Hi Mike,

you wrote:

> > Which would be a NX/x2go-migration-blocker for those currently using 
> > the "store password" function of the NXclient.
>
> OK, you are thinking in migration NX2X2go-terms... I see.

That is the main objective that led me to the x2go project - as "FreeNX is dying, NetCraft confirms it". ;-)


> SSH keyfiles are indeed possible to use with both clients.

Interesting. I never used them with NX and can'T remember seeing a GUI option for this; then again, I'm not using the latest client.


> However, neither with PyHoca-GUI nor with X2goClient-qt you have a key 
> generation mechanism at hand. However, this would be really a need 
> feature:
>
>    o The client generates a key pair
>    o at first login, the pubkey is pushed to the server (this needs a password)
>    o at further logins, the pubkey is used for Auth...
>
> What do you think about something like this?

The idea of automatically generating a key pair sounds nice.

I'm not sure how to deal with the password issue, though.
I know that I can block password-based logins for root in sshd_config, so that root always requires a key file, but I wouldn't know how to tell SSH "if the user has a keyfile, disallow password-based logins" for regular users and on a per-user basis.

Also, this would mean that the initial password remains unchanged on the server, so someone gaining physical access to it could try to log in on the console as that particular user. Of course, physical security of the server is another issue that needs to be dealth with by the server administrator (and not by us) - but still, leaving an initial password unchanged sounds like asking for trouble.

If we had a mechanism to issue a passwd -l <username> after the keyfile has been transferred, things would look better. (AFAIK, a key file will still allow you access to your account even if your password has been locked).


> > Usability: The user is already authenticated on the Windows machine 
> > or the Windows Domain. No one else has access to the particular 
> > configuration file, as it is stored in the user's home directory 
> > (for this concept, it doesn't matter if it's a NX config file with a 
> > plaintext password, or a passwordless ssh secret key for x2go). 
> > There is absolutely no need to ask the user for a password again.
>
> Single-Sign-On is always a neat thing to have...

Indeed, and on Windows, it can usually only be achieved using third-party tools (and even with them, it's still a RPITA when it comes to proper administration of these tools: Detecting "Password expired, please change" application popups, fulfilling minimum password requirements, etc.). Very few programs query the Windows authentication to check if a particular user is permitted to run them.


[snip]
> Please let me known your opinion about the above approach (SSH key 
> generation). It should be rather easy to implement this into Python 
> X2go. If you are interested, I will add that to the PyHoca-GUI 
> enhancement wishlist.

I'd say add it to the wishlist, but with a "needs-more-thoughts" flag regarding proper implementation, see my worries above.

I hope my comments don't turn this wish into the following wish from the PuTTY wishlist: <http://goo.gl/CwZa8>

Kind Regards,
Stefan