Hi Stefan:
Thanks so much for the ping back….my sense is while what you are suggesting is "the right way", it's not practical for our user base (i.e., to ask them to generate an ssh key, email etc.).
So that might bring me back to the other parts of the email - can we work with some sort of encrypted tunnel without using ssh?
Thanks!
On Oct 11, 2013, at 6:00 AM, x2go-dev-request@lists.berlios.de wrote:
Today's Topics:
- X2go browser plugin & session broker (Ted Barnes)
- Re: X2go browser plugin & session broker (Stefan Baur)
Message: 1
Date: Thu, 10 Oct 2013 20:17:47 +0000
From: Ted Barnes <madogdevelopment@gmail.com>
To: x2go-user@lists.berlios.de, x2go-dev@lists.berlios.de
Subject: [X2Go-Dev] X2go browser plugin & session broker
Message-ID: <52570B6B.3040609@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Hi All:
Currently the people I support who use x2go connect over ssh and are "outside the firewall". This means needing some secure way to get remote users the ssh private key.
Q: How do other people do this, where there is no secure connection until the private ssh key is provided? Email doesn't seem to be a great way to send someone a key (e.g., as a password-protected file)....maybe try some sort of "user login" web page or drop box? My understanding of the documented way of giving someone a key assumes you are on the same LAN....is that wrong?
Q: Does x2go session broker still require ssh even if the initial connection is made over HTTPS? Would x2go session broker be a way to avoid using SSH keys but still provide an encrypted connection?
Q: Does the x2go plugin work on Windows and OS X at this point? Would the x2go plugin be a means to connect over HTTPS securely with a user name and password and avoid SSH keys?
Any suggestions, please!
Message: 2
Date: Thu, 10 Oct 2013 22:28:45 +0200
From: Stefan Baur <newsgroups.mail2@stefanbaur.de>
To: x2go-dev@lists.berlios.de
Subject: Re: [X2Go-Dev] X2go browser plugin & session broker
Message-ID: <52570DFD.9090608@stefanbaur.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
On 10.10.2013 22:17, Ted Barnes wrote:
Q: How do other people do this, where there is no secure connection until the private ssh key is provided? Email doesn't seem to be a great way to send someone a key (e.g., as a password-protected file)....maybe try some sort of "user login" web page or drop box? My understanding of the documented way of giving someone a key assumes you are on the same LAN....is that wrong?
Uh, no. You shouldn't create the private key for them. It's called a "private key" for a reason. It's theirs, and theirs alone. Have your users create their private keys on their own machines. Then have them send you their *public* keys via E-Mail, and verify the fingerprint of the public key by transmitting it on a different channel (SMS, phone call, snail-mail letter, fax, whatever).
-Stefan
X2Go-Dev mailing list X2Go-Dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/x2go-dev
End of X2Go-Dev Digest, Vol 58, Issue 7
On 11.10.2013 15:33, Madog wrote:
Thanks so much for the ping back….my sense is while what you are suggesting is "the right way", it's not practical for our user base (i.e., to ask them to generate an ssh key, email etc.).
I will leave answering your other questions to the more qualified list members. What on earth are you doing, though, that your users are unable to create their own private key? You can use PuTTYgen or the cygwin suite on Windows, and possibly script the whole issue so your users only have to double-click on an installer icon. And for Linux and MacOS (since it is Unix-based as well), scripting is even easier, I'd say.
Remember, as soon as someone else (that includes you as the admin! Your users' private key files are none of your business!) has access to the private key file, it is not safer than a traditional password-based login. Security is even worse, actually, as a password change on the user's key file by himself doesn't propagate back to the additional copies. Whoever gets hold of a key file and manages to guess/crack the password on it has eternal access to the system where the matching public key file is installed, no matter how often the legitimate user changes his password afterwards.
So why go through the extra hassle of creating a keyfile when you break security again right afterwards? Use a traditional password-based login (X2Go supports it) and that's it.
-Stefan
On 13-10-11 15:50, Madog <madogdevelopment@gmail.com> wrote:
Hi Stefan:
Thanks so much for the ping back….my sense is while what you are suggesting is "the right way", it's not practical for our user base (i.e., to ask them to generate an ssh key, email etc.).
What you are suggesting is dangerously negligent with regard to security. Key exchanges by sending around private key material amount to no sensible encryption or security at all, only a weak simulation thereof, which might fool some of your users, thereby endangering their privacy, the integrity of their data and of your service.
You may be able to make the process more user-friendly by automating things, e.g. create a nice GUI for key creation and a phone dialogue system or automatically printed mail-in form to verify fingerprint and userid, but the basic steps will remain:
A similar process is used to assure the user of your server's authenticity by means of the server's hostkey fingerprint.
So that might bring me back to the other parts of the email - can we work with some sort of encrypted tunnel without using ssh?
Maybe you could modify the x2go components to tunnel via openssl or gnutls, but that does not really solve your problem. You need a secure way to authenticate the user and for that you either need a verified public key from the user (be it X.509 or ssh) or the user needs to set some kind of password in a secure way. There are ways to do this, but one needs to be careful to ensure mutual authentication, which is exactly the same kind of problem as with the ssh keys.
Also, generally any kind of "build-your-own" security is very dangerous. History has shown that each of those homegrown solutions was lacking in important aspects, at least in the first few iterations of CVEs... Try to use ssh and do it the right way; you and your customers will be happier in the long run.
Ciao,
Alexander Wuerstlein.
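The enrollment step Stefan and Alexander both describe (user generates the key pair, e-mails only the public half, admin checks the fingerprint against a value received over a second channel before installing it) can be scripted on the admin side. The following is an added example written for this page; it is not X2Go code and not something any poster on this thread supplied. It uses only the Python standard library, accepts ssh-ed25519 and ssh-rsa keys (an assumed policy, as is the 2048-bit RSA minimum), computes the same `SHA256:` fingerprint that `ssh-keygen -lf` prints, and emits an `authorized_keys` line only when the e-mailed key matches the fingerprint the user read out by phone. The sample keys are constructed in the block and belong to nobody.

```python
# Added example (not X2Go project code, not from any poster on this thread).
# Assumptions: only ssh-ed25519 and ssh-rsa are accepted; RSA must be >= 2048 bits.
import base64
import hashlib
import hmac
import struct

MIN_RSA_BITS = 2048  # assumed local policy


def _pack_fields(fields):
    """Encode byte strings as the length-prefixed fields of an SSH wire blob."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def _unpack_fields(blob):
    """Split an SSH wire blob into its length-prefixed fields; reject truncation."""
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[off:off + n])
        off += n
    return fields


def make_key_line(ktype, fields, comment):
    """Build an OpenSSH public-key line; used here only to construct samples."""
    blob = _pack_fields([ktype.encode("ascii")] + list(fields))
    return f"{ktype} {base64.b64encode(blob).decode('ascii')} {comment}"


def parse_public_key(line):
    """Return (key type, key size in bits, raw blob, comment) for a public-key line."""
    parts = line.strip().split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, comment = parts[0], " ".join(parts[2:])
    blob = base64.b64decode(parts[1], validate=True)
    fields = _unpack_fields(blob)
    if not fields or fields[0] != ktype.encode("ascii"):
        raise ValueError("key type inside blob does not match the prefix")
    if ktype == "ssh-rsa":
        if len(fields) != 3:          # type, public exponent e, modulus n
            raise ValueError("malformed ssh-rsa key")
        bits = int.from_bytes(fields[2], "big").bit_length()
    elif ktype == "ssh-ed25519":
        if len(fields) != 2 or len(fields[1]) != 32:
            raise ValueError("malformed ssh-ed25519 key")
        bits = 256
    else:
        raise ValueError(f"key type not accepted by policy: {ktype}")
    return ktype, bits, blob, comment


def fingerprint(line):
    """SHA256 fingerprint in the form 'ssh-keygen -lf' prints: base64 without padding."""
    _, _, blob, _ = parse_public_key(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def admit_key(line, out_of_band_fingerprint):
    """Return the authorized_keys line if policy passes and the fingerprint matches, else None.

    A key that violates policy raises ValueError so it is never silently skipped."""
    ktype, bits, blob, comment = parse_public_key(line)
    if ktype == "ssh-rsa" and bits < MIN_RSA_BITS:
        raise ValueError(f"RSA key too short: {bits} bits")
    expected = fingerprint(line).encode("ascii")
    claimed = out_of_band_fingerprint.strip().encode("ascii")
    if not hmac.compare_digest(expected, claimed):
        return None  # the e-mailed key is not the one the user read out
    b64 = base64.b64encode(blob).decode("ascii")
    return " ".join(p for p in (ktype, b64, comment) if p)


# Constructed sample data; these are not real users' keys.
SAMPLE_KEY = make_key_line("ssh-ed25519", [bytes(range(32))], "alice@laptop")
# Same comment, different key bytes: what a tampered e-mail would deliver.
SUBSTITUTED_KEY = make_key_line("ssh-ed25519", [bytes(range(1, 33))], "alice@laptop")

if __name__ == "__main__":
    phoned_in = fingerprint(SAMPLE_KEY)  # stands in for the value read out by phone
    print("genuine key admitted:    ", admit_key(SAMPLE_KEY, phoned_in) is not None)
    print("substituted key admitted:", admit_key(SUBSTITUTED_KEY, phoned_in) is not None)
```

The fingerprint is compared, not the key itself, because a 43-character string is what a user can realistically read over the phone or print on a form; the comparison is over the whole blob, so a substituted key with the same comment is rejected. Server-side hostkey verification, which Alexander mentions, is the mirror image: the user compares the fingerprint their client shows on first connect against one the admin published by the same second channel.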