[X2Go-Dev] X2Go Server contains some IPv4/non-IPv6 logic for creating ports.

Mihai Moldovan ionic at ionic.de
Sun Jan 10 08:48:42 CET 2016


On 30.12.2015 10:21 AM, Mike Gabriel wrote:
> On Sun 23 Aug 2015 23:10:59 CEST, git-admin wrote:
>> [...]
>> commit bfe3ba761c1d3e9143285ca17edc87ac763ce35d
>> Author: Mihai Moldovan <ionic at ionic.de>
>> Date:   Sun Aug 23 23:08:45 2015 +0200
>>
>>     x2goserver/bin/x2gostartagent: changes to Robert Nowotny's  
>> SSH_PORT patch. Fixes: #922.
>> [...]
> 
> Haven't looked at X2Go Server code for a while... Today I found the below...
> 
>> +# Get server IP address.
>> +get_server_ip_address() {
>> [...]
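Review bot: the comment above get_server_ip_address() says only "Get server IP address", which leaves open which address family is returned and which of the host's addresses is meant on a multi-homed machine. Suggest stating both in the comment, or in the function name, so a caller does not assume the result is valid for IPv6 traffic as well.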
> 
> Has anyone of you ever heard of IPv6? And has anyone ever seen setups  
> where the IPv6 traffic is routed via a different interface compared to  
> IPv4 traffic?

Yes, and this is exactly why that function is not used by default. Instead, the "real" port randomization is used.
IPv4-address-based randomization can be enabled by setting "randomize_ssh_port" to "0", but administrators have to edit
the script manually to do this. Even though the comment says otherwise, I think it shouldn't be configurable in
x2goserver.conf either for exactly this reason.


> Furthermore, within the last years, I never had any problems with  
> server-side ports being the same on different servers. I mostly  
> connect through PyHoca. So if there is a problem in X2Go Client  
> regarding server-side SSH tunnel ports, why--the hack--do you fix that  
> in X2Go Server?
> 
> If the port allocation is a problem at all, it certainly is a problem  
> that requires fixing in X2Go Client, not X2Go Server.
> 
> Please consider reverting this flawed patch!!!

I don't think port randomization is bad per se, so I'd like to keep it.

It's true that the real problem lies within x2goclient and I should eventually get rid of that, too, by checking whether
a port is already in use and incrementing it, though.


On 30.12.2015 10:40 AM, Mike Gabriel wrote:
> Since when does X2Go promote Google??? Or even depend on them?
>
> As this patch is IPv6-flawed anyway, the next request is pointless...
> In case the patch is kept, please make this configurable and use the
> IP address of japsand.x2go.org or some other static IP on the internet
> that is more politically correct, please.

I don't promote or depend upon Google in any way. As the comment makes clear, the IPv4 address provided there is not
contacted in any way, I just need some address predictably outside of any local network to get the default outgoing
address from the routing table.

I chose 8.8.8.8 instead of Japsand's address or any other address, because I didn't want users with malicious intent to
try to attack whatever address is written in the source code "for fun", assuming that 8.8.8.8 is well-known and well
protected. Any other address would have made us "responsible" for "providing" the address if an attack was based on that
information.



Mihai
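
The routing-table lookup discussed in this message, extended to both address families, as an added example that is not part of the original message or of x2gostartagent. It assumes iproute2's `ip route get` as the lookup mechanism (the thread does not say how the script does it); the function names and the sample route lines are constructed.

```shell
#!/bin/sh
# Added example, not X2Go code. Sample route lines are constructed.

# One line of `ip -4 route get <addr>` output (constructed, documentation addresses).
SAMPLE_V4='192.0.2.1 via 198.51.100.1 dev eth0 src 198.51.100.23 uid 1000'
# One line of `ip -6 route get <addr>` output (constructed): IPv6 leaves via tun0.
SAMPLE_V6='2001:db8:ffff::1 from :: via fe80::1 dev tun0 proto static src 2001:db8:1::23 metric 1024 pref medium'

# route_field KEY LINE: print the word that follows KEY (src, dev, via) in LINE.
# Returns 1 if KEY is absent, so a missing field is never mistaken for a value.
route_field() {
    rf_key=$1
    set -f            # no globbing while the line is split into words
    set -- $2         # intentional word splitting on whitespace
    set +f
    while [ "$#" -gt 1 ]; do
        if [ "$1" = "$rf_key" ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# outgoing_src FAMILY PROBE: ask the kernel which source address it would use
# to reach PROBE (FAMILY is 4 or 6). This is a routing-table lookup only; no
# packet is sent to PROBE. Returns 1 if `ip` is missing or there is no route.
outgoing_src() {
    command -v ip >/dev/null 2>&1 || return 1
    os_line=$(ip "-$1" route get "$2" 2>/dev/null | head -n 1)
    route_field src "$os_line"
}

# same_egress LINE4 LINE6: succeed only if both families leave via the same
# interface. Returns 2 if either line has no dev field.
same_egress() {
    se_dev4=$(route_field dev "$1") || return 2
    se_dev6=$(route_field dev "$2") || return 2
    [ "$se_dev4" = "$se_dev6" ]
}

if same_egress "$SAMPLE_V4" "$SAMPLE_V6"; then
    echo "IPv4 and IPv6 share an interface"
else
    echo "IPv4 uses $(route_field src "$SAMPLE_V4"), IPv6 uses $(route_field src "$SAMPLE_V6")"
fi
```

On a host where the two families are routed differently, as in the constructed samples, a value derived from the IPv4 source address says nothing about the path IPv6 clients take.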
