[X2go-dev] Seg fault (was Re: SSH Key issues)
John A. Sullivan III
jsullivan at opensourcedevel.com
Mon Mar 15 10:19:46 CET 2010
On Sun, 2010-03-14 at 04:18 -0400, John A. Sullivan III wrote:
> Hello, all. We recently recreated an X2Go Server and found we had
> serious ssh key issues when we tried to connect from the previously
> existing X2Go clients. We're still working these through so I'll list
> them in the order we find them.
>
> The GUI kept popping up Accept Key dialogs with Yes and No options but no
> text. It was only when we canceled that we saw the error message about
> there being an old, conflicting key. By the way, we use both hashed
> known_host files and non-default ssh ports. This created a problem when
> we went to remove the offending keys in that the syntax ssh-keygen -R
> <server name> did not work. We needed to use ssh-keygen -R [<server
> name>]:<port number> (note the brackets).
>
> We then hit a problem where the X2Go Client for some reason started
> trying to open SSH sessions as root. Since we use active host
> intrusion detection (OSSEC), the failed login attempts lock out the user
> and the screen stops at the X2Go logo. Oops! This was our
> misunderstanding of the auth.log. The problem was that our users are
> only defined in LDAP. We configured pam to look at pam_unix first.
> This tripped our HIDS and blocked our users. From our internal
> documentation:
>
> Now we need to fix some pam files. It is critical that the ldap modules
> are processed first even though that is non-standard. In the X2Go
> environment, many ssh sessions are fired off in quick succession. Since
> the pam_unix authentications fail for the LDAP users (as they are not
> defined locally), all the failed authentications trip the OSSEC
> auto-response and block the user from access to VD01. Thus, LDAP
> credentials MUST be processed first.
>
> This just leaves the empty dialog box. Thanks - John
<snip>
Oops! We've hit some nastier issues. Using an X2Go Client on a
different station this morning, I encountered the empty dialog. I
cleared the offending entry from known_hosts and tried again. This time
I was told I needed to answer yes or no. Clicking Yes had no effect.
Clicking No caused the entire x2goclient to crash and disappear - I
assume a seg fault.
I had a sneaking suspicion of what was happening. Connecting from a
console gave me this:
Warning: the RSA host key for '[vdhost01.ssiservices.biz]:443' differs
from the key for the IP address '[208.46.93.8]:443'
Offending key for IP in /home/jsullivan/.ssh/known_hosts:3
Matching host key in /home/jsullivan/.ssh/known_hosts:24
Are you sure you want to continue connecting (yes/no)?
I cleared the offending IP address entry and all worked well but we do
have this seg fault to address - John
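
The bracket syntax matters because OpenSSH records a host on a non-default port under the name [host]:port, and in a hashed known_hosts file that whole string is what gets hashed; the IP address is recorded as a separate entry. The following is an added example, not part of the original message, that finds the lines matching a hostname or an IP address; the host name, address, salts and key blobs in it are constructed placeholders.

```python
import base64
import hashlib
import hmac

def host_token(host, port=22):
    """Name as stored in known_hosts: bare for port 22, else '[host]:port'."""
    return host if port == 22 else f"[{host}]:{port}"

def hash_field(token, salt):
    """Build a hashed first field: |1|base64(salt)|base64(HMAC-SHA1(salt, token))."""
    mac = hmac.new(salt, token.encode(), hashlib.sha1).digest()
    return f"|1|{base64.b64encode(salt).decode()}|{base64.b64encode(mac).decode()}"

def field_matches(field, token):
    """True if a known_hosts first field names `token` (wildcard patterns not handled)."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        salt = base64.b64decode(salt_b64)
        mac = hmac.new(salt, token.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return token in field.split(",")

def find_lines(text, host, port=22):
    """Return 1-based line numbers whose host field matches host/port."""
    token = host_token(host, port)
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if fields[0].startswith("@"):  # skip @cert-authority / @revoked marker
            fields = fields[1:]
        if fields and field_matches(fields[0], token):
            hits.append(number)
    return hits

# Constructed sample: names, address and key blobs are placeholders.
SAMPLE = "\n".join([
    hash_field("[192.0.2.10]:443", bytes(range(20))) + " ssh-rsa AAAA-old-key",
    hash_field("[vd.example.test]:443", bytes(range(20, 40))) + " ssh-rsa AAAA-new-key",
    "other.example.test,198.51.100.7 ssh-rsa AAAA-other-key",
])

if __name__ == "__main__":
    print(find_lines(SAMPLE, "vd.example.test"))        # bare name: no match
    print(find_lines(SAMPLE, "vd.example.test", 443))   # bracketed name matches
    print(find_lines(SAMPLE, "192.0.2.10", 443))        # IP entry is a separate line
```

After a server is rebuilt, both the hostname line and the IP address line have to be checked, since a stale key on either one triggers the host key warning.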