Reported by: Jason Alavaliant <firstname.lastname@example.org>
Date: Mon, 5 Jan 2015 05:10:02 UTC
Tags: patch, pending
Found in version 0.0.2.3
Fixed in version 0.0.3.0
Done: X2Go Release Manager <email@example.com>
Bug is archived. No further changes may be made.
Toggle useless messages
Jason Alavaliant <firstname.lastname@example.org>:
New Bug report received and forwarded. Copy sent to
X2Go Developers <email@example.com>.
(Mon, 05 Jan 2015 05:10:02 GMT) (full text, mbox, link).
Message #5 received at firstname.lastname@example.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: python-x2gobroker Version: 0.0.2.3 Tags: patch One of my users was getting their authentication failing when connecting to an x2go broker using the http plain backend. Testing revealed that their password ended with a space which the web/plain module default code was automatically stripping off before passing through to the authservice. The attached patch disables stripping for the password argument so passwords starting/ending with spaces are no longer incorrectly rejected. Thanks Jason
[x2gobroker-web-plain.py-handle-spaces-at-start-and-end-of-passwords.patch (text/x-diff, attachment)]
Mike Gabriel <email@example.com>:
Extra info received and forwarded to list. Copy sent to
X2Go Developers <firstname.lastname@example.org>.
(Mon, 05 Jan 2015 10:05:04 GMT) (full text, mbox, link).
Message #10 received at email@example.com (full text, mbox, reply):
tag #716 pending fixed #716 0.0.3.0 thanks Hello, X2Go issue #716 (src:x2gobroker) reported by you has been fixed in X2Go Git. You can see the changelog below, and you can check the diff of the fix at: http://code.x2go.org/gitweb?p=x2gobroker.git;a=commitdiff;h=bc47e33 The issue will most likely be fixed in src:x2gobroker (0.0.3.0). light+love X2Go Git Admin (on behalf of the sender of this mail) --- commit bc47e33351c852d720d4e532f5c0aa431d834396 Author: Mike Gabriel <firstname.lastname@example.org> Date: Mon Jan 5 11:04:36 2015 +0100 Don't strip off spaces from password strings. (Fixes: #716). diff --git a/debian/changelog b/debian/changelog index e054d03..b6fab83 100644 --- a/debian/changelog +++ b/debian/changelog @@ -300,6 +300,7 @@ x2gobroker (0.0.3.0-0x2go1) UNRELEASED; urgency=low * New upstream version (0.0.3.0): - Handle spaces in broker login passwords when authservice is used. (Fixes: #706). + - Don't strip off spaces from password strings. (Fixes: #716). -- Mike Gabriel <email@example.com> Fri, 07 Jun 2013 23:25:30 +0200
X2Go Release Manager <firstname.lastname@example.org>:
Extra info received and forwarded to list. Copy sent to
X2Go Developers <email@example.com>.
(Sat, 20 Jun 2015 12:16:49 GMT) (full text, mbox, link).
Message #26 received at firstname.lastname@example.org (full text, mbox, reply):
close #716 thanks Hello, we are very hopeful that X2Go issue #716 reported by you has been resolved in the new release (0.0.3.0) of the X2Go source project »src:x2gobroker«. You can view the complete changelog entry of src:x2gobroker (0.0.3.0) below, and you can use the following link to view all the code changes between this and the last release of src:x2gobroker. http://code.x2go.org/gitweb?p=x2gobroker.git;a=commitdiff;h=30c316e66f4173d0e3577fe85817e73f822a479e;hp=81e28ea24b269fb24559d70c462b846cf2f56edd If you feel that the issue has not been resolved satisfyingly, feel free to reopen this bug report or submit a follow-up report with further observations described based on the new released version of src:x2gobroker. Thanks a lot for contributing to X2Go!!! light+love X2Go Git Admin (on behalf of the sender of this mail) --- X2Go Component: src:x2gobroker Version: 0.0.3.0-0x2go1 Status: RELEASE Date: Sat, 20 Jun 2015 13:58:49 +0200 Fixes: 153 217 275 306 360 379 380 447 449 450 469 470 484 491 493 494 544 545 553 562 665 666 685 686 692 706 716 784 834 835 836 Changes: x2gobroker (0.0.3.0-0x2go1) RELEASED; urgency=low . [ Mike Gabriel ] * New upstream version (0.0.3.0): - Add SSH support to X2Go Session Broker. (Fixes: #153). - Move x2gobroker executable to /usr/bin. - Update x2gobroker man page. - SSH broker: Only allow context change to another user for the magic user (default: x2gobroker). - Fix logrotate script: x2gobroker-wsgi. (Fixes: #275). - Get the cookie based extra-authentication working for SSH mode. - Get the cookie based extra-authentication working for HTTP mode. - Fix output of HTTP based connectivity test. - Do not let the broker crash if an agent is not reachable. Capture X2GoBrokerAgentExceptions when pinging the remote agent. (Fixes: #306). - When calling the agent's suspend_session function, make sure to pass on the remote_agent dictionary. - Provide empty directory /etc/x2go/broker/ssl. - Re-order x2gobroker main file. Move logging further to the back to allow taking command-line options into account. - Modify default x2gobroker-sessionprofiles.conf and provide something that will work with every default setup. - New broker session profile parameter: broker-agent-query-mode. Define agent query methods per session profile. - Rename base broker's use_session_autologin to get_session_autologin. - Fix Python2'isms in three exceptions. Thanks to Mathias Ewald for spotting. - Make test_suite callable via setup.py. - Provide a test function that checks if the basic broker agent setup (SSH private/public key pair) is available. If not, no SSH broker usage will be attempted. - Let a portscan preceed the SSH ping command. This notably reduces timeout duration if the host running the queried broker agent is down). - Catch RequestHandler errors and write them to the error log channel. - Raised verbosity level to INFO for session broker utilities. - Add sanity checks to x2gobroker-pubkeyauthorizer. - Report stderr results to the broker log channel (broker.log). This allows debugging of X2Go Session Broker Agent via the X2Go Session Broker logging instance. (Fixes: #217). - Fix the ping task in x2gobroker-agent.pl, process it without checking the given username. - Fix remote agent detection in case of some agents being down. - Add utils function: matching_hostnames(): test hostname lists for matching hostnames (with/without domain name). - Add fuzzy tolerance when comparing host name lists as found in session profile configuration and as reported by broker agent. - In x2gobroker.conf: describe the manifold ways of providing a second authorized_keys file location in SSH server daemon. Thanks to Stefan Heitmüller for pointing out more recent SSH server's configuration style. - WSGI implementation: keep SCRIPT_NAME in environ, as removing it causes AssertionErrors whenever we trigger a tornado.web.HTTPError. - Add password prompt to x2gobroker-testauth. Password prompt is used if the --password option is not used. - New authentication mechanism: none. Always authenticate a user, even if password is not provided or wrong. - Ship python2.6 asyncore patch (Debian squeeze python2.6 version) in python-x2gobroker's docs folder. - Show correct environment variables in log file prelude when WSGI is used. - Fix check-credentials = false for UCCS web frontend. - Add a start page (,,It works''). - Use IP addresses in apache2 config rather than hostnames. - Add new helper tool: x2gobroker-daemon-debug. - Add man page for x2gobroker-daemon-debug. - WebUI "plain": throw explainative log errors for every 404 http error. - Fix man pages (layout issues on x2gobroker-authservice man page). - Adapt man page installation to moval of x2gobroker(-testauth) from an sbin to a bin directory (executable for any user). - Make the inifile broker backend the default backend. (Fixes: #360). - Support daemonizing of the http broker. - Default to http broker mode when daemonizing the broker. - Support daemonizing of the authservice. - Detect RUNDIR in x2gobroker-authservice and use it for the default location of the authservice socket file. - Detect RUNDIR in x2gobroker Python module and use it for the default location of the authservice socket file. - Let x2gobroker-authservice take care of tidying up its own socket file. - Provide PAM config file for Debian and RHEL separately (as they differ). - Makefile: Clean up x2gobroker-agent binary. - Be more precise in Debian et al. init scripts when checking if the service is already running. - Add JSON WebUI backend for X2Go Session Broker. - JSON WebUI backend renders data of content type "text/json". - Provide configuration alternative to having /etc/defaults/* scripts parsed in by init scripts. Make X2Go Session Broker ready for being run via systemd. - Provide symlink x2gobroker-daemon. - Provide systemd service files for x2gobroker-daemon and x2gobroker-authservice. (Fixes: #379, #380). - Add --drop-privileges feature so that x2gobroker-daemon can drop root privileges when started via systemd. Only drop privileges if x2gobroker(-daemon) is run as uidNumber 0. - Implement dynamic authid for JSON WebUI frontend. Add a generic metadata top level to the JSON output tree. - Store cookies in /var/lib/x2gobroker (path is more appropriate than previously suggested path /var/log/x2gobroker). - Handle selectsessions calls with a non-existent profile ID gracefully. - Session profiles with marker user=BROKER_USER will now auto-fill-in the broker username into the session profile's 'user' option. - Provide tool: x2gobroker-testagent. - Allow for broker clients to send in public SSH keys that the client may use for authentication to X2Go Servers. - broker agent: avoid one option system() calls in Perl. (Fixes: #784). - For user context changes: set the HOME dir of the new user correctly. - Reduce Paramiko/SSH verbosity (logging.ERROR) when connecting to remote broker agents. - Support adding remote broker agent's host keys via the x2gobroker-testagent tool. - If we received an SSH public key from a broker client, mark it as ACCEPTED after we deployed it, so that the client knows that it can its corresponding private key. - Fix https brokerage in x2gobroker-daemon-debug. - Load X2GOBROKER_DAEMON_USER's known_hosts key file before doing remote agent calls. - Fully rewrite agent.py. - Fix broker crashes when no session status is available for certain session profiles. - JSON webUI: run pre and post auth scripts also via this backend. - x2gobroker-daemon: become wrapper script, enable --mode HTTP by default. Provide some intelligence when run as daemon (killing children processes on reception of a SIGTERM, SIGINT, SIGQUIT, EXIT signal). - Rename sections for broker backends in x2gobroker.conf - Make config object of x2gobroker.conf available in authentication mechanism backends. - Fix SSH based broker client. - Fix several failing tests, adapt tests to current code base. - Introduce new global parameter for x2gobroker.conf: my-cookie-file. Allow storing the initial authentication cookie/ID in a read-protected file. - Explicitly set detach_process to True when calling daemon.DaemonContext(). Otherwise the daemons start but don't return to the cmdline prompt. (Fixes: #484). - Change agent API: all functions return a tuple where the first element denotes if the underlying agent call has been successful. - Correctly detect $HOME of the user that runs x2gobroker (including setuid calls via x2gobroker-ssh). - Enforce SSH agent query mode (instead of LOCAL mode) for SSH brokerage (as LOCAL query mode won't work due to a permission koan that has not yet been solved). - Fix interpretation of SSH_CLIENT env variable. - Make x2gobroker-agent usable/installable on non-X2Go server machines. (Fixes: #493). - Provide autologin support for session profiles that have an SSH proxy host configured. (Fixes: #494). - Fix IPv6 binding of the X2Go Session Broker daemon. If no bind port is given via the cmdline, obtain it from other means (via x2gobroker.defaults). - Rename LICENSE file to COPYING. - X2Go Broker Agent: Test if queried username exists on the system before performing the query. - Make sure bind_address and bind_port are correctly detected from /etc/default/x2gobroker-daemon and /etc/x2go/broker/defaults.cfg. - Move split_host_address() code into x2gobroker.utils. - Report to log what the broker agent replied to us. - Provide support for load-balancing to hosts that are all reachable over the same IP address, but different TCP/IP ports (e.g. docker instances or hosts behind a reverse NATed IPv4 gateway). This ended up in a rewrite of the complete selection_session() method of the base broker code. - Use physical host address and port (if provided) for contacting remote broker agent via SSH. - Update README and TODO. - Update copyright holders. Copyright is held only by people who actually contributed to the current code base. - logrotate configs: Rotated logs via "su x2gobroker adm". - Use hostname as hard-coded in server_list (from session profile configuration), don't try to strip off the domain name. - Consolidate x2gobroker.utils.split_host_address() with a test and rewrite completely. - Make sure that without configuration files, the HTTP broker listens to port 8080. - Provide legacy support for deprecated x2gobroker.conf global parameter 'check-credentials'. - Configure broker / authservice environment via .service files. - Load defaults.conf via authservices and for logger configuration, as well. - x2gobroker-authservice: Make sure socket file directory is created before trying to create the socket file itself. - Don't load defaults.conf twice. Only load it when initializing the loggers. - Provide a special PAM configuration file for SUSE systems (identical to the PAM configuration file for Debian). - defaults.conf: Mention X2GOBROKER_DEBUG not only in the global section, but also in the [daemon] and [authservice] section. - x2gobroker-testauth: Don't use hard-coded default backend. Obtain X2GOBROKER_DEFAULT_BACKEND from x2gobroker.defaults instead. - x2gobroker-testauth: Improve help text of --backend option. Display the current backend default. - x2gobroker-authservice: Restructure logging. Enable log messages for authentication requests. - Get several issues around select_session fixed via tests in the broker's backend base.py. - Add tests for broker agent queries. - Fix setting the remote agent's SSH port if the host option is of style "<hostname> (<ip-address>:<port>)". - During select_session: Re-add subdomain (if possible) to the hostname to make sure we can detect the host's <ip-address>:<port> further down in the code. - Properly set (/var)/run/x2gobroker directory permissions when started via systemd. - Fix privilege check for the broker daemon's log directory. - Enable basic/random load-balancing for UCCS broker frontend. Make UCCS frontend aware of host session profile options of the form "host=<fqdn> (<ipaddr>:<port>). - Do a portscan on the remote's SSH port before querying a remote agent via SSH. - Don't return X2Go Servers that are actually down, currently. The X2Go Servers get probed via a short portscan on the remote's SSH port. If that portscan fails, another remote X2Go Server is chosen from the list of available server (if any). This portscanning functionality can be switched off via "default-portscan-x2goservers" in x2gobroker.conf or via "broker-portscan-x2goservers" per session profile. (Fixes: #692). - When load-balancing, switch to chosen server as remote broker agent before deploying SSH keys. - Allow resuming sessions from servers even if one offline server has left bogus in the session DB (plus unit tests). - Fix remote agent detection if one ore more X2Go Servers are offline and hostname does not match host address (plus unit test). - Allow remote agent calls via hostname or host address when using the format "<hostname> (<hostaddr>)" in the session profile. This can be useful if the <hostname> is a valid address on the local network (broker <-> <server> communication), but the host address is valid for clients (client <-> server communication). - Don't check for running/suspended session if the session profile will request a shadowing session. - Disabled broker agent calls and load-balancing for session profiles that will request shadowing sessions. - Mention "usebrokerpass" session profile option in x2gobroker-sessionprofiles.conf. - Provide desktop sharing (shadow session) example in x2gobroker-sessionprofiles.conf. - Makefile: Add installation rules for x2gobroker-loadchecker. - x2gobroker.1: Since systemd there are not only init scripts. Rephrasing man page. - New feature: x2gobroker-loadchecker daemon. (Fixes: #686). - x2gobroker-agent.pl: Use var name server_usage instead of server_load. Reflects better what that var denotes. - agent.py: Completion of several __doc__ strings (missing @return:, @rtype: fields). - X2GoBroker.check_for_sessions(): Fix check for shadow / non-shadow sessions. - x2gobroker.1: Mention x2gobroker-ssh in its man page, differentiate between the different modes (http/ssh) of the x2gobroker application. - Pre-release pyflakes cleanup. - agent.py: Capture login failures in checkload() function. - agent.py: Allow providing a custom logger instance in all functions. - LoadChecker.loadchecker(): Use load checker daemon's logger instance for logging actions taken place in agent.py. - agent.py: Make agent query mode LOCAL behave similar to agent query mode SSH if things go wrong. - agent.py: Set result to None, if SSH connection to broker agent fails. - Calculate our own MemAvailable value in x2gobroker-agent.pl. Only kernels newer than v3.14 offer the MemAvailable: field in /proc/meminfo. - x2gobroker-agent.pl: Fix regexp for detecting number of CPUs and CPU frequency. - x2gobroker-agent.pl: Fall-back CPU detection for virtualized systems (e.g. QEMU hosts). - LoadChecker.loadchecker(): Report about query failures, as well, in query cycle summary. - LoadCheckerServiceHandler(): Add line breaks in per-profile output. Return nothing if the load checker service is unreachable. - agent.py: Let get_servers() return a dictionary with hostnames as keys and number of sessions as values. - Fix X2GoBroker.use_load_checker(): Obtain broker-* option via X2GoBroker.get_profile_broker(), not via X2GoBroker.get_profile(). - Various improvements / fixes for session selection via the load checker daemon. - Adapt tests to new load checker service feature. - Only check for 'load_factors' key in remote_agent dict, if agent query mode is SSH. - Fix detection of running x2gobroker-daemon process in Debian's SystemV init script. - Set default log level to "WARNING", not "DEBUG". - defaults/x2gobroker-logchecker.default: Fix copy+paste errors. - doc/README.x2goclient+broker.getting-started: Mention how to launch PyHoca-GUI in broker mode. - etc/broker/defaults.conf: Fix copy+paste errors. - etc/x2gobroker-wsgi.*.conf: Make host ACLs Apache2.4 compliant. - logrotate/x2gobroker-loadchecker: The loadchecker.log file needs to be owned by user x2gobroker. - rpm/x2gobroker-*.init: Fix copy+paste errors. - man pages: Update date. - If non-load-balanced session profiles reference a non-reachable host, hand-back the system's hostname to X2Go Client / Python X2Go. - Add security notice / disclaimer to x2gbroker.1 man page as suggested by Stefan Baur. (Fixes: #666). - Provide x2gobroker system user public keys to broker agents with SSH options--strongly restricting the key usage--now. Modify x2gobroker- pubkeyauthorizer in a way that it replaces non-option keys with the newly provided optionized/restricted pubkeys. (Fixes: #685). - etc/x2gobroker.conf: Switch over to using dynamic auth cookies by default. - X2GoBroker.get_agent_query_mode(): Immediately return overridden query mode. Avoid logging of the configured query mode. Write the overridden query mode to the logger instance instead. - Don't enforce agent query mode "SSH" for x2gobroker-ssh anymore. - If a single-host is unreachable, return the host address, not the hostname and let X2Go Client release itself, that the host is unreachable. - x2gobroker-loadchecker: Don't freeze if load information for a complete load-balanced server farm is unavailable. - x2gobroker-pubkeyauthorizer: Handle replacement of SSH pubkeys with wrong/ old SSH options. - x2gobroker-agent.pl: Add %U (uidNumber) and %G (primary gidNumber) as further possible substitutions for deriving the full path of the authorized_keys file where X2Go Broker Agent's deploys public SSH user keys to. (Fixes: #665). - agent.py: Use os.fork() instead of threading.Thread() to handle delayed executions of broker agent tasks. This assures that SSH pub keys are removed via the delauthkey broker agent task, if the SSH broker is used. (Fixes: #491). - Add run-optional-script support to SSH broker. - x2gobroker-ssh: When agent query mode is set to LOCAL, Execute x2gobroker-agent via sudo as group "X2GOBROKER_DAEMON_GROUP". (Fixes: #835). - When the x2gobroker-agent command call is shipped via $SSH_ORIGINAL_COMMAND environment var, make sure to strip-off "sh -c" from the command's beginning. - x2gobroker-agent.pl: Fix detection of X2Go's library path (x2gopath lib). - Implement "not-set" value for X2Go Client parameters. If a parameter is set to "not-set", the parameter won't be handed over to X2Go Client. (Fixes: #834, #836). - agent.py: Fix missing "task" parameter for task "ping" against a local broker agent. - Fix task ping when tested via the x2gobroker-testagent script. - Transliterate commands in session profiles to uppercase when checking if the command is supposed to launch a desktop session. * debian/control: + Provide separate bin:package for SSH brokerage: x2gobroker-ssh. + Replace LDAP support with session brokerage support in LONG_DESCRIPTION. + Fix SYNOPSIS texts. + Recommend apache2 and libapache2-mod-wsgi for x2gobroker-wsgi. + Fix position of XS-Python-Version: field. + Rework LONG_DESCRIPTION of bin:package x2gobroker-agent. Imporve line breaks, so that we now have lines that are close to 80 chars long. + Make x2gobroker-daemon a symlink and recognize HTTP mode by the executable's name. + Bump Standards: to 3.9.6. No changes needed. + Add to D (python-x2gobroker): python-urllib3. * debian/copyright: + Update file to match current status quo of upstream source files. * debian/x2gobroker-agent.dirs: + Provide empty log file directory. * debian/x2gobroker-wsgi postinst/postrm: + Make bin:package x2gobroker-wsgi compliant Debian's packaging style of Apache2.4 / Apache2.2. + On package purgal: Disable Apache2 config first and then attempt the removal of the x2gobroker user/group. + Pass $@ to our apacheconf_configure, apacheconf_remove functions to not break apache2-maintscript-helper. * debian/x2gobroker-ssh.postinst: + Assure proper file permissions, owner and group settings for x2gobroker-ssh. * debian/x2gobroker-ssh.prerm: + Drop dpkg-statoverride of /usr/bin/x2gobroker-ssh before package removal. * debian/*.postinst: + Assure that the log directory always exists (no matter what combination of packages got installed). * debian/python-x2gobroker.install: + Install defaults.conf into bin:package python-x2gobroker. * debian/source/format: + Switch to format 1.0. * rpm/*.init: + Provide initscripts that are likely to work on RHEL plus derivatives. * x2gobroker.spec: + Provide x2gobroker.spec file for building RPM packages. Inspired by the packaging work in OpenSuSE. + Split out python-x2gobroker sub-package. + Install Apache2 config symlinks to /etc/httpd (not /etc/apache2). + Make sure x2gobroker-agent wrapper gets installed into x2gobroker-agent sub-package. + Builds for EPEL-7 also have to systemd aware. + Provide separate bin:package for SSH brokerage: x2gobroker-ssh. + Adapt to building on openSUSE/SLES. + Rework Description: of bin:package x2gobroker-agent. Imporve line breaks, so that we now have lines that are close to 80 chars long. + Add x2gobroker-rpmlintrc file. + Don't package x2gobroker-daemon.1 nor x2gobroker-ssh.1 man pages twice. + On SUSE, we have /etc/apache2, not /etc/httpd. + On SUSE, we have to provide our own python-pampy package (and depend on that). In Fedora and RHEL, the same (upstream) software is named python-pam. (Fixes: #562). + For distro versions with systemd, provide /etc/x2go/broker/defaults.conf. For SysV distro versions, use /etc/defaults/* and source them via the init scripts. + No adm group on non-Debian systems by default. Using root instead on RPM based systems. + For Fedora 22 and beyond explicitly call python2 in all shebangs. + Add to BR: sudo (to have /etc/sudoers.d owned by some package). . [ Josh Lukens ] * New upstream version (0.0.3.0): - Add support for dynamic cookie based auth after initial password auth. (Fixes: #447). - Add support to run pre and post authentication scripts. (Fixes: #449). - Add auth mechanism https_get. (Fixes: #450). - Change pre and post scripts to use common codebase across frontends. (Fixes: #469). - Add ability to have script run in select session after server is selected. - Add basic support for pulling https_get authmech config from configuration file. (Fixes: #470). - Fix typos and host/port mixups in the remote_sshproxy logic. (Fixes: #544). - Make sure find_busy_servers in agent.py returns a tuple (recent API change) to not break profiles with multiple servers. (Fixes: #545). - On session resumption take profile's host list into account. Don't resume sessions the profile has not been configured for. (Fixes: #553). . [ Jason Alavaliant ] * New upstream version (0.0.3.0): - Handle spaces in broker login passwords when authservice is used. (Fixes: #706). - Don't strip off spaces from password strings. (Fixes: #716). . [ Mihai Moldovan ] * x2gobroker.spec: + Change all python-pampy references to python-pam on non-SUSE systems. + Fix %build scriptlet: add missing "done" in while; do; done shell script part. + Don't do a weird escape slash dance in sed's replace command. Simply use another separator. * debian/rules: + Try to call common-binary-indep from common-binary-arch.
Send a report that this bug log contains spam.
X2Go Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.