X2Go Bug report logs - #966
x2goclient SSH fails with keyboard-interactive + banner

version graph

Package: x2goclient; Maintainer for x2goclient is X2Go Developers <x2go-dev@lists.x2go.org>; Source for x2goclient is src:x2goclient.

Reported by: Andrew Cherry <acherry@alcf.anl.gov>

Date: Fri, 20 Nov 2015 17:05:02 UTC

Severity: normal

Tags: pending

Found in version 4.0.5.1

Fixed in version 4.1.1.0

Done: X2Go Release Manager X2Go Release Manager <git-admin@x2go.org>

Bug is archived. No further changes may be made.

Full log


🔗 View this message in rfc822 format

X-Loop: owner@bugs.x2go.org
Subject: Bug#966: Banner issue update
Reply-To: "Cherry, Andrew J." <acherry@alcf.anl.gov>, 966@bugs.x2go.org
Resent-From: "Cherry, Andrew J." <acherry@alcf.anl.gov>
Resent-To: x2go-dev@lists.x2go.org
Resent-CC: X2Go Developers <x2go-dev@lists.x2go.org>
X-Loop: owner@bugs.x2go.org
Resent-Date: Tue, 29 Aug 2017 17:05:01 +0000
Resent-Message-ID: <handler.966.B966.15040260235309@bugs.x2go.org>
Resent-Sender: owner@bugs.x2go.org
X-X2Go-PR-Message: followup 966
X-X2Go-PR-Package: x2goclient
X-X2Go-PR-Keywords: 
Received: via spool by 966-submit@bugs.x2go.org id=B966.15040260235309
          (code B ref 966); Tue, 29 Aug 2017 17:05:01 +0000
Received: (at 966) by bugs.x2go.org; 29 Aug 2017 17:00:23 +0000
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
	ymir.das-netzwerkteam.de
X-Spam-Level: 
X-Spam-Status: No, score=0.0 required=3.0 tests=BAYES_20,DKIM_SIGNED,
	DKIM_VALID,RCVD_IN_DNSWL_BLOCKED,URIBL_BLOCKED autolearn=ham
	autolearn_force=no version=3.4.1
Received: from localhost (localhost [127.0.0.1])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTP id 57EBE5DACF
	for <966@bugs.x2go.org>; Tue, 29 Aug 2017 19:00:16 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at ymir.das-netzwerkteam.de
Received: from ymir.das-netzwerkteam.de ([127.0.0.1])
	by localhost (ymir.das-netzwerkteam.de [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 8xfFd03UJ3zF for <966@bugs.x2go.org>;
	Tue, 29 Aug 2017 19:00:03 +0200 (CEST)
X-Greylist: delayed 466 seconds by postgrey-1.35 at ymir.das-netzwerkteam.de; Tue, 29 Aug 2017 19:00:03 CEST
Received: from mailrelay.anl.gov (mailrelay.anl.gov [130.202.101.22])
	by ymir.das-netzwerkteam.de (Postfix) with ESMTPS id 238BE5DACE
	for <966@bugs.x2go.org>; Tue, 29 Aug 2017 19:00:02 +0200 (CEST)
Received: from mailgateway.anl.gov (mailgateway.anl.gov [130.202.101.28])
	(using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by mailrelay.anl.gov (Postfix) with ESMTPS id 7A822200032
	for <966@bugs.x2go.org>; Tue, 29 Aug 2017 11:52:12 -0500 (CDT)
X-IronPort-AV: E=Sophos;i="5.41,445,1498539600"; 
   d="scan'208";a="164257768"
Received: from hybrid-george.anl.gov (HELO GEORGE.anl.gov) ([146.137.81.15])
  by mailgateway.anl.gov with ESMTP/TLS/DHE-RSA-AES256-SHA; 29 Aug 2017 11:52:12 -0500
Received: from gcc01-dm2-obe.outbound.protection.outlook.com (23.103.198.49)
 by hybridexchange.anl.gov (146.137.81.15) with Microsoft SMTP Server (TLS) id
 14.3.319.2; Tue, 29 Aug 2017 11:52:11 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=ArgonneDOE.onmicrosoft.com; s=selector1-alcf-anl-gov;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version;
 bh=0ilPaVwpon2t7SDVJLZWJQ4G+Eg8f2DBTxdey5ek2tk=;
 b=ZigbZ2QDwDNebGvNh9aRO0Tmlxis26zoa09hpbL8P87EJbZXGpFdVt1lrQbSFOlYfFnHmspib4eD+toXbexgB4tZrnsALrdDeDhhWIoqjDvygeq+2NpCsdYDZLCO0tUKCw1bNXhSya83JWlgsdmBBbCM51ENKFmnEi7lgowzn7Q=
Received: from BN3PR09MB0401.namprd09.prod.outlook.com (10.160.115.21) by
 BN3PR09MB0401.namprd09.prod.outlook.com (10.160.115.21) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id
 15.20.13.10; Tue, 29 Aug 2017 16:52:09 +0000
Received: from BN3PR09MB0401.namprd09.prod.outlook.com ([10.160.115.21]) by
 BN3PR09MB0401.namprd09.prod.outlook.com ([10.160.115.21]) with mapi id
 15.20.0013.010; Tue, 29 Aug 2017 16:52:09 +0000
From: "Cherry, Andrew J." <acherry@alcf.anl.gov>
To: "966@bugs.x2go.org" <966@bugs.x2go.org>
Thread-Topic: Banner issue update
Thread-Index: AQHTIOcnJ12TQgEw8kug353BsJcRzQ==
Date: Tue, 29 Aug 2017 16:52:08 +0000
Message-ID: <F6769B3D-89EA-4E1B-831A-84EBBB985A96@anl.gov>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is )
 smtp.mailfrom=acherry@alcf.anl.gov; 
x-originating-ip: [69.141.60.239]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1;BN3PR09MB0401;20:AoQs49OiAZsSyQyq/nX+FaX4D0pUpg3z56qZMhGywexGEgFatHa5HdMLyYUr4iGCG4F6rbcweA387XK6tcy3fhkj6ZCdMCjBGTH0wklPAbLZ6o4bghZKc+wmsmLTQg+4ENG9ZyNoInCOTJdKbSQy/3qhZp23P8JGKezGxSYWH7M=
x-ms-exchange-antispam-srfa-diagnostics: SSOS;SSOR;
x-forefront-antispam-report: SFV:SKI;SCL:-1;SFV:NSPM;SFS:(10009020)(6009001)(189002)(199003)(97736004)(14454004)(68736007)(86362001)(5640700003)(25786009)(189998001)(6116002)(102836003)(3846002)(3660700001)(2351001)(15650500001)(3280700002)(551544002)(83716003)(2501003)(110136004)(99286003)(2906002)(6916009)(42882006)(53936002)(9686003)(6512007)(6506006)(6436002)(6486002)(77096006)(305945005)(54356999)(7736002)(50986999)(81156014)(81166006)(8676002)(7116003)(5660300001)(33656002)(3480700004)(36756003)(8936002)(2900100001)(478600001)(66066001)(101416001)(82746002)(105586002)(106356001);DIR:OUT;SFP:1101;SCL:1;SRVR:BN3PR09MB0401;H:BN3PR09MB0401.namprd09.prod.outlook.com;FPR:;SPF:None;PTR:InfoNoRecords;MX:1;A:1;LANG:en;
x-ms-office365-filtering-correlation-id: 76a2138f-f6bc-48ae-6a10-08d4eefe499f
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254152)(300000503095)(300135400095)(2017052603199)(201703131423075)(201703031133081)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095);SRVR:BN3PR09MB0401;
x-ms-traffictypediagnostic: BN3PR09MB0401:
x-exchange-antispam-report-test: UriScan:(192374486261705);
x-microsoft-antispam-prvs: <BN3PR09MB0401473FE2D93B375862F839999F0@BN3PR09MB0401.namprd09.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(5005006)(8121501046)(3002001)(100000703101)(100105400095)(10201501046)(93006095)(93001095)(6041248)(20161123564025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123555025)(20161123560025)(20161123558100)(20161123562025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095);SRVR:BN3PR09MB0401;BCL:0;PCL:0;RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095);SRVR:BN3PR09MB0401;
x-forefront-prvs: 0414DF926F
received-spf: None (protection.outlook.com: alcf.anl.gov does not designate
 permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-ID: <44A92D9BBCA3834181DBAEA196BAD647@namprd09.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Aug 2017 16:52:08.9589
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0cfca185-25f7-49e3-8ae7-704d5326e285
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR09MB0401
X-OriginatorOrg: alcf.anl.gov
I've done some additional testing, prompted by your mention of the banner being configured using the Banner option in sshd_config.  It turns out we are *not* using the sshd config option -- instead, we are displaying the banner using the pam_echo module, configured with the following line in /etc/pam.d/sshd:

auth        optional    pam_echo.so file=/etc/issue.net

What I've found so far is that the same /etc/issue.net plays nice with x2go when configured via the Banner option, but causes an auth failure when configured using pam_echo.so.

I'm going to do some more digging to see if I can figure out what the difference is.  Oddly, if I cut/paste the output from the OpenSSH client (on Linux) up to and including the Password: prompt, and do a diff between the two, they are byte-for-byte identical.

By the way, the reason we use pam_echo.so instead of the Banner option is because we actually have two banners -- /etc/issue/net for the standard security boilerplate which is always displayed, and /etc/issue.alcf which is normally empty but is populated with information during our scheduled maintenance windows when logins are disabled.  However, I've confirmed that the problem still occurs even if I configure pam_echo.so to only display /etc/issue.net

-Andrew

Send a report that this bug log contains spam.


X2Go Developers <owner@bugs.x2go.org>. Last modified: Thu Mar 28 10:40:34 2024; Machine Name: ymir.das-netzwerkteam.de

X2Go Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.