[X2Go-Commits] pyhoca-gui.git - twofactorauth (branch) updated: 0.2.0.4-42-g04aedde

Sat Sep 14 15:56:23 CEST 2013

The branch, twofactorauth has been updated
       via  04aeddee31eb27ca15346f585b6b550f757b2e3f (commit)
      from  d92c83a10d806f60fc797a06f6584445e6b16a2f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 README.ssh-agent       |  110 ++++++++++++++++++++++++++++++++++++++++++++++++
 debian/changelog       |    1 +
 debian/pyhoca-gui.docs |    1 +
 3 files changed, 112 insertions(+)
 create mode 100644 README.ssh-agent

The diff of changes is:

diff --git a/README.ssh-agent b/README.ssh-agent
new file mode 100644
index 0000000..5b0cf63
--- /dev/null
+++ b/README.ssh-agent
@@ -0,0 +1,110 @@
+SSH Agent support in PyHoca-GUI / Python X2Go
+=============================================
+
+Quotation from the ssh-agent man page:
+
+"""
+[...]
+
+The agent will never send a private key over its request channel.
+Instead, operations that require a private key will be performed
+by the agent, and the result will be returned to the requester.
+This way, private keys are not exposed to clients using the agent.
+
+A UNIX-domain socket is created and the name of this socket is stored
+in the SSH_AUTH_SOCK environment variable.  The socket is made
+accessible only to the current user.  This method is easily abused by
+root or another instance of the same user.
+
+[...]
+"""
+
+So the benefit of SSH agent support is: no need to have private SSH keys
+on remote systems anymore. You can keep your private ID files locally
+and use SSH agent to handle authentication requests, even if you have
+a chain of systems that you log in to:
+
+  local-machine -> machine-1 -> machine-2 -> machine-3 ...
+
+The requirement for SSH agent usage: the system administrators of the
+remote hosts must be trustworthy. They cannot obtain your private keys,
+but they can use the SSH agent socket and log into systems in your
+login chain under your identity. So, BEWARE!!!
+
+
+1. AUTHENTICATION AGAINST SSH AGENT
+-----------------------------------
+
+This feature has been added to Python X2Go 0.2.1.0.
+
+PyHoca-GUI / Python X2Go is aware of local SSH agents and can authenticated
+against those. Use this feature with the following session profile options
+set:
+
+  [x] Discover SSH keys or use SSH agent for X2Go authentication
+
+  autologin = true (or 1)
+
+  [x] Discover SSH keys or use SSH agent for proxy authentication
+
+  sshproxyautologin = true (or 1)
+
+Do not forget to run ssh-add (see the man page for more info).
+
+2. AUTHENTICATION REQUEST FORWARDING TO YOUR LOCAL SSH AGENT
+------------------------------------------------------------
+
+This feature has been added to Python X2Go 0.2.1.0 and requires Python Paramiko
+1.8.0.
+
+PyHoca-GUI / Python X2Go supports forwarding of SSH agent authentication request.
+Basically, you could say that the -A command line switch of the OpenSSH client
+is now also available with X2Go. Please read the ssh man page for more
+info on this.
+
+With this little howto, you can test SSH agent authentication request forwarding:
+
+  Place your SSH pubkey on machine-1 and machine-2 (which can be reached via
+  machine-1) into the (for this demo) otherwise empty files:
+
+    user-1 at machine-1:~user-1/.ssh/authorized_keys
+
+  and
+
+    user-2 at machine-2:~user-2/.ssh/authorized_keys
+
+  Return to your local client:
+
+  $ ssh-add [<priv-keyfile>]
+  $ pyhoca-gui
+
+  Enable SSH agent forwarding in connection tab of a session profile for
+  machine-1. Use a simple TERMINAL session command.
+
+  Connect to user-1 at machine-1 and start a session on machine-1
+
+  $ echo $SSH_AUTH_SOCK
+  /tmp/ssh-<hash>/agent.<pid>
+
+  $ ssh <user-2>@<machine-2>
+  (should work without password)
+
+  For the authentication from user-1 at machine-1 to user-2 at machine-2 you use an
+  SSH agent connection that is tunneled back through Python X2Go to your client
+  machine (the machine you run PyHoca-GUI on). So, the SSH agent on your client
+  machine serves a challenge/response request from SSH client programs within
+  X2Go sessions.
+
+  Note: if you try the above with a GNOME desktop (XFCE4 probably as well) the
+  gnome-keyring will hijack the SSH agent functionality and ignore forwarded
+  SSH agent connections. (This normally happens with the x2goserver-xsession
+  bin:package installed.)
+
+  Use the below command to disable the SSH agent feature in gnome-keyring (within the
+  X2Go Session):
+
+  $ gconftool-2 -s /apps/gnome-keyring/daemon-components/ssh false  --type bool
+
+  After you have applied this gconf change, logout and re-start a new GNOME (or XFCE4)
+  session. Now SSH agent stuff is handled properly through ssh-agent and the ssh-agent
+  should also be aware of SSH agent forwarding connections.
diff --git a/debian/changelog b/debian/changelog
index c4c9400..a2e4523 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -33,6 +33,7 @@ pyhoca-gui (0.2.1.0-0~x2go1) UNRELEASED; urgency=low
       issue: #13.
     - Implement SSH agent, automatic key discovery, and SSH agent authentication
       request forwarding in session profile manager.
+    - Add SSH agent README.
   * /debian/control:
     + Maintainer change in package: X2Go Developers
       <x2go-dev at lists.berlios.de>.
diff --git a/debian/pyhoca-gui.docs b/debian/pyhoca-gui.docs
index 4a27220..e50977f 100644
--- a/debian/pyhoca-gui.docs
+++ b/debian/pyhoca-gui.docs
@@ -1,3 +1,4 @@
 README
 README.Unity
+README.ssh-agent
 TODO


hooks/post-receive
-- 
pyhoca-gui.git (Python X2Go Client (wxPython GUI))

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "pyhoca-gui.git" (Python X2Go Client (wxPython GUI)).


