[X2go-dev] Looking for information on the future of x2go (and some other x2go-related stuff)

Stefan Baur newsgroups.mail2 at stefanbaur.de
Thu Mar 3 13:23:15 CET 2011


Hi Mike,

you wrote:

 > > Which would be a NX/x2go-migration-blocker for those currently using
 > > the "store password" function of the NXclient.
 >
 > OK, you are thinking in migration NX2X2go-terms... I see.

That is the main objective that led me to the x2go project - as "FreeNX 
is dying, NetCraft confirms it". ;-)


 > SSH keyfiles are indeed possible to use with both clients.

Interesting. I never used them with NX and can't remember seeing a GUI 
option for this; then again, I'm not using the latest client.


 > However, neither with PyHoca-GUI nor with X2goClient-qt you have a key
 > generation mechanism at hand. However, this would be really a need
 > feature:
 >
 >    o The client generates a key pair
 >    o at first login, the pubkey is pushed to the server (this needs a
 >      password)
 >    o at further logins, the pubkey is used for Auth...
 >
 > What do you think about something like this?

The idea of automatically generating a key pair sounds nice.

I'm not sure how to deal with the password issue, though.
I know that I can block password-based logins for root in sshd_config, 
so that root always requires a key file, but I wouldn't know how to tell 
SSH "if the user has a keyfile, disallow password-based logins" for 
regular users and on a per-user basis.

Also, this would mean that the initial password remains unchanged on the 
server, so someone gaining physical access to it could try to log in on 
the console as that particular user. Of course, physical security of the 
server is another issue that needs to be dealt with by the server 
administrator (and not by us) - but still, leaving an initial password 
unchanged sounds like asking for trouble.

If we had a mechanism to issue a passwd -l <username> after the keyfile 
has been transferred, things would look better. (AFAIK, a key file will 
still allow you access to your account even if your password has been 
locked).


 > > Usability: The user is already authenticated on the Windows machine
 > > or the Windows Domain. No one else has access to the particular
 > > configuration file, as it is stored in the user's home directory
 > > (for this concept, it doesn't matter if it's a NX config file with a
 > > plaintext password, or a passwordless ssh secret key for x2go).
 > > There is absolutely no need to ask the user for a password again.
 >
 > Single-Sign-On is always a neat thing to have...

Indeed, and on Windows, it can usually only be achieved using 
third-party tools (and even with them, it's still a RPITA when it comes 
to proper administration of these tools: Detecting "Password expired, 
please change" application popups, fulfilling minimum password 
requirements, etc.). Very few programs query the Windows authentication 
to check if a particular user is permitted to run them.


[snip]
 > Please let me know your opinion about the above approach (SSH key
 > generation). It should be rather easy to implement this into Python
 > X2go. If you are interested, I will add that to the PyHoca-GUI
 > enhancement wishlist.

I'd say add it to the wishlist, but with a "needs-more-thoughts" flag 
regarding proper implementation, see my worries above.

I hope my comments don't turn this wish into the following wish from the 
PuTTY wishlist: <http://goo.gl/CwZa8>

Kind Regards,
Stefan
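
The server-side half of the "push the pubkey at first login" step discussed above, as an added example that is not part of the original message and not PyHoca or X2go code. It assumes the client sends one OpenSSH public key line; `install_pubkey`, `parse_pubkey` and `sample_key` are hypothetical names, and the sample key is constructed and non-functional.

```python
import base64
import os
import struct

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

def parse_pubkey(line):
    """Return (type, base64 blob) for a bare OpenSSH public key line."""
    if "\n" in line or "\r" in line:
        raise ValueError("embedded newline")
    fields = line.split()
    # A leading options field (command="...", from="...") fails this check.
    if len(fields) < 2 or fields[0] not in ALLOWED_TYPES:
        raise ValueError("not a bare public key line")
    blob = base64.b64decode(fields[1], validate=True)  # bad base64 -> ValueError
    # The blob starts with a length-prefixed copy of the key type.
    if len(blob) < 4:
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != fields[0].encode():
        raise ValueError("key type does not match blob")
    return fields[0], fields[1]

def install_pubkey(home, line):
    """Append the key to home/.ssh/authorized_keys. True if added, False if present."""
    ktype, blob = parse_pubkey(line)
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # sshd StrictModes rejects group/world-writable dirs
    path = os.path.join(ssh_dir, "authorized_keys")
    fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a+") as fh:
        os.chmod(path, 0o600)  # tighten a pre-existing file as well
        fh.seek(0)
        existing = fh.read()
        # Compare type and blob only, so a changed comment is not a new key.
        if any(old.split()[:2] == [ktype, blob] for old in existing.splitlines()):
            return False
        if existing and not existing.endswith("\n"):
            fh.write("\n")
        fh.write(f"{ktype} {blob}\n")
    return True

def sample_key():
    """Constructed, non-functional key line with a valid ed25519 blob layout."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"
```

The key's comment field is dropped on purpose, so nothing the client controls beyond the type and the validated blob reaches `authorized_keys`.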