A page in your DokuWiki was added or changed. Here are the details:
Date : 2017/11/20 18:07
Browser : Mozilla/5.0 (X11; Linux x86_64; rv:52.9) Gecko/20100101 Goanna/3.4 Firefox/52.9 PaleMoon/27.6.0
IP-Address : 134.3.37.90
Hostname : HSI-KBW-134-3-37-90.hsi14.kabel-badenwuerttemberg.de
Old Revision: https://wiki.x2go.org/doku.php/doc:howto:tce?rev=1511186972
New Revision: https://wiki.x2go.org/doku.php/doc:howto:tce
Edit Summary: [Configuring the Build] add support for stretch builds and default to feature/openbox-magic-pixel-workaround
User : stefanbaur
@@ -38,39 +38,47 @@
==== Configuring the Build ====
<code>
# Select ONE of the following git reposities
# this one loosely corresponds to "stable"
- export LBX2GO_CONFIG='git://code.x2go.org/live-build-x2go.git::feature/openbox-with-magic-pixel-w…'
+ # Select ONE of the following git reposities
+ # this one loosely corresponds to "stable"
+ export
LBX2GO_CONFIG='git://code.x2go.org/live-build-x2go.git::feature/openbox-magic-pixel-workar…'
# this one loosely corresponds to "heuler"
- #export LBX2GO_CONFIG='https://github.com/LinuxHaus/live-build-x2go::feature/openbox-with-magic-pi…'
+ #export LBX2GO_CONFIG='https://github.com/LinuxHaus/live-build-x2go::feature/openbox-magic-pixel-w…'
+ # NOTE: Add "-stretch" to the end of the LBX2GO_CONFIG string to create a stretch build
- # Select ONE of the following LBX2GO_ARCH lines and comment out the others
+ # Select ONE of the following LBX2GO_ARCH lines and comment out the others
# (feel free to use long or short options)
# for 64-Bit builds, use:
- # export LBX2GO_ARCH='-a amd64 -k amd64'
+ export LBX2GO_ARCH='-a amd64 -k amd64'
# 32-Bit, larger memory footprint, but faster performance on i686 and newer
# export LBX2GO_ARCH='-a i386 -k 686-pae'
# 32-Bit, smallest memory footprint
- export LBX2GO_ARCH='--architectures i386 --linux-flavours 586'
+ # export LBX2GO_ARCH='--architectures i386 --linux-flavours 586'
+
+ if [ -z "${LBX2GO_CONFIG##*-stretch}" ] ; then
+ export LBX2GO_DEBVERSION="stretch"
+ else
+ export LBX2GO_DEBVERSION="jessie"
+ fi
# These options are meant to reduce the image size.
# Feel free to adapt them after consulting "man lb_config"
export LBX2GO_SPACE='--apt-indices none
--apt-recommends false
- --cache false
+ --cache false
--checksums none
--firmware-binary false
--memtest none
--win32-loader false'
# These are default values that should not require tuning
- export LBX2GO_DEFAULTS='--backports true
+ export LBX2GO_DEFAULTS="--backports true
--firmware-chroot true
--initsystem sysvinit
--security true
--updates true
- --distribution jessie'
- # you can create stretch builds by appending ''-stretch'' (no leading blank) to LBX2GO_CONFIG and changing jessie to stretch here.
+ --distribution $LBX2GO_DEBVERSION"
export LBX2GO_ARCHIVE_AREAS="main contrib non-free"
# This is to optimize squashfs size, based on a suggestion by intrigeri from the TAILS team
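Review bot: The suffix test `if [ -z "${LBX2GO_CONFIG##*-stretch}" ]` is also true when LBX2GO_CONFIG is empty or unset, so a build with both export lines commented out silently selects stretch instead of failing. Check for a non-empty value first, for example `[ -n "$LBX2GO_CONFIG" ] && [ -z "${LBX2GO_CONFIG##*-stretch}" ]`. Separately, the default "stable" source is a `git://` URL, which gives the build configuration no transport authentication or integrity protection; the https form used by the commented-out alternative would be the safer default if the server offers it.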
@@ -88,9 +96,9 @@
# When using iPXE, you can use http instead of TFTP.
# This is especially helpful if you want to netboot via http and cannot use the server's IP, but must specify a DNS name - as "fetch=..." only understands IPs.
export LBX2GO_NOSQUASHFS="false"
- # Select ONE of the following LBX2GO_IMAGETYPE lines and comment out the others
+ # Select ONE of the following LBX2GO_IMAGETYPE lines and comment out the others
# to create an iso image:
# export LBX2GO_IMAGETYPE='iso'
# to create an iso image that can also be dd'ed to USB media:
# export
LBX2GO_IMAGETYPE='iso-hybrid'
@@ -101,9 +109,8 @@
# in a "build failed" message, even though the build might have worked):
# export LBX2GO_IMAGETYPE='hdd'
# to create a tar file only (seems to be broken in live-build):
# export LBX2GO_IMAGETYPE='tar'
-
</code>
==== Live-Patching the Build ====
This patch is required if you need USB mount capability on the ThinClient while [[http://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=1136|Bug #1136]] is still unresolved.
--
This mail was generated by DokuWiki at
https://wiki.x2go.org/
A page in your DokuWiki was added or changed. Here are the details:
Date : 2017/11/20 14:09
Browser : Mozilla/5.0 (X11; Linux x86_64; rv:52.9) Gecko/20100101 Goanna/3.4 Firefox/52.9 PaleMoon/27.6.0
IP-Address : 134.3.37.90
Hostname : HSI-KBW-134-3-37-90.hsi14.kabel-badenwuerttemberg.de
Old Revision: https://wiki.x2go.org/doku.php/doc:howto:tce?rev=1511182172
New Revision: https://wiki.x2go.org/doku.php/doc:howto:tce
Edit Summary: [Live-Patching the Build] updated USB media mount patch
User : stefanbaur
@@ -243,13 +243,49 @@
# prepare mount points
mkdir("/media");
mkdir("/media/$name");
mkdir("/media/$name/$ldev");
+
# mount the USB device
- if(system("mount $dev /media/$name/$ldev -o uid=$user,sync,uni_xlate")==0)
+ # sync is supported by all file systems
+ # uid is supported by vfat (via fat),ntfs,hfs,hpfs
+
# uni_xlate is supported by vfat,ntfs
+ # we must not trigger on iso9660 and udf, or else hybrid USB media
+ # would only cause a mount of the iso9660 raw device,
+ # blocking the mount of individual partitions
+ # real optical media ->x2gocdmanager/x2gothinclient-cdmanager package
+
+ if(system("mount -tvfat,ntfs $dev /media/$name/$ldev -o uid=$user,sync,uni_xlate")==0)
{
- syslog('notice', "USB device $name ($ldev) successfully mounted");
+ syslog('notice', "USB device $name ($ldev) successfully mounted (probably vfat or ntfs)");
+ # if mounted, inform x2goclient about it...
+ system("touch $mntdir/$ldev.mounted");
+ open (D,">",expand_filename("~$user/export/$name.$ldev"));
+ print D "export=/media/$name/$ldev\n";
+
close (D);
+ }
+ elsif(system("mount -t hfs $dev /media/$name/$ldev -o uid=$user,sync")==0)
+ {
+ syslog('notice', "USB device $name ($ldev) successfully mounted (hfs detected)");
+ # if mounted, inform x2goclient about it...
+ system("touch $mntdir/$ldev.mounted");
+ open (D,">",expand_filename("~$user/export/$name.$ldev"));
+ print D "export=/media/$name/$ldev\n";
+ close (D);
+ }
+ elsif(system("mount -t hpfs $dev /media/$name/$ldev -o uid=$user,sync")==0)
+ {
+ syslog('notice', "USB device $name ($ldev) successfully mounted (hpfs detected)");
+ # if mounted, inform x2goclient about it...
+ system("touch $mntdir/$ldev.mounted");
+ open
(D,">",expand_filename("~$user/export/$name.$ldev"));
+ print D "export=/media/$name/$ldev\n";
+ close (D);
+ }
+ elsif(system("fuseext2 $dev /media/$name/$ldev -o ro")==0)
+ {
+ syslog('notice', "USB device $name ($ldev) successfully mounted readonly (ext*fs detected)");
# if mounted, inform x2goclient about it...
system("touch $mntdir/$ldev.mounted");
open (D,">",expand_filename("~$user/export/$name.$ldev"));
print D "export=/media/$name/$ldev\n";
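Review bot: Every `system("mount ... $dev /media/$name/$ldev -o uid=$user,...")` call in the new if/elsif chain hands one interpolated string to the shell, so any shell metacharacter in $dev, $name, $ldev or $user is interpreted instead of being treated as data. If $name is built from the device's vendor/model description, its content is supplied by whatever medium gets plugged in. Use the list form, e.g. `system("mount", "-t", "vfat,ntfs", $dev, "/media/$name/$ldev", "-o", "uid=$user,sync,uni_xlate")`, and do the same for the `touch` and `fuseext2` calls. The four branches also repeat the same touch/open/print/close block with an unchecked `open`; moving it into one sub that checks the return value would keep the copies from drifting apart.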
A page in your DokuWiki was added or changed. Here are the details:
Date : 2017/11/20 12:49
Browser : Mozilla/5.0 (X11; Linux x86_64; rv:52.9) Gecko/20100101 Goanna/3.4 Firefox/52.9 PaleMoon/27.6.0
IP-Address : 134.3.37.90
Hostname : HSI-KBW-134-3-37-90.hsi14.kabel-badenwuerttemberg.de
Old Revision: https://wiki.x2go.org/doku.php/doc:howto:tce?rev=1511182069
New Revision: https://wiki.x2go.org/doku.php/doc:howto:tce
Edit Summary: [List of open ToDos/FIXMEs for this page] updated x2gocdmanager entry
User : stefanbaur
@@ -1028,13 +1028,13 @@
FIXME Maybe we should add symlinks to the mount points created by the automounter: Currently, we create ''/media/vendor_model_name/sdxn'' as a mount point. The idea is to allow the user to find their portable device using the vendor/model name description. However, this is unusable for scripting, as the ''//x//'' in ''sdxn'' may change any time. We should replace ''//sdx//'' with ''//partition//'' (or have corresponding
symlinks created), but what should we do for //superfloppies// that only have ''sdx'' with no partition number? We could mount them as ''/media/vendor_model_name/partition/'' or directly at ''/media/vendor_model_name/''. Also, symlinks using labels and uuids, similar to ''/dev/by-*'' would be handy for scripting. Another problem: when replacing ''sdx'', what will happen when a user inserts two media with the same vendor/model name at the same time? Blindly replacing the string would make one of them inaccessible due to overwriting the symlink(s). We'd have to start checking active mounts and enumerate them like ''media/vendor_model_name/1/partitionn/'' or ''media/vendor_model_name-1/partitionn/''.
FIXME Automount script currently expects a LUKS password in ''/etc/keys/keystick.key'' when it believes it has found an encrypted partition on USB media. This is a problem in general, as it should be trivial to sniff out this password using a rogue client. If we want to support this
feature, though, we should add code to the build script that lets the user place a password file in the image, and sets proper restrictive permissions. Adding a boot parameter instead of hardcoding it would allow for dynamic password files, but on the other hand, would make it even easier to sniff out the password.
- FIXME ''x2gocdmanager'' is currently not part of the image (I think), but should probably become part of it. While optical media are on their way out, they still exist and thus we should support them. However, the script is hardcoded for X2Go-TCE-NFS and needs to be adapted to work with both TCEs.
+ FIXME ''x2gocdmanager'' is currently not part of the image, but should become part of it. While optical media are on their way out, they still exist and thus we should support them. However, the script is hardcoded for X2Go-TCE-NFS and needs to be adapted to work with both TCEs.
FIXME ''pinentry-x2go'' and ''x2gosmartcardrules'' probably need further investigation to
make smartcard authentication work.
FIXME Even though we set the hostname to localhost using the corresponding boot parameter, as recommended by Debian, changing the name via DHCP does not work for all image flavours. One way to fix this might be http://blog.schlomo.schapiro.org/2013/11/setting-hostname-from-dhcp-in-debi…
FIXME At least when building a stretch TCE on a jessie system, you need to add kernel parameters ''net.ifnames=0 biosdevname=0'' to the image's kernel parameters, else you will receive error messages about the hostname script being unable to find eth0. This might not be necessary when building a stretch TCE on stretch. For a jessie TCE on jessie, it is not required.
A page in your DokuWiki was added or changed. Here are the details:
Date : 2017/11/20 12:47
Browser : Mozilla/5.0 (X11; Linux x86_64; rv:52.9) Gecko/20100101 Goanna/3.4 Firefox/52.9 PaleMoon/27.6.0
IP-Address : 134.3.37.90
Hostname : HSI-KBW-134-3-37-90.hsi14.kabel-badenwuerttemberg.de
Old Revision: https://wiki.x2go.org/doku.php/doc:howto:tce?rev=1511182005
New Revision: https://wiki.x2go.org/doku.php/doc:howto:tce
Edit Summary: [List of open ToDos/FIXMEs for this page] updated second partition on USB media FIXME
User : stefanbaur
@@ -953,9 +953,9 @@
</code>
FIXME Document how to add second partition to USB media after dd'ing the iso-hybrid image, and how to add X2GoClient-Portable to it.
- * The catch is that on USB media, Windows will only see the partition with the partition number 1, even if there is more than 1 partition.
+ * The catch is that on USB media, Windows (except for Windows 10 Creators Update and newer) will only see the
partition with the partition number 1, even if there is more than 1 partition.
* However, it doesn't care whether the partition bearing the number 1 is actually the first partition. It will happily display the contents of the second partition as long as it bears the number 1.
* So, one has to change the partition number of the dd'ed image to 2, then create a new partition in the remaining space and assign it the number 1 and a partition type of FAT (NTFS *might* work, but is untested.)
* After that, partition "number 1" - actually the second partition on the USB media - can be formatted.
* Once formatted, one can install X2GoClient for Windows on it, and add a short batch script or similar to run it in portable mode (''x2goclient.exe --portable --session-conf=sessions'').
A page in your DokuWiki was added or changed. Here are the details:
Date : 2017/11/20 12:46
Browser : Mozilla/5.0 (X11; Linux x86_64; rv:52.9) Gecko/20100101 Goanna/3.4 Firefox/52.9 PaleMoon/27.6.0
IP-Address : 134.3.37.90
Hostname : HSI-KBW-134-3-37-90.hsi14.kabel-badenwuerttemberg.de
Old Revision: https://wiki.x2go.org/doku.php/doc:howto:tce?rev=1511181792
New Revision: https://wiki.x2go.org/doku.php/doc:howto:tce
Edit Summary: [List of open ToDos/FIXMEs for this page] updated SSH Private Keys FIXME
User : stefanbaur
@@ -1000,24 +1000,13 @@
* additional scripts could be added that work "automagically" if there's no PXE/TFTP/HTTP/FTP server yet - maybe in a separate package x2go-tce-setup-aids.deb which then has dependencies on atftpd and apache|lighttpd, ...
FIXME To be checked: Does the live-config "builtin" command ''live-config.nottyautologin'' do the same as our ''nouser'' command? If yes, ''nouser'' could be removed. Note that
''live-config.nottyautologin'' **might** mean "there's a login prompt, but you just need to enter username ''user'' and password ''live'' to login" - this is not what we want. We need a solution to entirely block user logons.
- FIXME It would be cool if there was some kind of autodetection for SSH private keys, on local storage media and/or on USB media.
+ FIXME autodetection for SSH Private Keys might need some more bells and whistles.
For USB media, this may require adding an automounter.
- * Stefan once wrote a script 2500-x2go-keychange for this, but it only handles local storage media, also, it needs to be adapted to the current TCE.
- * 1150-openssh-readsshprivatekeys or 1150-x2go-readsshprivatekeys would probably be the proper names
- * Maybe it would be better to split the process into 2 scripts, one that fetches the keys from local storage/USB media, and one that patches the sessions file
- * 2800-x2go-thinclientconfig would also have to be changed so it uses
the keyfile(s) when in broker mode (''--broker-ssh-key'')
- * https://packages.debian.org/jessie/usbmount might come in handy - needs to be configured to mount everything read-only
- * udev can be used to trigger an action when a block device gets plugged in or plugged out: /lib/udev/rules.d/80-do-something.rules ''SUBSYSTEM=="block", RUN+="/usr/bin/some-command"'' (command to trigger devices that were already plugged in at boot: ''udevadm trigger --action=add'')
- * all keys found on "real" (non-USB) disks that weren't already mounted should be copied to the ramdisk, mimicking the directory structure, and the device should be umounted immediately afterwards (so we don't interfere with the update script when running from NTFS)
- * once a key has been selected, it should be copied to /home/user/.ssh/id_[d|r]sa, and all other in-memory copies of keys should be wiped
+ * how about a script that patches the sessions file to enable autologin for all sessions when keys have been
found?
+ * 2800-x2go-thinclientconfig needs to be changed so it uses the keyfile(s) when in broker mode (''--broker-ssh-key'')
* directory scan
- * scan USB devices first
- * scan already mounted block devices belonging to fixed disks next (parse output of ''df'' or ''/proc/mounts'')
- * then start ro-mounting remaining partitions
- * scan for .ssh and ssh folders in /, /home/*/ and /*/ (in case /home was a separate mount point), but no subdirectories underneath them
- * check every file using the ''file'' command - output ends e.g. in ''PEM RSA private key''
* should we abort on first match?
* how do we treat multiple keys?
* no keys on USB and exactly one key on disk -> use key
* exactly one key on USB -> takes precedence over key/keys found on disk? Or present chooser based on gxmessage?
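Review bot: The rewritten FIXME drops the two safety requirements the old list carried, that USB media be mounted read-only ("needs to be configured to mount everything read-only") and that unused key copies be removed ("all other in-memory copies of keys should be wiped"), without saying whether the implementation now does both. If it does, say so where the feature is documented; if not, keep them as open items under the new FIXME so they are not lost.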
@@ -1025,8 +1014,9 @@
* problem with gxmessage as chooser is that it can only display 6 buttons on 640x480 (Which we should assume as minimum
screen size)
* 4 key choices, back, next?
* oooooor we might just load all keys into ssh-agent and let it figure out which one it needs?
* next problem: How do we prompt for passwords of such keys?
+
FIXME 2200-xserver-xorg-getxorgconf should be taught to understand file:<nowiki>//</nowiki> URLs.
FIXME Parsing the output of e.g. <code>udevadm info --query path /dev/sdb
/devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/host2/target2:0:0/2:0:0:0/block/sdb
A page in your DokuWiki was added or changed. Here are the details:
Date : 2017/11/20 12:43
Browser : Mozilla/5.0 (X11; Linux x86_64; rv:52.9) Gecko/20100101 Goanna/3.4 Firefox/52.9 PaleMoon/27.6.0
IP-Address : 134.3.37.90
Hostname : HSI-KBW-134-3-37-90.hsi14.kabel-badenwuerttemberg.de
Old Revision: https://wiki.x2go.org/doku.php/doc:howto:tce?rev=1511181721
New Revision: https://wiki.x2go.org/doku.php/doc:howto:tce
Edit Summary: [List of open ToDos/FIXMEs for this page] removed FIXME that has been fixed
User : stefanbaur
@@ -997,18 +997,8 @@
* /usr/share/x2go-tcebuilder/template-scripts (scripts we ship, with a big fat header that they should not be changed, but copied)
* store the results somewhere under /var/lib/x2go-tcebuilder/ or whatever the proper place according to FHS and Debian would be
* turning it into a package would mean we could add dependencies as well, so the manual apt-get install would not be neccessary
* additional scripts
could be added that work "automagically" if there's no PXE/TFTP/HTTP/FTP server yet - maybe in a separate package x2go-tce-setup-aids.deb which then has dependencies on atftpd and apache|lighttpd, ...
-
- FIXME To avoid re-generating SSH Server keys on each ThinClient on every boot, they could be stored
- * in a file on a HTTP(S)/FTP/RSYNC server
- * on local storage (/etc/ssh)
- * a script 1155-openssh-readsshserverkeys would have to inject them before the server starts Tricky parts:
- * reading to local media means you need a way to determine where to read them from (in case of "toram", look for ntfs-uuid and findiso path)
- * reading from a remote server means you should use https, rsync, and/or some kind of signature check
- * a script 1165-openssh-writesshserverkeys would have to save them to local media/upload them after initial generation. Tricky parts:
- * saving to local media means you need a way to determine where to save them (in case of
"toram", look for ntfs-uuid and findiso path)
- * saving to a remote server means you need some kind of login credentials that could be abused
FIXME To be checked: Does the live-config "builtin" command ''live-config.nottyautologin'' do the same as our ''nouser'' command? If yes, ''nouser'' could be removed. Note that ''live-config.nottyautologin'' **might** mean "there's a login prompt, but you just need to enter username ''user'' and password ''live'' to login" - this is not what we want. We need a solution to entirely block user logons.
FIXME It would be cool if there was some kind of autodetection for SSH private keys, on local storage media and/or on USB media.
A page in your DokuWiki was added or changed. Here are the details:
Date : 2017/11/20 12:42
Browser : Mozilla/5.0 (X11; Linux x86_64; rv:52.9) Gecko/20100101 Goanna/3.4 Firefox/52.9 PaleMoon/27.6.0
IP-Address : 134.3.37.90
Hostname : HSI-KBW-134-3-37-90.hsi14.kabel-badenwuerttemberg.de
Old Revision: https://wiki.x2go.org/doku.php/doc:howto:tce?rev=1511181542
New Revision: https://wiki.x2go.org/doku.php/doc:howto:tce
Edit Summary: [List of open ToDos/FIXMEs for this page] updated automounter script FIXME
User : stefanbaur
@@ -1042,9 +1042,9 @@
/devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/host2/target2:0:0/2:0:0:0/block/sdb
cat /sys/devices/pci0000:00/0000:00:14.0/usb1/1-1/serial</code> allows to determine the serial number of a USB device. Those SHOULD be unique, but sadly, they aren't (and sometimes, they are missing entirely). Therefore, a USB serial number can't be used for authentication, but it could be used for "weak" identification - so it could
be used to set a default user name or a default session, or to download a particular sessions file.
Authentification and "hard" identification could be implemented using OpenPGP cards, ''scdaemon'' and a script based on ''/usr/share/doc/scdaemon/examples/scd-event''. For Status ''NOCARD'', suspend the session (kill x2goclient or send a signal that means "suspend", if available, or maybe sighup nxproxy), for status ''USABLE'', run ''gpg --card-status 2>&1 | awk '$1=="Serial" && $2=="number" {print $4}''' to determine the card's serial number, then act based on that (pull new sessions file or set default user, for example, and restart x2goclient).
- FIXME Automount script currently only understands VFAT and NTFS (and possibly hfs and iso9660?) - mounting other file systems will fail due to the uid= and uni_xlate mount options being unknown. Should be extended to support more file systems. ext* is problematic as it doesn't allow you to force an owner/group at mount. fuse's fuseext2
module might, though. Needs to be investigated further. However, it looks like fuseext2 only understands rw+, or rw,force as options, and write support is experimental. Update: fuseext2 will ignore access permissions, so chmod 600 root:root is still readable by the user that ran fuseext2. This is good for e.g. reading SSH keys from ext*-formatted USB media. Regarding write support, maybe a warning popup or a boot parameter should be added for those daring enough to enable it.
+ FIXME Automount script expansion is in the works. Will fully support VFAT, NTFS, hfs, hpfs, will offer read-only support for ext* via fuseext2 (that way, file ownership/permissions are ignored).
FIXME Maybe we should add symlinks to the mount points created by the automounter: Currently, we create ''/media/vendor_model_name/sdxn'' as a mount point. The idea is to allow the user to find their portable device using the vendor/model name description. However, this is unusable for scripting, as the ''//x//''
in ''sdxn'' may change any time. We should replace ''//sdx//'' with ''//partition//'' (or have corresponding symlinks created), but what should we do for //superfloppies// that only have ''sdx'' with no partition number? We could mount them as ''/media/vendor_model_name/partition/'' or directly at ''/media/vendor_model_name/''. Also, symlinks using labels and uuids, similar to ''/dev/by-*'' would be handy for scripting. Another problem: when replacing ''sdx'', what will happen when a user inserts two media with the same vendor/model name at the same time? Blindly replacing the string would make one of them inaccessible due to overwriting the symlink(s). We'd have to start checking active mounts and enumerate them like ''media/vendor_model_name/1/partitionn/'' or ''media/vendor_model_name-1/partitionn/''.
FIXME Automount script currently expects a LUKS password in ''/etc/keys/keystick.key'' when it believes it has found an encrypted partition on USB media. This is a problem in
general, as it should be trivial to sniff out this password using a rogue client. If we want to support this feature, though, we should add code to the build script that lets the user place a password file in the image, and sets proper restrictive permissions. Adding a boot parameter instead of hardcoding it would allow for dynamic password files, but on the other hand, would make it even easier to sniff out the password.
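Review bot: The new one-line summary "(that way, file ownership/permissions are ignored)" loses the consequence the removed text spelled out: with fuseext2, a file that is chmod 600 root:root on the medium is still readable by the user that ran fuseext2. State that explicitly, since it means on-disk permissions give no protection to anything on ext* media plugged into a ThinClient. The removed text also recorded that fuseext2 appeared to understand only rw+ or rw,force; the entry should say how the read-only mount is achieved.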
A page in your DokuWiki was added or changed. Here are the details:
Date : 2017/11/20 12:39
Browser : Mozilla/5.0 (X11; Linux x86_64; rv:52.9) Gecko/20100101 Goanna/3.4 Firefox/52.9 PaleMoon/27.6.0
IP-Address : 134.3.37.90
Hostname : HSI-KBW-134-3-37-90.hsi14.kabel-badenwuerttemberg.de
Old Revision: https://wiki.x2go.org/doku.php/doc:howto:tce?rev=1511181486
New Revision: https://wiki.x2go.org/doku.php/doc:howto:tce
Edit Summary: [List of open ToDos/FIXMEs for this page] updated x2gocdmanager entry
User : stefanbaur
@@ -1048,13 +1048,13 @@
FIXME Maybe we should add symlinks to the mount points created by the automounter: Currently, we create ''/media/vendor_model_name/sdxn'' as a mount point. The idea is to allow the user to find their portable device using the vendor/model name description. However, this is unusable for scripting, as the ''//x//'' in ''sdxn'' may change any time. We should replace ''//sdx//'' with ''//partition//'' (or have corresponding
symlinks created), but what should we do for //superfloppies// that only have ''sdx'' with no partition number? We could mount them as ''/media/vendor_model_name/partition/'' or directly at ''/media/vendor_model_name/''. Also, symlinks using labels and uuids, similar to ''/dev/by-*'' would be handy for scripting. Another problem: when replacing ''sdx'', what will happen when a user inserts two media with the same vendor/model name at the same time? Blindly replacing the string would make one of them inaccessible due to overwriting the symlink(s). We'd have to start checking active mounts and enumerate them like ''media/vendor_model_name/1/partitionn/'' or ''media/vendor_model_name-1/partitionn/''.
FIXME Automount script currently expects a LUKS password in ''/etc/keys/keystick.key'' when it believes it has found an encrypted partition on USB media. This is a problem in general, as it should be trivial to sniff out this password using a rogue client. If we want to support this
feature, though, we should add code to the build script that lets the user place a password file in the image, and sets proper restrictive permissions. Adding a boot parameter instead of hardcoding it would allow for dynamic password files, but on the other hand, would make it even easier to sniff out the password.
- FIXME ''x2gocdmanager'' is currently not part of the image (I think), but should probably become part of it. While optical media are on their way out, they still exist and thus we should support them.
+ FIXME ''x2gocdmanager'' is currently not part of the image (I think), but should probably become part of it. While optical media are on their way out, they still exist and thus we should support them. However, the script is hardcoded for X2Go-TCE-NFS and needs to be adapted to work with both TCEs.
FIXME ''pinentry-x2go'' and ''x2gosmartcardrules'' probably need further investigation to make smartcard authentication work.
FIXME Even though we set the hostname
to localhost using the corresponding boot parameter, as recommended by Debian, changing the name via DHCP does not work for all image flavours. One way to fix this might be http://blog.schlomo.schapiro.org/2013/11/setting-hostname-from-dhcp-in-debi…
FIXME At least when building a stretch TCE on a jessie system, you need to add kernel parameters ''net.ifnames=0 biosdevname=0'' to the image's kernel parameters, else you will receive error messages about the hostname script being unable to find eth0. This might not be necessary when building a stretch TCE on stretch. For a jessie TCE on jessie, it is not required.
A page in your DokuWiki was added or changed. Here are the details:
Date : 2017/11/20 12:38
Browser : Mozilla/5.0 (X11; Linux x86_64; rv:52.9) Gecko/20100101 Goanna/3.4 Firefox/52.9 PaleMoon/27.6.0
IP-Address : 134.3.37.90
Hostname : HSI-KBW-134-3-37-90.hsi14.kabel-badenwuerttemberg.de
Old Revision: https://wiki.x2go.org/doku.php/doc:howto:tce?rev=1511181339
New Revision: https://wiki.x2go.org/doku.php/doc:howto:tce
Edit Summary: [List of open ToDos/FIXMEs for this page] removed FIXME that has been fixed
User : stefanbaur
@@ -1056,5 +1056,5 @@
FIXME Even though we set the hostname to localhost using the corresponding boot parameter, as recommended by Debian, changing the name via DHCP does not work for all image flavours. One way to fix this might be http://blog.schlomo.schapiro.org/2013/11/setting-hostname-from-dhcp-in-debi…
FIXME At least when building a stretch TCE on a jessie system, you need to add kernel parameters ''net.ifnames=0
biosdevname=0'' to the image's kernel parameters, else you will receive error messages about the hostname script being unable to find eth0. This might not be necessary when building a stretch TCE on stretch. For a jessie TCE on jessie, it is not required.
- FIXME Document config/sshdkeys in detail.
+
A page in your DokuWiki was added or changed. Here are the details:
Date : 2017/11/20 12:35
Browser : Mozilla/5.0 (X11; Linux x86_64; rv:52.9) Gecko/20100101 Goanna/3.4 Firefox/52.9 PaleMoon/27.6.0
IP-Address : 134.3.37.90
Hostname : HSI-KBW-134-3-37-90.hsi14.kabel-badenwuerttemberg.de
Old Revision: https://wiki.x2go.org/doku.php/doc:howto:tce?rev=1511180919
New Revision: https://wiki.x2go.org/doku.php/doc:howto:tce
Edit Summary: added section regarding persistent SSH Host Keys
User : stefanbaur
@@ -717,8 +717,12 @@
So just do ''dd if=./original-x2go-tce-live-image-i386.hybrid.iso of=/dev/targetdevice'' and wait until it finishes.
Also, when using iso-hybrid and USB media, there are a few "cheats" to reclaim unused space on the USB media, and to turn it into a solution that allows you to run X2GoClient in portable mode on Windows, and boot it as X2Go-TCE, with a shared configuration file.
+
+ ===== Persistent SSH Host Keys =====
+ As there is no
simple way to have individual, persistent SSH Host Keys per ThinClient, and sharing secret host keys across machines is a bad idea, too, the default behavior is to generate a new key pair upon boot. If you need to SSH into ThinClients often, this may soon become annoying.
+ Therefore, X2Go-TCE-Live comes with a script that, during the boot process, will scan for USB media and fixed disk media (with fixed disk media taking precedence, unlike the ''copysecring'' boot parameter that copies SSH //Client// Private Keys when set) for a directory ''config/sshdkeys''. The volume must be labeled ''X2GO-TCE-LIVE'' and may use any supported file system, though write support is required if you want to store the keys from within X2Go-TCE-Live. If you're booting from fixed disk media/internal flash, you may put the folder directly in the root directory of your boot drive - just don't forget to change the volume label to the "magic value" ''X2GO-TCE-LIVE''. If the directory exists, but is empty,
all current SSH Host Keys will be copied into it (missing ones will be generated on the fly). Any SSH Host Keys found in the ''config/sshdkeys'' directory will be copied into ''/etc/ssh/'' (in the ramdisk), with proper permissions and ownerships for sshd, and sshd will be told to reload its config if required.
===== Boot Parameters for X2Go-TCE =====
<note important>**These are always required for security reasons, unless you are working on a debug image:**
* ''noroot'' - do not allow the local user account on the ThinClient (named "user") to become root, e.g. using sudo **Always set this unless you are debugging an image and need to log in locally!**
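Review bot: The new "Persistent SSH Host Keys" section should state its trust assumption. As written, the only selector is the volume label ''X2GO-TCE-LIVE'' plus a ''config/sshdkeys'' directory, and the script both imports keys from that directory into ''/etc/ssh/'' and writes the current host keys into it when it is empty, so control over the media attached at boot is control over the ThinClient's host keys. Say that this is intended for environments where physical access is controlled, and note that "any supported file system" includes ones such as FAT that cannot restrict access to the stored private keys.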