[X2Go-User] Help need with Linux-Linux Kerberos Authentication

Stefan Baur X2Go-ML-1 at baur-itcs.de
Thu Jan 24 13:42:29 CET 2019


On 24.01.19 at 13:24, rubens.zanatta at grad.ufsc.br wrote:
> Hello again Stefan, thanks for looking into this.
> 
>> First, confirm that a regular SSH login using the same username, client,
>> and server, with Kerberos enabled, works.
> 
> Yes, I am able to connect client and server through SSH with Kerberos
> auth, without being prompted for a password. I had changed some of the
> config options you mentioned but it was already working before and
> the error still persists with X2Go. The ssh verbose prompts these lines
> that prove that gssapi is working:
> 
>> debug1: Next authentication method: gssapi-with-mic
>> debug1: Authentication succeeded (gssapi-with-mic).
>> Authenticated to newhost ([SERVER IP]:22).

Okay, that's good.


>> Second, can you create an account on the server that does not need to
>> authenticate via Kerberos, and attempt a regular user/password or SSH
>> Public Keyfile login, to see if that works?  If that doesn't work, then
>> your X2Go installation (server, client, or both) is botched somehow, and
>> the issue is independent of Kerberos.
> 
> I'm not sure if I got that right. If you're asking me to create another
> user account (on the X2Go server) and attempt a regular X2Go login,
> without Kerberos, then yes, it does work fine with X2Go and SSH with
> password authentication.

Yes, that was what I was asking for.  Thanks for confirming that this
works as well.


> One thing that I noticed on the SSH Logs on the server is that the
> failed X2Go Kerberos authentication attempts are actually successful but
> disconnect IMMEDIATELY after being done. This does not happen with a
> password based X2Go connection. Take a look:
> 
>> Jan 24 09:43:04 newhost sshd[10146]: Authorized to remoto, krb5 principal remoto at KERBEROS.COM (krb5_kuserok) 
>> Jan 24 09:43:04 newhost sshd[10146]: Accepted gssapi-with-mic for remoto from [CLIENT IP] port 33428 ssh2: remoto at KERBEROS.COM 
>> Jan 24 09:43:04 newhost sshd[10146]: pam_unix(sshd:session): session opened for user remoto by (uid=0) 
>> Jan 24 09:43:04 newhost systemd-logind[554]: New session 12 of user remoto. 
>> Jan 24 09:43:04 newhost sshd[10210]: Received disconnect from [CLIENT IP] port 33428:11: disconnected by user 
>> Jan 24 09:43:04 newhost sshd[10210]: Disconnected from user remoto [CLIENT IP] port 33428 
>> Jan 24 09:43:04 newhost sshd[10144]: dispatch_protocol_error: type 90 seq 3 [preauth] 
>> Jan 24 09:43:04 newhost sshd[10146]: pam_unix(sshd:session): session closed for user remoto 
>> Jan 24 09:43:04 newhost systemd-logind[554]: Removed session 12.
> 
> Could this be related to that socket error mentioned on the X2Go --debug
> verbose? 

Like I said, I am not exactly knowledgeable about Kerberos.  However,
there were two bug reports and changes related to Kerberos that I was
able to find in the bug tracker.  So maybe the fix for the regression
doesn't fully work, or you are still using the version with the regression?

To find out, the answers to the following questions would be helpful:

What's the *client* Operating System/Distribution/Version that you are
using? (If it's a Linux system, 'cat /etc/os-release' should provide all
the necessary info.)

What's the X2GoClient version you are using?
(Run 'LANG=C x2goclient --version' in the shell to find out.)

One outcome might be that we'll have to get you to change to an older or
newer version of X2GoClient and try that.

Another option is that I set up a small demo Kerberos environment myself
and try to replicate the issue there, as time permits.  No guarantees on
the time frame, though.

Last, we could get commercial support involved - if you are willing and
able to pay (Rates are usually around 125 EUR/h, taxes not included).

Kind Regards,
Stefan Baur

-- 
BAUR-ITCS UG (haftungsbeschränkt)
Geschäftsführer: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364
Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243
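
Added example, not part of the original message and not X2Go or OpenSSH code: a small Python script that pairs each sshd "Accepted" line with the "session closed" line from the same sshd PID and reports sessions that ended within a couple of seconds of authenticating, which is the pattern in the server log quoted above. The sample log is constructed from those quoted lines; the IP addresses, the `testuser` account, the `@` form of the principal and the year 2019 (syslog timestamps carry no year) are assumptions.

```python
import re
from datetime import datetime

# Constructed sample modelled on the sshd lines quoted in the message;
# 192.0.2.10 and "testuser" are placeholders, not values from the thread.
SAMPLE_LOG = """\
Jan 24 09:43:04 newhost sshd[10146]: Accepted gssapi-with-mic for remoto from 192.0.2.10 port 33428 ssh2: remoto@KERBEROS.COM
Jan 24 09:43:04 newhost sshd[10146]: pam_unix(sshd:session): session opened for user remoto by (uid=0)
Jan 24 09:43:04 newhost sshd[10210]: Received disconnect from 192.0.2.10 port 33428:11: disconnected by user
Jan 24 09:43:04 newhost sshd[10146]: pam_unix(sshd:session): session closed for user remoto
Jan 24 09:50:11 newhost sshd[10301]: Accepted password for testuser from 192.0.2.10 port 33512 ssh2
Jan 24 09:50:11 newhost sshd[10301]: pam_unix(sshd:session): session opened for user testuser by (uid=0)
Jan 24 10:20:45 newhost sshd[10301]: pam_unix(sshd:session): session closed for user testuser
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPTED = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from ")
CLOSED = re.compile(r"session closed for user (?P<user>\S+)")


def short_sessions(log_text, max_seconds=2, year=2019):
    """Return (pid, user, method, seconds) for sessions closed soon after auth."""
    accepted = {}  # sshd PID -> (auth time, user, auth method)
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an sshd line
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        pid, msg = m["pid"], m["msg"]
        if (a := ACCEPTED.match(msg)):
            accepted[pid] = (when, a["user"], a["method"])
        elif CLOSED.search(msg) and pid in accepted:
            # In the quoted log the "Accepted" and "session closed" lines share
            # one PID, while the disconnect is logged by a different PID.
            start, user, method = accepted.pop(pid)
            seconds = (when - start).total_seconds()
            if seconds <= max_seconds:
                hits.append((pid, user, method, seconds))
    return hits


if __name__ == "__main__":
    for pid, user, method, seconds in short_sessions(SAMPLE_LOG):
        print(f"sshd[{pid}] {user} via {method}: closed after {seconds:.0f}s")
```
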

