Hi all,
during the last couple of days I have added SSH Agent
(forwarding+auth) support to Python X2Go (and so to PyHoca-GUI and
PyHoca-CLI).
The feature is already available in the nightly-build (Debian)
archive. The Ubuntu nightly-built packages should follow soon.
For SSH agent forwarding you need the not-yet-released Paramiko
version 1.8.0. For Debian I have packaged a Git snapshot and it is
available with the nightly-build of python-x2go.
Try it out:
Place your SSH pubkey on machine-1 and machine-2 (which can be reached via machine-1) into the (for this demo) otherwise empty files:
user-1@machine-1:~user-1/.ssh/authorized_keys
and
user-2@machine-2:~user-2/.ssh/authorized_keys
Back on your local client:
$ ssh-add [<priv-keyfile>]
$ pyhoca-gui
Enable SSH agent forwarding in the connection tab of a session profile for machine-1. Use a simple TERMINAL session command.
Connect to user-1@machine-1 and start a session on machine-1:
$ echo $SSH_AUTH_SOCK
/tmp/ssh-<hash>/agent.<pid>
$ ssh <user-2>@<machine-2> (should work without password)
For the authentication from user-1@machine-1 to user-2@machine-2 you use an
SSH agent connection that is tunneled back through Python X2Go to your client
machine (the machine you run PyHoca-GUI on). So, the SSH agent on your client
machine serves a challenge/response request from SSH client programs within
X2Go sessions.
Note: if you try the above with a GNOME desktop (XFCE4 probably as well) the gnome-keyring will hijack the SSH agent functionality and ignore forwarded SSH agent connections (with x2goserver-xsession package installed).
Use this command to disable the SSH agent feature in gnome-keyring (within the X2Go session):
$ gconftool-2 -s /apps/gnome-keyring/daemon-components/ssh false --type bool
After you have applied this gconf change, log out and start a new GNOME session. Now SSH agent stuff is handled through ssh-agent and it should also be aware of SSH agent forwarding connections.
Have fun!
Mike
--
DAS-NETZWERKTEAM mike gabriel, rothenstein 5, 24214 neudorf-bornstein fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
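
An added check, not part of the original mail or of Python X2Go: run inside the X2Go session, it reports which agent sits behind `SSH_AUTH_SOCK` and lists the key fingerprints that agent offers, which shows whether the forwarded agent or gnome-keyring is answering. The `keyring` path pattern used to recognise gnome-keyring is an assumption; the request and answer framing follows the SSH agent protocol.

```python
import base64, hashlib, os, re, socket, struct

REQUEST_IDENTITIES, IDENTITIES_ANSWER = 11, 12  # SSH agent protocol message types

def classify_sock(path):
    """Heuristic: guess the agent from the socket path (patterns are assumptions)."""
    if not path:
        return "none"
    if "keyring" in path:  # assumed gnome-keyring layout, e.g. .../keyring/ssh
        return "gnome-keyring"
    if re.fullmatch(r"/tmp/ssh-[^/]+/agent\.\d+", path):  # path form shown in the mail
        return "ssh-agent"
    return "unknown"

def _read_string(buf, off):
    """Read one length-prefixed string; reject lengths that run past the buffer."""
    end = off + 4 + int.from_bytes(buf[off:off + 4], "big")
    if off + 4 > len(buf) or end > len(buf):
        raise ValueError("truncated agent reply")
    return buf[off + 4:end], end

def parse_identities(body):
    """Parse an identities answer (type byte onward) into (fingerprint, comment) pairs."""
    if len(body) < 5 or body[0] != IDENTITIES_ANSWER:
        raise ValueError("not an identities answer")
    off, keys = 5, []
    for _ in range(int.from_bytes(body[1:5], "big")):
        blob, off = _read_string(body, off)
        comment, off = _read_string(body, off)
        fp = base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()
        keys.append(("SHA256:" + fp, comment.decode("utf-8", "replace")))
    return keys

def query_agent(path):
    """Ask the agent behind `path` for its identities; no signature is requested."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(5)
        s.connect(path)
        s.sendall(struct.pack(">IB", 1, REQUEST_IDENTITIES))
        reply = s.makefile("rb")
        length = int.from_bytes(reply.read(4), "big")
        return parse_identities(reply.read(min(length, 262144)))  # sanity cap

if __name__ == "__main__":
    path = os.environ.get("SSH_AUTH_SOCK", "")
    print(classify_sock(path), path)
    for fp, comment in (query_agent(path) if path else []):
        print(fp, comment)
```

The fingerprints printed in the session should match `ssh-add -l` on the client machine; an empty list or different keys means another agent is answering.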