[X2go-Dev] [X2go-dev] x2goclient and ssh-agent
Heiko Baumann
heiko at oss.hboss.de
Thu Jun 23 10:17:45 CEST 2011
Hi Mike,

first of all sorry for my late answer. i was very busy.
yes i want to access a "share" on a server in the same subnet as the
x2goserver. but not from my x2goclient machine via ssh reverse tunnel. i
just want to access the "share" from within my x2goclient session. this
is imho a standard use case for a terminal server environment. i can
already do this with sshfs from the x2goserver via password
authentication. but if the fileserver does not allow ssh password auth
it is impossible. for sure i could create another ssh private key on the
x2goserver and put the public key part on the fileserver. but this may
not be wanted if you have one identity (ssl cert/ssh key) for each user
which should only be securely stored on a smartcard.
here is how it works:
Agent pid 8086
09:52:47 nb-heikob ~ # ssh -A terminalix-hbslx
terminalix-hbslx ~ # dir /tmp/ssh-tHRmT17232/
insgesamt 512
drwx------ 2 root root 80 23. Jun 09:52 .
drwxrwxrwt 14 root root 496 23. Jun 09:52 ..
srwxr-xr-x 1 root root 0 23. Jun 09:52 agent.17232
terminalix-hbslx ~ # ssh remotix-hbslx
remotix-hbslx ~ # logout
Connection to remotix-hbslx closed.
if the local ssh agent socket does not exist, login via agent
forwarding does not work:
terminalix-hbslx ~ # rm /tmp/ssh-tHRmT17232/ -r
terminalix-hbslx ~ # ssh remotix-hbslx
Permission denied (publickey,gssapi-with-mic,keyboard-interactive).
terminalix-hbslx ~ #
to get ssh-agent forwarding working with an old x2goclient version
(before using libssh2) i've modified sources to start an additional
persistent ssh tunnel to the x2goserver. this works for me but i guess
it is an ugly hack and it only works with this old version.
hope this clears things up.
regards
heiko
On Wed, 01 Jun 2011 11:21:51 +0200, Mike Gabriel
<mike.gabriel at das-netzwerkteam.de> wrote:
> Hi Heiko,
>
> On Mo 30 Mai 2011 19:12:44 CEST Heiko Baumann wrote:
>
>> hi,
>>
>> if you enable ssh agent forwarding (ssh option -A or ForwardAgent in
>> ssh_config) your agent connection is "forwarded" to the remote host.
>> this way you can use your ssh-agent (and smartcard in my case) to
>> login (or mount sshfs) to another host using your private key stored
>> in your local ssh-agent. this works with a socket created in
>> /tmp/ssh-<somerandomstring>/agent.<pid> on the ssh server/host.
>>
>> if i use a current x2goclient this socket is not created and so i
>> cannot mount a directory from another host from within my x2gosession.
>
> Is it possible that Alex and you discuss two very separate things?
>
> Alex's topic: By looking at the sources of X2goClient, there
> obviously is an SSH agent implementation in X2goClient. BUT: that's
> for session authentication.
>
> Heiko's topic: What you are referring to in your last sentence is
> using X2go's reverse SSH port forwarding tunnel to access other
> server's shares in the X2go client's sub-LAN? This currently is not
> supported (and probably now wanted, either). Also: if the
> implementation of such a feature became a future endeavour we would
> have really to look at it very closely for considerations on
> security.
>
> Greets,
> Mike
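
The failure shown in the message above (no forwarded agent socket on the intermediate host, so the next hop answers "Permission denied") can be checked for from inside a session. The shell function below is an added example, not part of the original thread or of X2Go; the name `check_agent_sock` and the status words it prints are made up here, and it assumes GNU `stat`.

```shell
#!/bin/sh
# Added example (not from the thread): classify the state of the forwarded
# ssh-agent socket, e.g. /tmp/ssh-<random>/agent.<pid> as in the listing above.
# Prints one status word; returns 0 only when the agent answers with keys.
# Assumes GNU stat (-c); check_agent_sock and its status words are hypothetical.
check_agent_sock() {
    sock="${1-${SSH_AUTH_SOCK-}}"      # explicit path, else the session's value
    if [ -z "$sock" ]; then echo unset; return 1; fi
    if [ ! -e "$sock" ]; then echo missing; return 1; fi
    if [ ! -S "$sock" ]; then echo not-socket; return 1; fi

    # The listing above shows the socket directory as drwx------ (0700),
    # owned by the login user; anything looser exposes the socket.
    dir=$(dirname "$sock")
    set -- $(stat -c '%a %u' "$dir")
    if [ "$1" != 700 ]; then echo "dir-mode-$1"; return 1; fi
    if [ "$2" != "$(id -u)" ]; then echo dir-not-owned; return 1; fi

    # ssh-add -l exits 0 = keys listed, 1 = agent has no keys,
    # 2 = agent could not be contacted.
    rc=0
    SSH_AUTH_SOCK="$sock" ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo ok; return 0 ;;
        1) echo agent-empty; return 1 ;;
        *) echo agent-unreachable; return 1 ;;
    esac
}
```

Called without an argument inside the session, it inspects `$SSH_AUTH_SOCK`; `unset` or `missing` corresponds to the case where the client did not set up agent forwarding.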