[X2go-dev] can't start ssh tunnel / integration with existing ldap
Martin Steigerwald
ms at teamix.de
Tue Jan 25 16:52:25 CET 2011
Hi!

I installed X2goserver one into a Debian Squeeze VM under VMware ESX today.
Since we use an LDAP server for central user management, I integrated it via
libpam-ldap and libnss-ldap manually. We also use NFS for home directories, so I
added that too. Logging into the server via SSH works as expected.

But I get "can't start SSH tunnel" when trying to open a new X2go session with
x2goclient.

When I use an SSH key I get messages like this:
Verbindung fehlgeschlagen intraws.of.teamix.net: Unable to connect:
/home/ms/.x2go/ssh/socaskpass-M31562 Unable to connect:
/home/ms/.x2go/ssh/socaskpass-M31562 Permission denied, please try again.
Unable to connect: /home/ms/.x2go/ssh/socaskpass-M31562 Permission denied,
please try again. Unable to connect: /home/ms/.x2go/ssh/socaskpass-M31562
Permission denied (publickey,password).
I guess this has to do with the usage of NFS.
~/.x2go/ssh is 750 and root is squashed to nobody:nogroup. Thus it is neither
the user nor the group. Since
chmod 777 ~/.x2go/ssh
fixes key based login for me, it seems that something of x2go server is using
root privileges to access files in the home directory of the user.
Could this be changed to use user rights - root can su to any? This would
work with NFS.

Other questions:

1) Can X2go client be told to use an existing ssh agent which has the right
identity added? A ssh user at intraws works already without asking for the key
password, thus if x2goclient uses this ssh-agent it wouldn't need to ask for
the passphrase as well.

2) What steps are necessary to integrate x2go with an *existing* LDAP server?
x2goldaptools depends on slapd and samba and since we use NFS with an existing
LDAP server I want neither of those. LDAP authentication via PAM works
already. I can login with SSH and LDAP password of a user. I thought this
would be enough for x2go *when* users that use x2go are in the group
x2gousers. They are. But in the local group. What additional steps are
necessary?

Ciao,
--
Martin Steigerwald - team(ix) GmbH - http://www.teamix.de
gpg: 19E3 8D42 896F D004 08AC A0CA 1E10 C593 0399 AE90
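
The permission situation described in the message above (a 750 directory on a root-squashed NFS export), modelled as an added example that is not part of the original post and is not X2go code. Assumptions: nobody:nogroup is 65534:65534 as on Debian, the owner ids are constructed sample values, and supplementary groups are ignored.

```python
import os
import stat

NOBODY = (65534, 65534)  # assumption: nobody:nogroup ids on Debian


def squash(uid, gid):
    """Map a client identity the way an export with root squashing does."""
    return NOBODY if uid == 0 else (uid, gid)


def allowed(mode, owner, caller, want):
    """POSIX class selection as the NFS server applies it.

    owner and caller are (uid, gid); want is a mask of 4 (r), 2 (w), 1 (x).
    Exactly one class applies: owner bits, else group bits, else other bits.
    """
    if caller[0] == owner[0]:
        shift = 6
    elif caller[1] == owner[1]:
        shift = 3
    else:
        shift = 0
    return (mode >> shift) & 7 & want == want


def report(mode, owner):
    """Who can use a directory with this mode on a root-squashed export."""
    stranger = (owner[0] + 1, owner[1] + 1)  # hypothetical unrelated account
    return {
        # a root process on the NFS client arrives at the server as nobody
        "root_over_nfs": allowed(mode, owner, squash(0, 0), 5),
        # the same process after switching to the user's own uid
        "as_owner": allowed(mode, owner, squash(*owner), 5),
        # side effect of opening the directory up to everyone
        "stranger_can_write": allowed(mode, owner, stranger, 2),
    }


def report_path(path):
    """Run the same evaluation against a real directory."""
    st = os.stat(path)
    return report(stat.S_IMODE(st.st_mode), (st.st_uid, st.st_gid))


if __name__ == "__main__":
    owner = (1000, 1000)  # constructed sample uid/gid
    for mode in (0o750, 0o777):
        print(oct(mode), report(mode, owner))
```

With 750 only the owner's uid passes; 777 lets squashed root in, but also gives every other account write access to the directory.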