #602 (src:python-x2go) reported by you has been
fixed in X2Go Git. You can see the changelog below, and you can
check the diff of the fix at:

    http://code.x2go.org/gitweb?p=python-x2go.git;a=commitdiff;h=d3273c0

The issue will most likely be fixed in src:python-x2go (0.5.0.0).

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
commit d3273c05d7080b628789750bf2c6ad6205a93abd
Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Date:   Fri Oct 17 13:31:24 2014 +0200

    debian/control / python-x2go.spec: Update D (python-x2go): python-paramiko (>= 1.15.1-0~). Update R for python-x2go: python-paramiko >= 1.15.1. (Fixes: #602).

diff --git a/debian/changelog b/debian/changelog
index 28df526..a36dfdc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -121,10 +121,12 @@ python-x2go (0.5.0.0-0x2go1) UNRELEASED; urgency=low
     + Add dependencies: python-requests, python-simplejson.
     + Add R (python-x2go): sshfs.
     + Add S (python-x2go): telekinesis-client, mteleplayer-clientside.
+    + Update D (python-x2go): python-paramiko (>= 1.15.1-0~). (Fixes: #602).
   * python-x2go.spec:
     + Add dependencies: python-requests, python-simplejson.
     + Additionally adapt to building on openSUSE/SLES.
     + Add all python packages under R to BR (for epydoc run).
+    + Update R for python-x2go: python-paramiko >= 1.15.1.
 
   [ Mike DePaulo ]
   * New upstream version (0.5.0.0):

Message #27 received at 602@bugs.x2go.org (full text, mbox, reply):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

To: 602-submitter@bugs.x2go.org

Cc: control@bugs.x2go.org, 602@bugs.x2go.org

Subject: X2Go issue (in src:python-x2go) has been marked as closed

Date: Mon, 20 Oct 2014 12:50:25 +0200 (CEST)

close #602
thanks

Hello,

we are very hopeful that X2Go issue #602 reported by you
has been resolved in the new release (0.5.0.0) of the
X2Go source project »src:python-x2go«.

You can view the complete changelog entry of src:python-x2go (0.5.0.0)
below, and you can use the following link to view all the code changes
between this and the last release of src:python-x2go.

    http://code.x2go.org/gitweb?p=python-x2go.git;a=commitdiff;h=3fec411b839b53c0e51a73dd05c7a77dcde800e8;hp=3088eda9bf1494527afecc4b36c56a8caff314d0

If you feel that the issue has not been resolved satisfyingly, feel
free to reopen this bug report or submit a follow-up report with
further observations described based on the new released version
of src:python-x2go.

Thanks a lot for contributing to X2Go!!!

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
X2Go Component: src:python-x2go
Version: 0.5.0.0-0x2go1
Status: RELEASE
Date: Mon, 20 Oct 2014 12:40:34 +0200
Fixes: 334 358 500 508 532 537 588 602
Changes: 
 python-x2go (0.5.0.0-0x2go1) RELEASED; urgency=low
 .
   [ Mike Gabriel ]
   * New upstream version (0.5.0.0):
     - Split up session profile backend into generic and storage specific
       parts.
     - Fully rework backend concept in Python X2Go. Breaks compatibility
       with earlier versions of Python X2Go concerning backends (probably
       not really used by third-party products, if at all).
     - Fix setting default values in X2GoClientXConfig class.
     - Default to xdg-open as default PDF viewer command.
     - Provide session profile backend for a http broker.
     - Make session profile backends more unicode robust.
     - X2GoSessionProfile.get_server_hostname must return unicode objects.
     - Speed-optimize session profile ID <-> name mapping.
     - Handle injection of PKey (Paramiko SSH key) objects for authentication
       from the broker session profiles backend.
     - Allow catching "connection refused" errors while talking to an X2Go
       Session Broker (X2GoBrokerConnectionException).
     - Support cookie based authentication against a http(s) session broker.
     - On Windows: Improve debugging when a new X-Server port has to be
       allocated.
     - Capture broker connection problems during selectsession calls to the
       broker via a HOOK method.
     - Allow user interaction via a HOOK if broker connection problems occur.
     - Handle broker setups that don't require credentials. Connection can
       be established simply by leaving the password (and authid) empty.
     - Fix detection of matching path names in X2GoIniFiles.
     - Make sure X2GoClientXConfig config file really gets written to disk
       (after we changed the internas of X2GoIniFile for this new major release).
     - Rename hook method HOOK_no_known_xserver_found to
       HOOK_no_installed_xservers_found. Call this new hook if no installed
       X-Servers could be found on the system.
     - Only check running X-Servers that have the same WMI SessionId as the
       current X2Go application.
     - Session profiles: default value type for exports session profile option
       is an empty dictionary.
     - Make X2GoClient's constructor aware of non-usable X-Server ports.
     - Windows: Fix crash while attempting to find the session window.
     - Support SSH proxy autologin feature of X2Go Session Broker.
     - Provide Telekinesis support in Python X2Go.
     - Stop manipulating session profiles in X2GoSshProxy class. Esp. stop
       manipulating session profiles with deprecated session options.
     - Type-hardening of X2GoSshProxy class. Accept hosts as list and strings.
       If hosts are given as a list, a random list element will be taken as
       host (for connecting and for the SSH proxy tunnel setup).
     - Type-hardening of X2GoControlSession class's C{connect()} method.
       Handle hostnames that come in as lists gracefully.
     - Don't construct the sshproxy_tunnel parameter in x2go/utils.py. Leave
       that to higher level classes that know more about X2Go internals.
     - Add support for a subsystem string when setting up port forwarding
       tunnels.
     - Use gevent to spawn the TeKi client start-up process (instead of waiting
       for it to return).
     - Provide support for new session parameter: clipboard. (Fixes: #508).
     - Split up NX output and NX errors into two separate files.
     - Silent ignore it if we cannot detect the local Xlib.display.Display()
       instance (happens with polyinstantiated /tmp dirs).
     - Don't start telekinesis client if not support server-side. Don't attempt
       at starting telekinesis client, if it is not installed.
     - Disallow server-side users to override X2Go Server commands via
       ~/bin (or similar). (Fixes: #334).
     - Handle non-available color depth in X2Go session name gracefully.
       (Fixes: #358).
     - Make sure that the x2gosuspend-session/x2goterminate-session commands
       are sent to the X2Go Server before we take down the NX proxy subprocess.
     - Create a "session.window" file in the session directory. This file for now
       contains one line "ID:<window-id>". The file appears once a session window
       comes up (start/resume), and disappears once the session window closes
       (suspend/terminate).
     - Only enable Telekinesis client debugging if the logger instance is in
       debug mode.
     - Performance tests have shown, that enabling SSH compression is not a
       good idea. NX should handle that instead (and does).
     - Better control the startup bootstrap of the Telekinesis client
       subsystem.
     - Newly understand our own Paramiko/SSH forwarding tunnel code. Become
       aware of handling multiple connects on the same tunnel.
     - Rename LICENSE.txt to COPYING.
     - Be more exact when detecting the NX proxy window id.
     - On non-Windows platforms, enforce usage of the "ares" DNS resolver in
       python-gevent (which is available since Python gevent 1.0~). (Fixes:
       #588).
     - Use Xlib to detect client-side destop geometry.
     - For reverse port forwardings use IPv4 localhost address only.
     - Assure proper NX Proxy cleanup when sessions suspends/
       terminates.
     - Assure proper Telekinesis client cleanup when sessions suspends/
       terminates.
     - Clean up terminal sessions properly when the clean_sessions() method
       of the control session has got called.
     - Don't use compression on  TeKi sshfs mounts.
     - Handle duplicate profile names gracefully (i.e. append a " (1)",
       " (2)", ... to the session profile name). (Fixes: #500).
     - Support server-side Telekinesis versions that ship their own
       (teki-)sftpserver.
     - Use session_name, not session_info object's __str__() method to obtain
       session name (in X2GoTelekinesis).
     - Handle socket errors on the reverse port forwarding tunnels more
       gracefully.
     - Handle sudden control session death during local folder sharing
       gracefully.
     - Don't choke on non-initialized SSH transport objects when initializing
       SFTP client.
     - Fix transport lock release in X2GoControlSession._x2go_sftp_put().
     - Fix session lock release in various methods of the X2GoSession class.
     - Release _share_local_folder_lock on instance X2GoTerminalSession
       destruction.
     - Detect non-installed sshfs (required for Telekinesis).
     - X2GoControlSession: Don't mess with the associated_terminals dict if
       the control session has already died away (i.e. been forcefully
       disconnect).
     - If the listsessions command detects a terminated or suspended session,
       we have to destroy the corresponding X2GoTerminalSession() to trigger
       a proper cleanup of that instance.
     - Fix various hrefs in __doc__ strings.
     - Fix creating/renaming/reconfiguring session profiles. Handle host
       option properly (as list).
     - Make sure we do a deepcopy of the default session profile parameters.
     - Detect more exceptions in the requests module when authenticating against a
       session broker.
     - Only convert the value of the export session profile option if not
       already a Python dictionary.
     - Capture X2GoControlSessionException occurrences during client-side folder
       sharing initializaation while starting/resuming a session.
     - X2GoSessionRegistry: Don't report about sessions that have a not yet
       fully assigned session name / profile name / profile id.
   * debian/control:
     + Add dependencies: python-requests, python-simplejson.
     + Add R (python-x2go): sshfs.
     + Add S (python-x2go): telekinesis-client, mteleplayer-clientside.
     + Update D (python-x2go): python-paramiko (>= 1.15.1-0~). (Fixes: #602).
   * python-x2go.spec:
     + Add dependencies: python-requests, python-simplejson.
     + Additionally adapt to building on openSUSE/SLES.
     + Add all python packages under R to BR (for epydoc run).
     + Update R for python-x2go: python-paramiko >= 1.15.1.
 .
   [ Mike DePaulo ]
   * New upstream version (0.5.0.0):
     - Windows: Fix compatibility with PulseAudio 3.0 & later (Fixes: #532)
     - Windows: Prevent high PulseAudio CPU usage on Windows XP by lowering
       PulseAudio's CPU priority from "high" to "normal" on XP specifically.
       Also do so on Windows Server 2003 (R2) (Fixes: #537)

Send a report that this bug log contains spam.