X2Go Bug report logs - #731
Kerbers cred delegation fails on Linux

version graph

Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Date: Fri, 9 Jan 2015 23:10:01 UTC

Severity: important

Found in version 4.0.3.1

Reply or subscribe to this bug.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#731; Package x2goclient. (Fri, 09 Jan 2015 23:10:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mike Gabriel <mike.gabriel@das-netzwerkteam.de>:
New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Fri, 09 Jan 2015 23:10:02 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.x2go.org (full text, mbox):

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: submit@bugs.x2go.org
Subject: if KRB5CCNAME is not set client-side, don't trigger the KRB5 delegation code
Date: Fri, 09 Jan 2015 23:09:15 +0000
[Message part 1 (text/plain, inline)]
Package: x2goclient
Severity: important
Version: 4.0.3.1

If the $KRB5CCNAME envvar is not set, X2Go Client nonetheless tries to  
push the KRB5CCNAME file to the X2Go Server.

This results in a Qt error message window, because the copy command  
(cp $KRB5CCNAME $KRBFL just before executing x2goruncommand) is only  
evoked with one parameter ($KRBFL, $KRB5CCNAME is unset).

"""
x2go-DEBUG-../sshprocess.cpp:449> ssh finished: false - "cp: Fehlender  
ZieldateiOperand hinter  
/home/mike/.x2go/C-mike-52-1420843691_stDMATE_dp24/krb5cc
cp --help liefert weitere Informationen.
" (5).
"""


Mike


-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
[Message part 2 (application/pgp-signature, inline)]

Changed Bug title to 'Kerbers cred delegation fails on Linux' from 'if KRB5CCNAME is not set client-side, don't trigger the KRB5 delegation code' Request was from Mike Gabriel <mike.gabriel@das-netzwerkteam.de> to 739-submit@bugs.x2go.org. (Mon, 12 Jan 2015 04:30:05 GMT) Full text and rfc822 format available.

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#731; Package x2goclient. (Wed, 18 Jan 2017 20:20:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Orion Poplawski <orion@cora.nwra.com>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Wed, 18 Jan 2017 20:20:02 GMT) Full text and rfc822 format available.

Message #12 received at 731@bugs.x2go.org (full text, mbox):

From: Orion Poplawski <orion@cora.nwra.com>
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 731@bugs.x2go.org
Subject: Re: [X2Go-Dev] Bug#731: if KRB5CCNAME is not set client-side, don't trigger the KRB5 delegation code
Date: Wed, 18 Jan 2017 13:17:05 -0700
On 01/09/2015 04:09 PM, Mike Gabriel wrote:
> Package: x2goclient
> Severity: important
> Version: 4.0.3.1
> 
> If the $KRB5CCNAME envvar is not set, X2Go Client nonetheless tries to push
> the KRB5CCNAME file to the X2Go Server.
> 
> This results in a Qt error message window, because the copy command (cp
> $KRB5CCNAME $KRBFL just before executing x2goruncommand) is only evoked with
> one parameter ($KRBFL, $KRB5CCNAME is unset).
> 
> """
> x2go-DEBUG-../sshprocess.cpp:449> ssh finished: false - "cp: Fehlender
> ZieldateiOperand hinter /home/mike/.x2go/C-mike-52-1420843691_stDMATE_dp24/krb5cc
> cp --help liefert weitere Informationen.
> " (5).
> """

I'm not sure if any of this is necessary:


     if(sshConnection->useKerberos() && sshConnection->get_kerberosDelegation())
    {
        krbFwString="KRB5CCNAME=`echo $KRB5CCNAME |sed 's/FILE://g'` \
        KRBFL=$HOME/.x2go/C-"+resumingSession.sessionId+"/krb5cc ;\
        cp -a $KRB5CCNAME $KRBFL;KRB5CCNAME=$KRBFL ";
    }

I believe that SSH will handle the delegation of GSSAPI/Kerberos credentials.
In my case, I'm using the modern keyring credentials cache:

KRB5CCNAME=KEYRING:persistent:22603

so I get:

cp: cannot stat √ĘKEYRING:persistent:22603:22603√Ę: No such file or directory

however my credentials are present on the remote machine and I can get to them
if I unset KRB5CCNAME.

-- 
Orion Poplawski
Technical Manager                          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion@nwra.com
Boulder, CO 80301                   http://www.nwra.com


Send a report that this bug log contains spam.


X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Dec 13 14:12:22 2018; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.