I have replied to this mail on X2Go User. Thread continues there...

Mike

On Fri 25 Oct 2013 19:28:11 CEST, Ted Barnes wrote:
Hi All:
Am trying to get up to speed on x2go session broker, but am having trouble. Any suggestions?
When I try to connect I get:

Error Login failed! Please try again.

Along with...
broker url: http://xxx.xxx.xxx.xxx/:8080/plain/inifile
broker url:http://xxx.xxxx.xxx.xxx/:8080/plain/inifile

or....
broker url:http://user@xxx.xxx.xxx.xxx/cgi-bin/x2gobroker.cfgi
As I'm getting started, I'm trying to do this on my LAN (all behind my firewall) without any ssh (longer term I want to see if I can run sessions inside SSL). I've disabled all the iptable rules on my server....and tried various settings in the x2gobroker.conf and x2gobroker-sessionprofiles.conf files which have not really changed the error message but may be the problem (see below).
I can connect using the x2go client GUI "the normal way", and the first time I got a window on the client "The server is unknown. Do you trust the host key....", which I assume is x2go dynamically creating a ssh tunnel? This part works fine.
However, when I try from the command line with an "x2goclient --broker-..." type of command, I get the Error message.
Both client and server are running Debian Squeeze, and on the server I've successively installed:

x2gobroker-wsgi
apache2
libapache20mod-wsgi
x2gobroker-authservice (wasn't sure if I should install this for my initial tests)
My x2gobroker.conf:

# This file is part of the X2Go Project - http://www.x2go.org
# Copyright (C) 2011-2013 by Oleksandr Shneyder <oleksandr.shneyder@obviously-nice.de>
# Copyright (C) 2011-2013 by Heinz-Markus Graesing <heinz-m.graesing@obviously-nice.de>
# Copyright (C) 2012-2013 by Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
#
# X2Go Session Broker is free software; you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# X2Go Session Broker is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program; if not, write to the
# Free Software Foundation, Inc.,
# 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.

###
### GLOBAL section
###

[global]

# Allow unauthenticated connections? Then set check-credentials to false.
check-credentials = false

# To secure server-client communication the client can start the communication
# with a pre-set, agreed on authentication ID. Set the below value to true
# to make the X2Go Session Broker require this feature
#require-cookie-auth = false ### NOT-IN-USE-YET

# X2Go supports two different cookie authentication modes (static and dynamic).
#use-static-cookie = false ### NOT-IN-USE-YET

# Every server-client communication (between X2Go Client and broker) has to be
# accompanied by this initial authentication cookie.
#my-cookie = <aaaavveeeerrrrryyyyylooonnnnggggssttrrriiinnnggg> ### NOT-IN-USE-YET

# X2Go Session Broker knows about two output formats: a text/plain based output
# and a text/json based output that is compatible with UCCS. The different outputs
# run under different URLs.

enable {base_url}/plain/
enable-plain-output = true

# enable {base_url}/uccs/
#enable-uccs-output = false

# use this URL base to create URL field in UCCS-style JSON output
#my-uccs-url-base = http://localhost:8080/

# default authentication mechanism for all broker backends
default-auth-mech = pam

# how does this X2Go Session Broker instance retrieve user and group
# information from the system? (defaults for all broker backends)
default-user-db = libnss
default-group-db = libnss

# on large deployments it is recommended to ignore primary group
# memberships traversing into all user accounts for primary group
# detection can be quite CPU intensive on the X2Go Broker server.
#ignore-primary-group-memberships = true

# X2Go session autologin via X2Go Session Broker
#
# Once authenticated against the session
# broker, the user becomes a trusted user. That is, the X2Go session login can
# be automatized by a very temporary SSH pub/priv key pair. Prior to the session
# login the key is generated, after successful session login, the key is dropped
# immediately.
#
# This option can be overridden by the session profile parameter
# broker-session-autologin={true|false}
broker-session-autologin=true
default-session-autologin=true
# X2Go's authorized_keys file for broker mediated autologin sessions
#
# For the X2Go auto-login via X2Go Session Broker feature to work thoroughly,
# the X2Go Session Broker has to place the temporary public SSH key into the
# user's home directory. It is not recommended to use SSH's default
# authorized_keys file for this but a separate and X2Go-specific authorized_keys
# file ($HOME/.x2go/authorized_keys).
#
# Of course, the SSH daemon has to be made aware of this. This can be configured
# in /etc/ssh/sshd_config like this:
#
# --- /etc/ssh/sshd_config.no-x2go 2013-03-01 09:57:04.000000000 +0100
# +++ /etc/ssh/sshd_config 2013-03-01 09:56:57.000000000 +0100
# @@ -28,7 +28,8 @@
#
# RSAAuthentication yes
# PubkeyAuthentication yes
# AuthorizedKeysFile %h/.ssh/authorized_keys
# +AuthorizedKeysFile2 %h/.x2go/authorized_keys
#
# # Don't read the user's ~/.rhosts and ~/.shosts files
# IgnoreRhosts yes
#
# This option can be overridden by the session profile parameter
# broker-authorized-keys=<file-location>
#default-authorized-keys=%h/.x2go/authorized_keys
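Review bot: the added "AuthorizedKeysFile2 %h/.x2go/authorized_keys" line gives sshd a second per-user key file that the broker writes to, but neither the hunk nor the comment around it says what ownership and mode %h/.x2go and that file need, or what removes a temporary key when the session login never succeeds (the autologin comment only covers removal "after successful session login"). Suggest stating both next to this diff, so that an admin applying it knows what to verify on the X2Go Server.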
# X2Go Broker Agent query mode
#
# The X2Go Broker Agent is needed for multi-server sites configured for
# load balancing. Multi-server sites require a setup that uses the
# PostgreSQL X2Go session DB backend. The X2Go Broker Agent has to be installed
# on the local system (mode: LOCAL) or on all X2Go Servers (mode: SSH) in a
# multi-server farm.
#
# So, there are three query modes for the X2GO Broker Agent: NONE, LOCAL and
# SSH.
#
# NONE - Try to get along without X2Go Broker Agent queries. For simple
#        broker setups this may suffice. For load-balancing or reliable
#        session suspending and resuming the broker agent is a must!!!
#
# LOCAL - This LOCAL mode only works for _one_ configured multi-server farm.
#         If this X2Go Session Broker is supposed to serve many different
#         multi-server farms, then the LOCAL mode will not work!!!
#
#         How it works: Assume that the local system has an X2Go Broker Agent
#         that knows about the multi-server setup. This means: X2Go Server
#         has to be installed locally and the X2Go Server has to be
#         configured to use the multi-server farm's PostgreSQL session DB
#         backend.
#
#         The local system that is running the broker does not necessarily
#         have to be a real application server. It only has to be aware of
#         running/suspended sessions within the X2Go multi-server farm setup.
#
#         A typical use-case is X2Go on top of a Debian Edu Terminal-Server
#         farm:
#
#         TJENER -> PostgreSQL DB, X2Go Server, X2Go Session Broker +
#                   Broker Agent
#         TS01 - TS0X -> X2Go Server configured to use the PostgreSQL DB
#                        on TJENER
#
# SSH - The more generic approach, but also more complex. It allows that
#       the broker on this system may serve for many different X2Go Server
#       multi-server setups.
#
#       With the SSH agent query mode, the X2Go Session Broker will query
#       one of the X2Go Servers in the targeted multi-server setup (through
#       SSH). The SSH authentication is done by a system user account
#       (normally UID=x2gobroker) and SSH pub/priv key authentication has
#       to be configured to make this work.
#
#       All X2Go Servers in a multi-server farm need the X2Go Broker Agent
#       installed, whereas this local system running the X2Go Session
#       Broker does not need a local X2Go Broker Agent at all.
#
# The agent query mode can be configured on a per-broker-backend basis, the
# below value is the default.
#default-agent-query-mode=LOCAL

###
### BACKEND section
###

# Possible X2Go Session Broker backends:
#
# 1. backend = zeroconf (activated by default)
# Use the ZeroConf X2Go Session Broker backend, this backend is for demo only
# and only operates on localhost. Make sure you have x2gobroker-daemon and
# and x2goserver installed on the same machine. No need to install
# x2gobroker-agent.

# 2. backend = infile (deactivated by default)
# The IniFile X2Go Session Broker backend is for providing session profiles
# to multiple users/clients on a text config file basis (.ini file format).
#
# The session profile setup is accomplished by an extra configuration file,
# by default named /etc/x2go/broker/x2gobroker-sessionproiles.conf.
#
# For small-scale deployments the IniFile backend is the recommended backend.

[zeroconf]
#enable = true
#auth-mech = pam
#user-db = libnss
#group-db = libnss
#desktop-shell = KDE

[inifile]
enable = true
session-profiles = /etc/x2go/broker/x2gobroker-sessionprofiles.conf

#[ldap] -> MUSIC OF THE FUTURE
#enable = false
#auth-mech = ldap
#user-db = ldap
#group-db = ldap
#uri = ldap://localhost:389
#base = dc=example,dc=org
#user-search-filter = (&(objectClass=posixAccount)(uid=*))
#host-search-filter = (&(objectClass=ipHost)(serial=X2GoServer)(cn=*))
#group-search-filter = (&(objectClass=posifxGroup)(cn=*))
#starttls = false
#agent-query-mode = SSH
My x2gobroker-sessionprofiles.conf:

### X2Go Broker Session Profiles - ADAPT TO YOUR NEEDS ###

# This whole file reflects a set of examplary X2Go session profiles being
# provided via the X2Go Session Broker (backend: iniconf).

# This whole file could be the broker setup in some university institute that
# runs three server pools (pool-A, pool-B and pool-C). Though most univerities
# have real IPv4 internet addresses, we use private subnets in the examples
# below.

# The X2Go Session Broker is served into the institutes local intranet, the
# broker cannot be reached from the internet directly.

# The first section [DEFAULTS] provides a set of default profile settings that
# are common to all session profiles given in sections below.

# The other section names can be freely chosen, however, each section name has
# to be unique within this file.

# IMPORTANT: in the session profiles below you will find some lines starting
# with acl-... These lines do neither protect the X2Go Session Broker nor
# your X2Go Servers. They simply allow for selective session profile provision
# based on client address, user name and group memberships.
#
# For protecting the broker use iptables and ip6tables. For protecting your
# X2Go Servers use iptable+ip6tables and a tightened PAM configuration (e.g.
# pam_access.so). Securing X2Go Servers means securing the SSH daemon that
# runs on the X2Go Server.

[DEFAULT]
command=TERMINAL
defsndport=true
useiconv=false
iconvfrom=UTF-8
height=600
export=
quality=9
fullscreen=false
layout=
useexports=true
width=800
speed=2
soundsystem=pulse
print=true
type=auto
sndport=4713
xinerama=true
variant=
usekbd=true
fstunnel=true
applications=TERMINAL,WWWBROWSER,MAILCLIENT,OFFICE
multidisp=false
sshproxyport=22
sound=true
rootless=false
iconvto=UTF-8
soundtunnel=true
dpi=96
sshport=22
setdpi=0
pack=16m-jpeg
directrdp=false

[GNOME]
user=xxx
host=xxx.xxx.xxx.xxx
name=GNOME
command=GNOME
rootless=false
acl-users-allow=xxx
acl-groups-allow=gnome-users,admins
acl-groups-deny=ALL
acl-any-order=deny-allow
broker-session-autologin=true
X2Go-Dev mailing list X2Go-Dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/x2go-dev
--
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
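Added example, not part of the original mails and not X2Go project code: a Python check that reads the broker URL and an excerpt of the x2gobroker.conf in the form they appear in the quoted post, showing how a client splits a URL with ":8080" after the slash and which settings in the file depend on each other. The host 192.0.2.10 stands in for the redacted address; the function names and finding labels are invented for this illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the broker URL shape from the post, with the redacted
# host replaced by a documentation address.
POSTED_URL = "http://192.0.2.10/:8080/plain/inifile"

# Constructed excerpt of the posted x2gobroker.conf, comments trimmed.
POSTED_CONF = """\
[global]
check-credentials = false
enable {base_url}/plain/
enable-plain-output = true
default-auth-mech = pam
broker-session-autologin=true

[inifile]
enable = true
session-profiles = /etc/x2go/broker/x2gobroker-sessionprofiles.conf
"""

SETTING = re.compile(r"^([^=:]+?)\s*[=:]\s*(.*)$")


def check_broker_url(url):
    """Return findings on how an HTTP client will read the broker URL."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":
        # Anything sent to the broker, logins included, travels unencrypted.
        findings.append("cleartext-transport")
    # ':<digits>' as the first path segment: the port was typed after the
    # slash, so it is path text and the scheme's default port is used.
    if parts.port is None and re.match(r"/:\d+(/|$)", parts.path):
        findings.append("port-in-path")
    return findings


def lint_broker_conf(text):
    """Scan INI text line by line and return sorted (line_no, finding)."""
    findings, section, settings = [], None, {}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        m = SETTING.match(line)
        if m is None:
            # Not a comment, section header or key/value pair.
            findings.append((no, "not-a-setting"))
            continue
        settings[(section, m.group(1))] = (no, m.group(2).strip().lower())
    creds = settings.get(("global", "check-credentials"))
    if creds and creds[1] == "false":
        findings.append((creds[0], "broker-unauthenticated"))
        auto = settings.get(("global", "broker-session-autologin"))
        if auto and auto[1] == "true":
            # The file's comments tie autologin to a user "authenticated
            # against the session broker"; that check is switched off.
            findings.append((auto[0], "autologin-without-auth"))
    return sorted(findings)


if __name__ == "__main__":
    print(check_broker_url(POSTED_URL))
    for finding in lint_broker_conf(POSTED_CONF):
        print(finding)
```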