[X2Go-Dev] SSH Agent (auth+forwarding) support in Python X2Go / PyHoca-GUI

Mike Gabriel mike.gabriel at das-netzwerkteam.de
Thu Oct 11 12:10:33 CEST 2012


Hi all,

during the last couple of days I have added SSH Agent  
(forwarding+auth) support to Python X2Go (and so to PyHoca-GUI and  
PyHoca-CLI).

The feature is already available in the nightly-build (Debian)  
archive. The Ubuntu nightly-built packages should follow soon.

For SSH agent forwarding you need the not-yet-released Paramiko  
version 1.8.0. For Debian I have packaged a Git snapshot and it is  
available with the nightly-build of python-x2go.

Try it out:

   place your SSH pubkey on machine-1 and machine-2 (which can be reached via
   machine-1) into the (for this demo) otherwise empty files:

     user-1@machine-1:~user-1/.ssh/authorized_keys

   and

     user-2@machine-2:~user-2/.ssh/authorized_keys

   Back on your local client:

   $ ssh-add [<priv-keyfile>]
   $ pyhoca-gui

   Enable SSH agent forwarding in the connection tab of a session profile for
   machine-1. Use a simple TERMINAL session command.

   Connect to user-1@machine-1 and start a session on machine-1

   $ echo $SSH_AUTH_SOCK
   /tmp/ssh-<hash>/agent.<pid>

   $ ssh <user-2>@<machine-2>
   (should work without password)

   For the authentication from user-1@machine-1 to user-2@machine-2 you use an
   SSH agent connection that is tunneled back through Python X2Go to your
   client machine (the machine you run PyHoca-GUI on). So, the SSH agent on
   your client machine serves a challenge/response request from SSH client
   programs within X2Go sessions.

   Note: if you try the above with a GNOME desktop (XFCE4 probably as well) the
   gnome-keyring will hijack the SSH agent functionality and ignore forwarded
   SSH agent connections (with x2goserver-xsession package installed).

   Use this command to disable the SSH agent feature in gnome-keyring (within
   the X2Go Session):

   $ gconftool-2 -s /apps/gnome-keyring/daemon-components/ssh false --type bool

   After you have applied this gconf change, log out and start a new GNOME
   session. Now SSH agent stuff is handled through ssh-agent and it should also
   be aware of SSH agent forwarding connections.

Have fun!
Mike

-- 

DAS-NETZWERKTEAM
mike gabriel, rothenstein 5, 24214 neudorf-bornstein
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel at das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb
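
Added example, not part of the original post or of Python X2Go: a check to run inside the X2Go session that reports whether SSH_AUTH_SOCK points at an ssh-agent style socket (the form shown in the post) or at a gnome-keyring socket, and whether the agent behind it answers. The keyring path patterns are assumptions about common gnome-keyring socket locations; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: inspect the agent socket seen inside an X2Go session.

# Classify a socket path. Patterns are assumptions: the ssh-agent form is the
# one shown in the post; the keyring forms (/tmp/keyring-*/ssh,
# /run/user/<uid>/keyring*/ssh) are common gnome-keyring locations.
classify_agent_sock() {
    case "$1" in
        "")                      echo "unset" ;;
        */keyring*/ssh)          echo "gnome-keyring" ;;
        /tmp/ssh-*/agent.[0-9]*) echo "ssh-agent-style" ;;
        *)                       echo "unknown" ;;
    esac
}

# Map the documented exit status of `ssh-add -l` to a short description.
describe_ssh_add_rc() {
    case "$1" in
        0) echo "agent reachable, identities loaded" ;;
        1) echo "agent reachable, no identities" ;;
        2) echo "cannot contact agent" ;;
        *) echo "unexpected status $1" ;;
    esac
}

# Report on the current environment. A local ssh-agent uses the same path
# style as a forwarded one, so compare the listed fingerprints with the output
# of `ssh-add -l` on the client machine to confirm the socket is the forwarded one.
check_agent() {
    kind=$(classify_agent_sock "${SSH_AUTH_SOCK:-}")
    echo "SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-<unset>} ($kind)"
    if [ "$kind" = "gnome-keyring" ]; then
        echo "gnome-keyring owns the socket; the forwarded agent is being ignored"
    fi
    if ! command -v ssh-add >/dev/null 2>&1; then
        echo "ssh-add not installed"
        return 3
    fi
    ssh-add -l
    rc=$?
    echo "agent: $(describe_ssh_add_rc "$rc")"
    return "$rc"
}

# Run the check only when asked, e.g.  sh check-agent.sh --check
if [ "${1:-}" = "--check" ]; then check_agent; fi
```
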