<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-15">
</head>
<body bgcolor="#ffffff" text="#000000">
<font face="Helvetica, Arial, sans-serif">Hi Mike,<br>
<br>
you wrote:<br>
<br>
> > Which would be a NX/x2go-migration-blocker for those
currently using <br>
> > the "store password" function of the NXclient.<br>
><br>
> OK, you are thinking in migration NX2X2go-terms... I see.<br>
<br>
That is the main objective that led me to the x2go project - as
"FreeNX is dying, NetCraft confirms it". ;-)<br>
<br>
<br>
> SSH keyfiles are indeed possible to use with both clients.<br>
<br>
Interesting. I never used them with NX and can'T remember seeing a
GUI option for this; then again, I'm not using the latest client.<br>
<br>
<br>
> However, neither with PyHoca-GUI nor with X2goClient-qt you
have a key <br>
> generation mechanism at hand. However, this would be really a
need <br>
> feature:<br>
><br>
> o The client generates a key pair<br>
> o at first login, the pubkey is pushed to the server (this
needs a password)<br>
> o at further logins, the pubkey is used for Auth...<br>
><br>
> What do you think about something like this?<br>
<br>
The idea of automatically generating a key pair sounds nice.<br>
<br>
I'm not sure how to deal with the password issue, though.<br>
I know that I can block password-based logins for root in
sshd_config, so that root always requires a key file, but I
wouldn't know how to tell SSH "if the user has a keyfile, disallow
password-based logins" for regular users and on a per-user basis.<br>
<br>
Also, this would mean that the initial password remains unchanged
on the server, so someone gaining physical access to it could try
to log in on the console as that particular user. Of course,
physical security of the server is another issue that needs to be
dealth with by the server administrator (and not by us) - but
still, leaving an initial password unchanged sounds like asking
for trouble.<br>
<br>
If we had a mechanism to issue a passwd -l <username> after
the keyfile has been transferred, things would look better.
(AFAIK, a key file will still allow you access to your account
even if your password has been locked).<br>
<br>
<br>
> > Usability: The user is already authenticated on the
Windows machine <br>
> > or the Windows Domain. No one else has access to the
particular <br>
> > configuration file, as it is stored in the user's home
directory <br>
> > (for this concept, it doesn't matter if it's a NX config
file with a <br>
> > plaintext password, or a passwordless ssh secret key for
x2go). <br>
> > There is absolutely no need to ask the user for a
password again.<br>
><br>
> Single-Sign-On is always a neat thing to have...<br>
<br>
Indeed, and on Windows, it can usually only be achieved using
third-party tools (and even with them, it's still a RPITA when it
comes to proper administration of these tools: Detecting "Password
expired, please change" application popups, fulfilling minimum
password requirements, etc.). Very few programs query the Windows
authentication to check if a particular user is permitted to run
them.<br>
<br>
<br>
[snip]<br>
> Please let me known your opinion about the above approach
(SSH key <br>
> generation). It should be rather easy to implement this into
Python <br>
> X2go. If you are interested, I will add that to the
PyHoca-GUI <br>
> enhancement wishlist.<br>
<br>
I'd say add it to the wishlist, but with a "needs-more-thoughts"
flag regarding proper implementation, see my worries above.<br>
<br>
I hope my comments don't turn this wish into the following wish
from the PuTTY wishlist: </font><font face="Helvetica, Arial,
sans-serif"><a class="moz-txt-link-rfc2396E" href="http://goo.gl/CwZa8"><http://goo.gl/CwZa8></a> </font><br>
<font face="Helvetica, Arial, sans-serif"><br>
Kind Regards,<br>
Stefan<br>
</font>
</body>
</html>