I’m having trouble with Kerberos authentication with a Mac client. I am using x2goclient-4.0.4.0-preview2 on a Mac running OS X 10.9.5, connecting to Ubuntu 14.0.4 running x2goserver-4.0.1.19. Here are the symptoms:
- Connecting with kerberos and ssh works fine. I run kinit to get my tgt, and then ssh works without prompting for any sort of authentication.
- When I tell X2Go to authenticate using kerberos, it connects without apparent error, but my keyboard mapping is bizarre (and pretty much useless).
- When I tell X2Go to use the default authentication, it waits for some time (maybe 30 sec or 1 min), and pops up a dialog box, asking for a passphrase to decrypt a key. Whether I click OK or cancel, it then pops up a new dialog box, with the following text: "Received SSH_MSG_DISCONNECT: 2:Too many authentication failures for dritch Invalid state in ssh_userauth_kbdint”
- When I configure an ssh key pair for passwordless login, and configure the X2Go client to use default user authentication, all works fine.
- Before, when I used the 4.0.3.2 release client, it had very similar behavior. However, in that case, when connecting using kerberos authentication, it also popped up a dialog box with an scp error message.
Am I doing something wrong? How can I make this work?
Thanks!
David
Is this the right forum for a question like this? If not, could someone direct me to a better one? I tried reading the documentation on Kerberos user authentication in X2Go. The page here is rather incomplete: http://wiki.x2go.org/doku.php/wiki:advanced:authentication:passwordless-gssa.... Is there other documentation that I should be using?
I believe that as part of the process to initialize the connection, a keyboard map or setup script is scp’ed to the server (or to the client?), and when using Kerberos, that seems to be failing for some reason. Could someone point me to documentation on the connection setup, and what *should* be working here?
Thanks!
David
On Jun 1, 2015, at 1:20 PM, David Ritch <david.ritch@gmail.com> wrote:
I’m having trouble with Kerberos authentication with a Mac client. I am using x2goclient-4.0.4.0-preview2 on a Mac running OS X 10.9.5, connecting to Ubuntu 14.0.4 running x2goserver-4.0.1.19. Here are the symptoms:
- Connecting with kerberos and ssh works fine. I run kinit to get my tgt, and then ssh works without prompting for any sort of authentication.
- When I tell X2Go to authenticate using kerberos, it connects without apparent error, but my keyboard mapping is bizarre (and pretty much useless).
- When I tell X2Go to use the default authentication, it waits for some time (maybe 30 sec or 1 min), and pops up a dialog box, asking for a passphrase to decrypt a key. Whether I click OK or cancel, it then pops up a new dialog box, with the following text: "Received SSH_MSG_DISCONNECT: 2:Too many authentication failures for dritch Invalid state in ssh_userauth_kbdint”
- When I configure an ssh key pair for passwordless login, and configure the X2Go client to use default user authentication, all works fine.
- Before, when I used the 4.0.3.2 release client, it had very similar behavior. However, in that case, when connecting using kerberos authentication, it also popped up a dialog box with an scp error message.
Am I doing something wrong? How can I make this work?
Thanks!
David
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
Am 03.06.2015 um 16:30 schrieb David Ritch:
Is this the right forum for a question like this? If not, could someone direct me to a better one?
Well, this is a mailing list, not a forum, but aside from that, you're not exactly wrong here. ;-)
My guess is that there aren't that many people using X2Go with Kerberos, that's why you're not seeing a reply.
You could also try our IRC channel, or pay one of the core developers to help you, they are available for consultancy gigs.
- -Stefan
BAUR-ITCS UG (haftungsbeschränkt) Geschäftsführer: Stefan Baur Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364 Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2
iQEcBAEBCAAGBQJVbxDAAAoJEG7d9BjNvlEZTJQIAJ6bjrufKTF5WJKj7TfWDz5Z zDgcZ5cs9NOei29xgPU/GyB+Jf+PuYPILH59FlPNefFzD+df1tuXH5DDs+lDO2l4 3OelferqMoqypXb0BDRt7fEl3pyiO/lYxxBYdMGL3Nbbm/XKP7vwK/8XGGpGxXS8 UysLyaQmn1uYsB4I0jEbMhwZKKUd8MxyA3yYactDshgygW05qzL6EOuW8Ex1zwkF DHHr6j/5XxmPGqxHGswe4RbsDH8w/WnjoPbboK6BgtTFrnHE2LS/A9Qu8cXUfP7V kkBaXX7tKR4Sc/BMOAOIxIHO+EALt/ubZcGJd7/mj9I6FQlfLG5iJ7FuI3ymB0E= =3avn -----END PGP SIGNATURE-----
Thank you for your response!
There has been some recent development activity with Kerberos and the Windows client. I suspect that none of the X2Go Kerberos users are using it on a Mac, and it’s simply broken or incomplete.
Perhaps I should ask on the developers mailing list about the connection startup protocol.
Incidentally, I meant forum in its older, pre-Internet sense. A forum is a venue, a place of discussion.
dbr
On Jun 3, 2015, at 10:35 AM, Stefan Baur <X2Go-ML-1@baur-itcs.de> wrote:
Signed PGP part Am 03.06.2015 um 16:30 schrieb David Ritch:
Is this the right forum for a question like this? If not, could someone direct me to a better one?
Well, this is a mailing list, not a forum, but aside from that, you're not exactly wrong here. ;-)
My guess is that there aren't that many people using X2Go with Kerberos, that's why you're not seeing a reply.
You could also try our IRC channel, or pay one of the core developers to help you, they are available for consultancy gigs.
-Stefan
-- BAUR-ITCS UG (haftungsbeschränkt) Geschäftsführer: Stefan Baur Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364 Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243
x2go-user mailing list x2go-user@lists.x2go.org http://lists.x2go.org/listinfo/x2go-user
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
Am 03.06.2015 um 16:48 schrieb David Ritch:
There has been some recent development activity with Kerberos and the Windows client. I suspect that none of the X2Go Kerberos users are using it on a Mac, and it’s simply broken or incomplete.
If you can nail it down as a bug - i.e. it works with the Linux and/or Windows X2Go Client, but not OS X - then feel free to file a bug.
See http://wiki.x2go.org/doku.php/wiki:bugs and http://bugs.x2go.org/Reporting.html for help on how to report a bug.
TL;DR:
Send an E-Mail to submit@bugs.x2go.org Subject: Kerberos and X2Go Mac Client In the body, write the following three lines *at the very beginning*: package: x2goclient version: 4.0.4.0-preview2 severity: normal
Then hit Carriage Return *twice*, so you get a blank line. This is mandatory, if you don't have a blank line below the "severity", the bot won't trigger on the commands. After that, start composing your message as usual.
I suggest you subscribe to X2Go-Dev, first, though, because all bug reports are CCed to that list, and occasionally someone will reply only there and not to the bug by accident.
- -Stefan
BAUR-ITCS UG (haftungsbeschränkt) Geschäftsführer: Stefan Baur Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364 Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2
iQEcBAEBCAAGBQJVbyBaAAoJEG7d9BjNvlEZx+AIAJpr2i3jBsvhkMB/qJBb7WhX Twa9k9HPQn5DpCV11EATzVqeJ0NlT0eQUiqjEcXsP79S+c2uanRj+8kt2HAmiita TSN2dT0grBWCneC9lf+fykjL6iF904Iz9exLqy1ANa8mb32YrCRNIZMm9WQNS8CT EBcFPZxPslWsanYpSL0vF0QLTouGh+uWhVHNQL9idcdLPWVzIOf60zolalrHr4/L h9aHo1NWBxblZGRS83D6NFKndcVvKv84UFtloPJeph3P2LXQhURpx1p+gMuOQOw6 pyFi0pUTb0rHT4YoK9b8TaY6S4vlUgfKknpp84r+wk03f0oRhGo8zxzQWs0QEa4= =CBpn -----END PGP SIGNATURE-----
I spoke with Ionic on IRC, and he was able to identify the problem. He expects to have it fixed in the next release.
David
On Jun 3, 2015, at 11:42 AM, Stefan Baur <X2Go-ML-1@baur-itcs.de> wrote:
Signed PGP part Am 03.06.2015 um 16:48 schrieb David Ritch:
There has been some recent development activity with Kerberos and the Windows client. I suspect that none of the X2Go Kerberos users are using it on a Mac, and it’s simply broken or incomplete.
If you can nail it down as a bug - i.e. it works with the Linux and/or Windows X2Go Client, but not OS X - then feel free to file a bug.
See http://wiki.x2go.org/doku.php/wiki:bugs and http://bugs.x2go.org/Reporting.html for help on how to report a bug.
TL;DR:
Send an E-Mail to submit@bugs.x2go.org Subject: Kerberos and X2Go Mac Client In the body, write the following three lines *at the very beginning*: package: x2goclient version: 4.0.4.0-preview2 severity: normal
Then hit Carriage Return *twice*, so you get a blank line. This is mandatory, if you don't have a blank line below the "severity", the bot won't trigger on the commands. After that, start composing your message as usual.
I suggest you subscribe to X2Go-Dev, first, though, because all bug reports are CCed to that list, and occasionally someone will reply only there and not to the bug by accident.
-Stefan
-- BAUR-ITCS UG (haftungsbeschränkt) Geschäftsführer: Stefan Baur Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364 Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243
x2go-user mailing list x2go-user@lists.x2go.org http://lists.x2go.org/listinfo/x2go-user
On 03.06.2015 08:48 PM, David Ritch wrote:
I spoke with Ionic on IRC, and he was able to identify the problem. He expects to have it fixed in the next release.
Please see if this fixes your issue:
"Installer": http://code.x2go.org/releases/binary-macosx/x2goclient/previews/4.0.4.1/x2go...
Signature: http://code.x2go.org/releases/binary-macosx/x2goclient/previews/4.0.4.1/x2go...
Checksums: http://code.x2go.org/releases/binary-macosx/x2goclient/previews/4.0.4.1/x2go... http://code.x2go.org/releases/binary-macosx/x2goclient/previews/4.0.4.1/x2go... http://code.x2go.org/releases/binary-macosx/x2goclient/previews/4.0.4.1/x2go...
Mihai
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512
Thank you! I'm out of the office today, but will test this as soon as possible.
David
On 6/3/2015 8:34 PM, Mihai Moldovan wrote:
On 03.06.2015 08:48 PM, David Ritch wrote:
I spoke with Ionic on IRC, and he was able to identify the problem. He expects to have it fixed in the next release.
Please see if this fixes your issue:
"Installer":
http://code.x2go.org/releases/binary-macosx/x2goclient/previews/4.0.4.1/x2go...
Signature:
http://code.x2go.org/releases/binary-macosx/x2goclient/previews/4.0.4.1/x2go...
Checksums:
http://code.x2go.org/releases/binary-macosx/x2goclient/previews/4.0.4.1/x2go...
http://code.x2go.org/releases/binary-macosx/x2goclient/previews/4.0.4.1/x2go...
http://code.x2go.org/releases/binary-macosx/x2goclient/previews/4.0.4.1/x2go...
Mihai
-----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.17 (MingW32)
iEYEAREKAAYFAlVwOUUACgkQx+mOzl1XkFGaygCfWZrHWoi1Vbuj5gerqwhWId+A NE0AnR9UljXOn3qqglxf1nSZ0HK49+uu =yUkL -----END PGP SIGNATURE-----
I was finally able to test this (had to work with IT department to have it installed). Unfortunately, it does not appear to fix the issue. Now, when I try to use Kerberos, I get a segfault. I ran it with —debug, and captured the output. It’s here: https://dpaste.de/TOsT.
David
On Jun 3, 2015, at 8:34 PM, Mihai Moldovan <ionic@ionic.de> wrote:
On 03.06.2015 08:48 PM, David Ritch wrote:
I spoke with Ionic on IRC, and he was able to identify the problem. He expects to have it fixed in the next release.
Please see if this fixes your issue:
"Installer": http://code.x2go.org/releases/binary-macosx/x2goclient/previews/4.0.4.1/x2go...
Signature: http://code.x2go.org/releases/binary-macosx/x2goclient/previews/4.0.4.1/x2go...
Checksums: http://code.x2go.org/releases/binary-macosx/x2goclient/previews/4.0.4.1/x2go... http://code.x2go.org/releases/binary-macosx/x2goclient/previews/4.0.4.1/x2go... http://code.x2go.org/releases/binary-macosx/x2goclient/previews/4.0.4.1/x2go...
Mihai
On 08.06.2015 01:44 AM, David Ritch wrote:
I was finally able to test this (had to work with IT department to have it installed). Unfortunately, it does not appear to fix the issue. Now, when I try to use Kerberos, I get a segfault. I ran it with —debug, and captured the output. It’s here: https://dpaste.de/TOsT.
Thanks for your feedback!
The problem is that the returned string is halfway garbage. The client shouldn't crash, but it looks like the parsing function isn't robust enough, that's a bug of its own...
I'll have to setup a Kerberos test system to debug this.
The executed command(s) look alright and when I test manually on the command line (changing PubkeyAuthentication=no to PubkeyAuthentication=yes and the user/host values), it's executed flawlessly.
Mihai
Maybe I’m reading this wrong, but I think it may still be a quoting issue. Here’s what I see. In the following debug messages, it appears to be sending a command - “export HOSTNAME && x2golistsessions” - to the server, and processing its output. When I run this from the command line, I get the following output:
X2GODATABEGIN:7542493b-a84b-418d-994c-d640b3d91ef5 X2GODATAEND:7542493b-a84b-418d-994c-d640b3d91ef5
This is just the session frame, with no text. However, when the x2go client runs it, it seems to see the following between those two lines:
; export PATH=/usr/local/bin:/usr/bin:/bin; export HOSTNAME
Unless I’m misinterpreting something, this is actually part of the command string, and not its output. The relevant debug output it below.
Thanks!
David
x2go-DEBUG-../src/sshprocess.cpp:199> Executing remote command via SshProcess object 0: "export HOSTNAME && x2golistsessions" x2go-DEBUG-../src/sshprocess.cpp:234> Evoking SSH command via SshProcess object 0: "ssh -o ServerAliveInterval=60 -K -o GSSApiAuthentication=yes -o PasswordAuthentication=no -o PubkeyAuthentication=no -p 22 -l dritch dritch-cuda.dev.cyberpointllc.com "bash -c 'echo \"X2GODATABEGIN:7542493b-a84b-418d-994c-d640b3d91ef5\"; export PATH=\"/usr/local/bin:/usr/bin:/bin\"; export HOSTNAME && x2golistsessions; echo \"X2GODATAEND:7542493b-a84b-418d-994c-d640b3d91ef5\";'"" x2go-DEBUG-../src/sshprocess.cpp:494> SSH process exit code :0 x2go-DEBUG-../src/sshprocess.cpp:483> SSH finished: true - "; export PATH=/usr/local/bin:/usr/bin:/bin; export HOSTNAME X2GODATAEND:7542493b-a84b-418d-994c-d640b3d91ef5; " (0). x2go-DEBUG-../src/onmainwindow.cpp:3458> "; export PATH=/usr/local/bin:/usr/bin:/bin; export HOSTNAME X2GODATAEND:7542493b-a84b-418d-994c-d640b3d91ef5; " x2go-DEBUG-../src/onmainwindow.cpp:4289> No shadow session. x2go-DEBUG-../src/onmainwindow.cpp:4312> "Decoding session string:; export PATH=/usr/local/bin:/usr/bin:/bin; export HOSTNAME"
On Jun 7, 2015, at 8:47 PM, Mihai Moldovan <ionic@ionic.de> wrote:
On 08.06.2015 01:44 AM, David Ritch wrote:
I was finally able to test this (had to work with IT department to have it installed). Unfortunately, it does not appear to fix the issue. Now, when I try to use Kerberos, I get a segfault. I ran it with —debug, and captured the output. It’s here: https://dpaste.de/TOsT.
Thanks for your feedback!
The problem is that the returned string is halfway garbage. The client shouldn't crash, but it looks like the parsing function isn't robust enough, that's a bug of its own...
I'll have to setup a Kerberos test system to debug this.
The executed command(s) look alright and when I test manually on the command line (changing PubkeyAuthentication=no to PubkeyAuthentication=yes and the user/host values), it's executed flawlessly.
Mihai
On 08.06.2015 08:09 PM, David Ritch wrote:
Maybe I’m reading this wrong, but I think it may still be a quoting issue. Here’s what I see. In the following debug messages, it appears to be sending a command - “export HOSTNAME && x2golistsessions” - to the server, and processing its output. When I run this from the command line, I get the following output:
X2GODATABEGIN:7542493b-a84b-418d-994c-d640b3d91ef5 X2GODATAEND:7542493b-a84b-418d-994c-d640b3d91ef5
Exactly. That's what should be returned.
This is just the session frame, with no text. However, when the x2go client runs it, it seems to see the following between those two lines:
; export PATH=/usr/local/bin:/usr/bin:/bin; export HOSTNAME
Unless I’m misinterpreting something, this is actually part of the command string, and not its output.
Kind of. It's "garbage" from the command-to-be-ran *and* the output of x2golistsessions (which "happens to be" empty for you, because no other session is running) and the X2GODATAEND echo command INCLUDING the last semicolon, which should be echo'd.
I have a strong hunch at what the problem is.
Qt is trying to be too smart and messes up the (correctly) quoted command line. I have a fix for that in mind, but it's likely going to be a bit more extensive. I also need to test it carefully.
Don't worry, I have already debugged this for several hours last night.
Just can't give any ETA for a fix. This week, I'm home about less time than on the road...
Mihai
OK - thanks for your work on this!
David
On Jun 8, 2015, at 2:16 PM, Mihai Moldovan <ionic@ionic.de> wrote:
On 08.06.2015 08:09 PM, David Ritch wrote:
Maybe I’m reading this wrong, but I think it may still be a quoting issue. Here’s what I see. In the following debug messages, it appears to be sending a command - “export HOSTNAME && x2golistsessions” - to the server, and processing its output. When I run this from the command line, I get the following output:
X2GODATABEGIN:7542493b-a84b-418d-994c-d640b3d91ef5 X2GODATAEND:7542493b-a84b-418d-994c-d640b3d91ef5
Exactly. That's what should be returned.
This is just the session frame, with no text. However, when the x2go client runs it, it seems to see the following between those two lines:
; export PATH=/usr/local/bin:/usr/bin:/bin; export HOSTNAME
Unless I’m misinterpreting something, this is actually part of the command string, and not its output.
Kind of. It's "garbage" from the command-to-be-ran *and* the output of x2golistsessions (which "happens to be" empty for you, because no other session is running) and the X2GODATAEND echo command INCLUDING the last semicolon, which should be echo'd.
I have a strong hunch at what the problem is.
Qt is trying to be too smart and messes up the (correctly) quoted command line. I have a fix for that in mind, but it's likely going to be a bit more extensive. I also need to test it carefully.
Don't worry, I have already debugged this for several hours last night.
Just can't give any ETA for a fix. This week, I'm home about less time than on the road...
Mihai
I sat down again and implemented a hopefully proper fix this time.
Successfully tested on OS X and Windows with Kerberos turned on.
Please see if this fixes both issues for real:
"Installer": http://code.x2go.org/releases/binary-macosx/x2goclient/previews/4.0.4.1/x2go...
Signature: http://code.x2go.org/releases/binary-macosx/x2goclient/previews/4.0.4.1/x2go...
Checksums: http://code.x2go.org/releases/binary-macosx/x2goclient/previews/4.0.4.1/x2go... http://code.x2go.org/releases/binary-macosx/x2goclient/previews/4.0.4.1/x2go... http://code.x2go.org/releases/binary-macosx/x2goclient/previews/4.0.4.1/x2go...
Mihai
Excellent! Thank you - I'll give it a try.
On Thu, Jun 11, 2015 at 9:42 AM Mihai Moldovan <ionic@ionic.de> wrote:
I sat down again and implemented a hopefully proper fix this time.
Successfully tested on OS X and Windows with Kerberos turned on.
Please see if this fixes both issues for real:
"Installer":
http://code.x2go.org/releases/binary-macosx/x2goclient/previews/4.0.4.1/x2go...
Signature:
http://code.x2go.org/releases/binary-macosx/x2goclient/previews/4.0.4.1/x2go...
Checksums:
http://code.x2go.org/releases/binary-macosx/x2goclient/previews/4.0.4.1/x2go...
http://code.x2go.org/releases/binary-macosx/x2goclient/previews/4.0.4.1/x2go...
http://code.x2go.org/releases/binary-macosx/x2goclient/previews/4.0.4.1/x2go...
Mihai
I was finally able to work through the issues with our IT processes and test this today. It works well and looks good. Thank you!
dbr
On Jun 8, 2015, at 2:27 PM, David Ritch <david.ritch@gmail.com> wrote:
OK - thanks for your work on this!
David
On Jun 8, 2015, at 2:16 PM, Mihai Moldovan <ionic@ionic.de> wrote:
On 08.06.2015 08:09 PM, David Ritch wrote:
Maybe I’m reading this wrong, but I think it may still be a quoting issue. Here’s what I see. In the following debug messages, it appears to be sending a command - “export HOSTNAME && x2golistsessions” - to the server, and processing its output. When I run this from the command line, I get the following output:
X2GODATABEGIN:7542493b-a84b-418d-994c-d640b3d91ef5 X2GODATAEND:7542493b-a84b-418d-994c-d640b3d91ef5
Exactly. That's what should be returned.
This is just the session frame, with no text. However, when the x2go client runs it, it seems to see the following between those two lines:
; export PATH=/usr/local/bin:/usr/bin:/bin; export HOSTNAME
Unless I’m misinterpreting something, this is actually part of the command string, and not its output.
Kind of. It's "garbage" from the command-to-be-ran *and* the output of x2golistsessions (which "happens to be" empty for you, because no other session is running) and the X2GODATAEND echo command INCLUDING the last semicolon, which should be echo'd.
I have a strong hunch at what the problem is.
Qt is trying to be too smart and messes up the (correctly) quoted command line. I have a fix for that in mind, but it's likely going to be a bit more extensive. I also need to test it carefully.
Don't worry, I have already debugged this for several hours last night.
Just can't give any ETA for a fix. This week, I'm home about less time than on the road...
Mihai
-
David Ritch -
Mihai Moldovan -
Stefan Baur