2013/12/24 Stefan Baur <newsgroups.mail2@stefanbaur.de>
Am 24.12.2013 02:33, schrieb Luciano Gabriel Andino:
Hi there)) I am trying to configure x2go/pxe and this is my first
question.
I did a clientsession in server and scp transfer to pxe server. PXE server is ready, client booted but I can't login cause this message appears (in client):
"Access denied: Authentication that can continue...."
while it was possible to login from a linux box. The idea is that a any user can access to his account from anyclient. how can I store this publickeys?
I'm not sure what went wrong there, but I'm also not quite sure what you're trying to accomplish. So I've typed down the answers to the three most likely interpretations of your question that I can come up with. If none of this matches what your intention is, please rephrase your question, explain in greater detail what you're trying to accomplish (expected behavior versus actual behavior), and post again.
The following is assuming that while you want every user to be able to use every client, you *do* want authentication (i.e. every user has a dedicated account that no one else should be using):
The easiest way would be using passwords only. You do not HAVE to use public key files, though of course they provide greater security WHEN - and ONLY WHEN - implemented and used correctly.
If you want to use two-factor authentication, my guess is that you could either 2a) put the secret keys (the public key of each user needs to be in the user's home directory, in a subdirectory called ".ssh", and a file named "authorized_keys", with proper restrictive permissions in place) on a USB key fob, set up the Thin Client Environment so that it looks for USB devices and tries to mount them automatically, and have a symlink from .ssh/id_rsa or id_dsa on the TCE user's home directory on the thin client point to the mountpoint of the USB device (which needs to contain a linux filesystem so the permissions work) or 2b) use Smartcard-Based authentication, which requires cards and reader hardware. This is something I've never used myself, though, so you should contact one of the core developers (Mike Gabriel seems to be the most active one these days) about how that works.
Now, assuming that you don't care about security at all, because you want everyone to be able to log in as everyone (think Infokiosk), you could of course dump all the secret keys for your pseudo-users into id_rsa_something or id_dsa_something files (as above, with proper restrictive permissions in place), make them part of the TCE NFS image and reference them in your sessions file - but that is something you should really only do if you DO NOT NEED NOR WANT ANY SECURITY AT ALL and are simply looking for a way that users aren't bothered with having to enter a password.
If you think you should use Keyfiles AND Passwords to the keyfiles, AND are looking for a way to centrally store the keyfiles so nobody needs a USB key fob or smartcard, you are making your system LESS secure than a password-only solution without keyfiles. So if that was your intent, DO NOT DO THAT. The reason is that while you can regularly change passwords on secret keyfiles, ANY copy of a secret keyfile with a known password WILL ALWAYS grant access to the account with the matching public keyfile. So if anybody at any time gets hold of the keyfile AND the then-current password, changing the password on your keyfile DOES NOT LOCK HIM OUT. You NEED to generate completely NEW keyfiles in that situation. THIS IS BAD. So avoid this approach at all costs.
Sorry that this message is rather long, but these are some newbie mistakes I'm seeing again and again, and I'd like to keep you from making these mistakes, if only for the sake of your users.
-Stefan
X2Go-User mailing list X2Go-User@lists.berlios.de https://lists.berlios.de/mailman/listinfo/x2go-user
hello! thanks for your answer. I will try to explain what I try to do and maybe you can recommend the best option. Actually, I'm using thinstation's image for booting diskless station to access a Linux server using XDMCP. My LAN has about 25 MSI wind nettop clients, no HD but can boot using PXE. I am just trying testing x2go to see if there is an important improvement in terms of graphical response at client side. At the same time, I'm interesting to access my KDE session from outside (Internet) with a normal computer. The problem is I don't know which can be the best option for diskless computers in LAN, thinking that sometimes any user needs to access his account from a different station. Options I understood you told, are:
using no public keys (no encryption?) how can be done?
In this option, I don't understand if .ssh/authorized_keys must be on home user directory in server or in usb stick? Is there any documentation for this? Also seems users need to have their own stick to attach in station they want to use.
I can store session and public keys in exported fs (not recommended).
Also I am in doubt if users change their Linux account's password or they access from different station, I need to introduce changes in publickeys.
-- Saludos!!