On 13-12-12 14:44, Stefan Baur <newsgroups.mail2@stefanbaur.de> wrote:
> On 12.12.2013 14:20, Oleksandr Shneyder wrote:
>> - Support for GSSApi (Kerberos 5) authentication.
> Care to explain what that can be used for, to the non-initiated? :-)
Single-Sign-On done right. You log on with your Kerberos password, which creates an ephemeral "ticket" that allows password-less login to other services. Services might be e.g. ssh, but also websites, SMTP/IMAP/POP3 and quite a lot more.
Hypothetical scenario: You log in to your thin client running x2go with your username and password (smartcard would also be possible theoretically). That's the only time you need to type a password. You then connect to the x2go session broker, authenticated by your ticket, which assigns you to a server. On that server you log in with your ticket. You start a web browser and open your IMAP webclient, authenticated by your ticket which is forwarded from your thin client over the ssh/x2go connection to your browser. The IMAP webclient also authenticates via a forwarded ticket to the IMAP server where you read your email.
Of course this is somewhat hypothetical still because not every piece of software supports ticket forwarding and I'm not sure if x2go already does all that. Also, services like the x2go session broker would have to be extended to support this kind of authentication I guess. But what should generally work is passwordless x2go in places where passwordless ssh already works via Kerberos.
Ciao,
Alexander Wuerstlein.
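
The ticket forwarding described in the message above is controlled on the OpenSSH client by `GSSAPIDelegateCredentials`, and a forwarded ticket can be used by whoever controls the remote host, so it is worth checking that delegation is limited to the hosts that need it. The following is an added example, not part of the original message or of x2go: the function name `audit_gssapi_delegation` and the hostnames in the sample are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: list where an ssh_config enables Kerberos ticket delegation.
# Reads ssh_config text on stdin; prints "<class><TAB><scope>" per finding:
#   BROAD  = applies globally or to a wildcard Host pattern
#   scoped = applies to explicitly named hosts only
#   REVIEW = set inside a Match block, which this script does not evaluate
audit_gssapi_delegation() {
  awk '
    BEGIN { scope = "(global)"; in_match = 0 }
    /^[ \t]*#/ { next }                       # comment line
    { gsub(/=/, " ") }                        # accept "Keyword=value"
    NF == 0 { next }
    { key = tolower($1) }                     # keywords are case-insensitive
    key == "host" {
      $1 = ""; sub(/^ +/, ""); scope = $0; in_match = 0; next
    }
    key == "match" { scope = $0; in_match = 1; next }
    key == "gssapidelegatecredentials" && tolower($2) == "yes" {
      if (in_match)                                cls = "REVIEW"
      else if (scope == "(global)" || scope ~ /[*?]/) cls = "BROAD"
      else                                         cls = "scoped"
      printf "%s\t%s\n", cls, scope
    }
  '
}

# Constructed sample config; hostnames are placeholders.
SAMPLE_CONFIG='
# Kerberos login and ticket forwarding to the session broker only
Host broker.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

# Kerberos login, but no ticket forwarding
Host *.example.org
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no

# Forwards the ticket to every other host the user connects to
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
'

printf '%s\n' "$SAMPLE_CONFIG" | audit_gssapi_delegation
```

On the server side, `GSSAPIAuthentication yes` in `sshd_config` is what allows the ticket-based login in the first place.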