Hi,
I am trying to connect with the Mac x2goclient (v4.1.2.2) through a bastion host*, essentially as a version of the openssh '-J' option.
My setup in ~/.ssh/config works for ssh, but it looks like the x2go client (libssh? Where is that in the source tree?) does not look at config.
With an ssh proxy connection configured in x2go, I can see a login on the bastion host, but nothing on the target machine. And what logs x2go has are too quickly replaced by a user/passwd login screen to be readable.
How can I have the x2go client log to a file?
Cheerio, Hauke
-- 
     The ASCII Ribbon Campaign                    Hauke Fath
()     No HTML/RTF in email            Institut für Nachrichtentechnik
/\     No Word docs in email                     TU Darmstadt
     Respect for open standards              Phone +49-6151-16-21344
Hi,
the x2go is using libssh, which _partly_ reads your openssh config files. It understands _some_ of the options, but not all.
You can use your ProxyJump setup in conjunction with -L to establish a port forwarding outside x2go and then use localhost:<your_forwarded_port> in the x2go connection dialog.
Also, x2goclient knows some debug switches to produce log files. You might see what's going on.
Third, if your bastion host is running some kind of restricted shell you can try to use !<hostname> instead of <hostname> (preceding the hostname with an exclamation mark) in the connection dialog (for destination or proxy or both) to disable some checks that might trigger your restricted shell to fail.
HTH, Uli
On Wed, Jun 26, 2024 at 11:17 PM Hauke Fath <hf@spg.tu-darmstadt.de> wrote:
> Hi,
> I am trying to connect with the Mac x2goclient (v4.1.2.2) through a bastion host*, essentially as a version of the openssh '-J' option.
> My setup in ~/.ssh/config works for ssh, but it looks like the x2go client (libssh? Where is that in the source tree?) does not look at config.
> With an ssh proxy connection configured in x2go, I can see a login on the bastion host, but nothing on the target machine. And what logs x2go has are too quickly replaced by a user/passwd login screen to be readable.
> How can I have the x2go client log to a file?
> Cheerio, Hauke
> * My uni is going to cut off direct client access from outside the perimeter soon
x2go-user mailing list x2go-user@lists.x2go.org https://lists.x2go.org/listinfo/x2go-user
On Wed, 26 Jun 2024 23:50:45 +0200, Ulrich Sibiller wrote:
> the x2go is using libssh, which _partly_ reads your openssh config files. It understands _some_ of the options, but not all.
So I've read. What I have not been able to find, is information on what subset of the ssh_config(5) options libssh (and, in particular, the libssh version built into the x2go mac client) recognizes. Do you know more?
> You can use your ProxyJump setup in conjunction with -L to establish a port forwarding outside x2go and then use localhost:<your_forwarded_port> in the x2go connection dialog.
I've read about that. Problem is: I need to come up with a workable solution for three dozen users, many of whom are not ssh savvy, on three different platforms. And tweaking configuration outside of x2go just to connect to a different host is not practical for them, even if I can make it work for me.
> Also, x2goclient knows some debug switches to produce log files. You might see what's going on.
I might, if I could find said debug switches, which is what my question was about... Please fill me in.
> Third, if your bastion host is running some kind of restricted shell you can try to use !<hostname> instead of <hostname> (preceding the hostname with an exclamation mark) in the connection dialog (for destination or proxy or both) to disable some checks that might trigger your restricted shell to fail.
The jumphost allows port forwarding only, no sessions there.
Since the x2go client does offer support for an ssh proxy connection: How functional is it? And what is the intended setup, i.e. what is expected of the proxy?
Cheerio, Hauke
On Thu, 27 Jun 2024 10:49:48 +0200, Hauke Fath wrote:
> > Also, x2goclient knows some debug switches to produce log files. You might see what's going on.
> I might, if I could find said debug switches, which is what my question was about... Please fill me in.
I managed to invoke the mac x2go client from the command line as './x2go --libssh-debug', which gives a bit more information.
A lot of it is of the form "ssh_config_parse_line: Un(supported|applicable) option:", to the point where a list of libssh supported options will probably be shorter... In particular, ProxyJump is not supported.
The debug information ends with
[...]
[2024/06/27 11:46:22.944213, 1] ssh_agent_get_ident_count: Answer type: 12, expected answer: 12
[2024/06/27 11:46:23.238705, 2] channel_open: Creating a channel 43 with 64000 window and 32768 max packet
[2024/06/27 11:46:23.262887, 2] ssh_packet_global_request: Received SSH_MSG_GLOBAL_REQUEST packet
[2024/06/27 11:46:23.262971, 2] ssh_packet_global_request: UNKNOWN SSH_MSG_GLOBAL_REQUEST hostkeys-00@openssh.com 0
[2024/06/27 11:46:23.262988, 1] ssh_packet_process: Couldn't do anything with packet type 80
[2024/06/27 11:46:23.263056, 2] ssh_packet_ignore_callback: Received SSH_MSG_DEBUG packet
[2024/06/27 11:46:23.263078, 2] ssh_packet_ignore_callback: Received SSH_MSG_DEBUG packet
[2024/06/27 11:46:23.287345, 2] ssh_packet_channel_open_conf: Received a CHANNEL_OPEN_CONFIRMATION for channel 43:0
[2024/06/27 11:46:23.287401, 2] ssh_packet_channel_open_conf: Remote window : 0, maxpacket : 32768
[2024/06/27 11:46:23.532003, 1] channel_request: Channel request pty-req failed
and while the jumphost logs
Jun 27 11:51:29 Pollux sshd[22590]: SSH: Server;Ltype: Kex;Remote: 195.52.168.252-61842;Enc: aes256-ctr;MAC: hmac-sha2-256;Comp: none [preauth]
Jun 27 11:51:30 Pollux sshd[22590]: SSH: Server;Ltype: Authname;Remote: 195.52.168.252-61842;Name: ntjump [preauth]
Jun 27 11:51:30 Pollux sshd[22590]: Accepted publickey for ntjump from 195.52.168.252 port 61842 ssh2: RSA SHA256:e593oJRD2akRZtNT3ib5VufkJc3RCRdGEqDlfV+xKNU
Jun 27 11:51:30 Pollux sshd[25939]: SSH: Server;LType: Throughput;Remote: 195.52.168.252-61842;IN: 0;OUT: 0;Duration: 0.3;tPut_in: 0.0;tPut_out: 0.0
there is no indication of a connection to the target machine, neither on the jumphost, nor the target machine's logs.
Cheerio, Hauke
Well, I don't see what's going wrong here. But I had similar experiences with libssh debug output not helping at all.
Running x2goclient with --help shows you all available options.
Regarding debugging there are these:
--debug
    Enables extensive debug output to the console.
    On Windows, also enables PulseAudio logging to a file under ".x2go/pulse" & cygwin sshd logging to a file under ".x2go/sshLogs" directory, both under the USERPROFILE directory.
    The logs are not deleted when X2Go Client terminates.
--libssh-debug
    Instructs libssh to print out extensive debug output to the console.
    This will only have an effect if libssh is being used. It tends to generate a lot of output.
    WARNING: Enabling this option could reveal sensitive information about client and server configuration, and, if libssh has been compiled with password debugging, user credentials. Do not publish log files created with this option.
--libssh-packetlog
    Instructs libssh to print out all network packets sent and received, including their contents.
    This will only have an effect if libssh is being used. It tends to generate huge amounts of output.
    WARNING: The same caveats as explained in the --libssh-debug option help text apply.
As MacOS is unixoid I assume you can easily automate the tunnel building during session startup. This should not build up big hurdles for any of your (possibly inexperienced) users.
Regarding the proxy connection: AFAIR x2go will connect to the named proxy and start another ssh session to the final destination there.
Uli
On Thu, 27 Jun 2024 14:52:18 +0200, Ulrich Sibiller wrote:
> As MacOS is unixoid I assume you can easily automate the tunnel building during session startup. This should not build up big hurdles for any of your (possibly inexperienced) users.
s/possibly/generally/g
As mentioned, this will have to work on windows, macos, unixen.
> Regarding the proxy connection: AFAIR x2go will connect to the named proxy and start another ssh session to the final destination there.
Ah - now we're getting somewhere:
% ./x2go --debug --libssh-debug
[...]
[2024/06/27 15:00:15.040974, 1] channel_request: Channel request pty-req failed
x2go-DEBUG-../src/sshmasterconnection.cpp:1670> "ssh_channel_request_pty schlug fehl": "Channel request pty-req failed"
x2go-DEBUG-../src/sshmasterconnection.cpp:705> Login Check - Failed
x2go-DEBUG-../src/sshmasterconnection.cpp:436> SSH proxy interaction finished
[...]
and since the jumphost does not offer sessions, that is the end of that.
Anyway - thanks for the input. :)
Cheerio, Hauke
On Thu, Jun 27, 2024 at 9:06 AM Hauke Fath <hf@spg.tu-darmstadt.de> wrote:
> On Thu, 27 Jun 2024 14:52:18 +0200, Ulrich Sibiller wrote:
> > As MacOS is unixoid I assume you can easily automate the tunnel building during session startup. This should not build up big hurdles for any of your (possibly inexperienced) users.
> s/possibly/generally/g
> As mentioned, this will have to work on windows, macos, unixen.
> > Regarding the proxy connection: AFAIR x2go will connect to the named proxy and start another ssh session to the final destination there.
> Ah - now we're getting somewhere:
> % ./x2go --debug --libssh-debug
> [...]
> [2024/06/27 15:00:15.040974, 1] channel_request: Channel request pty-req failed
> x2go-DEBUG-../src/sshmasterconnection.cpp:1670> "ssh_channel_request_pty schlug fehl": "Channel request pty-req failed"
> x2go-DEBUG-../src/sshmasterconnection.cpp:705> Login Check - Failed
> x2go-DEBUG-../src/sshmasterconnection.cpp:436> SSH proxy interaction finished
> [...]
> and since the jumphost does not offer sessions, that is the end of that.
> Anyway - thanks for the input. :)
> Cheerio, Hauke
Possibly tailscale could help you.
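
A triage script for the `--debug --libssh-debug` output discussed in this thread, added here as an example; it is not part of any message above and is not x2goclient or libssh code. The line layout is taken from the posted excerpts; the two `ssh_config_parse_line` sample lines are constructed, and the exact text following `option:` is an assumption.

```python
import re

# libssh debug line layout, as in the excerpts: "[<timestamp>, <level>] <function>: <message>"
LINE_RE = re.compile(r"^\[([^,\]]+), (\d+)\] (\w+): (.*)$")
# Assumption: the option name directly follows "option:" and may be trailed by ", line: N".
OPTION_RE = re.compile(r"^(Unsupported|Unapplicable) option: ([^,\s]+)")

# Constructed sample: the first two lines are invented to match the quoted pattern,
# the remaining lines are copied from the debug output posted in the thread.
SAMPLE = """\
[2024/06/27 11:46:22.100000, 2] ssh_config_parse_line: Unsupported option: ProxyJump, line: 4
[2024/06/27 11:46:22.100100, 2] ssh_config_parse_line: Unapplicable option: ForwardAgent, line: 7
[2024/06/27 11:46:23.238705, 2] channel_open: Creating a channel 43 with 64000 window and 32768 max packet
[2024/06/27 11:46:23.287345, 2] ssh_packet_channel_open_conf: Received a CHANNEL_OPEN_CONFIRMATION for channel 43:0
[2024/06/27 11:46:23.532003, 1] channel_request: Channel request pty-req failed
x2go-DEBUG-../src/sshmasterconnection.cpp:705> Login Check - Failed
"""

def triage(log_text):
    """Return ignored ssh_config options and a short list of findings."""
    ignored, findings, channel_confirmed = {}, [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if "Login Check - Failed" in line:       # x2goclient --debug line, not libssh
            findings.append("x2goclient login check on this host failed")
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        func, msg = m.group(3), m.group(4)
        opt = OPTION_RE.match(msg)
        if func == "ssh_config_parse_line" and opt:
            ignored[opt.group(2)] = opt.group(1)  # option name -> Unsupported/Unapplicable
        elif func == "ssh_packet_channel_open_conf":
            channel_confirmed = True              # authentication and channel open worked
        elif func == "channel_request" and "pty-req failed" in msg:
            where = "after" if channel_confirmed else "before"
            findings.append(f"PTY request refused {where} channel confirmation: "
                            "host likely grants no interactive session")
    if "ProxyJump" in ignored:
        findings.append("ProxyJump from ssh_config is ignored by this libssh build")
    return {"ignored_options": ignored, "findings": findings}

if __name__ == "__main__":
    result = triage(SAMPLE)
    for name, kind in result["ignored_options"].items():
        print(f"{kind.lower()} option: {name}")
    for finding in result["findings"]:
        print("finding:", finding)
```

Run it locally on a saved log: per the `--libssh-debug` help text quoted above, the raw output can contain sensitive configuration details, whereas the summary lists only option names and failure types.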