That’s the point. Gpg-cards. We too had those sun-machines for evaluation, but declined. When one’s whole organization is using PKI, with 65,000 cards around, pkcs11 is essential. Would be nice to have a proper Citrix alternative.
From: "Stefan Baur" <X2Go-ML-1@baur-itcs.de>
Date: Friday, 24 April 2020 at 20:24:56
To: "Witvliet, J, Ing., DMO/JIVC/GIT&INFRA/ITT" <J.Witvliet@mindef.nl>, "x2go-user@lists.x2go.org" <x2go-user@lists.x2go.org>
Subject: Re: [X2Go-User] X2Go, MFA and Duo?
On 24.04.20 at 20:12, J.Witvliet@mindef.nl wrote:
One obviously missing, is a SmartCard, loaded with SSL keys & certificates, that should be reachable through P11 (or pkcs11) library...
We have SmartCard support as well (quite obviously, as X2Go started out as a replacement for SunRay workstations), that's just handled differently. But it's possible to authenticate using a GnuPG card that has SSH keys stored on it, for example.
-Stefan
--
BAUR-ITCS UG (haftungsbeschränkt)
Managing Director: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Register court: Ulm, HRB 724364
Phone/Fax 0731 40 34 66-36/-35 | VAT ID no.: DE268653243
This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
Hi,
Then again an organisation with 65000 possible users looking for a proper Citrix alternative and considering X2Go might get in touch with the people in control to get this built?
Surely there would be some kind of EU funding for this to make sure one gets out of the hands of a proprietary software product. Me as a citizen of the country in question would really approve if not demand this from such a respected department.
Regards,
JosW
[Folks, please don't top-post]
On 24.04.20 at 20:12, J.Witvliet@mindef.nl wrote:
One obviously missing, is a SmartCard, loaded with SSL keys & certificates, that should be reachable through P11 (or pkcs11) library...
We have SmartCard support as well (quite obviously, as X2Go started out as a replacement for SunRay workstations), that's just handled differently. But it's possible to authenticate using a GnuPG card that has SSH keys stored on it, for example.
On 25-4-2020 at 09:41, J.Witvliet@mindef.nl wrote:
That’s the point. Gpg-cards. We too had those sun-machines for evaluation, but declined. When one’s whole organization is using PKI, with 65,000 cards around, pkcs11 is essential. Would be nice to have a proper Citrix alternative.
On 25.04.20 at 16:14, Jos wrote:
Then again an organisation with 65000 possible users looking for a proper Citrix alternative and considering X2Go might get in touch with the people in control to get this built?
Surely there would be some kind of EU funding for this to make sure one gets out of the hands of a proprietary software product. Me as a citizen of the country in question would really approve if not demand this from such a respected department.
Basically, pkcs11 support in X2Go would depend on pkcs11 support in libssh (haven't checked if it's there in the current version, nor in the version we're using in X2GoClient). Once present, it *may* need further changes to X2GoClient to make things work.
As X2Go is Open Source, let me say: Patches Welcome.
And if you can't do it yourself, feel free to contract a developer/a software development company to do it for you.
The only catch here is that neither BAUR-ITCS nor DAS-NETZWERKTEAM will be available for this*. I don't know about phoca GmbH, though, so it might be worth a try. But even if you hire a third-party developer outside of X2Go's core dev team: As stated above, we will accept patches for pkcs11 support into the main X2Go source.
Kind Regards, Stefan Baur
*The reason is that for both of these companies, doing business with military organizations would be a violation of their corresponding ethics code. We've had a similar discussion on the list (or was it on x2go-dev?) a few years ago, when the issue was nuclear power/nuclear research. We, as companies (and the individuals in charge of them), don't want "blood money" - but X2Go, as a project, will accept contributions under GPL, even from such orgs.