Hi Mihai,
I tested the following things: login via normal SSH, and login via the x2goclient GUI and CLI, while I was monitoring the messages on the RSA SecurID authentication server. What I found is that when I log in via normal SSH, there is a message in the RSA console showing that the user successfully authenticated. However, if I log in via the x2goclient GUI or CLI, there is no message at all in the RSA console (not even a false authentication or so). It seems that x2go doesn't even get to the RSA authentication, as if it would force the SSH client to authenticate via normal password and not via PAM.
I get the same results: no messages at the RSA console, if I make a normal SSH connection forcing password authentication:
"ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no user@server".
Can it be that x2goclient forces the password authentication explicitly if there is no public key?
Regards
Swizzly
Sent: Friday, 13 March 2015 at 17:12
From: "Mihai Moldovan" <ionic@ionic.de>
To: "swizz ly" <swizz.ly@gmx.ch>, x2go-user@lists.x2go.org
Subject: Re: [X2Go-User] X2Go Two-factor-authentication with SecurID
Hi,
On 13.03.2015 02:48 PM, swizz ly wrote:
> [...]
> In case of the x2goclient-cli Perl script, that comes with the
> x2goclient source, I found, that for a single x2go connection several
> (3-4x?) SSH connections are made in the background. In case of SecurID
> RSA, only the first SSH connection can work with a given PASSCODE, it
> is accepted only at the first SSH connection.
> Perhaps the normal x2goclient behaves the same way: it tries to
> connect using the same PASSCODE several times, and this could be the
> cause of the problem.
Well, the answer is a little bit complicated.
Yes, it behaves exactly the same way. Several programs are started
server side.
This includes session discovery and of course starting a new session or
resuming it.
For that, a new connection is established via libssh. This connection is
authenticated by any means provided: password, key, or
keyboard-interactive (i.e., SecurID.)
This said, libssh uses channels for spawning new commands/shells. These
channels do NO authentication but use the established main connection.
X2Go Client should only open up one connection and then use multiple
channels over the already authenticated connection for doing its work.
Is it really not doing that, and instead opening up multiple connections?
Mihai
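
One way to check both open questions in this thread from the server side (how many SSH connections the client really opens, and which authentication method each one uses), as an added example that is not part of the original messages. It assumes OpenSSH's usual "Accepted/Failed <method> for <user> from <ip> port <port>" auth-log lines; the sample lines, user name and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample sshd auth-log lines (not taken from the thread).
# First line: a plain SSH login. Remaining lines: a client opening
# several connections and retrying the same one-time PASSCODE.
SAMPLE_LOG = """\
Mar 13 17:20:01 server sshd[4101]: Accepted keyboard-interactive/pam for alice from 192.0.2.10 port 50111 ssh2
Mar 13 17:25:40 server sshd[4188]: Accepted password for alice from 192.0.2.10 port 50222 ssh2
Mar 13 17:25:41 server sshd[4190]: Failed password for alice from 192.0.2.10 port 50223 ssh2
Mar 13 17:25:42 server sshd[4193]: Failed password for alice from 192.0.2.10 port 50224 ssh2
"""

AUTH_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<result>Accepted|Failed) (?P<method>\S+) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)

def parse_auth_events(log_text):
    """Return one dict per sshd authentication result line."""
    return [m.groupdict() for m in map(AUTH_RE.search, log_text.splitlines()) if m]

def connections_by_method(log_text, user):
    """Map auth method -> set of (ip, port) pairs seen for this user.

    Each distinct client source port is a separate TCP connection, so it
    had to authenticate on its own. Channels opened over an already
    authenticated connection produce no further auth lines.
    """
    result = defaultdict(set)
    for ev in parse_auth_events(log_text):
        if ev["user"] == user:
            result[ev["method"]].add((ev["ip"], ev["port"]))
    return dict(result)

def failed_connections(log_text, user):
    """Connections whose only recorded auth result was a failure."""
    ok, failed = set(), set()
    for ev in parse_auth_events(log_text):
        if ev["user"] == user:
            target = ok if ev["result"] == "Accepted" else failed
            target.add((ev["ip"], ev["port"]))
    return failed - ok

if __name__ == "__main__":
    for method, conns in connections_by_method(SAMPLE_LOG, "alice").items():
        print(f"{method}: {len(conns)} connection(s) {sorted(conns)}")
    print("never authenticated:", sorted(failed_connections(SAMPLE_LOG, "alice")))
```

More than one source port per session start means the client is opening separate connections rather than channels, and the method column shows whether keyboard-interactive (PAM) was used at all.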