[X2Go-Dev] X2Go Client - new features and bugfix
Alexander Wuerstlein
snalwuer at cip.informatik.uni-erlangen.de
Thu Dec 12 15:04:53 CET 2013
On 13-12-12 14:44, Stefan Baur <newsgroups.mail2 at stefanbaur.de> wrote:
> Am 12.12.2013 14:20, schrieb Oleksandr Shneyder:
>
> >1. Support for GSSApi (Kerberos 5) authentication.
>
> Care to explain what that can be used for, to the non-initiated? :-)
Single-Sign-On done right. You log on with your Kerberos password, which
creates an ephemeral "ticket" that allows password-less login to
other services. Services might be e.g. ssh, but also websites,
SMTP/IMAP/POP3 and quite a lot more.
Hypothetical scenario: You log in to your thin client running x2go with
your username and password (smartcard would also be possible
theoretically). Thats the only time you need to type a password. You
then connect to the x2go session broker, authenticated by your ticket,
which assigns you to a server. On that server you log in with your
ticket. You start a web browser and open your IMAP webclient,
authenticated by your ticket wich is forwarded from your thinclient over
the ssh/x2go connection to your browser. The IMAP webclient also
authenticates via a forwarded ticket to the IMAP server where you read
your Email.
Of course this is somewhat hypothetical still because not every piece of
software supports ticket forwarding and I'm not sure if x2go already
does all that. Also, services like the x2go session broker would have to
be extended to support this kind of authentication I guess. But what
should generally work is passwordless x2go in places where passwordless
ssh already works via Kerberos.
Ciao,
Alexander Wuerstlein.
More information about the x2go-dev
mailing list