Dear readers,
In FreeNX it is possible to change the default SSH key, so in addition to having a valid username+passphrase to the host, the user also needs an SSH key. The SSH key is the same for all users.
Is this also possible in x2go?
Kindest regards, Jasmine =)
Am 19.05.2014 16:32, schrieb Jasmine Lognnes:
In FreeNX it is possible to change the default SSH key, so in addition to having a valid username+passphrase to the host, the user also needs an SSH key. The SSH key is the same for all users.
Is this also possible in x2go?
Uh, I think you're either confusing things here or your statement is too vague to figure out what you're actually trying to ask.
NoMachine NX/FreeNX uses a special pair of SSH public/private keys during initial session setup. NX ships a default key pair, and you can change that to one you (as the admin) created. This key pair will be the same for all connections to the server.
This is independent of the user's SSH authentication method (which, in case of X2Go, can be password, an individual SSH key file, or a smartcard).
As far as I know - but Mike#1 should be able to make a more qualified statement here - X2Go does not need such an underlying "shared" key pair at all. So, since it is not needed, there's no way or reason to change it.
Using an *individual* SSH key pair for each user instead of simple password-based authentication is obviously recommended, but this must be done right.
<rant>The private key file must be kept secret at all times, not even the admin should have a copy - or read access. Some people have the "brilliant" idea to store private key files on network shares where other people can access them, because they fail to realize that a keyfile that hasn't been properly protected is like handing out a permanent second key to your home - it doesn't help to change the password you used to protect the keyfile, because the original password will still work on the copy the attacker has in his hands, and this can be brute-forced like a regular password, once the keyfile is in the enemy's hands.</rant>
-Stefan
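A check an admin could run against the concern in the message above, as an added example that is not part of the original thread: it flags private key files that are accessible to group/others or that carry no passphrase. The function names and the sample key are constructed for illustration; passphrase strength cannot be determined from the file.

```python
import base64, binascii, os, stat, struct

MAGIC = b"openssh-key-v1\x00"  # start of the decoded new-format OpenSSH key body

def key_is_encrypted(text):
    """True/False for a recognised private key file, None if it is not one."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not lines or not (lines[0].startswith("-----BEGIN ") and "PRIVATE KEY" in lines[0]):
        return None
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8, encrypted
        return True
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        try:
            blob = base64.b64decode("".join(lines[1:-1]))
        except binascii.Error:
            return None
        off = len(MAGIC)
        if not blob.startswith(MAGIC) or len(blob) < off + 4:
            return None
        (n,) = struct.unpack(">I", blob[off:off + 4])
        # The first field after the magic is the cipher name; "none" = no passphrase.
        return blob[off + 4:off + 4 + n] != b"none"
    # Legacy PEM (RSA/DSA/EC) announces encryption in a Proc-Type header line.
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:4])

def audit_key(path):
    """Return a list of findings for one key file; an empty list means it passed."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append("accessible to group/others (mode %04o)" % mode)
    with open(path, "r", errors="replace") as fh:
        enc = key_is_encrypted(fh.read())
    if enc is None:
        findings.append("not a recognised private key")
    elif not enc:
        findings.append("no passphrase set")
    return findings

def make_constructed_key(cipher):
    """Constructed sample: only the header fields are real, there is no key material."""
    body = MAGIC + struct.pack(">I", len(cipher)) + cipher + b"\x00" * 16
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(body).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, audit_key(p) or "ok")
```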
Dear Stefan,
NoMachine NX/FreeNX uses a special pair of SSH public/private keys during initial session setup. NX ships a default key pair, and you can change that to one you (as the admin) created. This key pair will be the same for all connections to the server.
Yes, that is the one, that I would like to use with X2Go =) Of course my own generated one. =)
This is independent of the user's SSH authentication method (which, in case of X2Go, can be password, an individual SSH key file, or a smartcard).
As far as I know - but Mike#1 should be able to make a more qualified statement here - X2Go does not need such an underlying "shared" key pair at all. So, since it is not needed, there's no way or reason to change it.
The reason I would like such a shared key is that, if someone should get hold of a username and passphrase, then the bad guy still needs the shared key file, before the account is compromised.
Using an *individual* SSH key pair for each user instead of simple password-based authentication is obviously recommended, but this must be done right.
<rant>The private key file must be kept secret at all times, not even the admin should have a copy - or read access. Some people have the "brilliant" idea to store private key files on network shares where other people can access them, because they fail to realize that a keyfile that hasn't been properly protected is like handing out a permanent second key to your home - it doesn't help to change the password you used to protect the keyfile, because the original password will still work on the copy the attacker has in his hands, and this can be brute-forced like a regular password, once the keyfile is in the enemy's hands.</rant>
I would never do such a thing. But thanks for clearing that out =)
Hugs, Jasmine =)
Am 19.05.2014 17:04, schrieb Jasmine Lognnes:
NoMachine NX/FreeNX uses a special pair of SSH public/private keys during initial session setup. NX ships a default key pair, and you can change that to one you (as the admin) created. This key pair will be the same for all connections to the server.
Yes, that is the one, that I would like to use with X2Go =) Of course my own generated one. =)
This NX key is/was never used the way you seem to think it is/was used. It is *not* a key securing the user's session.
This is independent of the user's SSH authentication method (which, in case of X2Go, can be password, an individual SSH key file, or a smartcard).
As far as I know - but Mike#1 should be able to make a more qualified statement here - X2Go does not need such an underlying "shared" key pair at all. So, since it is not needed, there's no way or reason to change it.
The reason I would like such a shared key is that, if someone should get hold of a username and passphrase, then the bad guy still needs the shared key file, before the account is compromised.
If you want to improve security, using individual SSH keys makes more sense. If you're dealing with minimum password requirements - which you can't enforce on a keyfile, as far as I know - then maybe you should think about using a VPN connection along with regular password authentication. VPNs can use shared or individual keys, though again I'd strongly recommend using individual ones.
-Stefan
This NX key is/was never used the way you seem to think it is/was used. It is *not* a key securing the user's session.
OK. What was then the purpose of it?
If you want to improve security, using individual SSH keys makes more sense. If you're dealing with minimum password requirements - which you can't enforce on a keyfile, as far as I know - then maybe you should think about using a VPN connection along with regular password authentication. VPNs can use shared or individual keys, though again I'd strongly recommend using individual ones.
Not a bad idea to require VPN. It should be interesting to see if any latency will be introduced.
Hi Jasmine,
On Mo 19 Mai 2014 16:32:07 CEST, Jasmine Lognnes wrote:
Dear readers,
In FreeNX it is possible to change the default SSH key, so in addition to having a valid username+passphrase to the host, the user also needs an SSH key. The SSH key is the same for all users.
Is this also possible in x2go?
Kindest regards, Jasmine =)
This is considered to be a feature of X2Go. No common SSH key anymore.
However, you can create such setups with SSH proxy authentication
(which would mean that you have double encryption on the connection).
Also, on the todo list for X2Go Client we have two-factor
authentication (password+privkey authentication in sequence).
Greets, Mike
--
DAS-NETZWERKTEAM mike gabriel, herweg 7, 24357 fleckeby fon: +49 (1520) 1976 148
GnuPG Key ID 0x25771B31 mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
freeBusy: https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xf...
Am 20.05.2014 13:31, schrieb Mike Gabriel:
Also, on the todo list for X2Go Client we have two-factor authentication (password+privkey authentication in sequence).
*ahem* to clarify: two-factor authentication, using a secret key that is password-protected, is already present. If you specify a password-protected key file, X2Go will prompt you for the password to unlock the key.
What's on the to-do list is a smarter solution to handle not having a running SSH agent while also having autologin (but no keyfile) specified in the session.
See Bug 489 in the Bugtracker: http://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=489