x2go-commits January 2019

x2go-commits@lists.x2go.org

3 participants
114 discussions

[[X2Go Wiki]] page changed: doc:howto:tce
by wiki-admin＠x2go.org 06 Jan '19

06 Jan '19

A page in your DokuWiki was added or changed. Here are the details: Date : 2019/01/06 13:10 Browser : Mozilla/5.0 (X11; Linux x86_64; rv:52.9) Gecko/20100101 Goanna/3.4 Firefox/52.9 PaleMoon/27.9.4 IP-Address : 149.172.203.221 Hostname : HSI-KBW-149-172-203-221.hsi13.kabel-badenwuerttemberg.de Old Revision: https://wiki.x2go.org/doku.php/doc:howto:tce?rev=1546780152 New Revision: https://wiki.x2go.org/doku.php/doc:howto:tce Edit Summary: [List of open ToDos/FIXMEs for this page] moved fixed issue to bottom of page User : stefanbaur @@ -1157,10 +1157,8 @@ FIXME Parsing the output of e.g. <code>udevadm info --query path /dev/sdb /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/host2/target2:0:0/2:0:0:0/block/sdb cat /sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/serial</code> allows to determine the serial number of a USB device. Those SHOULD be unique, but sadly, they aren't (and sometimes, they are missing entirely). Therefore, a USB serial number can't be used for authentication, but it could be used for "weak" identification - so it could be used to set a default user name or a default session, or to download a particular sessions file. Authentification and "hard" identification could be implemented using OpenPGP cards, ''scdaemon'' and a script based on ''/usr/share/doc/scdaemon/examples/scd-event''. For Status ''NOCARD'', suspend the session (kill x2goclient or send a signal that means "suspend", if available, or maybe sighup nxproxy), for status ''USABLE'', run ''gpg --card-status 2>&1 | awk '$1=="Serial" && $2=="number" {print $4}''' to determine the card's serial number, then act based on that (pull new sessions file or set default user, for example, and restart x2goclient). - - FIXME <del>Automount script expansion is in the works. Will fully support VFAT, NTFS, hfs, hpfs, will offer read-only support for ext* via fuseext2 (that way, file ownership/permissions are ignored).</del> fixed. FIXME <del>Maybe we should add symlinks to the mount points created by the automounter: Currently, we create ''/media/vendor_model_name/sdxn'' as a mount point. The idea is to allow the user to find their portable device using the vendor/model name description. However, this is unusable for scripting, as the ''//x//'' in ''sdxn'' may change any time. We should replace ''//sdx//'' with ''//partition//'' (or have corresponding symlinks created), but what should we do for //superfloppies// that only have ''sdx'' with no partition number? We could mount them as ''/media/vendor_model_name/partition/'' or directly at ''/media/vendor_model_name/''. Also, symlinks using labels and uuids, similar to ''/dev/by-*'' would be handy for scripting. Another problem: when replacing ''sdx'', what will happen when a user inserts two media with the same vendor/model name at the same time? Blindly replacing the string would make one of them inaccessible due to overwriting the symlink(s). We'd have to start checking active mounts and enumerate them like ''/media/vendor_model_name/1/partitionn'' or ''/media/vendor_model_name-1/partitionn''</del> Fixed. When a label is detected, a symlink is now created under ''/media/vendor_model_name/label'' that points to ''/media/vendor_model_name/partitionn''. FIXME Automount script currently expects a LUKS password in ''/etc/keys/keystick.key'' when it believes it has found an encrypted partition on USB media. This is a problem in general, as it should be trivial to sniff out this password using a rogue client. If we want to support this feature, though, we should add code to the build script that lets the user place a password file in the image, and sets proper restrictive permissions (this would have to happen right before the ''lb build'' call). Adding a boot parameter instead of hardcoding it would allow for dynamic password files, but on the other hand, would make it even easier to sniff out the password. It would only really make sense for Netboot installations, and also not for a MiniDesktop in any way, because you have to block the user from accessing the TCE's local environment/files. @@ -1188,9 +1186,10 @@ FIXME <del>''copysecring'' currently does not work in MiniDesktop-Mode, as it copies the keys to the wrong user's homedir.</del> fixed in github repo, soon in x2go repo FIXME <del>copying ssh private keys seems to fail in MiniDesktop-Mode - possibly because of the priming/pruning/cleanup action performed on the homedirectory by the minidesktop init scripts?</del> should already be fixed in github repo, soon in x2go repo + FIXME <del>Automount script expansion is in the works. Will fully support VFAT, NTFS, hfs, hpfs, will offer read-only support for ext* via fuseext2 (that way, file ownership/permissions are ignored).</del> fixed. FIXME <del>''homepageurl='' (only available in MiniDesktop-Mode) is currently undocumented. Supports multiple URLs separated with pipes.</del> <note>The live-config "builtin" command ''live-config.nottyautologin'' does not do the same as our ''nouser'' command. ''live-config.nottyautologin'' means "there's a login prompt, but you just need to enter username ''user'' and password ''live'' to login" - this is not what we want. We need a solution to entirely block user logons. </note> -- This mail was generated by DokuWiki at https://wiki.x2go.org/

1 0

[[X2Go Wiki]] page changed: doc:howto:tce
by wiki-admin＠x2go.org 06 Jan '19

06 Jan '19

A page in your DokuWiki was added or changed. Here are the details: Date : 2019/01/06 13:09 Browser : Mozilla/5.0 (X11; Linux x86_64; rv:52.9) Gecko/20100101 Goanna/3.4 Firefox/52.9 PaleMoon/27.9.4 IP-Address : 149.172.203.221 Hostname : HSI-KBW-149-172-203-221.hsi13.kabel-badenwuerttemberg.de Old Revision: https://wiki.x2go.org/doku.php/doc:howto:tce?rev=1546779857 New Revision: https://wiki.x2go.org/doku.php/doc:howto:tce Edit Summary: [List of open ToDos/FIXMEs for this page] moved fixed issues to bottom of page User : stefanbaur @@ -1150,9 +1150,8 @@ * To specify a keyfile, either: * use ''~/.ssh/keyfilename'' as path and use ''copysecring'', or * do not use ''copysecring'' and use ''/media/vendor_model_name/sdxn/path/to/keyfile'' (or ''/media/vendor_model_name/partlabel/path/to/keyfile'', if you assigned a partition label - which is recommended for this use case) as keyfile path/name - FIXME <del>copying ssh private keys seems to fail in MiniDesktop-Mode - possibly because of the priming/pruning/cleanup action performed on the homedirectory by the minidesktop init scripts?</del> should already be fixed in github repo, soon in x2go repo FIXME ''2200-xserver-xorg-getxorgconf'' should be taught to understand ''file:<nowiki>//</nowiki>'' URLs. FIXME Parsing the output of e.g. <code>udevadm info --query path /dev/sdb @@ -1172,24 +1171,26 @@ FIXME Even though we set the hostname to ''localhost'' using the corresponding boot parameter, as recommended by Debian, changing the name via DHCP does not work for all image flavours. One way to fix this might be http://blog.schlomo.schapiro.org/2013/11/setting-hostname-from-dhcp-in-debi… FIXME <del>At least</del> when building a stretch TCE<del> on a jessie system,</del> you need to add kernel parameters ''net.ifnames=0 biosdevname=0'' to the image's kernel parameters, else you will receive error messages about the hostname script being unable to find eth0. <del>This might not be necessary when building a stretch TCE on stretch.</del> For a jessie TCE on jessie, it is not required. - - FIXME <del>There might be a race condition between the scripts handling the sshd keyfile and the ssh private key file copy task (/config ...), causing one to umount the fixed disk before the other is done reading/copying. What's weird is that there already is code that is supposed to keep this from happening, but it doesn't.</del> fixed in github repo, soon in x2go repo - - FIXME <del>Setting the time via NTP will fail if the TC can't establish a connection to an NTP server via the internet. It would make sense to allow specifying an internal NTP server via a boot parameter.</del> fixed in github repo, soon in x2go repo - - FIXME <del>''copysecring'' currently does not work in MiniDesktop-Mode, as it copies the keys to the wrong user's homedir.</del> fixed in github repo, soon in x2go repo FIXME ''broker-url='', ''ldap='', ''ldap1='', ''ldap2='', ''session='', ''throttle='', are currently unsupported in MiniDesktop-Mode. This could be changed, given enough tuits. Probably the easiest way would be to outsource as many of them as possible into scripts under ''/etc/X11/Xsession.d/'' (currently, they reside in ''/lib/live/config/2900-x2go-thinclientconfig'' - which doesn't exist in the MiniDesktop branches - and from there, they get written to ''~/.xsession'' FIXME ''audioout='', ''blank='', ''*blankdpmsfix'', ''nodpms'', ''xinerama='', are currently unsupported in MiniDesktop-Mode, but this is being worked on, using the method described above. FIXME ''nomagicpixel='' is currently unsupported in MiniDesktop-Mode and probably will be unsupported there forever, as it doesn't make sense for MiniDesktop-Mode. FIXME ''bg='' and ''branding='' are currently unsupported in MiniDesktop-Mode. Adding support for these doesn't need many tuits. A third option for the desktop background could be added as well - possibly for regular TCE mode as well, overriding our default blue. + + FIXME <del>There might be a race condition between the scripts handling the sshd keyfile and the ssh private key file copy task (/config ...), causing one to umount the fixed disk before the other is done reading/copying. What's weird is that there already is code that is supposed to keep this from happening, but it doesn't.</del> fixed in github repo, soon in x2go repo + + FIXME <del>Setting the time via NTP will fail if the TC can't establish a connection to an NTP server via the internet. It would make sense to allow specifying an internal NTP server via a boot parameter.</del> fixed in github repo, soon in x2go repo + + FIXME <del>''copysecring'' currently does not work in MiniDesktop-Mode, as it copies the keys to the wrong user's homedir.</del> fixed in github repo, soon in x2go repo + + FIXME <del>copying ssh private keys seems to fail in MiniDesktop-Mode - possibly because of the priming/pruning/cleanup action performed on the homedirectory by the minidesktop init scripts?</del> should already be fixed in github repo, soon in x2go repo FIXME <del>''homepageurl='' (only available in MiniDesktop-Mode) is currently undocumented. Supports multiple URLs separated with pipes.</del> <note>The live-config "builtin" command ''live-config.nottyautologin'' does not do the same as our ''nouser'' command. ''live-config.nottyautologin'' means "there's a login prompt, but you just need to enter username ''user'' and password ''live'' to login" - this is not what we want. We need a solution to entirely block user logons. </note> -- This mail was generated by DokuWiki at https://wiki.x2go.org/

1 0

[[X2Go Wiki]] page changed: doc:howto:tce
by wiki-admin＠x2go.org 06 Jan '19

06 Jan '19

A page in your DokuWiki was added or changed. Here are the details: Date : 2019/01/06 13:04 Browser : Mozilla/5.0 (X11; Linux x86_64; rv:52.9) Gecko/20100101 Goanna/3.4 Firefox/52.9 PaleMoon/27.9.4 IP-Address : 149.172.203.221 Hostname : HSI-KBW-149-172-203-221.hsi13.kabel-badenwuerttemberg.de Old Revision: https://wiki.x2go.org/doku.php/doc:howto:tce?rev=1546779714 New Revision: https://wiki.x2go.org/doku.php/doc:howto:tce Edit Summary: [List of open ToDos/FIXMEs for this page] Added WiP for some boot parameters and minidesktop mode User : stefanbaur @@ -1179,9 +1179,11 @@ FIXME <del>Setting the time via NTP will fail if the TC can't establish a connection to an NTP server via the internet. It would make sense to allow specifying an internal NTP server via a boot parameter.</del> fixed in github repo, soon in x2go repo FIXME <del>''copysecring'' currently does not work in MiniDesktop-Mode, as it copies the keys to the wrong user's homedir.</del> fixed in github repo, soon in x2go repo - FIXME ''audioout='', ''blank='', ''blankdpmsfix'', ''broker-url='', ''ldap='', ''ldap1='', ''ldap2='', ''nodpms'', ''session='', ''throttle='', ''xinerama='', are currently unsupported in MiniDesktop-Mode. This could be changed, given enough tuits. Probably the easiest way would be to outsource as many of them as possible into scripts under ''/etc/X11/Xsession.d/'' (currently, they reside in ''/lib/live/config/2900-x2go-thinclientconfig'' - which doesn't exist in the MiniDesktop branches - and from there, they get written to ''~/.xsession'' + FIXME ''broker-url='', ''ldap='', ''ldap1='', ''ldap2='', ''session='', ''throttle='', are currently unsupported in MiniDesktop-Mode. This could be changed, given enough tuits. Probably the easiest way would be to outsource as many of them as possible into scripts under ''/etc/X11/Xsession.d/'' (currently, they reside in ''/lib/live/config/2900-x2go-thinclientconfig'' - which doesn't exist in the MiniDesktop branches - and from there, they get written to ''~/.xsession'' + + FIXME ''audioout='', ''blank='', ''*blankdpmsfix'', ''nodpms'', ''xinerama='', are currently unsupported in MiniDesktop-Mode, but this is being worked on, using the method described above. FIXME ''nomagicpixel='' is currently unsupported in MiniDesktop-Mode and probably will be unsupported there forever, as it doesn't make sense for MiniDesktop-Mode. FIXME ''bg='' and ''branding='' are currently unsupported in MiniDesktop-Mode. Adding support for these doesn't need many tuits. A third option for the desktop background could be added as well - possibly for regular TCE mode as well, overriding our default blue. -- This mail was generated by DokuWiki at https://wiki.x2go.org/

1 0

[[X2Go Wiki]] page changed: doc:howto:tce
by wiki-admin＠x2go.org 06 Jan '19

06 Jan '19

A page in your DokuWiki was added or changed. Here are the details: Date : 2019/01/06 13:01 Browser : Mozilla/5.0 (X11; Linux x86_64; rv:52.9) Gecko/20100101 Goanna/3.4 Firefox/52.9 PaleMoon/27.9.4 IP-Address : 149.172.203.221 Hostname : HSI-KBW-149-172-203-221.hsi13.kabel-badenwuerttemberg.de Old Revision: https://wiki.x2go.org/doku.php/doc:howto:tce?rev=1544927319 New Revision: https://wiki.x2go.org/doku.php/doc:howto:tce Edit Summary: [List of open ToDos/FIXMEs for this page] added some more thoughts on how to handle encrypted portable media User : stefanbaur @@ -1163,9 +1163,9 @@ FIXME <del>Automount script expansion is in the works. Will fully support VFAT, NTFS, hfs, hpfs, will offer read-only support for ext* via fuseext2 (that way, file ownership/permissions are ignored).</del> fixed. FIXME <del>Maybe we should add symlinks to the mount points created by the automounter: Currently, we create ''/media/vendor_model_name/sdxn'' as a mount point. The idea is to allow the user to find their portable device using the vendor/model name description. However, this is unusable for scripting, as the ''//x//'' in ''sdxn'' may change any time. We should replace ''//sdx//'' with ''//partition//'' (or have corresponding symlinks created), but what should we do for //superfloppies// that only have ''sdx'' with no partition number? We could mount them as ''/media/vendor_model_name/partition/'' or directly at ''/media/vendor_model_name/''. Also, symlinks using labels and uuids, similar to ''/dev/by-*'' would be handy for scripting. Another problem: when replacing ''sdx'', what will happen when a user inserts two media with the same vendor/model name at the same time? Blindly replacing the string would make one of them inaccessible due to overwriting the symlink(s). We'd have to start checking active mounts and enumerate them like ''/media/vendor_model_name/1/partitionn'' or ''/media/vendor_model_name-1/partitionn''</del> Fixed. When a label is detected, a symlink is now created under ''/media/vendor_model_name/label'' that points to ''/media/vendor_model_name/partitionn''. - FIXME Automount script currently expects a LUKS password in ''/etc/keys/keystick.key'' when it believes it has found an encrypted partition on USB media. This is a problem in general, as it should be trivial to sniff out this password using a rogue client. If we want to support this feature, though, we should add code to the build script that lets the user place a password file in the image, and sets proper restrictive permissions. Adding a boot parameter instead of hardcoding it would allow for dynamic password files, but on the other hand, would make it even easier to sniff out the password. + FIXME Automount script currently expects a LUKS password in ''/etc/keys/keystick.key'' when it believes it has found an encrypted partition on USB media. This is a problem in general, as it should be trivial to sniff out this password using a rogue client. If we want to support this feature, though, we should add code to the build script that lets the user place a password file in the image, and sets proper restrictive permissions (this would have to happen right before the ''lb build'' call). Adding a boot parameter instead of hardcoding it would allow for dynamic password files, but on the other hand, would make it even easier to sniff out the password. It would only really make sense for Netboot installations, and also not for a MiniDesktop in any way, because you have to block the user from accessing the TCE's local environment/files. FIXME ''x2gocdmanager'' is currently not part of the image, but should become part of it. While optical media are on their way out, they still exist and thus we should support them. However, the script is hardcoded for X2Go-TCE-NFS and needs to be adapted to work with both TCEs. FIXME ''pinentry-x2go'' and ''x2gosmartcardrules'' probably need further investigation to make smartcard authentication work. -- This mail was generated by DokuWiki at https://wiki.x2go.org/

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

x2go-commits January 2019