[X2Go-User] Some basics questions

Stefan Baur X2Go-ML-1 at baur-itcs.de
Tue Sep 29 16:41:21 CEST 2015


On 29.09.2015 at 15:51, Alain Aupeix wrote:
> Hi,
> 
> After some tries, and a few problems, I made my connections possible,
> but I have some questions:
> 
> 1) On the machine where I install ssh, I always disable, for
> security reasons, the possibility to connect using the user
> password. After some unsuccessful tries, I saw that to be able to
> connect, I must enable the connection with the password (on server
> side).
> 
> Is it normal? I don't like a simple password protection. I prefer
> public key.

No, you can use Public Key authentication, either with or without an
additional password on top, and either via a specified key file or via
SSH auth agent.

Please have a look at our Wiki.
http://wiki.x2go.org/doku.php/doc:usage:x2goclient#getting_started_my_first_session_profile

> 2) In my first tries, I had a curious message, and it was
> impossible to connect. The problem was in known-host. Deleting it
> did the trick, but analysing the difference between the previous
> and the one generated during x2go connection, I saw a difference
> between records.
> 
> When using ssh in console to connect, the record looks like this :
> 
> |1|TaiGrqxL3igpSgVZ4Y6WahmwxEw=|M6tIFGIbg/ZQJI4HTLwLC55AAeY= 
> ecdsa-sha2-nistp256 AAAAE2VjZHNhLX
> 
> When connecting with x2go, looks like that:
> 
> [192.168.1.53]:22461 ssh-rsa AAAAB3NzaC1yc2E .....
> 
> Now, with my last tests, if I have a first form of record, I have
> this message :
> 
> The host key for this server was not found but anothertype of key 
> exists. An attacker might have changed the default server key to
> trick your client into thinking the key does not exist yet.
> 
> For security reasons, it is recommended to stop the connection
> attempt.
> 
> Do you want to terminate the connection?
> 
> 
> Accepting, a new record is added to known host with the second form
> of record.
> 
> I noticed that a record created by x2go in a fresh known_hosts is
> used without problem with ssh
> 
> 
> Why such a difference?

This is nothing X2Go-specific.  Modern-day ssh implementations do not
use a plaintext format for the known_hosts file any more.  Please
refer to the documentation of your Linux distribution.
The key, in its hashed form, most likely contained a non-rsa key,
maybe ecdsa or dsa, which is why SSH (not X2Go per se) prompts you to
make a decision.


> Will the IP address be updated during a future connection, as the
> provider changes our public IP from time to time?

No.  Each time your server receives a new IP, you will be asked to
confirm the connection on the client.  Again, nothing X2Go-specific,
but rather plain SSH.  The way around this is setting up a dynamic DNS
entry, you might want to read up on that.


> 3) Using x2go graphic window, when I choose a profile to connect,
> x2go first presents the box to enter the key, but user password
> hasn't yet been entered, so we must cancel the key box and the
> error box, and then enter the user password to have again the key
> box. This is very curious, and more curious, entering the key
> doesn't work, x2go always wants me to enter the key. In fact, just
> cancelling this box and the connection is ok. I suppose it's due to
> known_host, but the way to connect is very strange.

This is due to a setup error on your side, probably due to not
following the instructions and choosing a combination of options that
do not really make sense for your setup.

If you authenticate via password, there's no need to enter a path to a
key file, nor to check "try auto-login".

On the other hand, if you intend to authenticate via public key, you
should either:
- have a running SSH auth agent with the key already loaded (please
*do not* specify a path and file name to your keyfile in that case),
or
- set a valid path and name for the keyfile (which needs to have the
proper restrictive ownership/group and permission settings to be
accepted - usually youruser:youruser and 600)

For public key authentication, you should not enter a password in the
user/password box at all.

If you're using an SSH auth agent, there will be no prompt for the
password, even if your keyfile is protected with one, as you already
entered the password when loading the key into the agent, and it
remains unencrypted there (that being the idea of having an SSH auth
agent - not having to re-type the password over and over).

If you're not using an SSH auth agent, and a password-protected
keyfile, you will receive a pop-up dialog box prompting you to enter
the password for the key *after* you clicked the button.  Again, *do
not* enter a password directly in the field under the username field
when using this authentication method.

-Stefan

-- 
BAUR-ITCS UG (haftungsbeschränkt)
Managing Director: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Register court Ulm, HRB 724364
Phone/Fax 0731 40 34 66-36/-35 | VAT ID: DE268653243
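
Added example, not part of the original message and not X2Go, OpenSSH or libssh code: a simplified Python model of the known_hosts lookup discussed under question 2. It shows how a hashed `|1|salt|hash` record and a plain `[host]:port` record can name the same server, and why a stored ECDSA key combined with an offered RSA key leads to the "another type of key exists" prompt. The function names, result labels, salt and key strings are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample data: the address is the one quoted in the post; the salt
# and key strings are placeholders, not real key material.
HOST = "[192.168.1.53]:22461"
SALT = bytes(range(20))


def hash_host(host, salt):
    """Hashed host field: |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def host_matches(field, host):
    """True if a known_hosts host field (hashed or plain) names `host`."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in field.split(",")  # plain form; wildcards are not handled


def check_host_key(known_hosts, host, offered_type, offered_key):
    """Return 'ok', 'changed', 'other-type' or 'unknown' (hypothetical labels)."""
    other_types = set()
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue  # skip blanks, comments and @marker lines
        field, key_type, key = parts[:3]
        if not host_matches(field, host):
            continue
        if key_type == offered_type:
            return "ok" if key == offered_key else "changed"
        other_types.add(key_type)
    return "other-type" if other_types else "unknown"


# As in the post: console ssh stored a hashed host with an ECDSA key only.
HASHED_ONLY = hash_host(HOST, SALT) + " ecdsa-sha2-nistp256 CONSTRUCTED-ECDSA-KEY\n"
# After accepting the prompt, a plain ssh-rsa record is appended.
AFTER_ACCEPT = HASHED_ONLY + HOST + " ssh-rsa CONSTRUCTED-RSA-KEY\n"

if __name__ == "__main__":
    print(check_host_key(HASHED_ONLY, HOST, "ssh-rsa", "CONSTRUCTED-RSA-KEY"))
    print(check_host_key(AFTER_ACCEPT, HOST, "ssh-rsa", "CONSTRUCTED-RSA-KEY"))
```

On a real system, `ssh-keygen -F '[192.168.1.53]:22461'` performs the same search over `~/.ssh/known_hosts`, including hashed entries.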

