Dear X2go users,
I'm trying to figure out whether X2go is a fitting solution for our project or not.
Users should get remote access to a host to execute applications in a graphical environment. These users must not be able to transfer any data or files to or from the target host.
Question 1: Is there a way to deactivate the clipboard or any drag'n'drop feature in x2go-server to prevent users from transering data?
Question 2: The documentation (at URL https://wiki.x2go.org/doku.php/doc:newtox2go#installation_and_use) mentions that the SSH server handels the X2go connections. Are there example configs that restrict SSH access to X2go but prevent users from transferring data via tools like scp or rsync?
Thank you in advance for your replys.
Regards, Joerg
Joerg,
In short: forget about it. If you're allowing users SSH access for X2Go, they WILL be able to copy data. You can make it a little harder for them if you think you have to, but as long as they are in control of the client hardware, they will always be able to do so.
X2Go is great to stop accidental copying when properly configured, but intentional copying - no.
Also, remember that keyboard input can be scripted and redirected to a file on the server, and screenshots can be OCR'ed on a client, or people can convert your data into QR codes on the server and screenshot and scan those.
So even if you'd use VNC and disable the clipboard there, you'd still not be safe from intentional copying.
Decades ago, in a lawsuit, a judge defined a computer as "a machine to copy ones and zeroes", and to be honest, that's what it does. If you want to try to stop it from doing that, good luck.
-Stefan
Am 20.12.21 um 12:08 schrieb Jörg Kastning:
Dear X2go users,
I'm trying to figure out whether X2go is a fitting solution for our project or not.
Users should get remote access to a host to execute applications in a graphical environment. These users must not be able to transfer any data or files to or from the target host.
Question 1: Is there a way to deactivate the clipboard or any drag'n'drop feature in x2go-server to prevent users from transering data?
Question 2: The documentation (at URL https://wiki.x2go.org/doku.php/doc:newtox2go#installation_and_use) mentions that the SSH server handels the X2go connections. Are there example configs that restrict SSH access to X2go but prevent users from transferring data via tools like scp or rsync?
Thank you in advance for your replys.
Regards, Joerg
x2go-user mailing list x2go-user@lists.x2go.org https://lists.x2go.org/listinfo/x2go-user
-- BAUR-ITCS UG (haftungsbeschränkt) Geschäftsführer: Stefan Baur Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364 Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243
On Mon, 20 Dec 2021 12:15:01 +0100 Stefan Baur <X2Go-ML-1@baur-itcs.de> wrote:
In short: forget about it. If you're allowing users SSH access for X2Go, they WILL be able to copy data. You can make it a little harder for them if you think you have to, but as long as they are in control of the client hardware, they will always be able to do so.
I have no complete answer to it, but if you use keys instead of user/pass then you will be able to restrict ssh in ~/.ssh/authorized_keys
from="1.2.3.4,2.3.4.5,9.8.7.6",no-port-forwarding,command="/path/to/script",no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa <key>
(all in 1 line)
This is an example of what I use here, I think there must be many other options available.
see "man authorized_keys"
HTH
R.
-- richard lucassen http://contact.xaq.nl/
On Mon, Dec 20, 2021 at 4:14 PM richard lucassen <mailinglists@lucassen.org> wrote:
On Mon, 20 Dec 2021 12:15:01 +0100 Stefan Baur <X2Go-ML-1@baur-itcs.de> wrote:
In short: forget about it. If you're allowing users SSH access for X2Go, they WILL be able to copy data. You can make it a little harder for them if you think you have to, but as long as they are in control of the client hardware, they will always be able to do so.
I have no complete answer to it, but if you use keys instead of user/pass then you will be able to restrict ssh in ~/.ssh/authorized_keys
from="1.2.3.4,2.3.4.5,9.8.7.6",no-port-forwarding,command="/path/to/script",no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa <key>
(all in 1 line)
This is an example of what I use here, I think there must be many other options available.
Although I only have used it with keys so far it seems not to be restricted to keys only, see man sshd_config: ForceCommand Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client and ~/.ssh/rc if present. The command is invoked by using the user's login shell with the -c option. This applies to shell, command, or subsystem execution. It is most useful inside a Match block. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable. Specifying a command of internal-sftp will force the use of an in-process SFTP server that requires no support files when used with ChrootDirectory. The default is none.
Uli
On Mon, 20 Dec 2021 16:53:44 +0100 Ulrich Sibiller <uli42@gmx.de> wrote:
I have no complete answer to it, but if you use keys instead of user/pass then you will be able to restrict ssh in ~/.ssh/authorized_keys
from="1.2.3.4,2.3.4.5,9.8.7.6",no-port-forwarding,command="/path/to/script",no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa <key>
(all in 1 line)
This is an example of what I use here, I think there must be many other options available.
Although I only have used it with keys so far it seems not to be restricted to keys only, see man sshd_config: ForceCommand Forces the execution of the command specified by ForceCommand, ignoring any command supplied by the client and ~/.ssh/rc if present. The command is invoked by using the user's login shell with the -c option. This applies to shell, command, or subsystem execution. It is most useful inside a Match block. The command originally supplied by the client is available in the SSH_ORIGINAL_COMMAND environment variable. Specifying a command of internal-sftp will force the use of an in-process SFTP server that requires no support files when used with ChrootDirectory. The default is none.
Ok, thnx Uli for pointing this out. I'm not an authorized_keys expert ;-)
R.
-- richard lucassen http://contact.xaq.nl/
Am 20.12.21 um 16:14 schrieb richard lucassen:
In short: forget about it. If you're allowing users SSH access for X2Go, they WILL be able to copy data. You can make it a little harder for them if you think you have to, but as long as they are in control of the client hardware, they will always be able to do so. I have no complete answer to it, but if you use keys instead of user/pass then you will be able to restrict ssh in ~/.ssh/authorized_keys
from="1.2.3.4,2.3.4.5,9.8.7.6",no-port-forwarding,command="/path/to/script",no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa <key>
(all in 1 line)
This is an example of what I use here, I think there must be many other options available.
see "man authorized_keys"
That's all fine for non-interactive commands or simple scripts. But have you tried to use this with X2Go?
Even with commandline-only tools like vim or mc, this becomes a royal PITA (and yes, I know about rvim).
-Stefan
-- BAUR-ITCS UG (haftungsbeschränkt) Geschäftsführer: Stefan Baur Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364 Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243
On Mon, 20 Dec 2021 17:44:06 +0100 Stefan Baur <X2Go-ML-1@baur-itcs.de> wrote:
see "man authorized_keys"
That's all fine for non-interactive commands or simple scripts. But have you tried to use this with X2Go?
No need for it, and for x2go I'm the only (happy) user :-)
-- richard lucassen http://contact.xaq.nl/
Am 20.12.2021 um 17:44 schrieb Stefan Baur:
Am 20.12.21 um 16:14 schrieb richard lucassen:
In short: forget about it. If you're allowing users SSH access for X2Go, they WILL be able to copy data. You can make it a little harder for them if you think you have to, but as long as they are in control of the client hardware, they will always be able to do so. I have no complete answer to it, but if you use keys instead of user/pass then you will be able to restrict ssh in ~/.ssh/authorized_keys
from="1.2.3.4,2.3.4.5,9.8.7.6",no-port-forwarding,command="/path/to/script",no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa <key>
(all in 1 line)
This is an example of what I use here, I think there must be many other options available.
see "man authorized_keys"
That's all fine for non-interactive commands or simple scripts. But have you tried to use this with X2Go?
That's an interesting question. @richard: Do you use this config with X2Go? Does it work?
Thanks for your answers so far. I'm aware that there is no such thing as 100% security. I just try to figure out what's possible and what risks will remain.
In the end it's not my job to decide whether to take the risk or not. But I would like to know what maybe possible to prevent to advice the project on this. So I ask in a very early stage of the project so I won't have to hurry later.
Regards, Joerg
On Tue, 21 Dec 2021 08:23:30 +0100 Jörg Kastning <joerg.kastning@uni-bielefeld.de> wrote:
@richard: Do you use this config with X2Go? Does it work?
No, that just a sample of another config! I use x2go as single user.
R.
-- richard lucassen http://contact.xaq.nl/
On Mon, Dec 20, 2021 at 12:08 PM Jörg Kastning <joerg.kastning@uni-bielefeld.de> wrote:
Dear X2go users,
I'm trying to figure out whether X2go is a fitting solution for our project or not.
Users should get remote access to a host to execute applications in a graphical environment. These users must not be able to transfer any data or files to or from the target host.
Question 1: Is there a way to deactivate the clipboard or any drag'n'drop feature in x2go-server to prevent users from transering data?
You can disable clipboard for one or both directions. Drag and drop is not supported by x2go, so this is not an issue. You can also disable file transfer and printer support. Of course you cannot prevent screenshots or similar approaches.
Question 2: The documentation (at URL https://wiki.x2go.org/doku.php/doc:newtox2go#installation_and_use) mentions that the SSH server handels the X2go connections. Are there example configs that restrict SSH access to X2go but prevent users from transferring data via tools like scp or rsync?
This can be close to impossible as there are various ways to transfer files. Disabling or restricting stuff makes it more difficult but never impossible. So in the end it depends on your users' abilities...
I am not aware of any x2go specific examples, but basically you have to check what commands are started from the client and restrict ssh access to those by forcing ssh to always run a checker script instead of the command that the clients sends (read about ForceCommand e.g. here https://serverfault.com/questions/749474/ssh-authorized-keys-command-option-...). You have to prepare for several rounds of trial and error to catch all command variations the client might send. I have done this in the past on various occasions but never tried for x2go.
Please note that if the user can run arbitrary commands on the server you will probably never reach 100% security. E.g. you also need to prevent the users from opening tunnels and from connecting back to the client using the server side ssh. Also things like running an own server (e.g. nc) must be restricted, too. Or if the server has internet access data can be routed via some third-party server... the list is endless.
Uli