On 06.12.2013 18:44, Nick Ingegneri wrote:
> Whatever solution we choose has to work within the existing environment and support the existing workflow. Our current workflow uses a mixture of xhost and xauth to allow xclients to connect to xservers. While "ssh -Y" may technically be an elegant solution, requiring it would break our existing tools, processes, and scripts.
Well, guys, it's 2013, almost 2014, and we live in the Post-NSA-Scandal world. The times of using "xhost +" and not having to worry about it are long over. Do yourself a favor and change your scripts.
> I acknowledge that there is a security issue with TCP connections in X11, but that is an architectural issue with X11 itself and not with X2Go per se. If the developers of X2Go were to make TCP connections impossible then effectively the defined security model of X11 (as documented in places like the XSecurity and Xauth man pages) would be broken. TCP is part of how X11 works.
As a side note, I hope you're aware that those newfangled GUI thingies like Wayland and Mir are ditching TCP in their core design? Just sayin' (I don't like them, either) - so that it doesn't come back to bite you in the lower back in a few years when you don't expect it.
> Once it became apparent in our testing that exporting displays didn't work as expected, the system administrator who installed it went through the configuration files and documentation looking for a solution. He couldn't find one, so he escalated it to me to look into. If we hadn't been able to find a fix it would have ruled out X2Go from further consideration, which would have been unfortunate as it is currently our leading choice for this particular need.
In my opinion, Mike is a bit too customer-friendly here by turning your request into a wishlist item that lets every newbie shoot him-/herself in the foot, security-wise, by toggling a setting in the configuration. Sorry, but I've seen way too many people go "chmod 777 -R /*" as soon as something doesn't work as expected, and I'm fearing the same for an easily reachable option to allow TCP connections - because "xhost +" is the X/TCP equivalent of "chmod 777 -R /*" in the filesystem.
Of course, everybody is free to shoot him-/herself in the foot, that's why it's Linux - but merely leaving a "this is dangerous" note next to the parameter is like sticking a tag "please don't use this unless you know what you're doing" on a loaded 12-gauge in a room full of toddlers.
> Hopefully the above helps persuade you that there is a need for some users to be able to continue to support the existing X11 security model (including TCP).
Sorry, but you don't have me convinced that this is something anyone should use for a prolonged period of time.
> If you accept that point, then it seems there should be a more elegant way of enabling TCP than editing the x2gostartagent file. As someone brand new to looking at the project, files like x2goagent.options or x2goserver.conf are the obvious places I would expect to find an option to make this change.
My understanding of the issue is: It's possible to allow TCP connections, and the fact that it's not easily reachable - but can be reached - is a Good Thing(TM). We should leave it that way. You can manually allow TCP connections in your environment to ease transition to X2Go - but by all means, go ahead and fix your scripts so they use ssh -X/-Y, and do that soon. And reconfigure X2Go to "nolisten TCP" the second you're done fixing your scripts.
-Stefan
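The check Stefan's advice implies, as an added example that is not from the thread and not X2Go code: is this display reachable over TCP (a listener on port 6000 + display number, or an X server started without "-nolisten tcp"), and has someone left the access list in the "xhost +" state? The helper functions take command output as arguments so they can be run against saved or constructed samples; audit_display() feeds them live output. The list of X server process names and the ps/ss/netstat parsing are my own heuristics, not anything the thread or X2Go specifies.

```shell
#!/bin/sh
# Added example; not part of the original thread and not X2Go code.
# Audits an X display for the two conditions the reply warns against:
#   1. an X server that accepts TCP connections (port 6000 + display open,
#      or no "-nolisten tcp" on its command line), and
#   2. an access list opened with "xhost +" or "xhost +somehost".
# The helpers take command output as arguments so they can be run against
# constructed samples; audit_display() feeds them live command output.
# The process-name list and the ps/ss/netstat parsing are heuristics.

# Display number from a DISPLAY string such as ":0", ":10.0" or "host:1.0".
display_number() {
    d="${1#*:}"        # drop everything up to and including the colon
    echo "${d%%.*}"    # drop any ".screen" suffix
}

# TCP port an X server listens on for a display number: 6000 + display.
display_tcp_port() {
    echo $((6000 + $1))
}

# Classify an X server command line (e.g. one line of `ps -eo args=`):
# "nolisten" (TCP explicitly off), "listen" (explicitly on) or "default"
# (no flag; the effective value depends on the server build, so treat it
# as unknown rather than safe).
xserver_tcp_policy() {
    case " $1 " in
        *" -nolisten tcp "*) echo nolisten ;;
        *" -listen tcp "*)   echo listen ;;
        *)                   echo default ;;
    esac
}

# Classify `xhost` output: "open" when access control is disabled (the
# "xhost +" state), "hosts" when host-wide INET/INET6 entries exist (any
# user on that host may connect), "ok" when only per-user SI: entries remain.
xhost_policy() {
    case "$1" in
        "access control disabled"*) echo open; return 0 ;;
    esac
    if printf '%s\n' "$1" | grep -Eq '^INET6?:'; then
        echo hosts
    else
        echo ok
    fi
}

# Given `ss -ltn` or `netstat -ltn` output and a port, succeeds (0) when
# some socket is listening on that port on any address.
port_is_listening() {
    printf '%s\n' "$1" | grep -Eq "[:.]$2[[:space:]]"
}

# Live audit of $DISPLAY (defaults to :0). Prints findings; returns 1 if any.
audit_display() {
    disp="${DISPLAY:-:0}"
    num=$(display_number "$disp")
    port=$(display_tcp_port "$num")
    rc=0

    sockets=$(ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null)
    if port_is_listening "$sockets" "$port"; then
        echo "WARN: something is listening on TCP port $port (display $disp)"
        rc=1
    fi

    # First X server process (heuristic name list) that names this display.
    args=$(ps -eo args= 2>/dev/null \
        | grep -E '(^|/)(Xorg|X|Xvfb|x2goagent|nxagent) ' \
        | grep -E "(^| ):$num( |$)" | head -n 1)
    if [ -n "$args" ]; then
        case $(xserver_tcp_policy "$args") in
            listen)  echo "WARN: server started with -listen tcp: $args"; rc=1 ;;
            default) echo "NOTE: no explicit -nolisten tcp flag: $args" ;;
        esac
    fi

    acl=$(xhost 2>/dev/null)
    case $(xhost_policy "$acl") in
        open)  echo "WARN: access control disabled (xhost +); run 'xhost -'"; rc=1 ;;
        hosts) echo "WARN: host-wide xhost entries present:"
               printf '%s\n' "$acl" | grep -E '^INET6?:'; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $disp has no TCP listener and no open xhost list"
    return "$rc"
}

# Run the live audit only when asked, so the helpers can be sourced or
# tested without touching the running system.
if [ "${1:-}" = "--audit" ]; then
    audit_display
fi
```

Run it as `sh x11-tcp-audit.sh --audit` inside the session being checked. Once the scripts have been moved to `ssh -X`/`-Y` and the X2Go server is back on "nolisten tcp", the audit should print only the OK line: no listener on 6000 + display, and an `xhost` list that contains nothing but per-user SI:localuser entries.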