Hello,
Is there a way to disable Strict Host Key Checking on X2Go client for Windows?
Thank you, Ivan G.
Hello,
Just sending this again in case someone knows the answer and missed it.
Is there a way to disable Strict Host Key Checking on X2Go client for Windows? I would like to ignore the Host Key changed warning (screenshot attached). If you have suggestions other than using StrictHostKeyChecking=no please share.
Thank you, Ivan G.
From: x2go-user [mailto:x2go-user-bounces@lists.x2go.org] On Behalf Of Ivan Gomez
Sent: Thursday, March 23, 2017 5:24 PM
To: x2go-user@lists.x2go.org
Subject: [X2Go-User] StrictHostKeyChecking=no
Hello,
Is there a way to disable Strict Host Key Checking on X2Go client for Windows?
Thank you, Ivan G.
On 26.03.2017 at 17:43, Ivan Gomez wrote:
> Just sending this again in case someone knows the answer and missed it.
This isn't a web forum where you could "bump" posts.
List replies are provided by volunteers, and thus may take some time. (If you are looking for support with guaranteed response times, please sign up for commercial support. Info below.)
At present, both me and my assistant list-master (list-mistress, actually) are suffering from the flu, another key X2Go member is on a well-deserved vacation, another is out of the country, so things may take a little longer than usual.
> Is there a way to disable Strict Host Key Checking on X2Go client for Windows?
I would hope not, as that would expose X2Go users to undetectable Man-in-the-Middle-Attacks. There is a command line parameter to make X2GoClient auto-accept an unknown key, but it will complain if the key changes on subsequent connection attempts. This is by design.
> I would like to ignore the Host Key changed warning (screenshot attached). If you have suggestions other than using StrictHostKeyChecking=no please share.
Maybe you could instead explain why you believe you need to make your users ignore that warning? It sure sounds like the wrong thing to do, so maybe it's time to take a few steps back and look at the actual problem from a distance, to see if there aren't any alternative routes to take.
<shameless plug> X2Go also has a commercial side, where various companies - including my own - offer support contracts with guaranteed response times as well as consultancy and paid-for development work if someone wants to see a bug fixed or a new feature added in a certain time frame.
What makes my company special is, IMHO:
Our hourly rate for consultancy work and fixing issues outside of a support contract is 110 EUR. With a support contract, you get guaranteed response times (starting at 400 EUR/month for 24h response time during business hours in the CET/CEST time zone from Monday to Friday, German holidays excluded) and lower hourly rates if you buy a certain amount of hours in advance. </shameless plug>
Kind Regards, Stefan Baur
--
BAUR-ITCS UG (haftungsbeschränkt)
Managing Director: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Register court: Ulm, HRB 724364
Phone/Fax 0731 40 34 66-36/-35 | VAT ID: DE268653243
If you have a DHCP environment without decent hostkey management, disabling strict hostkey checks makes it a bit more comfortable. Please do not judge the user's desire as inappropriate without knowing his reasons...
Uli
Sent from smartphone.
On 26.03.2017 at 19:24, Ulrich Sibiller wrote:
> If you have a DHCP environment without decent hostkey management, disabling strict hostkey checks makes it a bit more comfortable.
His screenshot clearly shows him using a DNS name (x2go.ace.analysisgroup.com), so the underlying IP should not matter, even if it changes dynamically ...
> Please do not judge the user's desire as inappropriate without knowing his reasons...
Which is why I asked him to take a few steps backward and explain the actual problem he is trying to solve.
-Stefan
> This isn't a web forum where you could "bump" posts.
I apologize.
> Maybe you could instead explain why you believe you need to make your users ignore that warning?
The DNS name is a VIP. There is a load balancer that connects the user to one of many servers. When the load balancer connects the users to a new backend server, they see the "scary" SSH warning. I understand your concern with initially disabling host checking under normal conditions, but this environment is highly controlled and the network is isolated. I also would only disable host key checking for this specific domain.
Thank you, Ivan G.
On 26.03.2017 at 19:52, Ivan Gomez wrote:
>> Maybe you could instead explain why you believe you need to make your users ignore that warning?
> The DNS name is a VIP. There is a load balancer that connects the user to one of many servers. When the load balancer connects the users to a new backend server, they see the "scary" SSH warning. I understand your concern with initially disabling host checking under normal conditions, but this environment is highly controlled and the network is isolated.
In that case, the sane approach (IMO) would be to use the load balancer already offered by X2Go - the X2Go Session Broker - which would also bring the advantage that you can resume sessions and that you have one central location where you administer the session configuration - the broker server. Your X2GoClients connect to the broker, authenticate against it, and in return they receive one or more "session tiles" to click on. The broker-side configuration for those is set up in a way so that they'll always end up on the machine with the lowest load, unless they have a suspended session somewhere. If you want to tinker with that approach, you can install your own demo setup (say, in VMware Workstation, VirtualBox or KVM) in just a few steps by following our tutorial here: <http://wiki.x2go.org/doku.php/doc:howto:x2gobroker>
The second best approach would be to use your system management tools (if you have such a large farm of servers, I would assume you're using something like ansible/puppet/chef) to deploy the same host key to all your X2Go servers hiding behind that DNS name.
-Stefan
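A check for the second suggestion in the message above (one shared host key on every server behind the DNS name), as an added example that is not part of the original thread or of X2Go: it takes `ssh-keyscan`-style lines collected from each backend, computes OpenSSH SHA256 fingerprints and reports the key types for which the pool presents more than one key. The backend host names and the key material are constructed placeholders.

```python
import base64, hashlib, struct
from collections import defaultdict

def make_blob(key_type, raw_key):
    # Constructed sample data only: length-prefixed type + key, base64-encoded.
    t = key_type.encode()
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", len(raw_key)) + raw_key
    return base64.b64encode(blob).decode()

def fingerprint(b64_blob):
    # OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the raw blob.
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def blob_key_type(b64_blob):
    # The blob starts with a 4-byte big-endian length and the key type name.
    blob = base64.b64decode(b64_blob)
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode()

def audit_pool(keyscan_text):
    # Returns {key type: {fingerprint: [hosts]}} from "host type base64" lines.
    seen = defaultdict(lambda: defaultdict(list))
    for line in keyscan_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, key_type, b64_blob = line.split()[:3]
        if blob_key_type(b64_blob) != key_type:
            raise ValueError(f"{host}: declared {key_type} does not match blob")
        seen[key_type][fingerprint(b64_blob)].append(host)
    return {kt: dict(fps) for kt, fps in seen.items()}

def drifted(report):
    # Key types for which the pool presents more than one distinct host key.
    return {kt: fps for kt, fps in report.items() if len(fps) > 1}

# Constructed sample: three hypothetical backends, one still on its own key.
SHARED = make_blob("ssh-ed25519", b"\x01" * 32)
STRAY = make_blob("ssh-ed25519", b"\x02" * 32)
SAMPLE = "\n".join([
    "# constructed ssh-keyscan style output",
    f"backend1.example.internal ssh-ed25519 {SHARED}",
    f"backend2.example.internal ssh-ed25519 {SHARED}",
    f"backend3.example.internal ssh-ed25519 {STRAY}",
])

if __name__ == "__main__":
    for kt, fps in drifted(audit_pool(SAMPLE)).items():
        print(kt, fps)
```

An empty result from `drifted()` means every scanned backend presents the same key per key type, so a client that pinned the key for the shared DNS name sees no change when the load balancer picks another server.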
Thank you for your feedback. I will try your suggestions.
Have a good day. Ivan