The branch, build-59a18b6e3b5d3f1dd8f07f26433d37fe5984a57d has been updated via 04aeddee31eb27ca15346f585b6b550f757b2e3f (commit) from d92c83a10d806f60fc797a06f6584445e6b16a2f (commit) Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below. - Log ----------------------------------------------------------------- ----------------------------------------------------------------------- Summary of changes: README.ssh-agent | 110 ++++++++++++++++++++++++++++++++++++++++++++++++ debian/changelog | 1 + debian/pyhoca-gui.docs | 1 + 3 files changed, 112 insertions(+) create mode 100644 README.ssh-agent The diff of changes is: diff --git a/README.ssh-agent b/README.ssh-agent new file mode 100644 index 0000000..5b0cf63 --- /dev/null +++ b/README.ssh-agent 
@@ -0,0 +1,110 @@ +SSH Agent support in PyHoca-GUI / Python X2Go +============================================= + +Quotation from the ssh-agent man page: + +""" +[...] + +The agent will never send a private key over its request channel. +Instead, operations that require a private key will be performed +by the agent, and the result will be returned to the requester. +This way, private keys are not exposed to clients using the agent. + +A UNIX-domain socket is created and the name of this socket is stored +in the SSH_AUTH_SOCK environment variable. The socket is made +accessible only to the current user. This method is easily abused by +root or another instance of the same user. + +[...] +""" + +So the benefit of SSH agent support is: no need to have private SSH keys +on remote systems anymore. You can keep your private ID files locally +and use SSH agent to handle authentication requests, even if you have +a chain of systems that you log in to: + + local-machine -> machine-1 -> machine-2 -> machine-3 ... + +The requirement for SSH agent usage: the system administrators of the +remote hosts must be trustworthy. They cannot obtain your private keys, +but they can use the SSH agent socket and log into systems in your +login chain under your identity. So, BEWARE!!! + + +1. AUTHENTICATION AGAINST SSH AGENT +----------------------------------- + +This feature has been added to Python X2Go 0.2.1.0. + +PyHoca-GUI / Python X2Go is aware of local SSH agents and can authenticated +against those. Use this feature with the following session profile options +set: + + [x] Discover SSH keys or use SSH agent for X2Go authentication + + autologin = true (or 1) + + [x] Discover SSH keys or use SSH agent for proxy authentication + + sshproxyautologin = true (or 1) + +Do not forget to run ssh-add (see the man page for more info). + +2. 
AUTHENTICATION REQUEST FORWARDING TO YOUR LOCAL SSH AGENT +------------------------------------------------------------ + +This feature has been added to Python X2Go 0.2.1.0 and requires Python Paramiko +1.8.0. + +PyHoca-GUI / Python X2Go supports forwarding of SSH agent authentication request. +Basically, you could say that the -A command line switch of the OpenSSH client +is now also available with X2Go. Please read the ssh man page for more +info on this. + +With this little howto, you can test SSH agent authentication request forwarding: + + Place your SSH pubkey on machine-1 and machine-2 (which can be reached via + machine-1) into the (for this demo) otherwise empty files: + + user-1@machine-1:~user-1/.ssh/authorized_keys + + and + + user-2@machine-2:~user-2/.ssh/authorized_keys + + Return to your local client: + + $ ssh-add [<priv-keyfile>] + $ pyhoca-gui + + Enable SSH agent forwarding in connection tab of a session profile for + machine-1. Use a simple TERMINAL session command. + + Connect to user-1@machine-1 and start a session on machine-1 + + $ echo $SSH_AUTH_SOCK + /tmp/ssh-<hash>/agent.<pid> + + $ ssh <user-2>@<machine-2> + (should work without password) + + For the authentication from user-1@machine-1 to user-2@machine-2 you use an + SSH agent connection that is tunneled back through Python X2Go to your client + machine (the machine you run PyHoca-GUI on). So, the SSH agent on your client + machine serves a challenge/response request from SSH client programs within + X2Go sessions. + + Note: if you try the above with a GNOME desktop (XFCE4 probably as well) the + gnome-keyring will hijack the SSH agent functionality and ignore forwarded + SSH agent connections. (This normally happens with the x2goserver-xsession + bin:package installed.) 
+ + Use the below command to disable the SSH agent feature in gnome-keyring (within the + X2Go Session): + + $ gconftool-2 -s /apps/gnome-keyring/daemon-components/ssh false --type bool + + After you have applied this gconf change, logout and re-start a new GNOME (or XFCE4) + session. Now SSH agent stuff is handled properly through ssh-agent and the ssh-agent + should also be aware of SSH agent forwarding connections. diff --git a/debian/changelog b/debian/changelog index c4c9400..a2e4523 100644 --- a/debian/changelog +++ b/debian/changelog @@ -33,6 +33,7 @@ pyhoca-gui (0.2.1.0-0~x2go1) UNRELEASED; urgency=low issue: #13. - Implement SSH agent, automatic key discovery, and SSH agent authentication request forwarding in session profile manager. + - Add SSH agent README. * /debian/control: + Maintainer change in package: X2Go Developers <x2go-dev@lists.berlios.de>. diff --git a/debian/pyhoca-gui.docs b/debian/pyhoca-gui.docs index 4a27220..e50977f 100644 --- a/debian/pyhoca-gui.docs +++ b/debian/pyhoca-gui.docs @@ -1,3 +1,4 @@ README README.Unity +README.ssh-agent TODO hooks/post-receive -- pyhoca-gui.git (Python X2Go Client (wxPython GUI)) This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "pyhoca-gui.git" (Python X2Go Client (wxPython GUI)).
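Review bot: Section 2 of README.ssh-agent tells the reader to "Enable SSH agent forwarding in connection tab of a session profile" but, unlike section 1, never names the session profile key to set; section 1 pairs each checkbox with its key (`autologin = true (or 1)`, `sshproxyautologin = true (or 1)`), and the forwarding step should do the same so it can be configured without the GUI. Two wording fixes in the same hunk: "can authenticated against those" should read "can authenticate against those", and "supports forwarding of SSH agent authentication request" should read "requests". Since the README itself warns that a remote administrator can use the forwarded socket to log in under the user's identity, it would also help to state explicitly that forwarding is a per-profile setting and should be left off for profiles whose remote hosts are not trusted.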