Bug#1295: x2goclient/broker mode : don't close on suspended session with --close-disconnect
package: x2goclient version: 4.1.2.0-0~1750~ubuntu16.04.1 priority: bug
In broker/tce mode, when I connect a new session on TCE-CLIENT-1, if I live migrate the running session on TCE-CLIENT-2, the session is detached from client 1 to client 2 correctly (suspended on client 1 and correctly resumed on client 2) but x2goclient doesn't close itself on client 1 once session is detached. The client stays opened on the sessions profiles list with the currently logged in user instead of closing itself and getting back to the broker login prompt.
This is a major security issue since anyone can then just click on a session profile to connect with the current user credentials.
Regards, Walid Moghrabi
TRAVAUX.COM BAT I - PARC CEZANNE 2 290 AVENUE GALILEE - CS 80403 13591 AIX EN PROVENCE CEDEX 3
DISCLAIMER: This e-mail is private and confidential and may contain proprietary or legally privileged information. It is for the intended recipient only. If you have received this email in error, please notify the author by replying to it and then destroy it. If you are not the intended recipient you must not use, disclose, distribute, copy, print or rely on this e-mail or any attachment. Thank you
Hi Walid,
On Mi 09 Mai 2018 16:00:43 CEST, Walid MOGHRABI wrote:
package: x2goclient version: 4.1.2.0-0~1750~ubuntu16.04.1 priority: bug
In broker/tce mode, when I connect a new session on TCE-CLIENT-1, if
I live migrate the running session on TCE-CLIENT-2, the session is
detached from client 1 to client 2 correctly (suspended on client 1
and correctly resumed on client 2) but x2goclient doesn't close
itself on client 1 once session is detached.
This per se is a bug, as --close-disconnect fails.
The client stays opened on the sessions profiles list with the
currently logged in user instead of closing itself and getting back
to the broker login prompt.
I think --close-disconnect is not what you want. You want --broker-autologoff.
This is a major security issue since anyone can then just click on a
session profile to connect with the current user credentials.
Understood. However, please check if you can achieve the correct
behaviour with --broker-autologoff. It saves you the X2Go Client
restarts on session logout.
Mike
DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby mobile: +49 (1520) 1976 148 landline: +49 (4354) 8390 139
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
-
Mike Gabriel -
Walid MOGHRABI