This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch master in repository x2gobroker. commit 752a74133e9423173087f848b53b7133ca3ea1e1 Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Date: Mon Apr 20 20:37:39 2020 +0200 contrib/x2go-mini-sshbroker: Contribute Bash script that demonstrate a simple X2Go SSH Broker written in Bash. (Fixes: 1459). --- contrib/x2go-mini-sshbroker | 166 ++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 4 ++ 2 files changed, 170 insertions(+) diff --git a/contrib/x2go-mini-sshbroker b/contrib/x2go-mini-sshbroker new file mode 100644 index 0000000..6a823c0 --- /dev/null +++ b/contrib/x2go-mini-sshbroker @@ -0,0 +1,166 @@ +#!/bin/bash + +# This file is part of the X2Go Project - http://www.x2go.org +# Copyright (C) 2018 by Stefan Baur <X2Go-ML-1@baur-itcs.de> +# +# X2Go Mini SSH Session Broker is free software; you can redistribute it and/or modify +# it under the terms of the GNU Affero General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# X2Go Mini SSH Session Broker is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Affero General Public License for more details. +# +# You should have received a copy of the GNU Affero General Public License +# along with this program; if not, write to the +# Free Software Foundation, Inc., +# 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. + +# Features and Limitations +# You can add sessions as for-everyone (defaultsessions), per-group, and per-user +# You cannot add sessions based on IP range +# You cannot deny sessions based on group, user, or IP range +# Checking for suspended sessions and resuming them only works if you are logged in +# to the broker with the same credentials that you want to use to start/resume +# the session AND +# if broker and X2Go server are one and the same machine +# (This could be expanded so it works with separate machines, as long as ssh +# public/private key authentication and autologin is used.) + +# Config goes here - always only one session per file! +# /etc/x2go/x2go-mini-sshbroker/defaultsessions/*.session +# /etc/x2go/x2go-mini-sshbroker/${USER}/*.session +# /etc/x2go/x2go-mini-sshbroker/groups/${GROUP}/*.session + +### init ### +# make a list of the parameters we received on the command line +PARAMLIST=$(echo -e "$@" | sed -e 's/ --/\n--/g') + +# make sure we have a directory to write our config file to +mkdir -p ~/.x2go + +### main ### + +# check if we were asked to list sessions +if (echo -e "$PARAMLIST" | grep -q -- '--task listsessions'); then + + # this is so we can request data for a username that is different from the one we used + # to log in and run this script with + REQUESTEDUSER=$(echo -e "$PARAMLIST" | awk '$1 == "--user" { print $2}') + if [ -n "$REQUESTEDUSER" ]; then + USER=$REQUESTEDUSER + fi + + # fetch default sessions + if [ -d /etc/x2go/x2go-mini-sshbroker/defaultsessions ]; then + for SINGLESESSIONFILE in /etc/x2go/x2go-mini-sshbroker/defaultsessions/*.session ; do + # add session file name to the list of sessionfiles + SESSIONFILES+="$SINGLESESSIONFILE\n" + # figure out what the name of the session should be, based on the filename + SINGLESESSIONNAME=$(basename $SINGLESESSIONFILE | sed -e 's/\.session$//') + # check if the session file already contains a proper header block + if (grep -q "^\[$SINGLESESSIONNAME\]" $SINGLESESSIONFILE); then + # if it does, all we do is replace the user name + SESSIONLIST+="\n$(grep -v '^user=' $SINGLESESSIONFILE)\nuser=$USER\n" + else + # if it does not, we add a header based on the file name, and replace the user name + SESSIONLIST+="\n[$SINGLESESSIONNAME]\n$(grep -v '^\[' $SINGLESESSIONFILE | grep -v '^user=')\nuser=$USER\n" + fi + done + fi + + # fetch user-specific sessions + if [ -d /etc/x2go/x2go-mini-sshbroker/$USER ]; then + for SINGLESESSIONFILE in /etc/x2go/x2go-mini-sshbroker/$USER/*.session ; do + # add session file name to the list of sessionfiles + SESSIONFILES+="$SINGLESESSIONFILE\n" + # figure out what the name of the session should be, based on the filename + SINGLESESSIONNAME=$(basename $SINGLESESSIONFILE | sed -e 's/\.session$//') + # check if the session file already contains a proper header block + if (grep -q "^\[$SINGLESESSIONNAME\]" $SINGLESESSIONFILE); then + # if it does, all we do is replace the user name + SESSIONLIST+="\n$(grep -v '^user=' $SINGLESESSIONFILE)\nuser=$USER\n" + else + # if it does not, we add a header based on the file name, and replace the user name + SESSIONLIST+="\n[$SINGLESESSIONNAME]\n$(grep -v '^\[' $SINGLESESSIONFILE | grep -v '^user=')\nuser=$USER\n" + fi + done + fi + + # fetch group-specific sessions + if [ -d /etc/x2go/x2go-mini-sshbroker/groups ]; then + # determine groups for this user and work through the list + for SINGLEGROUP in $(id -Gn $USER) ; do + if [ -d /etc/x2go/x2go-mini-sshbroker/groups/$SINGLEGROUP ]; then + for SINGLESESSIONFILE in /etc/x2go/x2go-mini-sshbroker/groups/$SINGLEGROUP/*.session ; do + # add session file name to the list of sessionfiles + SESSIONFILES+="$SINGLESESSIONFILE\n" + # figure out what the name of the session should be, based on the filename + SINGLESESSIONNAME=$(basename $SINGLESESSIONFILE | sed -e 's/\.session$//') + # check if the session file already contains a proper header block + if (grep -q "^\[$SINGLESESSIONNAME\]" $SINGLESESSIONFILE); then + # if it does, all we do is replace the user name + SESSIONLIST+="\n$(grep -v '^user=' $SINGLESESSIONFILE)\nuser=$USER\n" + else + # if it does not, we add a header based on the file name, and replace the user name + SESSIONLIST+="\n[$SINGLESESSIONNAME]\n$(grep -v '^\[' $SINGLESESSIONFILE | grep -v '^user=')\nuser=$USER\n" + fi + done + fi + done + fi + + # store list of session files + TEMPBROKERSESSIONFILE=$(mktemp -p ~/.x2go) + echo -e "$SESSIONFILES">$TEMPBROKERSESSIONFILE + # atomic transaction, so it is always complete when accessed, even when multiple instances are run in parallel + mv $TEMPBROKERSESSIONFILE ~/.x2go/brokersessionfile-${USER} # needs user name, in case we ssh'ed into the broker using different credentials + + # output all session data + echo -e "Access granted" + echo -e "START_USER_SESSIONS" + echo -e "$SESSIONLIST" + echo -e "END_USER_SESSIONS" + +# check if we were asked to provide a server name/IP and port for a specific session +elif (echo -e "$PARAMLIST" | grep -q -- '--task selectsession'); then + SESSIONID=$(echo -e "$PARAMLIST" | awk '$1 == "--sid" { print $2 }') + # search for the line with the corresponding session file in our stored list of files + SESSIONFILE=$(grep "$SESSIONID" ~/.x2go/brokersessionfile-${USER}) + # determine server name/IP and port from this file + SERVER=$(awk -F '=' '$1 == "host" { print $2 }' $SESSIONFILE) + PORT=$(awk -F '=' '$1 == "sshport" { print $2 }' $SESSIONFILE) + # if this failed, set default values + if [ -z "$SERVER" ] && [ -f /etc/x2go/x2go-mini-sshbroker/defaulthost ]; then + # determine default hostname/IP + read DEFAULTHOST </etc/x2go/x2go-mini-sshbroker/defaulthost + SERVER=$DEFAULTHOST + fi + + if [ -z "PORT" ]; then + PORT=22 + fi + + # output all data + echo -e "Access granted" + echo -e "SERVER:$SERVER:$PORT" + # check for suspended sessions + SESSIONLIST=$(x2golistsessions) + # NOTE: at present, this only checks for local sessions (X2GoBroker==X2GoServer) + # to make this work with a separate X2GoServer, we would need something like + #if [ -z "$SESSIONLIST" ] && [ -n "$SSH_AUTH_SOCK" ]; then + # # very hackish and not safe! Try to add hosts to a shared known_hosts file in advance, and place it in /etc/x2go/x2go-mini-sshbroker/ + # # then point UserKnownHostsFile at that and get rid of the StrictHostKeyChecking=false + # SESSIONLIST=$(ssh -oStrictHostKeyChecking=false -oUserKnownHostsFile=/dev/null -p $PORT -A $USER@$SERVER x2golistsessions 2>/dev/null) + #fi + # but the problem is, that it seems SSH_AUTH_SOCK is not set by the broker when logging in + # one way around this might be an ssh private key stored in /etc/x2go/x2go-mini-sshbroker/, that is added as a limited key with + # "forced-command=x2golistsessions_root" to /root/.ssh/authorized_keys to all servers - the output would then have to be filtered for the + # username in question, as _root shows the data of all users on that particular host + if [ -n "$SESSIONLIST" ]; then + echo "SESSION_INFO:$SESSIONLIST" + fi +fi +# DEBUG echo "$@" >>/tmp/x2go-mini-sshbroker-commands diff --git a/debian/changelog b/debian/changelog index bbede3b..d89ac2d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -5,6 +5,10 @@ x2gobroker (0.0.4.2-0x2go1) UNRELEASED; urgency=medium * x2gobroker/defaults.py: Hint that there is a new feature in X2Go: X2Go KDrive. + [ Stefan Baur ] + * contrib/x2go-mini-sshbroker: Contribute Bash script that demonstrate + a simple X2Go SSH Broker written in Bash. (Fixes: 1459). + -- X2Go Release Manager <git-admin@x2go.org> Mon, 22 Apr 2019 12:31:49 +0200 x2gobroker (0.0.4.1-0x2go1) unstable; urgency=medium -- Alioth's /home/x2go-admin/maintenancescripts/git/hooks/post-receive-email on /srv/git/code.x2go.org/x2gobroker.git