[X2Go-User] pxe: "Access denied: Authentication that can continue...."

Luciano Gabriel Andino malucosfe at gmail.com
Thu Dec 26 14:59:56 CET 2013


2013/12/24 Stefan Baur <newsgroups.mail2 at stefanbaur.de>

> On 24.12.2013 02:33, Luciano Gabriel Andino wrote:
>
>> Hi there)) I am trying to configure x2go/pxe and this is my first
>> question.
>>
>> I did a clientsession in server and scp transfer to pxe server. PXE
>> server is ready, client booted but I can't log in because this message
>> appears (in client):
>>
>> "Access denied: Authentication that can continue...."
>>
>>
>> while it was possible to log in from a linux box. The idea is that any
>> user can access his account from any client. How can I store these
>> public keys?
>>
>
> I'm not sure what went wrong there, but I'm also not quite sure what
> you're trying to accomplish. So I've typed down the answers to the three
> most likely interpretations of your question that I can come up with. If
> none of this matches what your intention is, please rephrase your question,
> explain in greater detail what you're trying to accomplish (expected
> behavior versus actual behavior), and post again.
>
> --------------------------------
>
> The following is assuming that while you want every user to be able to use
> every client, you *do* want authentication (i.e. every user has a dedicated
> account that no one else should be using):
>
> 1) The easiest way would be using passwords only. You do not HAVE to use
> public key files, though of course they provide greater security WHEN - and
> ONLY WHEN - implemented and used correctly.
>
> 2) If you want to use two-factor authentication, my guess is that you
> could either
> 2a) put the secret keys (the public key of each user needs to be in the
> user's home directory, in a subdirectory called ".ssh", and a file named
> "authorized_keys", with proper restrictive permissions in place) on a USB
> key fob, set up the Thin Client Environment so that it looks for USB
> devices and tries to mount them automatically, and have a symlink from
> .ssh/id_rsa or id_dsa on the TCE user's home directory on the thin client
> point to the mountpoint of the USB device (which needs to contain a linux
> filesystem so the permissions work) or
> 2b) use Smartcard-Based authentication, which requires cards and reader
> hardware. This is something I've never used myself, though, so you should
> contact one of the core developers (Mike Gabriel seems to be the most
> active one these days) about how that works.
>
>
> --------------------------------
>
> Now, assuming that you don't care about security at all, because you want
> everyone to be able to log in as everyone (think Infokiosk), you could of
> course dump all the secret keys for your pseudo-users into id_rsa_something
> or id_dsa_something files (as above, with proper restrictive permissions in
> place), make them part of the TCE NFS image and reference them in your
> sessions file - but that is something you should really only do if you DO
> NOT NEED NOR WANT ANY SECURITY AT ALL and are simply looking for a way that
> users aren't bothered with having to enter a password.
>
> --------------------------------
>
> If you think you should use Keyfiles AND Passwords to the keyfiles, AND
> are looking for a way to centrally store the keyfiles so nobody needs a USB
> key fob or smartcard, you are making your system LESS secure than a
> password-only solution without keyfiles. So if that was your intent, DO NOT
> DO THAT.
> The reason is that while you can regularly change passwords on secret
> keyfiles, ANY copy of a secret keyfile with a known password WILL ALWAYS
> grant access to the account with the matching public keyfile.
> So if anybody at any time gets hold of the keyfile AND the then-current
> password, changing the password on your keyfile DOES NOT LOCK HIM OUT.
> You NEED to generate completely NEW keyfiles in that situation. THIS IS
> BAD. So avoid this approach at all costs.
>
> --------------------------------
>
> Sorry that this message is rather long, but these are some newbie mistakes
> I'm seeing again and again, and I'd like to keep you from making these
> mistakes, if only for the sake of your users.
>
> -Stefan
>

Hello! Thanks for your answer. I will try to explain what I am trying to do,
and maybe you can recommend the best option.
Actually, I'm using thinstation's image for booting diskless stations to
access a Linux server using XDMCP.
My LAN has about 25 MSI Wind nettop clients, with no HD, but they can boot
using PXE.
I am just testing x2go to see if there is an important improvement
in terms of graphical response on the client side.
At the same time, I'm interested in accessing my KDE session from outside
(Internet) with a normal computer. The problem is I don't know which is
the best option for diskless computers in the LAN, considering that sometimes
a user needs to access his account from a different station.
The options I understood you described are:
1) Using no public keys (no encryption?). How can this be done?

2) In this option, I don't understand whether .ssh/authorized_keys must be in
the user's home directory on the server or on the USB stick. Is there any
documentation for this? Also, it seems users need to have their own stick to
attach to the station they want to use.

3) I can store session and public keys in the exported fs (not recommended).

Also, I am in doubt whether, if users change their Linux account's password or
access from a different station, I need to make changes to the public keys.


-- 
Saludos!!

Luciano Andino
GNU/Linux user #185103
Santa Fe - Argentina
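
Added example, not part of the original thread and not X2Go code: the quoted reply notes that changing the passphrase on a copied key file does not lock anyone out, so the old public key also has to be taken out of the server-side `authorized_keys`. This Python code removes an entry by fingerprint and flags group- or world-writable `.ssh` paths; the key blobs, comments and the `demo()` helper are constructed for illustration.

```python
import base64, hashlib, os, pathlib, shlex, tempfile
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def line_fingerprint(line):
    """SHA256 fingerprint of the key on one authorized_keys line, else None."""
    if line.lstrip().startswith("#"):
        return None
    try:
        tokens = shlex.split(line)   # option values may be quoted and contain spaces
    except ValueError:
        tokens = line.split()        # unbalanced quote, e.g. an apostrophe in the comment
    for kind, blob in zip(tokens, tokens[1:]):
        if kind in KEY_TYPES:
            try:
                raw = base64.b64decode(blob, validate=True)
            except ValueError:       # binascii.Error is a ValueError subclass
                return None
            return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")
    return None

def revoke(path, fingerprint):
    """Rewrite authorized_keys without the given key; return entries removed."""
    if not fingerprint:
        raise ValueError("fingerprint required")
    lines = pathlib.Path(path).read_text().splitlines(keepends=True)
    kept = [l for l in lines if line_fingerprint(l) != fingerprint]
    fd = os.open(path + ".new", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.writelines(kept)
    os.replace(path + ".new", path)  # atomic swap; the new file is created 0600
    return len(lines) - len(kept)

def loose_permissions(ssh_dir):
    """Group- or world-writable paths, which sshd's StrictModes check refuses."""
    paths = [ssh_dir, os.path.join(ssh_dir, "authorized_keys")]
    return [p for p in paths if os.stat(p).st_mode & 0o022]

def demo():
    old, new = (base64.b64encode(b).decode()    # constructed placeholders, not real keys
                for b in (b"constructed-old-key", b"constructed-new-key"))
    ssh_dir = tempfile.mkdtemp()
    path = os.path.join(ssh_dir, "authorized_keys")
    pathlib.Path(path).write_text(f"ssh-ed25519 {old} old-stick\n"
        f'command="echo hi",no-pty ssh-ed25519 {old} same key, restricted\n'
        f"ssh-ed25519 {new} replacement\n")
    os.chmod(path, 0o664)                       # deliberately too loose
    loose = loose_permissions(ssh_dir)
    return revoke(path, line_fingerprint(f"ssh-ed25519 {old}")), loose, loose_permissions(ssh_dir)
```

Matching on the fingerprint rather than the comment field catches every line that carries the old key, including the copy that has options in front of it.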