Hello there.
We're trying to use X2Go in our campus as a user-friendly Linux-Linux remote desktop solution. We would also like a single sign-on approach, so we chose to use Kerberos authentication between the Linux clients and the X2Go server.
We already have a working KDC that authenticates a SSH server, as a test. On the client I have the Kerberos 5 Auth. option checked, but when I attempt the connection, the screen remains blank and never connects. The log shows this socket error but the authentication seems to be working.
x2go-INFO-8> "Starting connection to server: newhost.com:22"
x2go-DEBUG-../src/onmainwindow.cpp:3007> Starting new ssh connection to server:"newhost.com":"22" krbLogin: true
x2go-DEBUG-../src/sshmasterconnection.cpp:175> SshMasterConnection, host "newhost.com"; port 22; user "remoto"; useproxy false; proxyserver ""; proxyport 22
x2go-DEBUG-../src/sshmasterconnection.cpp:244> Starting SSH connection with Kerberos authentication.
x2go-DEBUG-../src/sshmasterconnection.cpp:252> SshMasterConnection, instance SshMasterConnection(0x55e041b1c730) created.
x2go-DEBUG-../src/sshmasterconnection.cpp:520> SshMasterConnection, instance SshMasterConnection(0x55e041b1c730) entering thread.
x2go-DEBUG-../src/sshmasterconnection.cpp:834> Session port before config file parse: 22
x2go-DEBUG-../src/sshmasterconnection.cpp:844> Session port after config file parse: 22
x2go-DEBUG-../src/sshmasterconnection.cpp:909> Session port before config file parse (part 2): 22
x2go-DEBUG-../src/sshmasterconnection.cpp:919> Session port after config file parse (part 2): 22
x2go-DEBUG-../src/sshmasterconnection.cpp:944> cserverAuth
x2go-DEBUG-../src/sshmasterconnection.cpp:985> state: 1
x2go-DEBUG-../src/sshmasterconnection.cpp:1633> Starting ssh:"ssh" "-o GSSApiAuthentication=yes -o PasswordAuthentication=no -o PubkeyAuthentication=no -p 22 -l remoto newhost.com bash -l -c 'echo \"X2GODATABEGIN:eb840c04-8bb1-44b2-b29f-e29332c0354e\"; export TERM=\"dumb\"; whoami; echo \"X2GODATAEND:eb840c04-8bb1-44b2-b29f-e29332c0354e\";'"
x2go-DEBUG-../src/sshmasterconnection.cpp:1661> SSH exited.
x2go-DEBUG-../src/sshmasterconnection.cpp:1662> stdout: "X2GODATABEGIN:eb840c04-8bb1-44b2-b29f-e29332c0354e\nremoto\nX2GODATAEND:eb840c04-8bb1-44b2-b29f-e29332c0354e\n"
x2go-DEBUG-../src/sshmasterconnection.cpp:1663> stderr: ""
x2go-DEBUG-../src/sshmasterconnection.cpp:1664> Exit code: 0; status: QProcess::ExitStatus(NormalExit)
X2GO-DEBUG-../SRC/SSHMASTERCONNECTION.CPP:726> USER AUTHENTICATION OK.
X2GO-DEBUG-../SRC/SSHMASTERCONNECTION.CPP:1727> "SSH_CHANNEL_OPEN_SESSION FAILED": "SOCKET ERROR: DISCONNECTED"
x2go-DEBUG-../src/sshmasterconnection.cpp:735> Login Check - Failed
x2go-DEBUG-../src/onmainwindow.cpp:3167> Closed SSH Session interaction
The documentation on the wiki is blank when it comes to the advanced section and kerberos authentication methods, and I could not find past use cases regarding this approach on the mailing lists (I could've missed it though).
Are there any additional configurations needed on the server side or any insights regarding this connection error? Any help towards this setup is appreciated.
Regards, Rubens Zanatta
On 21.01.19 at 14:46, rubens.zanatta@grad.ufsc.br wrote:
> Hello there.
> We're trying to use X2Go in our campus as a user-friendly Linux-Linux remote desktop solution. We would also like a single sign-on approach, so we chose to use Kerberos authentication between the Linux clients and the X2Go server.
> We already have a working KDC that authenticates a SSH server, as a test. On the client I have the Kerberos 5 Auth. option checked, but when I attempt the connection, the screen remains blank and never connects. The log shows this socket error but the authentication seems to be working.
Hi Rubens,
I must admit I'm not really knowledgeable about Kerberos, but since you say the authentication is succeeding, but you end up with a blank screen afterwards, it would be interesting to know which session type you were using (KDE, GNOME, XFCE, LXDE, ... or maybe Published Applications or a single application) - maybe your problem isn't related to Kerberos at all. Also, what happens when you switch to a different session type?
And what is the output of "klist -fv"? Is the ticket Proxyable, Forwardable, Initial?
Kind Regards, Stefan Baur
--
BAUR-ITCS UG (haftungsbeschränkt)
Managing Director: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Register court: Ulm, HRB 724364
Phone/Fax 0731 40 34 66-36/-35 | VAT ID: DE268653243
> Hi Rubens,
> I must admit I'm not really knowledgeable about Kerberos, but since you say the authentication is succeeding, but you end up with a blank screen afterwards, it would be interesting to know which session type you were using (KDE, GNOME, XFCE, LXDE, ... or maybe Published Applications or a single application) - maybe your problem isn't related to Kerberos at all. Also, what happens when you switch to a different session type?
> And what is the output of "klist -fv"? Is the ticket Proxyable, Forwardable, Initial?
Hello Stefan, thanks for the reply.
It's not exactly a blank screen, I took a screenshot of the error with the --debug log beside it: https://drive.google.com/open?id=1cgBI3-ARfW4IDdnJeG-4K_iSAhjXuEoz
I'm trying to log in to LXDE, and when I try XFCE, Published Apps and even Terminal I get the same problem. Also, monitoring the syslog on the X2Go server machine I see no X2Go activity during these attempts. Anywhere else I should look that could help troubleshooting this?
After I issue the initial ticket and unsuccessfully attempt an X2Go login, "klist -f" outputs:
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: remoto@KERBEROS.COM

Valid starting       Expires              Service principal
23/01/2019 09:38:56  23/01/2019 19:38:56  krbtgt/KERBEROS.COM@KERBEROS.COM
        renew until 24/01/2019 09:38:53, Flags: FPRIA
23/01/2019 09:39:06  23/01/2019 19:38:56  host/newhost.com@
        renew until 24/01/2019 09:38:53, Flags: FPRAT
23/01/2019 09:39:06  23/01/2019 19:38:56  host/newhost.com@KERBEROS.COM
        renew until 24/01/2019 09:38:53, Flags: FPRAT
Again, any help is appreciated.
Regards, Rubens
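Added example, not part of the original thread: a small parser that decodes the flag letters in the "klist -f" output above and answers, per ticket, whether it is proxiable, forwardable and initial. The flag meanings are those documented for MIT Kerberos klist; the dd/mm/yyyy timestamp pattern matches this output and is an assumption for other locales.

```python
import re

# Flag letters as documented in the MIT Kerberos klist(1) man page.
KLIST_FLAGS = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "postdateable", "d": "postdated", "R": "renewable", "I": "initial",
    "i": "invalid", "H": "hardware-authenticated", "A": "pre-authenticated",
    "T": "transit-policy-checked", "O": "ok-as-delegate", "a": "anonymous",
}

# The output quoted in the message above, wrapped to klist's usual layout.
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: remoto@KERBEROS.COM

Valid starting       Expires              Service principal
23/01/2019 09:38:56  23/01/2019 19:38:56  krbtgt/KERBEROS.COM@KERBEROS.COM
        renew until 24/01/2019 09:38:53, Flags: FPRIA
23/01/2019 09:39:06  23/01/2019 19:38:56  host/newhost.com@
        renew until 24/01/2019 09:38:53, Flags: FPRAT
23/01/2019 09:39:06  23/01/2019 19:38:56  host/newhost.com@KERBEROS.COM
        renew until 24/01/2019 09:38:53, Flags: FPRAT
"""

# A ticket line: start time, expiry time, then the service principal.
TICKET = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\s+"
                    r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\s+(\S+)$")
FLAGS = re.compile(r"Flags:\s*([A-Za-z]+)")


def parse_klist(text):
    """Return [(service_principal, [flag names])] from `klist -f` output."""
    tickets = []
    for line in text.splitlines():
        m = TICKET.match(line.strip())
        if m:
            tickets.append([m.group(1), []])
            continue
        f = FLAGS.search(line)
        if f and tickets:
            # The flags line belongs to the most recent ticket line.
            tickets[-1][1] = [KLIST_FLAGS.get(c, "unknown:" + c)
                              for c in f.group(1)]
    return [(sp, fl) for sp, fl in tickets]


def summarize(text):
    """For each ticket, report the three properties asked about in the thread."""
    return {sp: {k: k in fl for k in ("proxiable", "forwardable", "initial")}
            for sp, fl in parse_klist(text)}


if __name__ == "__main__":
    for principal, answers in summarize(SAMPLE).items():
        print(principal, answers)
```

On this output only the krbtgt ticket carries the initial flag; both host/ tickets are proxiable and forwardable but not initial.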
On 23.01.19 at 13:10, rubens.zanatta@grad.ufsc.br wrote:
> It's not exactly a blank screen, I took a screenshot of the error with the --debug log beside it: https://drive.google.com/open?id=1cgBI3-ARfW4IDdnJeG-4K_iSAhjXuEoz
I see. So you're not getting any additional screen at all, blank or not, but rather the main client window sort of freezes in place.
> I'm trying to log in to LXDE, and when I try XFCE, Published Apps and even Terminal I get the same problem. Also, monitoring the syslog on the X2Go server machine I see no X2Go activity during these attempts. Anywhere else I should look that could help troubleshooting this?
Okay, that does indeed smell like an issue with Kerberos.
Can you do two things for me, please?
First, confirm that a regular SSH login using the same username, client, and server, with Kerberos enabled, works. My (limited) understanding of Kerberos says that you should be using these options for SSH *on the client*:
GSSAPIDelegateCredentials no
GSSAPIKeyExchange yes
GSSAPIRenewalForcesRekey yes
PubkeyAuthentication no
I think you should be able to specify them on the command line like so (all on one line):
ssh -o GSSAPIDelegateCredentials=no -o GSSAPIKeyExchange=yes -o GSSAPIRenewalForcesRekey=yes -o PubkeyAuthentication=no user@server
If you can log in to the server like that, without being prompted for a password, then you have a working Kerberos setup. If not, the problem is with your Kerberos setup rather than with X2Go.
Second, can you create an account on the server that does not need to authenticate via Kerberos, and attempt a regular user/password or SSH Public Keyfile login, to see if that works? If that doesn't work, then your X2Go installation (server, client, or both) is botched somehow, and the issue is independent of Kerberos.
Please report back your results.
Kind Regards, Stefan Baur
Hello again Stefan, thanks for looking into this.
> First, confirm that a regular SSH login using the same username, client, and server, with Kerberos enabled, works.
Yes, I am able to connect client and server through SSH with Kerberos auth, without being prompted for a password. I had changed some of the config options you mentioned but it was already working before and the error still persists with X2Go. The ssh verbose prompts these lines that prove that gssapi is working:
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).
Authenticated to newhost ([SERVER IP]:22).
> Second, can you create an account on the server that does not need to authenticate via Kerberos, and attempt a regular user/password or SSH Public Keyfile login, to see if that works? If that doesn't work, then your X2Go installation (server, client, or both) is botched somehow, and the issue is independent of Kerberos.
I'm not sure if I got that right. If you're asking me to create another user account (on the X2Go server) and attempt a regular X2Go login, without kerberos, then yes, it does work fine with X2Go and SSH with password authentication.
One thing that I noticed on the SSH Logs on the server is that the failed X2Go kerberos authentication attempts are actually successful but disconnect IMMEDIATELY after being done. This does not happen with a password based X2Go connection. Take a look:
Jan 24 09:43:04 newhost sshd[10146]: Authorized to remoto, krb5 principal remoto@KERBEROS.COM (krb5_kuserok)
Jan 24 09:43:04 newhost sshd[10146]: Accepted gssapi-with-mic for remoto from [CLIENT IP] port 33428 ssh2: remoto@KERBEROS.COM
Jan 24 09:43:04 newhost sshd[10146]: pam_unix(sshd:session): session opened for user remoto by (uid=0)
Jan 24 09:43:04 newhost systemd-logind[554]: New session 12 of user remoto.
Jan 24 09:43:04 newhost sshd[10210]: Received disconnect from [CLIENT IP] port 33428:11: disconnected by user
Jan 24 09:43:04 newhost sshd[10210]: Disconnected from user remoto [CLIENT IP] port 33428
Jan 24 09:43:04 newhost sshd[10144]: dispatch_protocol_error: type 90 seq 3 [preauth]
Jan 24 09:43:04 newhost sshd[10146]: pam_unix(sshd:session): session closed for user remoto
Jan 24 09:43:04 newhost systemd-logind[554]: Removed session 12.
Could this be related to that socket error mentioned on the X2Go --debug verbose?
Regards, Rubens.
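Added example, not part of the original thread: a log check that pairs each sshd "Accepted" line with the matching "Received disconnect" by client address and port, flags logins dropped within two seconds, and names the message number in dispatch_protocol_error lines. The sample lines are constructed from the excerpt above (placeholder address 192.0.2.10, an invented contrasting password login for a user "teste"), and the two-second threshold is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: sshd lines from the message above with the redacted
# "[CLIENT IP]" replaced by the documentation address 192.0.2.10, plus an
# invented password login ("teste") that stays connected, for contrast.
SAMPLE_LOG = """\
Jan 24 09:43:04 newhost sshd[10146]: Accepted gssapi-with-mic for remoto from 192.0.2.10 port 33428 ssh2: remoto@KERBEROS.COM
Jan 24 09:43:04 newhost sshd[10210]: Received disconnect from 192.0.2.10 port 33428:11: disconnected by user
Jan 24 09:43:04 newhost sshd[10144]: dispatch_protocol_error: type 90 seq 3 [preauth]
Jan 24 09:50:10 newhost sshd[10300]: Accepted password for teste from 192.0.2.10 port 33500 ssh2
Jan 24 10:20:31 newhost sshd[10355]: Received disconnect from 192.0.2.10 port 33500:11: disconnected by user
"""

# Message numbers from RFC 4254; 90 is the request that opens a channel.
SSH_MSG = {90: "SSH_MSG_CHANNEL_OPEN", 98: "SSH_MSG_CHANNEL_REQUEST"}

PREFIX = re.compile(r"^(\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (.*)$")
ACCEPT = re.compile(r"^Accepted (\S+) for (\S+) from (\S+) port (\d+)")
DISCONNECT = re.compile(r"^Received disconnect from (\S+) port (\d+):")
PROTO_ERR = re.compile(r"^dispatch_protocol_error: type (\d+) seq \d+(?: \[(\w+)\])?")


def analyze(log_text, year=2019, max_age=timedelta(seconds=2)):
    """Return (short_lived_logins, protocol_errors) found in sshd syslog text.

    In the excerpt the accepting and disconnecting sshd processes log different
    PIDs, so a connection is keyed on (client address, source port) instead.
    """
    accepted, short_lived, proto_errors = {}, [], []
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        # syslog omits the year; supply one so the timestamp parses cleanly.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        if a := ACCEPT.match(msg):
            method, user, addr, port = a.groups()
            accepted[(addr, port)] = (ts, method, user)
        elif (d := DISCONNECT.match(msg)) and d.groups() in accepted:
            start, method, user = accepted.pop(d.groups())
            if ts - start <= max_age:
                short_lived.append({"user": user, "method": method,
                                    "port": int(d.group(2)),
                                    "seconds": (ts - start).total_seconds()})
        elif e := PROTO_ERR.match(msg):
            num = int(e.group(1))
            proto_errors.append({"type": num, "phase": e.group(2),
                                 "name": SSH_MSG.get(num, "unknown")})
    return short_lived, proto_errors


if __name__ == "__main__":
    for item in sum(analyze(SAMPLE_LOG), []):
        print(item)
```

On the sample it reports the gssapi-with-mic login for remoto as lasting 0 seconds and the type 90 message as SSH_MSG_CHANNEL_OPEN logged in the preauth phase, while the password login is not flagged.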
On 24.01.19 at 13:24, rubens.zanatta@grad.ufsc.br wrote:
> Hello again Stefan, thanks for looking into this.
> > First, confirm that a regular SSH login using the same username, client, and server, with Kerberos enabled, works.
> Yes, I am able to connect client and server through SSH with Kerberos auth, without being prompted for a password. I had changed some of the config options you mentioned but it was already working before and the error still persists with X2Go. The ssh verbose prompts these lines that prove that gssapi is working:
> debug1: Next authentication method: gssapi-with-mic
> debug1: Authentication succeeded (gssapi-with-mic).
> Authenticated to newhost ([SERVER IP]:22).
Okay, that's good.
> > Second, can you create an account on the server that does not need to authenticate via Kerberos, and attempt a regular user/password or SSH Public Keyfile login, to see if that works? If that doesn't work, then your X2Go installation (server, client, or both) is botched somehow, and the issue is independent of Kerberos.
> I'm not sure if I got that right. If you're asking me to create another user account (on the X2Go server) and attempt a regular X2Go login, without kerberos, then yes, it does work fine with X2Go and SSH with password authentication.
Yes, that was what I was asking for. Thanks for confirming that this works as well.
> One thing that I noticed on the SSH Logs on the server is that the failed X2Go kerberos authentication attempts are actually successful but disconnect IMMEDIATELY after being done. This does not happen with a password based X2Go connection. Take a look:
> Jan 24 09:43:04 newhost sshd[10146]: Authorized to remoto, krb5 principal remoto@KERBEROS.COM (krb5_kuserok)
> Jan 24 09:43:04 newhost sshd[10146]: Accepted gssapi-with-mic for remoto from [CLIENT IP] port 33428 ssh2: remoto@KERBEROS.COM
> Jan 24 09:43:04 newhost sshd[10146]: pam_unix(sshd:session): session opened for user remoto by (uid=0)
> Jan 24 09:43:04 newhost systemd-logind[554]: New session 12 of user remoto.
> Jan 24 09:43:04 newhost sshd[10210]: Received disconnect from [CLIENT IP] port 33428:11: disconnected by user
> Jan 24 09:43:04 newhost sshd[10210]: Disconnected from user remoto [CLIENT IP] port 33428
> Jan 24 09:43:04 newhost sshd[10144]: dispatch_protocol_error: type 90 seq 3 [preauth]
> Jan 24 09:43:04 newhost sshd[10146]: pam_unix(sshd:session): session closed for user remoto
> Jan 24 09:43:04 newhost systemd-logind[554]: Removed session 12.
> Could this be related to that socket error mentioned on the X2Go --debug verbose?
Like I said, I am not exactly knowledgeable about Kerberos. However, there were two bug reports and changes related to Kerberos that I was able to find in the bug tracker. So maybe the fix for the regression doesn't fully work, or you are still using the version with the regression?
To find out, the answers to the following questions would be helpful:
What's the *client* Operating System/Distribution/Version that you are using? (If it's a Linux system, 'cat /etc/os-release' should provide all the necessary info.)
What's the X2GoClient version you are using? (Run 'LANG=C x2goclient --version' in the shell to find out.)
One outcome might be that we'll have to get you to change to an older or newer version of X2GoClient and try that.
Another option is that I set up a small demo Kerberos environment myself and try to replicate the issue there, as time permits. No guarantees on the time frame, though.
Last, we could get commercial support involved - if you are willing and able to pay (Rates are usually around 125 EUR/h, taxes not included).
Kind Regards, Stefan Baur
> What's the *client* Operating System/Distribution/Version that you are using? (If it's a Linux system, 'cat /etc/os-release' should provide all the necessary info.)
> What's the X2GoClient version you are using? (Run 'LANG=C x2goclient --version' in the shell to find out.)
Ok so my setup is the following:
* Client:
  * OS: Ubuntu 18.04.1 LTS
  * X2Go: X2Go Client 4.1.1.1
* Server:
  * OS: Ubuntu 18.04.1 LTS
  * x2goserver: 4.1.0.0
  * x2goserver-common: 4.1.0.0
  * x2goserver-extensions: 4.1.0.0
  * x2goserver-fmbindings: 4.1.0.0
  * x2goserver-printing: 4.1.0.0
  * x2goserver-x2goagent: 3.5.99.16
  * x2goserver-xsession: 4.1.0.0
* Kerberos KDC:
  * Ubuntu Server 18.04.1 LTS
> One outcome might be that we'll have to get you to change to an older or newer version of X2GoClient and try that.
Do you suggest any versions? We would be doing some trial and error attempts here right?
If you'd like to try replicating, this is pretty much the setup I have. As for the paid support, it's unlikely that my Uni would cover that.
Regards, Rubens
On 24.01.19 at 14:53, rubens.zanatta@grad.ufsc.br wrote:
> Client:
> OS: Ubuntu 18.04.1 LTS
> X2Go: X2Go Client 4.1.1.1
[...]
> > One outcome might be that we'll have to get you to change to an older or newer version of X2GoClient and try that.
> Do you suggest any versions? We would be doing some trial and error attempts here right?
I think it might be the client version that's causing the problem. 4.1.1.0 introduced a fix for Bug 592 [0], but, in doing so, broke other things related to Kerberos, as reported in Bug 1258 [1] and (hopefully) fixed in 4.1.2.0.
The current stable release of X2GoClient for (Ubuntu) Linux is 4.1.2.1. This version is available from the X2Go stable PPA, which you can activate by running
sudo add-apt-repository ppa:x2go/stable
sudo apt update
on the client. After that,
sudo apt upgrade
or
sudo apt install x2goclient
should pull in the new version.
You're probably on a stock Ubuntu 18.04.1 LTS, without the X2Go PPA, and stock Ubuntu currently only ships 4.1.1.1, that's why you're likely hitting the issue.
So please let me know if upgrading to 4.1.2.1 from the X2Go stable PPA fixes the issue for you; if not ...
> If you'd like to try replicating, this is pretty much the setup I have.
... I can try to create a test setup maybe this weekend, but no promises on that.
> As for the paid support, it's unlikely that my Uni would cover that.
Too bad. :( So let's hope 4.1.2.1 fixes things for you.
Kind Regards, Stefan Baur
[0] https://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=592
[1] https://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=1258
> I think it might be the client version that's causing the problem. 4.1.1.0 introduced a fix for Bug 592 [0], but, in doing so, broke other things related to Kerberos, as reported in Bug 1258 [1] and (hopefully) fixed in 4.1.2.0.
Yes, updating to 4.1.2.1 through the PPA fixed it. Working perfectly with Kerberos now.
Thank you so much for the aid, Stefan.
Regards, Rubens
On 25.01.19 at 11:19, rubens.zanatta@grad.ufsc.br wrote:
> > I think it might be the client version that's causing the problem. 4.1.1.0 introduced a fix for Bug 592 [0], but, in doing so, broke other things related to Kerberos, as reported in Bug 1258 [1] and (hopefully) fixed in 4.1.2.0.
> Yes, updating to 4.1.2.1 through the PPA fixed it. Working perfectly with Kerberos now.
Yay! :-)
@Mike#1: Do you think you can get X2GoClient 4.1.2.1 pushed into Ubuntu (at least 18.04, possibly 16.04 as well), so people don't need to add the PPA? "Un-breaks Kerberos support" sounds like a valid reason to get it updated.
> Thank you so much for the aid, Stefan.
You're welcome - and if you ever do need commercial support, please consider contracting us (<https://www.baur-itcs.de/en/>). ;-)
Kind Regards, Stefan Baur
Hi,
On Fri 25 Jan 2019 14:42:27 CET, Stefan Baur wrote:
> On 25.01.19 at 11:19, rubens.zanatta@grad.ufsc.br wrote:
> > > I think it might be the client version that's causing the problem. 4.1.1.0 introduced a fix for Bug 592 [0], but, in doing so, broke other things related to Kerberos, as reported in Bug 1258 [1] and (hopefully) fixed in 4.1.2.0.
> > Yes, updating to 4.1.2.1 through the PPA fixed it. Working perfectly with Kerberos now.
> Yay! :-)
> @Mike#1: Do you think you can get X2GoClient 4.1.2.1 pushed into Ubuntu (at least 18.04, possibly 16.04 as well), so people don't need to add the PPA? "Un-breaks Kerberos support" sounds like a valid reason to get it updated.
Nope. I am not an Ubuntu MOTU Developer. Neither would they (Ubuntu MOTU team) accept new upstream releases for such a minor reason (sorry, but Krb5 Login support is still a rare case scenario).
DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de