X2Go Bug report logs - #966
x2goclient SSH fails with keyboard-interactive + banner

version graph

Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Andrew Cherry <acherry@alcf.anl.gov>

Date: Fri, 20 Nov 2015 17:05:02 UTC

Severity: normal

Tags: pending

Found in version 4.0.5.1

Fixed in version 4.1.1.0

Done: X2Go Release Manager X2Go Release Manager <git-admin@x2go.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#966; Package x2goclient. (Fri, 20 Nov 2015 17:05:02 GMT) (full text, mbox, link).


Acknowledgement sent to Andrew Cherry <acherry@alcf.anl.gov>:
New Bug report received and forwarded. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Fri, 20 Nov 2015 17:05:02 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.x2go.org (full text, mbox, reply):

From: Andrew Cherry <acherry@alcf.anl.gov>
To: <submit@bugs.x2go.org>
Subject: x2goclient SSH fails with keyboard-interactive + banner
Date: Fri, 20 Nov 2015 11:50:49 -0500
Package: x2goclient
Version: 4.0.5.1

On our systems, security policy requires us to use OTP tokens for login, which means that all SSH connections are keyboard-interactive.  In addition, we use /etc/issue.net to print a warning banner before the SSH password prompt.  When x2goclient connects, the string variable containing the output for the password prompt ('pr' in sshmasterconnection.cpp) includes the banner as well, and since the check for "Password: " is a strict equality check, the password prompt is not recognized.

The simple patch below seems to do the trick to get around this issue:


--- sshmasterconnection.cpp	2015-11-20 11:37:44.000000000 -0500
+++ /Users/acherry/sshmasterconnection.cpp	2015-11-20 11:37:24.000000000 -0500
@@ -866,7 +866,7 @@
             x2goDebug<<"Prompt[0]: |"<<prompt<<"|"<<endl;
 #endif
             QString pr=prompt;
-            if(pr=="Password: ")
+            if(pr.endsWith("Password: "))
             {
 #ifdef DEBUG
                 x2goDebug<<"Password request"<<endl;
@@ -874,7 +874,7 @@
                 ssh_userauth_kbdint_setanswer(my_ssh_session,0,pass.toAscii());
                 return userChallengeAuth();
             }
-            if(pr=="Verification code: ")
+            if(pr.endsWith("Verification code: "))
             {
 #ifdef DEBUG
                 x2goDebug<<"Verification code request"<<endl;


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#966; Package x2goclient. (Sat, 17 Sep 2016 14:00:02 GMT) (full text, mbox, link).


Acknowledgement sent to Mike DePaulo <mikedep333@gmail.com>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Sat, 17 Sep 2016 14:00:03 GMT) (full text, mbox, link).


Message #10 received at 966@bugs.x2go.org (full text, mbox, reply):

From: Mike DePaulo <mikedep333@gmail.com>
To: 966@bugs.x2go.org
Subject: worksforme
Date: Sat, 17 Sep 2016 09:56:36 -0400
Hi Andrew,

Sorry for the long delay.

I ran a test with X2Go Client 4.0.5.1, and the connection was
successful. This is the output from the command-line ssh:

$ ssh 192.168.1.20
Test banner!
Password:
Last login: Sat Sep 17 09:43:55 2016
[mike@dropship ~]$

Note that the banner is configured with "Banner /etc/issue.net" in sshd_config.

Also note that there has been restructuring of our code, both before
and after 4.0.5.1's release, to improve our handling of
keyboard-interactive authentication. Specifically, commits 10405481 &
c5ee1ba6 (2016-01-29, before 4.0.5.1) and 044f22fd (2016-06-19, after
4.0.5.1, part of bug #1027).

If you are still having trouble, please copy & paste the output from
the command-line ssh. If you have Windows clients, use cygwin ssh.
Also, please confirm that you are using "Banner /etc/issue.net" in
order to display the banner.

-Mike


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#966; Package x2goclient. (Tue, 29 Aug 2017 17:05:01 GMT) (full text, mbox, link).


Acknowledgement sent to "Cherry, Andrew J." <acherry@alcf.anl.gov>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Tue, 29 Aug 2017 17:05:02 GMT) (full text, mbox, link).


Message #15 received at 966@bugs.x2go.org (full text, mbox, reply):

From: "Cherry, Andrew J." <acherry@alcf.anl.gov>
To: "966@bugs.x2go.org" <966@bugs.x2go.org>
Subject: Banner issue update
Date: Tue, 29 Aug 2017 16:52:08 +0000
I've done some additional testing, prompted by your mention of the banner being configured using the Banner option in sshd_config.  It turns out we are *not* using the sshd config option -- instead, we are displaying the banner using the pam_echo module, configured with the following line in /etc/pam.d/sshd:

auth        optional    pam_echo.so file=/etc/issue.net

What I've found so far is that the same /etc/issue.net plays nice with x2go when configured via the Banner option, but causes an auth failure when configured using pam_echo.so.

I'm going to do some more digging to see if I can figure out what the difference is.  Oddly, if I cut/paste the output from the OpenSSH client (on Linux) up to and including the Password: prompt, and do a diff between the two, they are byte-for-byte identical.

By the way, the reason we use pam_echo.so instead of the Banner option is because we actually have two banners -- /etc/issue/net for the standard security boilerplate which is always displayed, and /etc/issue.alcf which is normally empty but is populated with information during our scheduled maintenance windows when logins are disabled.  However, I've confirmed that the problem still occurs even if I configure pam_echo.so to only display /etc/issue.net

-Andrew


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#966; Package x2goclient. (Tue, 29 Aug 2017 20:20:01 GMT) (full text, mbox, link).


Acknowledgement sent to "Cherry, Andrew J." <acherry@alcf.anl.gov>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Tue, 29 Aug 2017 20:20:02 GMT) (full text, mbox, link).


Message #20 received at 966@bugs.x2go.org (full text, mbox, reply):

From: "Cherry, Andrew J." <acherry@alcf.anl.gov>
To: "Cherry, Andrew J." <acherry@alcf.anl.gov>
Cc: "966@bugs.x2go.org" <966@bugs.x2go.org>
Subject: Re: Banner issue update
Date: Tue, 29 Aug 2017 20:17:55 +0000
One more note about reproducing this -- I've found that pam_echo.so only prints the banner *before* the password prompt if sshd is configured with "ChallengeResponseAuthentication yes" (which we happen to have due to our CryptoCard token usage).

-Andrew

> On Aug 29, 2017, at 12:52 PM, Cherry, Andrew J. <acherry@alcf.anl.gov> wrote:
> 
> I've done some additional testing, prompted by your mention of the banner being configured using the Banner option in sshd_config.  It turns out we are *not* using the sshd config option -- instead, we are displaying the banner using the pam_echo module, configured with the following line in /etc/pam.d/sshd:
> 
> auth        optional    pam_echo.so file=/etc/issue.net
> 
> What I've found so far is that the same /etc/issue.net plays nice with x2go when configured via the Banner option, but causes an auth failure when configured using pam_echo.so.
> 
> I'm going to do some more digging to see if I can figure out what the difference is.  Oddly, if I cut/paste the output from the OpenSSH client (on Linux) up to and including the Password: prompt, and do a diff between the two, they are byte-for-byte identical.
> 
> By the way, the reason we use pam_echo.so instead of the Banner option is because we actually have two banners -- /etc/issue/net for the standard security boilerplate which is always displayed, and /etc/issue.alcf which is normally empty but is populated with information during our scheduled maintenance windows when logins are disabled.  However, I've confirmed that the problem still occurs even if I configure pam_echo.so to only display /etc/issue.net
> 
> -Andrew
> 


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#966; Package x2goclient. (Wed, 30 Aug 2017 02:15:02 GMT) (full text, mbox, link).


Acknowledgement sent to "Cherry, Andrew J." <acherry@alcf.anl.gov>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Wed, 30 Aug 2017 02:15:02 GMT) (full text, mbox, link).


Message #25 received at 966@bugs.x2go.org (full text, mbox, reply):

From: "Cherry, Andrew J." <acherry@alcf.anl.gov>
To: "966@bugs.x2go.org" <966@bugs.x2go.org>
Cc: "Cherry, Andrew J." <acherry@alcf.anl.gov>
Subject: Re: Banner issue update
Date: Wed, 30 Aug 2017 02:10:24 +0000
I did some more experimentation, and it looks like the following specific conditions are needed to reproduce the problem we're having:

1. Banner configured in /etc/pam.d/sshd using pam_echo.so, e.g.:

   auth optional pam_echo.so file=/etc/issue.net

2. The following config changes in sshd_config:

   ChallengeResponseAuthentication yes
   PasswordAuthentication no

> On Aug 29, 2017, at 4:17 PM, Cherry, Andrew J. <acherry@alcf.anl.gov> wrote:
> 
> One more note about reproducing this -- I've found that pam_echo.so only prints the banner *before* the password prompt if sshd is configured with "ChallengeResponseAuthentication yes" (which we happen to have due to our CryptoCard token usage).
> 
> -Andrew
> 
>> On Aug 29, 2017, at 12:52 PM, Cherry, Andrew J. <acherry@alcf.anl.gov> wrote:
>> 
>> I've done some additional testing, prompted by your mention of the banner being configured using the Banner option in sshd_config.  It turns out we are *not* using the sshd config option -- instead, we are displaying the banner using the pam_echo module, configured with the following line in /etc/pam.d/sshd:
>> 
>> auth        optional    pam_echo.so file=/etc/issue.net
>> 
>> What I've found so far is that the same /etc/issue.net plays nice with x2go when configured via the Banner option, but causes an auth failure when configured using pam_echo.so.
>> 
>> I'm going to do some more digging to see if I can figure out what the difference is.  Oddly, if I cut/paste the output from the OpenSSH client (on Linux) up to and including the Password: prompt, and do a diff between the two, they are byte-for-byte identical.
>> 
>> By the way, the reason we use pam_echo.so instead of the Banner option is because we actually have two banners -- /etc/issue/net for the standard security boilerplate which is always displayed, and /etc/issue.alcf which is normally empty but is populated with information during our scheduled maintenance windows when logins are disabled.  However, I've confirmed that the problem still occurs even if I configure pam_echo.so to only display /etc/issue.net
>> 
>> -Andrew
>> 
> 


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#966; Package x2goclient. (Fri, 01 Sep 2017 06:15:01 GMT) (full text, mbox, link).


Acknowledgement sent to Mihai Moldovan <ionic@ionic.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Fri, 01 Sep 2017 06:15:01 GMT) (full text, mbox, link).


Message #30 received at 966@bugs.x2go.org (full text, mbox, reply):

From: Mihai Moldovan <ionic@ionic.de>
To: "Cherry, Andrew J." <acherry@alcf.anl.gov>, 966@bugs.x2go.org
Subject: Re: [X2Go-Dev] Banner issue update
Date: Fri, 1 Sep 2017 08:13:38 +0200
[Message part 1 (text/plain, inline)]
On 08/30/2017 04:10 AM, Cherry, Andrew J. wrote:
> I did some more experimentation, and it looks like the following specific
> conditions are needed to reproduce the problem we're having:
> 
> 1. Banner configured in /etc/pam.d/sshd using pam_echo.so, e.g.:
> 
> auth optional pam_echo.so file=/etc/issue.net
> 
> 2. The following config changes in sshd_config:
> 
> ChallengeResponseAuthentication yes PasswordAuthentication no

This sort of makes sense.

If challenge response auth is turned on and normal password authentication is
turned off, X2Go Client expects a certain challenge response string to come up.
If none of the built-in strings match, authentication is marked as failed, since
it cannot proceed with password authentication (i.e., the keyboard-interactive
method.)

The patch you initially provided merely ignores whatever data comes first and
then matches on the password prompt.


Am I correct that in any case challenge auth is being used?


The problem certainly is that pam_echo.so outputs data before the prompt.

I'm reluctant to apply your patch, since I'm not sure that this is actually good
practice. Allowing arbitrary data before the password prompt doesn't make a lot
of sense to me, although I could probably do that.

We have a set of hardcoded prompts that are recognized as challenge auth
prompts, namely these listed here:
https://code.x2go.org/gitweb?p=x2goclient.git;a=blob;f=src/sshmasterconnection.cpp;h=0556299002e6402e332efe478d8ec7f83ab0ac57;hb=HEAD#l59


The requirement is that challenge auth prompts either contain *challenge* or
that they *start* with the known prompts.

Maybe it would make sense to check each consecutive *line* explicitly?

Would that make sense to you? I guess that would fix your problem.



Mihai

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#966; Package x2goclient. (Fri, 01 Sep 2017 06:35:01 GMT) (full text, mbox, link).


Acknowledgement sent to Mihai Moldovan <ionic@ionic.de>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Fri, 01 Sep 2017 06:35:01 GMT) (full text, mbox, link).


Message #35 received at 966@bugs.x2go.org (full text, mbox, reply):

From: Mihai Moldovan <ionic@ionic.de>
To: 966-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 966@bugs.x2go.org
Subject: X2Go issue (in src:x2goclient) has been marked as pending for release
Date: Fri, 1 Sep 2017 08:32:47 +0200 (CEST)
tag #966 pending
fixed #966 4.1.0.1
thanks

Hello,

X2Go issue #966 (src:x2goclient) reported by you has been
fixed in X2Go Git. You can see the changelog below, and you can
check the diff of the fix at:

    http://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=ad62687

The issue will most likely be fixed in src:x2goclient (4.1.0.1).

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
commit ad6268711062cbabbe0ec67d67d1f0df38b43217
Author: Mihai Moldovan <ionic@ionic.de>
Date:   Fri Sep 1 08:32:14 2017 +0200

    src/sshmasterconnection: ignore "garbage", but require at least one line to start with a known challenge auth prompt. Fixes: #966.

diff --git a/debian/changelog b/debian/changelog
index 0b11622..9ed36f0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -182,6 +182,8 @@ x2goclient (4.1.0.1-0x2go1) UNRELEASED; urgency=medium
       effect on this behavior, so removing it again.
     - Makefile: add comment explaining why we need to do this in the first
       place and why it's so complicated.
+    - src/sshmasterconnection: ignore "garbage", but require at least one line
+      to start with a known challenge auth prompt. Fixes: #966.
   * x2goclient.spec:
     - Respect %{optflags} and pass QMAKE_STRIP=: to fix missing debug info
       issues.


Added tag(s) pending. Request was from Mihai Moldovan <ionic@ionic.de> to control@bugs.x2go.org. (Fri, 01 Sep 2017 06:35:02 GMT) (full text, mbox, link).


Marked as fixed in versions 4.1.0.1. Request was from Mihai Moldovan <ionic@ionic.de> to control@bugs.x2go.org. (Fri, 01 Sep 2017 06:35:02 GMT) (full text, mbox, link).


Message sent on to Andrew Cherry <acherry@alcf.anl.gov>:
Bug#966. (Fri, 01 Sep 2017 06:35:02 GMT) (full text, mbox, link).


No longer marked as fixed in versions 4.1.0.1. Request was from Mihai Moldovan <ionic@ionic.de> to control@bugs.x2go.org. (Sun, 29 Oct 2017 07:20:01 GMT) (full text, mbox, link).


Marked as fixed in versions 4.1.1.0. Request was from Mihai Moldovan <ionic@ionic.de> to control@bugs.x2go.org. (Sun, 29 Oct 2017 07:20:01 GMT) (full text, mbox, link).


Information forwarded to x2go-dev@lists.x2go.org, X2Go Developers <x2go-dev@lists.x2go.org>:
Bug#966; Package x2goclient. (Sun, 29 Oct 2017 07:50:09 GMT) (full text, mbox, link).


Acknowledgement sent to X2Go Release Manager X2Go Release Manager <git-admin@x2go.org>:
Extra info received and forwarded to list. Copy sent to X2Go Developers <x2go-dev@lists.x2go.org>. (Sun, 29 Oct 2017 07:50:09 GMT) (full text, mbox, link).


Message #51 received at 966@bugs.x2go.org (full text, mbox, reply):

From: X2Go Release Manager X2Go Release Manager <git-admin@x2go.org>
To: 966-submitter@bugs.x2go.org
Cc: control@bugs.x2go.org, 966@bugs.x2go.org
Subject: X2Go issue (in src:x2goclient) has been marked as closed
Date: Sun, 29 Oct 2017 08:45:52 +0100 (CET)
close #966
thanks

Hello,

we are very hopeful that X2Go issue #966 reported by you
has been resolved in the new release (4.1.1.0) of the
X2Go source project »src:x2goclient«.

You can view the complete changelog entry of src:x2goclient (4.1.1.0)
below, and you can use the following link to view all the code changes
between this and the last release of src:x2goclient.

    http://code.x2go.org/gitweb?p=x2goclient.git;a=commitdiff;h=eafcb63c2ac63ae7ce43886949945e710c81bd3d;hp=add03ee78f3dcbee3317bf17a08dcb2cbeb12ee7

If you feel that the issue has not been resolved satisfyingly, feel
free to reopen this bug report or submit a follow-up report with
further observations described based on the new released version
of src:x2goclient.

Thanks a lot for contributing to X2Go!!!

light+love
X2Go Git Admin (on behalf of the sender of this mail)

---
X2Go Component: src:x2goclient
Version: 4.1.1.0-0x2go1
Status: RELEASE
Date: Sun, 29 Oct 2017 08:43:45 +0100
Fixes: 31 499 592 870 930 966 1093 1100 1119 1121 1152 1165 1185 1186
Changes:
 x2goclient (4.1.1.0-0x2go1) RELEASED; urgency=medium
 .
   [ Mihai Moldovan ]
   * New upstream version (4.1.1.0):
     - src/sshmasterconnection.cpp: use ssh_channel_listen_forward () instead
       of ssh_forward_listen () for newer libssh versions. Fixes: #870.
     - src/sshmasterconnection.cpp: with libssh 0.6.0 and newer, get the public
       key via ssh_get_server_publickey () (0.8.0 and higher) or
       ssh_get_publickey () (0.7.x and lower) and its hash via
       ssh_get_publickey_hash () instead of using the deprecated
       ssh_get_pubkey_hash () function. Additionally, replace free () with the
       more appropriate ssh_string_free_char () function after using
       ssh_get_hexa (). This will break on very old systems with a hopelessly
       outdated libssh version, but we do not care about these systems in the
       first place.
     - src/sshmasterconnection.cpp: replace string_free () with its successor
       ssh_string_free (). Will break on ancient systems, but we don't care.
     - src/sshmasterconnection.cpp: replace deprecated channel_new () function
       with ssh_channel_new (). Might break on ancient systems, but we don't
       care. Also, add error handling in case ssh_channel_new () failed...
     - src/sshmasterconnection.cpp: replace deprecated channel_open_forward ()
       function with ssh_channel_open_forward (). Might break on ancient
       systems, but we don't care.
     - src/sshmasterconnection.cpp: replace deprecated channel_open_session ()
       function with ssh_channel_open_session (). Might break on ancient
       systems, but we don't care.
     - src/sshmasterconnection.cpp: replace deprecated channel_request_exec ()
       function with ssh_channel_request_exec (). Might break on ancient
       systems, but we don't care.
     - src/sshmasterconnection.cpp: replace deprecated channel_poll () function
       with ssh_channel_poll (). Might break on ancient systems, but we don't
       care.
     - src/sshmasterconnection.cpp: replace deprecated channel_read () function
       with ssh_channel_read (). Might break on ancient systems, but we don't
       care.
     - src/sshmasterconnection.cpp: replace deprecated channel_is_eof ()
       function with ssh_channel_is_eof (). Might break on ancient systems, but
       we don't care.
     - src/sshmasterconnection.cpp: replace deprecated channel_write ()
       function with ssh_channel_write (). Might break on ancient systems, but
       we don't care.
     - src/sshmasterconnection.cpp: replace deprecated channel_send_eof ()
       function with ssh_channel_send_eof (). Might break on ancient systems,
       but we don't care.
     - src/sshmasterconnection.cpp: replace deprecated channel_close ()
       function with ssh_channel_close (). Might break on ancient systems, but
       we don't care.
     - src/sshmasterconnection.cpp: replace deprecated channel_free () function
       with ssh_channel_free (). Might break on ancient systems, but we don't
       care.
     - src/sshmasterconnection.cpp: use QString::arg () to insert function name
       and thus deduplicate error translation messages. Also re-add the full
       stop sign and remove it when needed for x2goDebug.
     - src/sshmasterconnection.cpp: fix up some debug strings.
     - src/sshmasterconnection.cpp: port more occurrences of "QString to C
       string" akin to 1b21d75f2c10609f3586f5b5e0b4ceb7fca83fdd.
     - src/sshmasterconnection.cpp: enable parsing of ~/.ssh/config.
       Fixes: #1121. Shorthands as host names and other bells and whistles like
       inferred port or user name values are now supported.
     - src/{onmainwindow,httpbrokerclient}.cpp: fix up error/warning message
       displayed when the server-specified key is unknown, but we have another
       key type stored already.
     - src/pulsemanager.cpp: fix up a debug string. Qt drops a space where I'd
       like to have one and inserts a space where I'd like none, so work around
       that fancifully.
     - src/sshmasterconnection.cpp: libssh < 0.6.0 does not have the
       ssh_options_get () API, but instead expects users to pull out
       information directly from the ssh_session structure. This fixes compile
       issues on systems with older libssh versions.
     - src/sshmasterconnection.cpp: turns out libssh < 0.6.0 doesn't support
       fetching the host, port and username parameters at all. We're in the
       clear for non-SSH-proxied connections and can use config file parsing,
       but have to disable config file parsing in the proxy settings, as
       there's no way to query the remote endpoint information. As a result we
       will be unable to open a new socket to the remote endpoint and proxying
       will fail badly.
     - src/x2goutils.cpp: ensure that add_to_path () also processes the first
       value passed. Fixes startup problems in MacPorts. Fixes: #1093.
     - res/i18n/x2goclient_et.ts: various fixups for the Estonian translation
       file.
     - res/i18n/x2goclient_*.ts: go the extra mile and fix up translation files
       manually after the "anothertype" fix in
       8e503d89ee2d03a313c3deff11f0516fce503022.
     - {src/{onmainwindow,httpbrokerclient}.cpp,res/i18n/x2goclient_*.ts}: fix
       another occurrence of a string missing a space separator between words
       and update translation files.
     - src/onmainwindow.cpp: don't duplicate depth warning message needlessly,
       use correct plural forms in translations and split string up in a
       translation-friendly form. I'll leave translators to handle this beast,
       as languages are unique in the number of plural forms and the like.
     - {src/printdialog.cpp,res/i18n/x2goclient_*.ts}: drop spurious left-over
       parenthesis in warning message and adapt translations.
     - src/onmainwindow.cpp: make the "not loading translator" message
       non-translatable, as it doesn't make a lot of sense to actually
       translate it.
     - {src/{configdialog,x2goutils}.cpp,res/i18n/x2goclient_*.ts}: change
       XQuartz project homepage references, adapt translations.
     - src/pulsemanager.{cpp,h}: make get_* () functions const.
     - src/pulsemanager.{cpp,h}: make is_server_running () const.
     - src/pulsemanager.{cpp,h}: add new pulse_version_valid_ boolean class
       member variable, set it correctly and use it whenever the version is
       accessed.
     - src/pulsemanager.cpp: make fetch_pulseaudio_version () more resilient.
       Instead of aborting hard when the version number could not be detected,
       break out of the loops only. We can make stuff work, even if the version
       is unknown. Or just continue without PA support as such.
     - src/pulsemanager.{cpp,h}: add show_startup_warning () for both PA server
       and (debug) startup sound playback.
     - src/pulsemanager.cpp: check server_binary_ before using it and jump over
       code that assumes the PA server binary to be available.
     - src/pulsemanager.cpp: don't fail hard on OS X if the PA server binary
       could not be found in the constructor. We can live without PA and will
       show a warning message to the user later on when PA is supposed to be
       started.
     - src/pulsemanager.cpp: deduplicate warning/error messages - make use of
       show_startup_warning (). This does imply changes to the translation
       files, coming up next.
     - res/i18n/x2goclient_*.ts: regenerate translation files and fix up some
       SSH and PulseManager messages manually, where possible.
     - src/x2ogutils.h: guard UNUSED macro definition.
     - {macbuild.sh,src/{x2goutils.h,{pulsemanager,onmainwindow}.cpp},
        x2goclient.pro}: make MacPorts prefix selectable at compile time. Much
       cleaner for downstream package maintainers (like, for instance, MacPorts
       itself.)
     - res/i18n/x2goclient_fi.ts: remove outdated comment.
     - src/sshprocess.cpp: bind direct tunnel socket to localhost instead of
       any address. Fixes: #31.
     - src/onmainwindow.cpp: check for sessionExplorer->getLastSession() to be
       valid in all places but obvious ones. Fixes: #499.
     - src/sshmasterconnection.cpp: use new PKI-based libssh API for public key
       authentication for libssh 0.6.0 and higher. Fixes: #1119.
     - src/sshmasterconnection.cpp: add YubiKey challenge auth prompt.
     - src/sshmasterconnection.cpp: fix compile errors on pre-libssh-0.6.0
       systems and add a TOCTU-race check to see if the file exists prior to
       calling privatekey_from_file () on such systems. Additionally fix a type
       issue.
     - macbuild.sh: fix long-standing issue that made the DMG bundle contain a
       symlink made up of only a space to /Applications.
     - res/img/icons/dmg: add new image disk.svg, used as the basis for the new
       OS X DMG bundle icon.
     - res/img/icons/dmg: add new disk-drive-and-x2goclient icon for use as the
       volume icon of the OS X DMG bundle.
     - macbuild.sh: use the new volume icon that actually also looks like a
       disk drive. Fixes: #930.
     - src/onmainwindow.cpp: typo fix only.
     - src/onmainwindow.cpp: do not automatically set login user name to
       current system user if empty. Unbreaks default user name fetching via
       libssh. Might break some use cases (especially RDP, XDMCP).
     - src/x2goclient.cpp: revert change bypassing the UNIX cleanup helper.
     - src/onmainwindow.cpp: revert old behavior and select user name field
       after a session has been suspended/terminated if user name was not
       provided. Do not insert an user name, though, but leave it to
       autodetection by default.
     - src/sshmasterconnection.cpp: fix SSH-proxied connections with port
       numbers of zero.
       In order to authenticate the remote server, SSH-proxied connections must
       be reset to their remote host and port values after connecting via the
       SSH tunnel. If the original port value was zero, setting it was skipped,
       leading to connections like $REMOTE_HOST:$PROXY_PORT, which is certainly
       wrong. Fetch the inferred port value and set this instead, fixing this
       issue.
     - Makefile: add new QMAKE_OPTS variable so that packagers can pass
       additional options to qmake directly.
     - src/sshmasterconnection.cpp: typo fix in log message only.
     - src/sshmasterconnection.cpp: don't leak ssh_session data, free it once
       we're done with it.
     - Makefile: qmake seems to act weird if QMAKE_C(XX)FLAGS starts with a
       space followed by additional non-whitespace characters. Refactor the
       variables a bit to work around this issue.
     - Makefile: turns out the only somewhat portable way to do something like
       this is via shell hackery.
     - Makefile: reset to the original state and make sure that we don't pass
       CXXFLAGS on to the actual build process to not override the values
       generated by qmake.
     - Makefile: the only way to prevent variables on the command line to be
       passed down seems to be to remove them from MAKEOVERRIDES.
       .MAKEOVERRIDES is the FreeBSD-make-equivalent variable. MAKEFLAGS has no
       effect on this behavior, so removing it again.
     - Makefile: add comment explaining why we need to do this in the first
       place and why it's so complicated.
     - src/sshmasterconnection: ignore "garbage", but require at least one line
       to start with a known challenge auth prompt. Fixes: #966.
     - x2goclient.pro: add libssh_threads library. We need this since X2Go
       Client is multi-threaded.
     - copy-deps-win32.bat: also copy libssh_threads.dll to go with the
       previous change.
     - src/{onmainwindow,sshmasterconnection}.{cpp,h}: correctly initialize and
       finalize libssh. We ought to do both only once - in our main thread.
       Previously, we initialized libssh in a new thread, which might be
       problematic.
     - src/sessionexplorer.cpp: open the correct tab when editing a session
       from the exports menu.
     - src/onmainwindow.cpp: try to workaround window placement if settings
       contain a (newly) invalid position (e.g., a position that refers to a
       disconnected display.)
     - src/onmainwindow.cpp: try to find a display that can hold the window's
       position fetched from the sizes settings. Use the default if none could
       be found.
     - src/onmainwindow.cpp: fix up main window position check; use
       QRect.intersects ().
     - src/pulsemanager.{cpp,h}: rename shutdownState to shutdown_state_,
       reorder in initializer list.
     - res/i18n/: regenerate translations.
     - res/i18n/x2goclient_es.ts: fixup Spanish translation file.
     - res/i18n/x2goclient_et.ts: fixup some typos in the Estonian translation
       file.
     - res/i18n/x2goclient_sv.ts: add singular form to translation entry as
       discussed on list.
     - res/i18n/x2goclient_es.ts: add singular form to translation entry as
       discussed off list.
     - res/i18n/x2goclient_nl.ts: various fixups for Dutch translation file.
     - res/i18n/x2goclient_nb_no.ts: various fixups for Bokmål (Norway)
       translation file.
     - res/i18n/x2goclient_nl.ts: fix whitespace issues in Dutch translation
       file and re-add numerus form translation.
     - res/i18n/x2goclient_nb_no.ts: various fixups for Bokmål (Norway)
       translation file, including numerus form.
     - src/sshmasterconnection.cpp: for proxied connections, fetch the user
       name matching the given host, not proxy host.
     - res/i18n/x2goclient_fi.ts: various fixups for Finnish translation file.
     - res/i18n/x2goclient_fi.ts: another tiny whitespace fixup for Finnish
       translation file.
     - src/onmainwindow.cpp: fix "XMDCP" typo.
     - res/i18n/x2goclient_de.ts: various fixups for German translation file.
     - src/onmainwindow.cpp: fix "loose" vs. "lose" spelling mistake.
     - res/i18n/x2goclient_et.ts: remove obsolete and wrongly capitalized
       "x2go" part from an Estonian translation message.
     - res/i18n/x2goclient_sv.ts: minor whitespace fixup.
     - res/i18n/x2goclient_*.ts: apply "XMDCP" -> "XDMCP" fix manually to
       translation files.
     - res/i18n/x2goclient_nb_no.ts: remove obsolete comments (leading to
       problems when regenerating translation files.)
     - res/i18n/x2goclient_nl.ts: remove obsolete comments (leading to problems
       when regenerating translation files.)
     - res/i18n/x2goclient_*.ts: regenerate translations.
     - res/i18n/x2goclient_fi.ts: various fixups for Finnish translation file.
     - src/sshmasterconnection.cpp: spelling fix. (Quiting -> Quitting)
     - x2gobrowserplugin-2.4_1/src/qtbrowserplugin.cpp: spelling fix.
       (convertable -> convertible)
   * x2goclient.spec:
     - Respect %{optflags} and pass QMAKE_STRIP=: to fix missing debug info
       issues.
 .
   [ Oleksandr Shneyder ]
   * New upstream version (4.1.1.0):
     - Interaction with SSH server (for example for changing
       expired password). Fixes: #592.
     - Fixing setting widget style issue in InteractionDialog on
       Windows client.
     - SSH Interaction for SSH Broker and SSH Server.
     - SSH Iteraction for method keyboard-interactive.
     - Move PulseManager MsgBox functions to main window:
       GUI functions should be used only from main thread.
     - Check "norecord" option on the first start of PulseAudio.
     - Disable/Enable PulseAudio in config dialog.
       New command line options:
       --disable-pulse to disable start of PulseAudio
       --disable-pulse-record to disable audio input.
     - Check if PulseAudio running at session start and resuming
       when sound is enabled. Show warning if PulseAudio not running
       and disable the sound support for the session to avoid
       session freezes.
     - Add session config file option "sshproxysamekey". With this option
       client will use for proxy authentication same key as for X2Go server.
       This is important in first case for broker users, where key can be
       generated "on the fly". Maybe it makes sence to add this option in UI
       and command line later.
     - Correct negative display coordinates for FS sessions.
 .
   [ Robert Parts ]
   * New upstream version (4.1.1.0):
     - res/i18n/x2goclient_et.ts: update Estonian translation file.
     - res/i18n/x2goclient_et.ts: update Estonian translation file.
 .
   [ Martti Pitkänen ]
   * New upstream version (4.1.1.0):
     - res/i18n/x2goclient_fi.ts: update Finnish translation file.
     - res/i18n/x2goclient_fi.ts: update Finnish translation file.
     - res/i18n/x2goclient_fi.ts: update Finnish translation file.
 .
   [ Mike DePaulo ]
   * New upstream version (4.1.1.0):
     - Windows: Upgrade PulseAudio from 6.0 to 7.1
       Fixes: #1152 Issues with audio when playing HTML5 videos
     - Windows: Remove uninstaller from start menu.
       It is still available in "Programs and Features".
     - Windows: Upgrade Win32 OpenSSL from 1.0.1t to 1.0.2k
       Fixes numerous CVEs
     - Windows: Upgrade libssh from 0.7.0 to 0.7.4 (while maintaining
       Pageant support).
       The possibly relevant changes are:
         + CVE-2016-0739 was fixed
         + improved id_ed25519 support
         + numerous bug fixes
     - Windows: Update PuTTY from 0.67 to 0.68
       The possibly relevant changes are:
         + CVE-2016-6167 was fixed (did not affect X2Go Client by
           default because the installation dir is not writeable by
           users)
         + CVE-2017-6542 was fixed
     - Don't override PATH for the actual session or application
       command.
       Fixes: #1100
 .
   [ Walid Moghrabi ]
   * New upstream version (4.1.1.0):
     - {src/{help.cpp,onmainwindow.{cpp,h}},man/man1/x2goclient.1}: let
       --background take a directory and randomly pick an SVG file in there.
       Fixes: #1165.
     - {src/{help.cpp,onmainwindow.{cpp,h}},man/man1/x2goclient.1}:
       pass-through broker credentials when connecting to a direct RDP session.
       Fixes: #1185.
       Adds a new  --broker-use-creds-for-session parameter.
     - src/onmainwindow.cpp: support --close-disconnect for direct RDP
       sessions. Fixes: #1186.
 .
   [ Daniel Lindgren ]
   * New upstream version (4.1.1.0):
     - res/i18n/x2goclient_sv.ts: update Swedish translation file.
 .
   [ Ricardo Díaz Martín ]
   * New upstream release (4.1.1.0):
     - res/i18n/x2goclient_es.ts: update Spanish translation file.
 .
   [ Jos Wolfkamp ]
   * New upstream version (4.1.1.0):
     - res/i18n/x2goclient_nl.ts: update Dutch translation file.
     - res/i18n/x2goclient_nl.ts: update Dutch translation file.
 .
   [ Klaus Ade Johnstad ]
   * New upstream version (4.1.1.0):
     - res/i18n/x2goclient_nb_no.ts: update Bokmål (Norway) translation file.
     - res/i18n/x2goclient_nb_no.ts: update Bokmål (Norway) translation file.
 .
   [ Stefan Baur ]
   * New upstream release (4.1.1.0):
     - res/i18n/x2goclient_de.ts: update German translation file.
 .
   [ Sébastien Ducoulombier ]
   * New upstream version (4.1.1.0):
     - res/i18n/x2goclient_fr.ts: update French translation file.


Marked Bug as done Request was from X2Go Release Manager X2Go Release Manager <git-admin@x2go.org> to control@bugs.x2go.org. (Sun, 29 Oct 2017 07:50:10 GMT) (full text, mbox, link).


Notification sent to Andrew Cherry <acherry@alcf.anl.gov>:
Bug acknowledged by developer. (Sun, 29 Oct 2017 07:50:11 GMT) (full text, mbox, link).


Message sent on to Andrew Cherry <acherry@alcf.anl.gov>:
Bug#966. (Sun, 29 Oct 2017 07:50:20 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.x2go.org> to internal_control@bugs.x2go.org. (Mon, 27 Nov 2017 06:24:03 GMT) (full text, mbox, link).


Send a report that this bug log contains spam.


X2Go Developers <owner@bugs.x2go.org>. Last modified: Fri Mar 29 04:36:40 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.