Hi Mike,
Default behavior for x2gobroker and x2goclient in broker mode seems to be to first authenticate against the broker and then whatever terminal server the user ends up connecting to. This means the user ends up having to type in his/her username and password twice. Not a nice user experience. Either it shouldn't authenticate to get the available sessions or it should remember the username/password and try it when authenticating against the chosen server. Until the latter might be possible, I would like to turn off authentication to get the session information. It seems to me that this information is fairly safe to be publicly available. I have set check-credentials = false in x2gobroker.conf, but the client still prompts the user for a username/password. You can just hit enter twice at that dialog, but it still isn't an acceptable user experience. Is it possible to avoid this extra authentication currently, or would it mean changes to x2goclient?
-- Anders Bruun Olsen It-ansvarlig Det Danske Sprog- og Litteraturselskab (Society for Danish Language and Literature)
Hi Anders,
On Thu 28 Feb 2013 14:52:31 CET Anders Bruun Olsen wrote:
Hi Mike,
Default behavior for x2gobroker and x2goclient in broker mode seems to be to first authenticate against the broker and then whatever terminal server the user ends up connecting to. This means the user ends up having to type in his/her username and password twice. Not a nice user experience. Either it shouldn't authenticate to get the available sessions or it should remember the username/password and try it when authenticating against the chosen server. Until the latter might be possible, I would like to turn off authentication to get the session information. It seems to me that this information is fairly safe to be publicly available. I have set check-credentials = false in x2gobroker.conf, but the client still prompts the user for a username/password. You can just hit enter twice at that dialog, but it still isn't an acceptable user experience. Is it possible to avoid this extra authentication currently, or would it mean changes to x2goclient?
Please use
x2goclient --broker-noauth --broker-url=<URL>
For this to work, you have to set the check-credentials config option
in x2gobroker.conf to false.
Greets, Mike
--
DAS-NETZWERKTEAM mike gabriel, rothenstein 5, 24214 neudorf-bornstein fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
Hi Anders,
On Thu 28 Feb 2013 18:00:54 CET Mike Gabriel wrote:
Hi Anders,
On Thu 28 Feb 2013 14:52:31 CET Anders Bruun Olsen wrote:
Hi Mike,
Default behavior for x2gobroker and x2goclient in broker mode seems to be to first authenticate against the broker and then whatever terminal server the user ends up connecting to. This means the user ends up having to type in his/her username and password twice. Not a nice user experience. Either it shouldn't authenticate to get the available sessions or it should remember the username/password and try it when authenticating against the chosen server. Until the latter might be possible, I would like to turn off authentication to get the session information. It seems to me that this information is fairly safe to be publicly available. I have set check-credentials = false in x2gobroker.conf, but the client still prompts the user for a username/password. You can just hit enter twice at that dialog, but it still isn't an acceptable user experience. Is it possible to avoid this extra authentication currently, or would it mean changes to x2goclient?
Please use
x2goclient --broker-noauth --broker-url=<URL>
For this to work, you have to set the check-credentials config
option in x2gobroker.conf to false.
I have checked this again and thought it through. As the broker needs
to know the username on whose behalf to operate, you probably have to
add the --auth-id cmdline switch:
x2goclient --auth-id=<broker-user> --broker-noauth --broker-url=<URL>
This is ok with X2Go Client installations on some local/private
machines. On thin clients (with no local login) this does not work as
the thin client is not aware of the person's username sitting in front
of the TC.
Hmmm...
The other option would be to automatize the SSH login once the user
has authenticated against the broker. This feature is already
implemented in X2Go Client but needs some extra work in the public
X2Go Session Broker.
Another issue, I have to address later: The current broker
implementations in X2GoClient expect that the broker user ID is
identical with the SSH user ID (i.e. the X2Go user ID) of the
targeting servers. This is suboptimal, IMHO.
Greets, Mike
2013/3/1 Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Please use
x2goclient --broker-noauth --broker-url=<URL>
For this to work, you have to set the check-credentials config option in x2gobroker.conf to false.
I have checked this again and thought it through. As the broker needs to know the username on whose behalf to operate, you probably have to add the --auth-id cmdline switch:
x2goclient --auth-id=<broker-user> --broker-noauth --broker-url=<URL>
This is ok with X2Go Client installations on some local/private machines. On thin clients (with no local login) this does not work as the thin client is not aware of the person's username sitting in front of the TC.
It works for me with just "x2goclient --broker-noauth --broker-url=<URL>" and check-credentials=false in x2gobroker.conf. I have tried with both users who exist on both the broker and terminal server and users who only exist on the terminal server.
I get the available sessions and can just choose one. What I can't get to work though, is --session=<SESSIONNAME>. I have term-external and term-internal setup as available sessions in the broker, and I can choose term-internal and logon just fine. But I can't add --session and prechoose the session. Is this a bug in x2goclient or am I just doing it wrong?
Hmmm... The other option would be to automatize the SSH login once the user has authenticated against the broker. This feature is already implemented in X2Go Client but needs some extra work in the public X2Go Session Broker.
If that would mean that we could have just a single login dialog for both authenticating against the broker and the terminal server, then that would be great! Disabling authentication on the broker is suboptimal IMHO.
Another issue, I have to address later: The current broker implementations in X2GoClient expect that the broker user ID is identical with the SSH user ID (i.e. the X2Go user ID) of the targeting servers. This is suboptimal, IMHO.
Yes, there might be setups where one would want different user IDs for broker and terminal server. Although for our setup, I prefer them to be the same, so our users don't have to remember more than one set of credentials. So for us, it is low priority :)
-- Anders Bruun Olsen It-ansvarlig Det Danske Sprog- og Litteraturselskab (Society for Danish Language and Literature)
Hi Anders,
On Fri 01 Mar 2013 12:54:43 CET Anders Bruun Olsen wrote:
2013/3/1 Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Please use
x2goclient --broker-noauth --broker-url=<URL>
For this to work, you have to set the check-credentials config option in x2gobroker.conf to false.
I have checked this again and thought it through. As the broker needs to know the username on whose behalf to operate, you probably have to add the --auth-id cmdline switch:
x2goclient --auth-id=<broker-user> --broker-noauth --broker-url=<URL>
This is ok with X2Go Client installations on some local/private machines. On thin clients (with no local login) this does not work as the thin client is not aware of the person's username sitting in front of the TC.
It works for me with just "x2goclient --broker-noauth --broker-url=<URL>" and check-credentials=false in x2gobroker.conf. I have tried with both users who exist on both the broker and terminal server and users who only exist on the terminal server.
The point where it fails is resuming suspended sessions. When resuming,
x2goclient queries the session broker for suspended sessions for the
broker username. This actually feels like a conceptual bug in X2Go
Client, though, and probably has to be addressed.
I get the available sessions and can just choose one. What I can't get to work though, is --session=<SESSIONNAME>. I have term-external and term-internal setup as available sessions in the broker, and I can choose term-internal and logon just fine. But I can't add --session and prechoose the session. Is this a bug in x2goclient or am I just doing it wrong?
I think that --session=<sessionname> is only available in non-broker
mode of X2Go Client. It would be nice to have that option work in
broker mode, as well. Can you submit it as a bug later?
Hmmm... The other option would be to automatize the SSH login once the user has authenticated against the broker. This feature is already implemented in X2Go Client but needs some extra work in the public X2Go Session Broker.
If that would mean that we could have just a single login dialog for both authenticating against the broker and the terminal server, then that would be great! Disabling authentication on the broker is suboptimal IMHO.
Yes, you exactly got how it is intended to work.
Another issue, I have to address later: The current broker implementations in X2GoClient expect that the broker user ID is identical with the SSH user ID (i.e. the X2Go user ID) of the targeting servers. This is suboptimal, IMHO.
Yes, there might be setups where one would want different user IDs for broker and terminal server. Although for our setup, I prefer them to be the same, so our users don't have to remember more than one set of credentials. So for us, it is low priority :)
Agreed.
Mike
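Added example, not part of the thread and not X2Go code: a small audit helper that reports where `check-credentials` is switched off in a broker configuration and classifies `x2goclient` command lines by whether the broker authenticates the user, gets only a client-asserted `--auth-id`, or gets no identity at all. It assumes `x2gobroker.conf` is INI-style; the section names, the URL, the user name `alice` and the list of "false" spellings are constructed for illustration.

```python
import configparser
import shlex

# Spellings treated as "disabled" (assumption of this example).
FALSY = {"false", "no", "off", "0"}

# Constructed sample; the section names are made up for illustration.
SAMPLE_CONF = """\
[site_a]
check-credentials = true

[site_b]
check-credentials = False
"""

def broker_auth_disabled(conf_text):
    """Return the sections in which check-credentials is switched off."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(conf_text)
    except configparser.MissingSectionHeaderError:
        # Bare "key = value" with no header, the way the thread quotes it.
        parser.read_string("[(no section)]\n" + conf_text)
    hits = []
    for name, section in parser.items():
        value = section.get("check-credentials")
        if value is not None and value.strip().lower() in FALSY:
            hits.append(name)
    return hits

def audit_client_cmd(cmdline):
    """Classify how an x2goclient command line identifies its user to the broker."""
    flags = {a.split("=", 1)[0] for a in shlex.split(cmdline) if a.startswith("--")}
    if "--broker-url" not in flags:
        return "not-broker-mode"
    if "--broker-noauth" not in flags:
        return "broker-authenticated"
    if "--auth-id" in flags:
        # The user name comes from the client; the broker does not verify it.
        return "noauth-with-asserted-id"
    return "noauth-anonymous"

if __name__ == "__main__":
    print("check-credentials disabled in:", broker_auth_disabled(SAMPLE_CONF))
    url = "https://broker.example.invalid/"  # constructed URL
    for cmd in (f"x2goclient --broker-url={url}",
                f"x2goclient --broker-noauth --broker-url={url}",
                f"x2goclient --auth-id=alice --broker-noauth --broker-url={url}"):
        print(audit_client_cmd(cmd), "<-", cmd)
```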