A page in your DokuWiki was added or changed. Here are the details:
Date : 2017/11/20 12:49
Browser : Mozilla/5.0 (X11; Linux x86_64; rv:52.9) Gecko/20100101 Goanna/3.4 Firefox/52.9 PaleMoon/27.6.0
IP-Address : 134.3.37.90
Hostname : HSI-KBW-134-3-37-90.hsi14.kabel-badenwuerttemberg.de
Old Revision: https://wiki.x2go.org/doku.php/doc:howto:tce?rev=1511182069
New Revision: https://wiki.x2go.org/doku.php/doc:howto:tce
Edit Summary: [List of open ToDos/FIXMEs for this page] updated x2gocdmanager entry
User : stefanbaur
@@ -1028,13 +1028,13 @@
FIXME Maybe we should add symlinks to the mount points created by the automounter: Currently, we create ''/media/vendor_model_name/sdxn'' as a mount point. The idea is to allow the user to find their portable device using the vendor/model name description. However, this is unusable for scripting, as the ''//x//'' in ''sdxn'' may change any time. We should replace ''//sdx//'' with ''//partition//'' (or have corresponding
symlinks created), but what should we do for //superfloppies// that only have ''sdx'' with no partition number? We could mount them as ''/media/vendor_model_name/partition/'' or directly at ''/media/vendor_model_name/''. Also, symlinks using labels and uuids, similar to ''/dev/by-*'' would be handy for scripting. Another problem: when replacing ''sdx'', what will happen when a user inserts two media with the same vendor/model name at the same time? Blindly replacing the string would make one of them inaccessible due to overwriting the symlink(s). We'd have to start checking active mounts and enumerate them like ''media/vendor_model_name/1/partitionn/'' or ''media/vendor_model_name-1/partitionn/''.
FIXME Automount script currently expects a LUKS password in ''/etc/keys/keystick.key'' when it believes it has found an encrypted partition on USB media. This is a problem in general, as it should be trivial to sniff out this password using a rogue client. If we want to support this
feature, though, we should add code to the build script that lets the user place a password file in the image, and sets proper restrictive permissions. Adding a boot parameter instead of hardcoding it would allow for dynamic password files, but on the other hand, would make it even easier to sniff out the password.
- FIXME ''x2gocdmanager'' is currently not part of the image (I think), but should probably become part of it. While optical media are on their way out, they still exist and thus we should support them. However, the script is hardcoded for X2Go-TCE-NFS and needs to be adapted to work with both TCEs.
+ FIXME ''x2gocdmanager'' is currently not part of the image, but should become part of it. While optical media are on their way out, they still exist and thus we should support them. However, the script is hardcoded for X2Go-TCE-NFS and needs to be adapted to work with both TCEs.
FIXME ''pinentry-x2go'' and ''x2gosmartcardrules'' probably need further investigation to
make smartcard authentication work.
FIXME Even though we set the hostname to localhost using the corresponding boot parameter, as recommended by Debian, changing the name via DHCP does not work for all image flavours. One way to fix this might be http://blog.schlomo.schapiro.org/2013/11/setting-hostname-from-dhcp-in-debi…
FIXME At least when building a stretch TCE on a jessie system, you need to add kernel parameters ''net.ifnames=0 biosdevname=0'' to the image's kernel parameters, else you will receive error messages about the hostname script being unable to find eth0. This might not be necessary when building a stretch TCE on stretch. For a jessie TCE on jessie, it is not required.
--
This mail was generated by DokuWiki at
https://wiki.x2go.org/
A page in your DokuWiki was added or changed. Here are the details:
Date : 2017/11/20 12:47
Browser : Mozilla/5.0 (X11; Linux x86_64; rv:52.9) Gecko/20100101 Goanna/3.4 Firefox/52.9 PaleMoon/27.6.0
IP-Address : 134.3.37.90
Hostname : HSI-KBW-134-3-37-90.hsi14.kabel-badenwuerttemberg.de
Old Revision: https://wiki.x2go.org/doku.php/doc:howto:tce?rev=1511182005
New Revision: https://wiki.x2go.org/doku.php/doc:howto:tce
Edit Summary: [List of open ToDos/FIXMEs for this page] updated second partition on USB media FIXME
User : stefanbaur
@@ -953,9 +953,9 @@
</code>
FIXME Document how to add second partition to USB media after dd'ing the iso-hybrid image, and how to add X2GoClient-Portable to it.
- * The catch is that on USB media, Windows will only see the partition with the partition number 1, even if there is more than 1 partition.
+ * The catch is that on USB media, Windows (except for Windows 10 Creators Update and newer) will only see the
partition with the partition number 1, even if there is more than 1 partition.
* However, it doesn't care whether the partition bearing the number 1 is actually the first partition. It will happily display the contents of the second partition as long as it bears the number 1.
* So, one has to change the partition number of the dd'ed image to 2, then create a new partition in the remaining space and assign it the number 1 and a partition type of FAT (NTFS *might* work, but is untested.)
* After that, partition "number 1" - actually the second partition on the USB media - can be formatted.
* Once formatted, one can install X2GoClient for Windows on it, and add a short batch script or similar to run it in portable mode (''x2goclient.exe --portable --session-conf=sessions'').
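Review bot: The exception added in the first bullet (Windows 10 Creators Update and newer) is not carried through to the bullets that follow, which still describe renumbering the dd'ed partition to 2 as something one has to do. Suggest saying in the third bullet that the renumbering is only needed for Windows versions that see just partition number 1, and replacing "a partition type of FAT" with the exact type intended, since NTFS is called out as untested.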
--
This mail was generated by DokuWiki at
https://wiki.x2go.org/
A page in your DokuWiki was added or changed. Here are the details:
Date : 2017/11/20 12:46
Browser : Mozilla/5.0 (X11; Linux x86_64; rv:52.9) Gecko/20100101 Goanna/3.4 Firefox/52.9 PaleMoon/27.6.0
IP-Address : 134.3.37.90
Hostname : HSI-KBW-134-3-37-90.hsi14.kabel-badenwuerttemberg.de
Old Revision: https://wiki.x2go.org/doku.php/doc:howto:tce?rev=1511181792
New Revision: https://wiki.x2go.org/doku.php/doc:howto:tce
Edit Summary: [List of open ToDos/FIXMEs for this page] updated SSH Private Keys FIXME
User : stefanbaur
@@ -1000,24 +1000,13 @@
* additional scripts could be added that work "automagically" if there's no PXE/TFTP/HTTP/FTP server yet - maybe in a separate package x2go-tce-setup-aids.deb which then has dependencies on atftpd and apache|lighttpd, ...
FIXME To be checked: Does the live-config "builtin" command ''live-config.nottyautologin'' do the same as our ''nouser'' command? If yes, ''nouser'' could be removed. Note that
''live-config.nottyautologin'' **might** mean "there's a login prompt, but you just need to enter username ''user'' and password ''live'' to login" - this is not what we want. We need a solution to entirely block user logons.
- FIXME It would be cool if there was some kind of autodetection for SSH private keys, on local storage media and/or on USB media.
+ FIXME autodetection for SSH Private Keys might need some more bells and whistles.
For USB media, this may require adding an automounter.
- * Stefan once wrote a script 2500-x2go-keychange for this, but it only handles local storage media, also, it needs to be adapted to the current TCE.
- * 1150-openssh-readsshprivatekeys or 1150-x2go-readsshprivatekeys would probably be the proper names
- * Maybe it would be better to split the process into 2 scripts, one that fetches the keys from local storage/USB media, and one that patches the sessions file
- * 2800-x2go-thinclientconfig would also have to be changed so it uses
the keyfile(s) when in broker mode (''--broker-ssh-key'')
- * https://packages.debian.org/jessie/usbmount might come in handy - needs to be configured to mount everything read-only
- * udev can be used to trigger an action when a block device gets plugged in or plugged out: /lib/udev/rules.d/80-do-something.rules ''SUBSYSTEM=="block", RUN+="/usr/bin/some-command"'' (command to trigger devices that were already plugged in at boot: ''udevadm trigger --action=add'')
- * all keys found on "real" (non-USB) disks that weren't already mounted should be copied to the ramdisk, mimicking the directory structure, and the device should be umounted immediately afterwards (so we don't interfere with the update script when running from NTFS)
- * once a key has been selected, it should be copied to /home/user/.ssh/id_[d|r]sa, and all other in-memory copies of keys should be wiped
+ * how about a script that patches the sessions file to enable autologin for all sessions when keys have been
found?
+ * 2800-x2go-thinclientconfig needs to be changed so it uses the keyfile(s) when in broker mode (''--broker-ssh-key'')
* directory scan
- * scan USB devices first
- * scan already mounted block devices belonging to fixed disks next (parse output of ''df'' or ''/proc/mounts'')
- * then start ro-mounting remaining partitions
- * scan for .ssh and ssh folders in /, /home/*/ and /*/ (in case /home was a separate mount point), but no subdirectories underneath them
- * check every file using the ''file'' command - output ends e.g. in ''PEM RSA private key''
* should we abort on first match?
* how do we treat multiple keys?
* no keys on USB and exactly one key on disk -> use key
* exactly one key on USB -> takes precedence over key/keys found on disk? Or present chooser based on gxmessage?
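Review bot: The removed bullets carried the only handling requirements for private keys in this FIXME: mounting media read-only, unmounting fixed disks right after copying, and wiping all other in-memory copies once a key has been selected. The shortened entry should say whether the current scripts already do these things; otherwise keep them as open items. The new bullet about patching the sessions file to enable autologin for all sessions should also say how it interacts with the still-open questions on multiple keys and key passwords further down.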
@@ -1025,8 +1014,9 @@
* problem with gxmessage as chooser is that it can only display 6 buttons on 640x480 (Which we should assume as minimum
screen size)
* 4 key choices, back, next?
* oooooor we might just load all keys into ssh-agent and let it figure out which one it needs?
* next problem: How do we prompt for passwords of such keys?
+
FIXME 2200-xserver-xorg-getxorgconf should be taught to understand file:<nowiki>//</nowiki> URLs.
FIXME Parsing the output of e.g. <code>udevadm info --query path /dev/sdb
/devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/host2/target2:0:0/2:0:0:0/block/sdb
--
This mail was generated by DokuWiki at
https://wiki.x2go.org/
A page in your DokuWiki was added or changed. Here are the details:
Date : 2017/11/20 12:43
Browser : Mozilla/5.0 (X11; Linux x86_64; rv:52.9) Gecko/20100101 Goanna/3.4 Firefox/52.9 PaleMoon/27.6.0
IP-Address : 134.3.37.90
Hostname : HSI-KBW-134-3-37-90.hsi14.kabel-badenwuerttemberg.de
Old Revision: https://wiki.x2go.org/doku.php/doc:howto:tce?rev=1511181721
New Revision: https://wiki.x2go.org/doku.php/doc:howto:tce
Edit Summary: [List of open ToDos/FIXMEs for this page] removed FIXME that has been fixed
User : stefanbaur
@@ -997,18 +997,8 @@
* /usr/share/x2go-tcebuilder/template-scripts (scripts we ship, with a big fat header that they should not be changed, but copied)
* store the results somewhere under /var/lib/x2go-tcebuilder/ or whatever the proper place according to FHS and Debian would be
* turning it into a package would mean we could add dependencies as well, so the manual apt-get install would not be neccessary
* additional scripts
could be added that work "automagically" if there's no PXE/TFTP/HTTP/FTP server yet - maybe in a separate package x2go-tce-setup-aids.deb which then has dependencies on atftpd and apache|lighttpd, ...
-
- FIXME To avoid re-generating SSH Server keys on each ThinClient on every boot, they could be stored
- * in a file on a HTTP(S)/FTP/RSYNC server
- * on local storage (/etc/ssh)
- * a script 1155-openssh-readsshserverkeys would have to inject them before the server starts Tricky parts:
- * reading to local media means you need a way to determine where to read them from (in case of "toram", look for ntfs-uuid and findiso path)
- * reading from a remote server means you should use https, rsync, and/or some kind of signature check
- * a script 1165-openssh-writesshserverkeys would have to save them to local media/upload them after initial generation. Tricky parts:
- * saving to local media means you need a way to determine where to save them (in case of
"toram", look for ntfs-uuid and findiso path)
- * saving to a remote server means you need some kind of login credentials that could be abused
FIXME To be checked: Does the live-config "builtin" command ''live-config.nottyautologin'' do the same as our ''nouser'' command? If yes, ''nouser'' could be removed. Note that ''live-config.nottyautologin'' **might** mean "there's a login prompt, but you just need to enter username ''user'' and password ''live'' to login" - this is not what we want. We need a solution to entirely block user logons.
FIXME It would be cool if there was some kind of autodetection for SSH private keys, on local storage media and/or on USB media.
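Review bot: The FIXME on persistent SSH server keys is deleted without a pointer to where the implemented behaviour is described. It also listed two open concerns (a signature check when reading keys from a remote server, and login credentials for uploads that could be abused); if the fix only covers local storage, say so, so readers do not assume the remote variants were solved as well.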
--
This mail was generated by DokuWiki at
https://wiki.x2go.org/
A page in your DokuWiki was added or changed. Here are the details:
Date : 2017/11/20 12:42
Browser : Mozilla/5.0 (X11; Linux x86_64; rv:52.9) Gecko/20100101 Goanna/3.4 Firefox/52.9 PaleMoon/27.6.0
IP-Address : 134.3.37.90
Hostname : HSI-KBW-134-3-37-90.hsi14.kabel-badenwuerttemberg.de
Old Revision: https://wiki.x2go.org/doku.php/doc:howto:tce?rev=1511181542
New Revision: https://wiki.x2go.org/doku.php/doc:howto:tce
Edit Summary: [List of open ToDos/FIXMEs for this page] updated automounter script FIXME
User : stefanbaur
@@ -1042,9 +1042,9 @@
/devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/host2/target2:0:0/2:0:0:0/block/sdb
cat /sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/serial</code> allows to determine the serial number of a USB device. Those SHOULD be unique, but sadly, they aren't (and sometimes, they are missing entirely). Therefore, a USB serial number can't be used for authentication, but it could be used for "weak" identification - so it could
be used to set a default user name or a default session, or to download a particular sessions file.
Authentification and "hard" identification could be implemented using OpenPGP cards, ''scdaemon'' and a script based on ''/usr/share/doc/scdaemon/examples/scd-event''. For Status ''NOCARD'', suspend the session (kill x2goclient or send a signal that means "suspend", if available, or maybe sighup nxproxy), for status ''USABLE'', run ''gpg --card-status 2>&1 | awk '$1=="Serial" && $2=="number" {print $4}''' to determine the card's serial number, then act based on that (pull new sessions file or set default user, for example, and restart x2goclient).
- FIXME Automount script currently only understands VFAT and NTFS (and possibly hfs and iso9660?) - mounting other file systems will fail due to the uid= and uni_xlate mount options being unknown. Should be extended to support more file systems. ext* is problematic as it doesn't allow you to force an owner/group at mount. fuse's fuseext2
module might, though. Needs to be investigated further. However, it looks like fuseext2 only understands rw+, or rw,force as options, and write support is experimental. Update: fuseext2 will ignore access permissions, so chmod 600 root:root is still readable by the user that ran fuseext2. This is good for e.g. reading SSH keys from ext*-formatted USB media. Regarding write support, maybe a warning popup or a boot parameter should be added for those daring enough to enable it.
+ FIXME Automount script expansion is in the works. Will fully support VFAT, NTFS, hfs, hpfs, will offer read-only support for ext* via fuseext2 (that way, file ownership/permissions are ignored).
FIXME Maybe we should add symlinks to the mount points created by the automounter: Currently, we create ''/media/vendor_model_name/sdxn'' as a mount point. The idea is to allow the user to find their portable device using the vendor/model name description. However, this is unusable for scripting, as the ''//x//''
in ''sdxn'' may change any time. We should replace ''//sdx//'' with ''//partition//'' (or have corresponding symlinks created), but what should we do for //superfloppies// that only have ''sdx'' with no partition number? We could mount them as ''/media/vendor_model_name/partition/'' or directly at ''/media/vendor_model_name/''. Also, symlinks using labels and uuids, similar to ''/dev/by-*'' would be handy for scripting. Another problem: when replacing ''sdx'', what will happen when a user inserts two media with the same vendor/model name at the same time? Blindly replacing the string would make one of them inaccessible due to overwriting the symlink(s). We'd have to start checking active mounts and enumerate them like ''media/vendor_model_name/1/partitionn/'' or ''media/vendor_model_name-1/partitionn/''.
FIXME Automount script currently expects a LUKS password in ''/etc/keys/keystick.key'' when it believes it has found an encrypted partition on USB media. This is a problem in
general, as it should be trivial to sniff out this password using a rogue client. If we want to support this feature, though, we should add code to the build script that lets the user place a password file in the image, and sets proper restrictive permissions. Adding a boot parameter instead of hardcoding it would allow for dynamic password files, but on the other hand, would make it even easier to sniff out the password.
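Review bot: The rewritten automounter FIXME reduces the fuseext2 caveat to "file ownership/permissions are ignored" and drops the concrete consequence from the old text, that a root:root file with mode 600 is still readable by the user that ran fuseext2. Keep one sentence on that, since it determines who can read SSH keys on ext*-formatted media. The list of file systems also changes without comment (iso9660 is gone, hpfs is new); confirm that this is intended.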
--
This mail was generated by DokuWiki at
https://wiki.x2go.org/
A page in your DokuWiki was added or changed. Here are the details:
Date : 2017/11/20 12:39
Browser : Mozilla/5.0 (X11; Linux x86_64; rv:52.9) Gecko/20100101 Goanna/3.4 Firefox/52.9 PaleMoon/27.6.0
IP-Address : 134.3.37.90
Hostname : HSI-KBW-134-3-37-90.hsi14.kabel-badenwuerttemberg.de
Old Revision: https://wiki.x2go.org/doku.php/doc:howto:tce?rev=1511181486
New Revision: https://wiki.x2go.org/doku.php/doc:howto:tce
Edit Summary: [List of open ToDos/FIXMEs for this page] updated x2gocdmanager entry
User : stefanbaur
@@ -1048,13 +1048,13 @@
FIXME Maybe we should add symlinks to the mount points created by the automounter: Currently, we create ''/media/vendor_model_name/sdxn'' as a mount point. The idea is to allow the user to find their portable device using the vendor/model name description. However, this is unusable for scripting, as the ''//x//'' in ''sdxn'' may change any time. We should replace ''//sdx//'' with ''//partition//'' (or have corresponding
symlinks created), but what should we do for //superfloppies// that only have ''sdx'' with no partition number? We could mount them as ''/media/vendor_model_name/partition/'' or directly at ''/media/vendor_model_name/''. Also, symlinks using labels and uuids, similar to ''/dev/by-*'' would be handy for scripting. Another problem: when replacing ''sdx'', what will happen when a user inserts two media with the same vendor/model name at the same time? Blindly replacing the string would make one of them inaccessible due to overwriting the symlink(s). We'd have to start checking active mounts and enumerate them like ''media/vendor_model_name/1/partitionn/'' or ''media/vendor_model_name-1/partitionn/''.
FIXME Automount script currently expects a LUKS password in ''/etc/keys/keystick.key'' when it believes it has found an encrypted partition on USB media. This is a problem in general, as it should be trivial to sniff out this password using a rogue client. If we want to support this
feature, though, we should add code to the build script that lets the user place a password file in the image, and sets proper restrictive permissions. Adding a boot parameter instead of hardcoding it would allow for dynamic password files, but on the other hand, would make it even easier to sniff out the password.
- FIXME ''x2gocdmanager'' is currently not part of the image (I think), but should probably become part of it. While optical media are on their way out, they still exist and thus we should support them.
+ FIXME ''x2gocdmanager'' is currently not part of the image (I think), but should probably become part of it. While optical media are on their way out, they still exist and thus we should support them. However, the script is hardcoded for X2Go-TCE-NFS and needs to be adapted to work with both TCEs.
FIXME ''pinentry-x2go'' and ''x2gosmartcardrules'' probably need further investigation to make smartcard authentication work.
FIXME Even though we set the hostname
to localhost using the corresponding boot parameter, as recommended by Debian, changing the name via DHCP does not work for all image flavours. One way to fix this might be http://blog.schlomo.schapiro.org/2013/11/setting-hostname-from-dhcp-in-debi…
FIXME At least when building a stretch TCE on a jessie system, you need to add kernel parameters ''net.ifnames=0 biosdevname=0'' to the image's kernel parameters, else you will receive error messages about the hostname script being unable to find eth0. This might not be necessary when building a stretch TCE on stretch. For a jessie TCE on jessie, it is not required.
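Review bot: The sentence added to the ''x2gocdmanager'' entry says the script is hardcoded for X2Go-TCE-NFS but not what is hardcoded. Naming the affected parts (for example paths or parameters) would make the FIXME actionable for whoever adapts the script to both TCEs.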
--
This mail was generated by DokuWiki at
https://wiki.x2go.org/
A page in your DokuWiki was added or changed. Here are the details:
Date : 2017/11/20 12:38
Browser : Mozilla/5.0 (X11; Linux x86_64; rv:52.9) Gecko/20100101 Goanna/3.4 Firefox/52.9 PaleMoon/27.6.0
IP-Address : 134.3.37.90
Hostname : HSI-KBW-134-3-37-90.hsi14.kabel-badenwuerttemberg.de
Old Revision: https://wiki.x2go.org/doku.php/doc:howto:tce?rev=1511181339
New Revision: https://wiki.x2go.org/doku.php/doc:howto:tce
Edit Summary: [List of open ToDos/FIXMEs for this page] removed FIXME that has been fixed
User : stefanbaur
@@ -1056,5 +1056,5 @@
FIXME Even though we set the hostname to localhost using the corresponding boot parameter, as recommended by Debian, changing the name via DHCP does not work for all image flavours. One way to fix this might be http://blog.schlomo.schapiro.org/2013/11/setting-hostname-from-dhcp-in-debi…
FIXME At least when building a stretch TCE on a jessie system, you need to add kernel parameters ''net.ifnames=0
biosdevname=0'' to the image's kernel parameters, else you will receive error messages about the hostname script being unable to find eth0. This might not be necessary when building a stretch TCE on stretch. For a jessie TCE on jessie, it is not required.
- FIXME Document config/sshdkeys in detail.
+
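Review bot: The removed "Document config/sshdkeys in detail" item is replaced by an empty line, which leaves a stray blank line at the end of the FIXME list. Delete the line outright rather than blanking it, and mention in the edit summary where ''config/sshdkeys'' is now documented.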
--
This mail was generated by DokuWiki at
https://wiki.x2go.org/
A page in your DokuWiki was added or changed. Here are the details:
Date : 2017/11/20 12:35
Browser : Mozilla/5.0 (X11; Linux x86_64; rv:52.9) Gecko/20100101 Goanna/3.4 Firefox/52.9 PaleMoon/27.6.0
IP-Address : 134.3.37.90
Hostname : HSI-KBW-134-3-37-90.hsi14.kabel-badenwuerttemberg.de
Old Revision: https://wiki.x2go.org/doku.php/doc:howto:tce?rev=1511180919
New Revision: https://wiki.x2go.org/doku.php/doc:howto:tce
Edit Summary: added section regarding persistent SSH Host Keys
User : stefanbaur
@@ -717,8 +717,12 @@
So just do ''dd if=./original-x2go-tce-live-image-i386.hybrid.iso of=/dev/targetdevice'' and wait until it finishes.
Also, when using iso-hybrid and USB media, there are a few "cheats" to reclaim unused space on the USB media, and to turn it into a solution that allows you to run X2GoClient in portable mode on Windows, and boot it as X2Go-TCE, with a shared configuration file.
+
+ ===== Persistent SSH Host Keys =====
+ As there is no
simple way to have individual, persistent SSH Host Keys per ThinClient, and sharing secret host keys across machines is a bad idea, too, the default behavior is to generate a new key pair upon boot. If you need to SSH into ThinClients often, this may soon become annoying.
+ Therefore, X2Go-TCE-Live comes with a script that, during the boot process, will scan for USB media and fixed disk media (with fixed disk media taking precedence, unlike the ''copysecring'' boot parameter that copies SSH //Client// Private Keys when set) for a directory ''config/sshdkeys''. The volume must be labeled ''X2GO-TCE-LIVE'' and may use any supported file system, though write support is required if you want to store the keys from within X2Go-TCE-Live. If you're booting from fixed disk media/internal flash, you may put the folder directly in the root directory of your boot drive - just don't forget to change the volume label to the "magic value" ''X2GO-TCE-LIVE''. If the directory exists, but is empty,
all current SSH Host Keys will be copied into it (missing ones will be generated on the fly). Any SSH Host Keys found in the ''config/sshdkeys'' directory will be copied into ''/etc/ssh/'' (in the ramdisk), with proper permissions and ownerships for sshd, and sshd will be told to reload its config if required.
===== Boot Parameters for X2Go-TCE =====
<note important>**These are always required for security reasons, unless you are working on a debug image:**
* ''noroot'' - do not allow the local user account on the ThinClient (named "user") to become root, e.g. using sudo **Always set this unless you are debugging an image and need to log in locally!**
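Review bot: The new "Persistent SSH Host Keys" section does not say that the private host keys are stored as plain files on the ''X2GO-TCE-LIVE'' volume, which "may use any supported file system", nor that the volume label is the only stated condition for copying keys from USB or fixed disk media into ''/etc/ssh/''. Add a short attention note on both points, in the style of the bold warnings used for the boot parameters below. The first sentence of the second paragraph would also read better with the long parenthesis about ''copysecring'' moved into a sentence of its own.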
--
This mail was generated by DokuWiki at
https://wiki.x2go.org/
A page in your DokuWiki was added or changed. Here are the details:
Date : 2017/11/20 12:28
Browser : Mozilla/5.0 (X11; Linux x86_64; rv:52.9) Gecko/20100101 Goanna/3.4 Firefox/52.9 PaleMoon/27.6.0
IP-Address : 134.3.37.90
Hostname : HSI-KBW-134-3-37-90.hsi14.kabel-badenwuerttemberg.de
Old Revision: https://wiki.x2go.org/doku.php/doc:howto:tce?rev=1511180584
New Revision: https://wiki.x2go.org/doku.php/doc:howto:tce
Edit Summary: [What options are available under FURTHER-OPTIONS-GO-HERE?]
User : stefanbaur
@@ -748,9 +748,9 @@
=== These are entirely optional ===
* ''bg=https|http|ftp://your-http-server-ip-or-dns-here/x2go-tce/x2go-tce-bg.svg'' - use this to specify an SVG file to "brand" your X2Go-TCE with. It will replace theblue background theme of the login screen. See below for how to add this file to your HTTP, HTTPS, or FTP server. **Attention: Whoever manages to spoof the server name can inject rogue images into your ThinClients.** To mitigate
this risk, use HTTPS, where the attacker would have to spoof both server name and matching certificate.
* ''blank=n|n:n:n'' - Will disable (''blank=0'') or set screensaver timeout. Use ''blank=n:n:n'' to set DPMS Standby/Suspend/Off values. Standby value equals screensaver timeout value. All values are given in seconds.
* ''branding=https|http|ftp://your-http-server-ip-or-dns-here/x2go-tce/x2go-tce-branding.svg'' - use this to specify an SVG file to "brand" your X2Go-TCE with. It will replace the seal icon in the lower left of the login screen. See below for how to add this file to your HTTP, HTTPS, or FTP server. **Attention: Whoever manages to spoof the server name can inject rogue images into your ThinClients.** To mitigate this risk, use HTTPS, where the attacker would have to spoof both server name and matching certificate.
- * ''copysecring'' - this will scan for USB media and fixed disk media (with USB media taking precedence) at boot for one or more of the
following directories: ''config/ssh'', 'ssh', ''.ssh''. The volume must be labeled ''X2GO-TCE-LIVE'' or ''PORTABLEAPP'' and may use any supported file system. Any SSH Secret Keys found there will be copied into /home/user/.ssh (in the ramdisk), with proper permissions and ownerships for the default user account. This may come in handy when you are using SSH Secret Keys on USB media, but need to log in and out of sessions often, and don't want to leave the USB media plugged in all the time/don't want to have to re-insert it before each session startup. **Attention: This poses a security risk when other people are using your ThinClient afterwards (as they will have access to your keys).** To mitigate this risk,be sure to power-cycle the ThinClient once you are done. You //should// specify this parameter when booting X2Go-TCE-Live from portable media when you want to use SSH Secret Keys, to make sure your secret key on the VAT/NTFS partition is available. But as stated above, b
e sure
to power-cycle the machine once you're done.
+ * ''copysecring'' - this will scan for USB media and fixed disk media (with USB media taking precedence) at boot for one or more of the following directories: ''config/ssh'', 'ssh', ''.ssh''. The volume must be labeled ''X2GO-TCE-LIVE'' or ''PORTABLEAPP'' and may use any supported file system. Any SSH Secret Keys found there will be copied into ''/home/user/.ssh'' (in the ramdisk), with proper permissions and ownerships for the default user account. This may come in handy when you are using SSH Secret Keys on USB media, but need to log in and out of sessions often, and don't want to leave the USB media plugged in all the time/don't want to have to re-insert it before each session startup. **Attention: This poses a security risk when other people are using your ThinClient afterwards (as they will have access to your keys).** To mitigate this risk,be sure to power-cycle the ThinClient once you are done. You //should// specify this
parameter when booting X2Go-TCE-Live from portable media when you want to use SSH Secret Keys, to make sure your secret key on the VAT/NTFS partition is available. But as stated above, be sure to power-cycle the machine once you're done.
* ''ldap=ldap.example.com:389:cn=cngoeshere,dc=example,dc=com'' - this allows you to specify an LDAP server to connect to - note that this is not needed for LDAP-based authentication, only when you intend to store entire session profiles in LDAP. You should really consider using the X2Go Session Broker instead.
* ''ldap1=ldap-backupserver-1.example.com:389'' - this allows you to specify the first of up to two LDAP backup servers when using LDAP authentication
* ''ldap2=ldap-backupserver-2.example.com:389'' - this allows you to specify the second of up to two LDAP backup servers when using LDAP authentication
* ''nodpms'' - Will not touch DPMS settings at all (by default, ''blank=0'' does both ''xset s off'' and ''xset -dpms''). Use
this along with ''blank=n'' if you do want to blank the screen, but your screen is confused by DPMS settings.
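Review bot: The rewritten ''copysecring'' bullet now marks ''/home/user/.ssh'' as monospace, but the same line still has 'ssh' in single quotes where the neighbouring ''config/ssh'' and ''.ssh'' use doubled quotes, and "risk,be sure" is missing a space. Fix those while the line is being touched.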
--
This mail was generated by DokuWiki at
https://wiki.x2go.org/
A page in your DokuWiki was added or changed. Here are the details:
Date : 2017/11/20 12:23
Browser : Mozilla/5.0 (X11; Linux x86_64; rv:52.9) Gecko/20100101 Goanna/3.4 Firefox/52.9 PaleMoon/27.6.0
IP-Address : 134.3.37.90
Hostname : HSI-KBW-134-3-37-90.hsi14.kabel-badenwuerttemberg.de
Old Revision: https://wiki.x2go.org/doku.php/doc:howto:tce?rev=1511177029
New Revision: https://wiki.x2go.org/doku.php/doc:howto:tce
Edit Summary: added volume name requirement and description for portablemode for copysecring
User : stefanbaur
@@ -748,9 +748,9 @@
=== These are entirely optional ===
* ''bg=https|http|ftp://your-http-server-ip-or-dns-here/x2go-tce/x2go-tce-bg.svg'' - use this to specify an SVG file to "brand" your X2Go-TCE with. It will replace theblue background theme of the login screen. See below for how to add this file to your HTTP, HTTPS, or FTP server. **Attention: Whoever manages to spoof the server name can inject rogue images into your
ThinClients.** To mitigate this risk, use HTTPS, where the attacker would have to spoof both server name and matching certificate.
* ''blank=n|n:n:n'' - Will disable (''blank=0'') or set screensaver timeout. Use ''blank=n:n:n'' to set DPMS Standby/Suspend/Off values. Standby value equals screensaver timeout value. All values are given in seconds.
* ''branding=https|http|ftp://your-http-server-ip-or-dns-here/x2go-tce/x2go-tce-branding.svg'' - use this to specify an SVG file to "brand" your X2Go-TCE with. It will replace the seal icon in the lower left of the login screen. See below for how to add this file to your HTTP, HTTPS, or FTP server. **Attention: Whoever manages to spoof the server name can inject rogue images into your ThinClients.** To mitigate this risk, use HTTPS, where the attacker would have to spoof both server name and matching certificate.
- * ''copysecring'' - this will scan for USB media and fixed disk media (with USB media taking precedence) at boot for
one or more of the following directories: ''config/ssh'', 'ssh', ''.ssh''. Any SSH Secret Keys found there will be copied into /home/user/.ssh (in the ramdisk), with proper permissions and ownerships for the default user account. This may come in handy when you are using SSH Secret Keys on USB media, but need to log in and out of sessions often, and don't want to leave the USB media plugged in all the time/don't want to have to re-insert it before each session startup. **Attention: This poses a security risk when other people are using your ThinClient afterwards (as they will have access to your keys).** To mitigate this risk,be sure to power-cycle the ThinClient once you are done.
+ * ''copysecring'' - this will scan for USB media and fixed disk media (with USB media taking precedence) at boot for one or more of the following directories: ''config/ssh'', 'ssh', ''.ssh''. The volume must be labeled ''X2GO-TCE-LIVE'' or ''PORTABLEAPP'' and may use any supported file system. Any SSH
Secret Keys found there will be copied into /home/user/.ssh (in the ramdisk), with proper permissions and ownerships for the default user account. This may come in handy when you are using SSH Secret Keys on USB media, but need to log in and out of sessions often, and don't want to leave the USB media plugged in all the time/don't want to have to re-insert it before each session startup. **Attention: This poses a security risk when other people are using your ThinClient afterwards (as they will have access to your keys).** To mitigate this risk,be sure to power-cycle the ThinClient once you are done. You //should// specify this parameter when booting X2Go-TCE-Live from portable media when you want to use SSH Secret Keys, to make sure your secret key on the VAT/NTFS partition is available. But as stated above, be sure to power-cycle the machine once you're done.
* ''ldap=ldap.example.com:389:cn=cngoeshere,dc=example,dc=com'' - this allows you to specify an LDAP server to connect
to - note that this is not needed for LDAP-based authentication, only when you intend to store entire session profiles in LDAP. You should really consider using the X2Go Session Broker instead.
* ''ldap1=ldap-backupserver-1.example.com:389'' - this allows you to specify the first of up to two LDAP backup servers when using LDAP authentication
* ''ldap2=ldap-backupserver-2.example.com:389'' - this allows you to specify the second of up to two LDAP backup servers when using LDAP authentication
* ''nodpms'' - Will not touch DPMS settings at all (by default, ''blank=0'' does both ''xset s off'' and ''xset -dpms''). Use this along with ''blank=n'' if you do want to blank the screen, but your screen is confused by DPMS settings.
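Review bot: The text added to the ''copysecring'' bullet refers to "the VAT/NTFS partition", which looks like a typo for VFAT. The power-cycle advice now appears twice in the same bullet; stating it once, next to the bold attention sentence, would be enough. It would also help to say whether the volume label (''X2GO-TCE-LIVE'' or ''PORTABLEAPP'') is the only criterion for picking up keys from a medium.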
--
This mail was generated by DokuWiki at
https://wiki.x2go.org/