X2Go Bug report logs - #731
Kerbers cred delegation fails on Linux

version graph

Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

Date: Fri, 9 Jan 2015 23:10:01 UTC

Severity: important

Found in version 4.0.3.1

Full log


Message #12 received at 731@bugs.x2go.org (full text, mbox, reply):

Received: (at 731) by bugs.x2go.org; 18 Jan 2017 20:17:20 +0000
From orion@cora.nwra.com  Wed Jan 18 21:17:18 2017
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=3.0 tests=BAYES_00,URIBL_BLOCKED
	autolearn=ham version=3.3.2
Received: from localhost (localhost [127.0.0.1])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTP id E504F3CDDB
	for <731@bugs.x2go.org>; Wed, 18 Jan 2017 21:17:17 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at ymir.das-netzwerkteam.de
Received: from ymir.das-netzwerkteam.de ([127.0.0.1])
	by localhost (ymir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id JD9NjsI9WWYa for <731@bugs.x2go.org>;
	Wed, 18 Jan 2017 21:17:09 +0100 (CET)
Received: from mail.nwra.com (mail.nwra.com [72.52.192.72])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id E38983CDDA
	for <731@bugs.x2go.org>; Wed, 18 Jan 2017 21:17:08 +0100 (CET)
Received: from barry.cora.nwra.com (inferno.cora.nwra.com [208.187.183.84])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.nwra.com (Postfix) with ESMTPS id 10A983406A0;
	Wed, 18 Jan 2017 12:17:06 -0800 (PST)
Subject: Re: [X2Go-Dev] Bug#731: if KRB5CCNAME is not set client-side, don't
 trigger the KRB5 delegation code
To: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>, 731@bugs.x2go.org
References: <20150109230915.Horde.hJBgffJkVdw_BXnxyAtfUQ1@mail.das-netzwerkteam.de>
From: Orion Poplawski <orion@cora.nwra.com>
Message-ID: <d7406566-966a-8c8a-16d7-0eced2e8d131@cora.nwra.com>
Date: Wed, 18 Jan 2017 13:17:05 -0700
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101
 Thunderbird/45.6.0
MIME-Version: 1.0
In-Reply-To: <20150109230915.Horde.hJBgffJkVdw_BXnxyAtfUQ1@mail.das-netzwerkteam.de>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
On 01/09/2015 04:09 PM, Mike Gabriel wrote:
> Package: x2goclient
> Severity: important
> Version: 4.0.3.1
> 
> If the $KRB5CCNAME envvar is not set, X2Go Client nonetheless tries to push
> the KRB5CCNAME file to the X2Go Server.
> 
> This results in a Qt error message window, because the copy command (cp
> $KRB5CCNAME $KRBFL just before executing x2goruncommand) is only evoked with
> one parameter ($KRBFL, $KRB5CCNAME is unset).
> 
> """
> x2go-DEBUG-../sshprocess.cpp:449> ssh finished: false - "cp: Fehlender
> ZieldateiOperand hinter /home/mike/.x2go/C-mike-52-1420843691_stDMATE_dp24/krb5cc
> cp --help liefert weitere Informationen.
> " (5).
> """

I'm not sure if any of this is necessary:


     if(sshConnection->useKerberos() && sshConnection->get_kerberosDelegation())
    {
        krbFwString="KRB5CCNAME=`echo $KRB5CCNAME |sed 's/FILE://g'` \
        KRBFL=$HOME/.x2go/C-"+resumingSession.sessionId+"/krb5cc ;\
        cp -a $KRB5CCNAME $KRBFL;KRB5CCNAME=$KRBFL ";
    }

I believe that SSH will handle the delegation of GSSAPI/Kerberos credentials.
In my case, I'm using the modern keyring credentials cache:

KRB5CCNAME=KEYRING:persistent:22603

so I get:

cp: cannot stat âKEYRING:persistent:22603:22603â: No such file or directory

however my credentials are present on the remote machine and I can get to them
if I unset KRB5CCNAME.

-- 
Orion Poplawski
Technical Manager                          720-772-5637
NWRA, Boulder/CoRA Office             FAX: 303-415-9702
3380 Mitchell Lane                       orion@nwra.com
Boulder, CO 80301                   http://www.nwra.com


Send a report that this bug log contains spam.


X2Go Developers <owner@bugs.x2go.org>. Last modified: Fri Mar 29 15:28:51 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.