[X2Go-User] x2go session broker connect problem
Ted Barnes
madogdevelopment at gmail.com
Fri Oct 25 19:28:11 CEST 2013
Hi All:
Am trying to get up to speed on x2go session broker, but am having
trouble. Any suggestions?
When I try to connect I get:
Error
Login failed!
Please try again.
Along with...
broker url: http://xxx.xxx.xxx.xxx/:8080/plain/inifilebroker
url:http://xxx.xxxx.xxx.xxx/:8080/plain/inifile
or....
broker url:http://user@xxx.xxx.xxx.xxx/cgi-bin/x2gobroker.cfgi
As I'm getting started, I'm trying to do this on my LAN (all behind my
firewall) without any ssh (longer term I want to see if I can run
sessions inside SSL). I've disabled all the iptables rules on my
server....and tried various settings in the x2gobroker.conf and
x2gobroker-sessionprofiles.conf files which have not really changed the
error message but may be the problem (see below).
I can connect using the x2go client GUI "the normal way", and the first
time I got a window on the client "The server is unknown. Do you trust
the host key....", which I assume is x2go dynamically creating a ssh
tunnel? This part works fine.
However, when I try from the command line with an "x2goclient
--broker-..." type of command, I get the Error message.
Both client and server are running Debian Squeeze, and on the server
I've successively installed:
x2gobroker-wsgi
apache2
libapache2-mod-wsgi
x2gobroker-authservice (wasn't sure if I should install this for my
initial tests)
My x2gobroker.conf:
# This file is part of the X2Go Project - http://www.x2go.org
# Copyright (C) 2011-2013 by Oleksandr Shneyder <oleksandr.shneyder at obviously-nice.de>
# Copyright (C) 2011-2013 by Heinz-Markus Graesing <heinz-m.graesing at obviously-nice.de>
# Copyright (C) 2012-2013 by Mike Gabriel <mike.gabriel at das-netzwerkteam.de>
#
# X2Go Session Broker is free software; you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# X2Go Session Broker is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program; if not, write to the
# Free Software Foundation, Inc.,
# 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
###
### GLOBAL section
###
[global]
# Allow unauthenticated connections? Then set check-credentials to false.
check-credentials = false
# To secure server-client communication the client can start the communication
# with a pre-set, agreed on authentication ID. Set the below value to true
# to make the X2Go Session Broker require this feature
#require-cookie-auth = false ### NOT-IN-USE-YET
# X2Go supports two different cookie authentication modes (static and dynamic).
#use-static-cookie = false ### NOT-IN-USE-YET
# Every server-client communication (between X2Go Client and broker) has to be
# accompanied by this initial authentication cookie.
#my-cookie = <aaaavveeeerrrrryyyyylooonnnnggggssttrrriiinnnggg> ### NOT-IN-USE-YET
# X2Go Session Broker knows about two output formats: a text/plain based output
# and a text/json based output that is compatible with UCCS. The different outputs
# run under different URLs.
enable {base_url}/plain/
enable-plain-output = true
# enable {base_url}/uccs/
#enable-uccs-output = false
# use this URL base to create URL field in UCCS-style JSON output
#my-uccs-url-base = http://localhost:8080/
# default authentication mechanism for all broker backends
default-auth-mech = pam
# how does this X2Go Session Broker instance retrieve user and group
# information from the system? (defaults for all broker backends)
default-user-db = libnss
default-group-db = libnss
# on large deployments it is recommended to ignore primary group
# memberships traversing into all user accounts for primary group
# detection can be quite CPU intensive on the X2Go Broker server.
#ignore-primary-group-memberships = true
# X2Go session autologin via X2Go Session Broker
#
# Once authenticated against the session
# broker, the user becomes a trusted user. That is, the X2Go session login can
# be automatized by a very temporary SSH pub/priv key pair. Prior to the session
# login the key is generated, after successful session login, the key is dropped
# immediately.
#
# This option can be overridden by the session profile parameter
# broker-session-autologin={true|false}
broker-session-autologin=true
default-session-autologin=true
# X2Go's authorized_keys file for broker mediated autologin sessions
#
# For the X2Go auto-login via X2Go Session Broker feature to work thoroughly,
# the X2Go Session Broker has to place the temporary public SSH key into the
# user's home directory. It is not recommended to use SSH's default
# authorized_keys file for this but a separate and X2Go-specific authorized_keys
# file ($HOME/.x2go/authorized_keys).
#
# Of course, the SSH daemon has to be made aware of this. This can be configured
# in /etc/ssh/sshd_config like this:
#
# --- /etc/ssh/sshd_config.no-x2go 2013-03-01
09:57:04.000000000 +0100
# +++ /etc/ssh/sshd_config 2013-03-01 09:56:57.000000000 +0100
# @@ -28,7 +28,8 @@
#
# RSAAuthentication yes
# PubkeyAuthentication yes
# AuthorizedKeysFile %h/.ssh/authorized_keys
# +AuthorizedKeysFile2 %h/.x2go/authorized_keys
#
# # Don't read the user's ~/.rhosts and ~/.shosts files
# IgnoreRhosts yes
#
# This option can be overridden by the session profile parameter
# broker-authorized-keys=<file-location>
#default-authorized-keys=%h/.x2go/authorized_keys
# X2Go Broker Agent query mode
#
# The X2Go Broker Agent is needed for multi-server sites configured for
# load balancing. Multi-server sites require a setup that uses the
# PostgreSQL X2Go session DB backend. The X2Go Broker Agent has to be installed
# on the local system (mode: LOCAL) or on all X2Go Servers (mode: SSH) in a
# multi-server farm.
#
# So, there are three query modes for the X2GO Broker Agent: NONE, LOCAL and
# SSH.
#
# NONE - Try to get along without X2Go Broker Agent queries. For simple
# broker setups this may suffice. For load-balancing or reliable
# session suspending and resuming the broker agent is a must!!!
#
# LOCAL - This LOCAL mode only works for _one_ configured multi-server farm.
# If this X2Go Session Broker is supposed to serve many different
# multi-server farms, then the LOCAL mode will not work!!!
#
# How it works: Assume that the local system has an X2Go Broker Agent
# that knows about the multi-server setup. This means: X2Go Server
# has to be installed locally and the X2Go Server has to be
# configured to use the multi-server farm's PostgreSQL session DB
# backend.
#
# The local system that is running the broker does not necessarily
# have to be a real application server. It only has to be aware of
# running/suspended sessions within the X2Go multi-server farm setup.
#
# A typical use-case is X2Go on top of a Debian Edu Terminal-Server
# farm:
#
# TJENER -> PostgreSQL DB, X2Go Server, X2Go Session Broker +
# Broker Agent
# TS01 - TS0X -> X2Go Server configured to use the PostgreSQL DB
# on TJENER
#
# SSH - The more generic approach, but also more complex. It allows that
# the broker on this system may serve for many different X2Go Server
# multi-server setups.
#
# With the SSH agent query mode, the X2Go Session Broker will query
# one of the X2Go Servers in the targeted multi-server setup (through
# SSH). The SSH authentication is done by a system user account
# (normally UID=x2gobroker) and SSH pub/priv key authentication has
# to be configured to make this work.
#
# All X2Go Servers in a multi-server farm need the X2Go Broker Agent
# installed, whereas this local system running the X2Go Session
# Broker does not need a local X2Go Broker Agent at all.
#
# The agent query mode can be configured on a per-broker-backend basis, the
# below value is the default.
#default-agent-query-mode=LOCAL
###
### BACKEND section
###
# Possible X2Go Session Broker backends:
#
# 1. backend = zeroconf (activated by default)
# Use the ZeroConf X2Go Session Broker backend, this backend is for demo only
# and only operates on localhost. Make sure you have x2gobroker-daemon
# and x2goserver installed on the same machine. No need to install
# x2gobroker-agent.
# 2. backend = infile (deactivated by default)
# The IniFile X2Go Session Broker backend is for providing session profiles
# to multiple users/clients on a text config file basis (.ini file format).
#
# The session profile setup is accomplished by an extra configuration file,
# by default named /etc/x2go/broker/x2gobroker-sessionproiles.conf.
#
# For small-scale deployments the IniFile backend is the recommended backend.
[zeroconf]
#enable = true
#auth-mech = pam
#user-db = libnss
#group-db = libnss
#desktop-shell = KDE
[inifile]
enable = true
session-profiles = /etc/x2go/broker/x2gobroker-sessionprofiles.conf
#[ldap] -> MUSIC OF THE FUTURE
#enable = false
#auth-mech = ldap
#user-db = ldap
#group-db = ldap
#uri = ldap://localhost:389
#base = dc=example,dc=org
#user-search-filter = (&(objectClass=posixAccount)(uid=*))
#host-search-filter = (&(objectClass=ipHost)(serial=X2GoServer)(cn=*))
#group-search-filter = (&(objectClass=posifxGroup)(cn=*))
#starttls = false
#agent-query-mode = SSH
My x2gobroker-sessionprofiles.conf:
### X2Go Broker Session Profiles - ADAPT TO YOUR NEEDS ###
# This whole file reflects a set of exemplary X2Go session profiles being
# provided via the X2Go Session Broker (backend: iniconf).
# This whole file could be the broker setup in some university institute that
# runs three server pools (pool-A, pool-B and pool-C). Though most universities
# have real IPv4 internet addresses, we use private subnets in the examples
# below.
# The X2Go Session Broker is served into the institutes local intranet, the
# broker cannot be reached from the internet directly.
# The first section [DEFAULTS] provides a set of default profile settings that
# are common to all session profiles given in sections below.
# The other section names can be freely chosen, however, each section name has
# to be unique within this file.
# IMPORTANT: in the session profiles below you will find some lines starting
# with acl-... These lines do neither protect the X2Go Session Broker nor
# your X2Go Servers. They simply allow for selective session profile provision
# based on client address, user name and group memberships.
#
# For protecting the broker use iptables and ip6tables. For protecting your
# X2Go Servers use iptable+ip6tables and a tightened PAM configuration (e.g.
# pam_access.so). Securing X2Go Servers means securing the SSH daemon that
# runs on the X2Go Server.
[DEFAULT]
command=TERMINAL
defsndport=true
useiconv=false
iconvfrom=UTF-8
height=600
export=
quality=9
fullscreen=false
layout=
useexports=true
width=800
speed=2
soundsystem=pulse
print=true
type=auto
sndport=4713
xinerama=true
variant=
usekbd=true
fstunnel=true
applications=TERMINAL,WWWBROWSER,MAILCLIENT,OFFICE
multidisp=false
sshproxyport=22
sound=true
rootless=false
iconvto=UTF-8
soundtunnel=true
dpi=96
sshport=22
setdpi=0
pack=16m-jpeg
directrdp=false
[GNOME]
user=xxx
host=xxx.xxx.xxx.xxx
name=GNOME
command=GNOME
rootless=false
acl-users-allow=xxx
acl-groups-allow=gnome-users,admins
acl-groups-deny=ALL
acl-any-order=deny-allow
broker-session-autologin=true
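
A preflight check for a broker URL and an x2gobroker.conf like the ones quoted in this message, added here as an example; it is not part of the original post or of X2Go. It assumes the config follows plain INI rules (comment, [section], key = value); the function names, the address 192.0.2.10 and the shortened sample config are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: a shortened [global] section modelled on the config in the post.
SAMPLE_CONF = """\
[global]
# Allow unauthenticated connections? Then set check-credentials to false.
check-credentials = false
enable {base_url}/plain/
enable-plain-output = true
[inifile]
enable = true
"""

def lint_broker_url(url):
    """Return a list of findings for a broker URL (hypothetical helper)."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        findings.append("scheme is not https: traffic to the broker is unencrypted")
    if parts.port is None and parts.path.startswith("/:"):
        findings.append("port follows a '/', so it is read as path, not as port")
    return findings

def lint_broker_conf(text):
    """Return (line_number, message) findings; assumes plain INI syntax."""
    findings, section, settings = [], None, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;" or raw[0].isspace():
            continue  # blank, comment, or indented continuation line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep:
            findings.append((lineno, "not a comment, section or key=value: " + line))
            continue
        settings[(section, key.strip())] = (lineno, value.strip().lower())
    # The config's own comment says this value allows unauthenticated connections.
    lineno, value = settings.get(("global", "check-credentials"), (0, ""))
    if value == "false":
        findings.append((lineno, "check-credentials = false: unauthenticated connections allowed"))
    return findings

if __name__ == "__main__":
    for msg in lint_broker_url("http://192.0.2.10/:8080/plain/inifile/"):
        print("url:", msg)
    for lineno, msg in lint_broker_conf(SAMPLE_CONF):
        print("conf line %d: %s" % (lineno, msg))
```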