On 24.01.19 at 13:24, rubens.zanatta@grad.ufsc.br wrote:
Hello again Stefan, thanks for looking into this.
First, confirm that a regular SSH login using the same username, client, and server, with Kerberos enabled, works.
Yes, I am able to connect client and server through SSH with Kerberos auth, without being prompted for a password. I had changed some of the config options you mentioned, but it was already working before and the error still persists with X2Go. The ssh verbose output shows these lines that prove that gssapi is working:
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to newhost ([SERVER IP]:22).
Okay, that's good.
Second, can you create an account on the server that does not need to authenticate via Kerberos, and attempt a regular user/password or SSH Public Keyfile login, to see if that works? If that doesn't work, then your X2Go installation (server, client, or both) is botched somehow, and the issue is independent of Kerberos.
I'm not sure if I got that right. If you're asking me to create another user account (on the X2Go server) and attempt a regular X2Go login, without Kerberos, then yes, it does work fine with X2Go and SSH with password authentication.
Yes, that was what I was asking for. Thanks for confirming that this works as well.
One thing that I noticed in the SSH logs on the server is that the failed X2Go Kerberos authentication attempts are actually successful but disconnect IMMEDIATELY after being done. This does not happen with a password-based X2Go connection. Take a look:
Jan 24 09:43:04 newhost sshd[10146]: Authorized to remoto, krb5 principal remoto@KERBEROS.COM (krb5_kuserok)
Jan 24 09:43:04 newhost sshd[10146]: Accepted gssapi-with-mic for remoto from [CLIENT IP] port 33428 ssh2: remoto@KERBEROS.COM
Jan 24 09:43:04 newhost sshd[10146]: pam_unix(sshd:session): session opened for user remoto by (uid=0)
Jan 24 09:43:04 newhost systemd-logind[554]: New session 12 of user remoto.
Jan 24 09:43:04 newhost sshd[10210]: Received disconnect from [CLIENT IP] port 33428:11: disconnected by user
Jan 24 09:43:04 newhost sshd[10210]: Disconnected from user remoto [CLIENT IP] port 33428
Jan 24 09:43:04 newhost sshd[10144]: dispatch_protocol_error: type 90 seq 3 [preauth]
Jan 24 09:43:04 newhost sshd[10146]: pam_unix(sshd:session): session closed for user remoto
Jan 24 09:43:04 newhost systemd-logind[554]: Removed session 12.
Could this be related to that socket error mentioned on the X2Go --debug verbose?
Like I said, I am not exactly knowledgeable about Kerberos. However, there were two bug reports and changes related to Kerberos that I was able to find in the bug tracker. So maybe the fix for the regression doesn't fully work, or you are still using the version with the regression?
To find out, the answers to the following questions would be helpful:
What's the *client* Operating System/Distribution/Version that you are using? (If it's a Linux system, 'cat /etc/os-release' should provide all the necessary info.)
What's the X2GoClient version you are using? (Run 'LANG=C x2goclient --version' in the shell to find out.)
One outcome might be that we'll have to get you to change to an older or newer version of X2GoClient and try that.
Another option is that I set up a small demo Kerberos environment myself and try to replicate the issue there, as time permits. No guarantees on the time frame, though.
Last, we could get commercial support involved - if you are willing and able to pay (Rates are usually around 125 EUR/h, taxes not included).
Kind Regards,
Stefan Baur

-- 
BAUR-ITCS UG (haftungsbeschränkt)
Managing Director: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Register Court Ulm, HRB 724364
Phone/Fax 0731 40 34 66-36/-35 | VAT ID: DE268653243
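
Added example, not part of the original e-mail and not X2Go code: a small log correlator for the symptom described in the thread, where sshd accepts a login and the same client port disconnects within the same second. The sample log is constructed from the format quoted above; the IP address, the `tester` account, the year and the function name are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the sshd lines quoted in the thread.
# 192.0.2.10 (documentation range) and the "tester" account are placeholders.
SAMPLE_LOG = """\
Jan 24 09:43:04 newhost sshd[10146]: Accepted gssapi-with-mic for remoto from 192.0.2.10 port 33428 ssh2: remoto@KERBEROS.COM
Jan 24 09:43:04 newhost sshd[10210]: Received disconnect from 192.0.2.10 port 33428:11: disconnected by user
Jan 24 09:43:04 newhost sshd[10210]: Disconnected from user remoto 192.0.2.10 port 33428
Jan 24 09:50:10 newhost sshd[10300]: Accepted password for tester from 192.0.2.10 port 33500 ssh2
Jan 24 10:15:42 newhost sshd[10355]: Disconnected from user tester 192.0.2.10 port 33500
"""

STAMP = r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
ACCEPT = re.compile(STAMP + r"Accepted (\S+) for (\S+) from (\S+) port (\d+)")
CLOSED = re.compile(STAMP + r"Disconnected from user (\S+) (\S+) port (\d+)")


def _parse(stamp, year):
    # Syslog timestamps carry no year, so the caller supplies one (assumption).
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def short_lived_sessions(log_text, threshold=timedelta(seconds=2), year=2019):
    """Return (user, auth_method, client_port, seconds) for every login that
    was accepted and then disconnected within `threshold`.

    Sessions are keyed on (user, client IP, client port) rather than the sshd
    PID, because the accept and disconnect lines come from different
    privilege-separated sshd processes (10146 vs. 10210 in the thread).
    """
    opened, hits = {}, []
    for line in log_text.splitlines():
        m = ACCEPT.match(line)
        if m:
            stamp, method, user, ip, port = m.groups()
            opened[(user, ip, port)] = (_parse(stamp, year), method)
            continue
        m = CLOSED.match(line)
        if m:
            stamp, user, ip, port = m.groups()
            start = opened.pop((user, ip, port), None)
            if start is None:
                continue  # disconnect without a matching accept in this log
            lifetime = _parse(stamp, year) - start[0]
            if lifetime <= threshold:
                hits.append((user, start[1], port, lifetime.total_seconds()))
    return hits


if __name__ == "__main__":
    for hit in short_lived_sessions(SAMPLE_LOG):
        print("accepted then dropped: user=%s method=%s port=%s after %.0fs" % hit)
```

Run against the server's auth log, this separates logins that authenticate and drop immediately from sessions that stay open, which makes it easy to compare Kerberos and password logins side by side.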