From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: submit@bugs.x2go.org
Date: Fri, 09 Jan 2015 23:46:08 +0000
Subject: SSH GSSAPI: use master+slave sockets

Package: x2goclient
Severity: wishlist
Version: 4.0.3.1
Control: block #732 by -1

Currently, X2Go Client SSH GSSAPI code does repetitive authentications against the X2Go Server (via GSSAPI) when setting up an X2Go Session.

Instead of requiring an authentication for each SSH command invocation, it would be more handy to do one authentication in sshmasterconnection.cpp (already there), set all ssh options (e.g. PubkeyAuthentication=no, etc.) there (because the sshmasterconnection.cpp is aware of session properties like autologin=true|false, key file, etc.) and then use the master/slave concept in SSH for every follow up SSH command.

IMHO, we need to implement the above, before we can fix #732 [1].

Mike

[1] http://bugs.x2go.org/732

-- 
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: submit@bugs.x2go.org
Date: Sat, 10 Jan 2015 00:16:03 +0000
Subject: ssh-agent gets used although GSSAPI is enabled and agent-auth is disabled

Package: x2goclient
Version: 4.0.3.1
Severity: important
Control: block -1 by 733

I have...

autologin=false
krblogin=true

_plus_ a running ssh-agent, loaded with my private SSH key.

The X2Go Server has the public SSH key belonging to the private key loaded into the agent.

If the remote server does not support GSSAPIauthentication (set to "no" via sshd_config), then X2Go Client should fall back to username+password (KbdInteractiveAuthentication).

At the time of writing this, X2Go Client nonetheless uses the running ssh-agent and performs a PubkeyAuthentication.

However, this breaks GSSAPI credentials delegation...

Mike
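
An added sketch covering both reports above (not part of either message and not X2Go Client code): it maps the `autologin`/`krblogin` session properties to OpenSSH client options once, for a single master connection, and shows follow-up commands reusing its control socket. The function names, socket path, host name and the sample remote command are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration; function names, socket path and host are hypothetical.

# Map the session properties named in the reports (autologin, krblogin)
# to OpenSSH client options for the master connection.
ssh_auth_opts() {
    autologin=$1
    krblogin=$2
    methods=""
    if [ "$krblogin" = true ]; then
        methods="gssapi-with-mic"
        opts="-o GSSAPIAuthentication=yes -o GSSAPIDelegateCredentials=yes"
    else
        opts="-o GSSAPIAuthentication=no"
    fi
    if [ "$autologin" = true ]; then
        methods="${methods:+$methods,}publickey"
        opts="$opts -o PubkeyAuthentication=yes"
    else
        # Without these, ssh offers the keys held by a running ssh-agent.
        opts="$opts -o PubkeyAuthentication=no -o IdentityAgent=none"
    fi
    # Username+password stays available as the fallback.
    methods="${methods:+$methods,}keyboard-interactive,password"
    echo "$opts -o PreferredAuthentications=$methods"
}

# One authenticated master connection per session.
# args: autologin krblogin control_socket user@host
master_cmd() {
    echo "ssh -M -S $3 -N -f $(ssh_auth_opts "$1" "$2") $4"
}

# Follow-up commands reuse the master's socket and do not authenticate again.
# args: control_socket user@host remote_command
slave_cmd() {
    echo "ssh -S $1 -o ControlMaster=no $2 $3"
}

# Keep the socket in a directory only the session user can access: whoever
# can open it can use the already authenticated connection.
ctl="$HOME/.ssh/x2go-ctl-%r@%h:%p"
master_cmd false true "$ctl" user@x2goserver.example
slave_cmd "$ctl" user@x2goserver.example x2golistsessions
```

The functions only print the command lines, so the mapping can be checked without contacting a server.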