Hi guys,
On Sun 23 Aug 2015 23:10:59 CEST, git-admin wrote:
This is an automated email from the git hooks/post-receive script.
x2go pushed a commit to branch master in repository x2goserver.
commit bfe3ba761c1d3e9143285ca17edc87ac763ce35d
Author: Mihai Moldovan <ionic@ionic.de>
Date: Sun Aug 23 23:08:45 2015 +0200
x2goserver/bin/x2gostartagent: changes to Robert Nowotny's SSH_PORT patch. Fixes: #922.
Use default outgoing interface to determine IP address. Use the whole range of ${RANDOM}'s pool. Seed it for good measure. Change the default method to randomization instead of IP-based initialization. If IP-based initialization was requested but the default outgoing IP address unavailable, fall back to randomization.
Haven't looked at X2Go Server code for a while... Today I found the below...
+# Get server IP address. +get_server_ip_address() {
- # The provided IP address should be outside of any local network.
- # We are only interested in how the kernel would try to reach the
- # non-local IP address specified here. It is not actually contacted
- # in any way.
- typeset ip_output="$(ip route get 8.8.8.8)"
- # Remove newlines.
- ip_output="${ip_output//$'\n'}"
- # Fetch source address.
- typeset src_address="$(grep -oe
'src[[:space:]]\{1,\}\(\([[:digit:]]\{1,3\}\.\)\{3\}[[:digit:]]\{1,3\}\)'
<<< "${ip_output}" | sed -e 's/src[[:space:]]\{1,\}//')"- if [ -n "${src_address}" ]; then
printf "${src_address}"
return "0"
- fi
- return "1" +}
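Review bot: get_server_ip_address() can only ever yield an IPv4 address: the lookup is `ip route get 8.8.8.8` and the grep pattern after `src` accepts nothing but a dotted quad, so on an IPv6-only host, or one whose IPv6 traffic leaves through a different interface, the function either returns 1 or reports an address that says nothing about the IPv6 path. If address-based initialization is kept, add an `ip -6 route get` lookup with a matching pattern, and until then state in the function comment that the result is IPv4-only. Also, `printf "${src_address}"` uses the variable as the format string; `printf '%s' "${src_address}"` avoids that.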
Has anyone of you ever heard of IPv6? And has anyone ever seen setups
where the IPv6 traffic is routed via a different interface compared to
IPv4 traffic?
Furthermore, within the last years, I never had any problems with
server-side ports being the same on different servers. I mostly
connect through PyHoca. So if there is a problem in X2Go Client
regarding server-side SSH tunnel ports, why--the heck--do you fix that
in X2Go Server?
If the port allocation is a problem at all, it certainly is a problem
that requires fixing in X2Go Client, not X2Go Server.
Please consider reverting this flawed patch!!!
Scratching my head and wondering...
Mike
--
DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/mailxchange/kronolith/fb.php?u=m.gabriel%40...
Furthermore...
On Wed 30 Dec 2015 10:21:20 CET, Mike Gabriel wrote:
+get_server_ip_address() {
- # The provided IP address should be outside of any local network.
- # We are only interested in how the kernel would try to reach the
- # non-local IP address specified here. It is not actually contacted
- # in any way.
- typeset ip_output="$(ip route get 8.8.8.8)"
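Review bot: The probe address in `ip route get 8.8.8.8` is a literal buried in the function body, which makes it hard to change without editing the function. Move it into a named variable near the top of the script, keep the existing comment about it never being contacted next to that variable, and let the function take the address as a parameter so an IPv6 probe can be passed the same way.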
Since when does X2Go promote Google??? Or even depend on them?
As this patch is IPv6-flawed anyway, the next request is pointless...
In case the patch is kept, please make this configurable and use the
IP address of japsand.x2go.org or some other static IP on the internet
that is more politically correct, please.
Good candidates for this are the root DNS servers of the world:
IPv4: 192.228.79.201 192.33.4.12 199.7.91.13 192.203.230.10 192.5.5.241 192.112.36.4 128.63.2.53 192.36.148.17 192.58.128.30 193.0.14.129 199.7.83.42 202.12.27.33
IPv6:
2001:503:ba3e::2:30 2001:500:84::b 2001:500:2::c 2001:500:2d::d 2001:500:2f::f 2001:500:1::803f:235 2001:7fe::53 2001:503:c27::2:30 2001:7fd::1 2001:500:3::42 2001:dc3::35
Regarding IPv4/IPv6 flaw in the patch... There are also setups that are
IPv6 only... Tststs...
Forwarding this to the bugtracker so it doesn't get lost ...
-------- Forwarded message --------
Subject: Re: [X2Go-Dev] X2Go Server contains some IPv4/non-IPv6 logic for creating ports.
Date: Wed, 30 Dec 2015 09:40:19 +0000
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Organization: DAS-NETZWERKTEAM
To: x2go-dev@lists.x2go.org
Forwarding this to the bugtracker so it doesn't get lost ...
-------- Forwarded message --------
Subject: [X2Go-Dev] X2Go Server contains some IPv4/non-IPv6 logic for creating ports.
Date: Wed, 30 Dec 2015 09:21:20 +0000
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Organization: DAS-NETZWERKTEAM
To: x2go-dev@lists.x2go.org
On 30.12.2015 10:21 AM, Mike Gabriel wrote:
On Sun 23 Aug 2015 23:10:59 CEST, git-admin wrote:
[...] commit bfe3ba761c1d3e9143285ca17edc87ac763ce35d Author: Mihai Moldovan <ionic@ionic.de> Date: Sun Aug 23 23:08:45 2015 +0200
x2goserver/bin/x2gostartagent: changes to Robert Nowotny's
SSH_PORT patch. Fixes: #922. [...]
Haven't looked at X2Go Server code for a while... Today I found the below...
+# Get server IP address. +get_server_ip_address() { [...]
Has anyone of you ever heard of IPv6? And has anyone ever seen setups
where the IPv6 traffic is routed via a different interface compared to
IPv4 traffic?
Yes, and this is exactly why that function is not used by default. Instead, the "real" port randomization is used. IPv4-address-based randomization can be enabled by setting "randomize_ssh_port" to "0", but administrators have to edit the script manually to do this. Even though the comment says otherwise, I think it shouldn't be configurable in x2goserver.conf either for exactly this reason.
Furthermore, within the last years, I never had any problems with
server-side ports being the same on different servers. I mostly
connect through PyHoca. So if there is a problem in X2Go Client
regarding server-side SSH tunnel ports, why--the heck--do you fix that
in X2Go Server?
If the port allocation is a problem at all, it certainly is a problem
that requires fixing in X2Go Client, not X2Go Server.
Please consider reverting this flawed patch!!!
I don't think port randomization is bad per se, so I'd like to keep it.
It's true that the real problem lies within x2goclient and I should eventually get rid of that, too, by checking whether a port is already in use and incrementing it, though.
On 30.12.2015 10:40 AM, Mike Gabriel wrote:
Since when does X2Go promote Google??? Or even depend on them?
As this patch is IPv6-flawed anyway, the next request is pointless... In case the patch is kept, please make this configurable and use the IP address of japsand.x2go.org or some other static IP on the internet that is more politically correct, please.
I don't promote or depend upon Google in any way. As the comment makes clear, the IPv4 address provided there is not contacted in any way; I just need some address predictably outside of any local network to get the default outgoing address from the routing table.
I chose 8.8.8.8 instead of Japsand's address or any other address, because I didn't want users with malicious intent to try to attack whatever address is written in the source code "for fun", assuming that 8.8.8.8 is well-known and well protected. Any other address would have made us "responsible" for "providing" the address if an attack was based on that information.
Mihai
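The fallback behaviour discussed in this thread, as an added example that is not x2gostartagent code: the source address is parsed from `ip route get` output for either IPv4 or IPv6, and randomization is used when neither lookup yields one. The function names, the CRC-based offset and the base/span values are assumptions, and the sample route outputs are constructed.

```shell
#!/bin/sh
# Added example (not x2gostartagent code); all function names are hypothetical.

# Constructed samples of `ip route get` output for an IPv4 and an IPv6 probe.
SAMPLE_V4='8.8.8.8 via 192.0.2.1 dev eth0 src 192.0.2.10 uid 1000
    cache'
SAMPLE_V6='2001:7fd::1 from :: via fe80::1 dev eth1 src 2001:db8::10 metric 1024 pref medium'

# Print the token after "src" if it looks like an IPv4 or IPv6 address.
parse_src_address() (
	printf '%s\n' "$1" | awk '
		{ for (i = 1; i < NF; i++)
			if ($i == "src" && $(i + 1) ~ /^[0-9A-Fa-f:.]+$/) { print $(i + 1); found = 1; exit } }
		END { exit !found }'
)

# Deterministic offset in [0, SPAN) derived from the address (assumed scheme: CRC).
address_offset() (
	crc="$(printf '%s' "$1" | cksum | cut -d ' ' -f 1)"
	printf '%s' "$(( ${crc} % $2 ))"
)

# Random offset in [0, SPAN) read from /dev/urandom instead of ${RANDOM}.
random_offset() (
	rnd="$(od -An -N4 -tu4 /dev/urandom | tr -d ' \n')"
	printf '%s' "$(( ${rnd} % $1 ))"
)

# initial_port MODE ROUTE4 ROUTE6 BASE SPAN
# MODE "address" tries the IPv4 route output, then the IPv6 one; any other mode,
# or no usable source address, falls back to randomization.
initial_port() (
	if [ "$1" = "address" ]; then
		addr="$(parse_src_address "$2")" || addr="$(parse_src_address "$3")" || addr=""
		if [ -n "${addr}" ]; then
			printf '%s' "$(( $4 + $(address_offset "${addr}" "$5") ))"
			exit 0
		fi
	fi
	printf '%s' "$(( $4 + $(random_offset "$5") ))"
)

# Live use (probe addresses come from the caller and are never contacted):
#   r4="$(ip -4 route get "${probe4}" 2>/dev/null)"
#   r6="$(ip -6 route get "${probe6}" 2>/dev/null)"
#   initial_port address "${r4}" "${r6}" 30000 1000   # base and span are constructed
```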