Control: reassign -1 x2goclient
Control: found -1 4.1.1.1

On Di 13 Feb 2018 19:29:45 CET, Walid MOGHRABI wrote:

> package: x2gobroker-ssh
> version: 0.0.4.0-0~972~ubuntu16.04.1
> priority: bug
>
> Using the ssh broker is great because it adds the ability for the
> x2goclient to interact with the auth mechanism such as PAM so that
> you get notified that you need to renew a password for example.
> This is great but it doesn't always work well.
>
> For example, the user doesn't get the reason why the access is denied.
>
> Here are different tests I made based on the following setup:
> x2gobroker in ssh mode with local PAM auth based on Samba
> Winbind/Kerberos.
>
> I tried both situations to compare:
> * with the x2goclient in broker-ssh mode
> * with a term trying to connect through SSH
>
>
> 1) Account set for password change with temporary password in Active
> Directory, user types wrong password (neither old nor new one)
> * with x2goclient: get message "Access denied. Authentication that
> can continue: publickey,password,keyboard-interactive"
> * with term: "Your account has been locked. Please contact your
> System administrator. Password: "
>
>
> 2) Account set for password change with temporary password in Active
> Directory, user types good password
>
> * with x2goclient: get a new password form in order to type (and
> confirm) the new password. Resetting password works and you get
> logged in to the broker with the sessions list displayed.
> However, if you click on the "cancel" button, x2goclient freezes and
> must be killed, you're not sent back to the login form.
> On the other hand, if you change your password and then are logged
> in, clicking on the session slot fails because this is the old
> password that is relayed to the session slot and not the new one.
> When it fails, you get a new login form to enter your password
> again, if you type the new password there, it works.
>
> * with term:
> "Password: ******"
> "Password expired. You must change it now."
> "Enter new password: ******"
> "Enter it again: ******"
> If you cancel (ctrl+c), nothing happens and you get back to the prompt.
> If you enter the good old password, you're prompted to change it
> then you're logged in.
> If you enter the wrong password, you're prompted to retry 2 times then
> you get this message "Your account has been locked. Please contact
> your System administrator" (this is our security policy, this is
> normal behaviour, 2 fails then blocked for 10mn).
>
>
> 3) Account disabled in Active Directory
> * with x2goclient: get message "Access denied. Authentication that
> can continue: publickey,password,keyboard-interactive"
> * with term: "Your account has been locked. Please contact your
> System administrator. Password: "
>
>
> Would be great to fix the issues in 2) and would be great to
> retrieve the error message directly from PAM so that we get the
> reason.

Most of this is unrelated to X2Go Broker. It needs to be worked on in
X2Go Client.

Mike
-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de