[X2Go-User] Security setup on server with x2go
Hanák
hanak at is-it.eu
Wed Oct 22 12:37:20 CEST 2014
Hello,
I would like to ask experienced users, how they solve security topics on
their x2go servers.
I have the server where users are allowed to start only very a limited set
of commands through ssh. I am using sshd_config option ForceCommand
which allows to start only /usr/local/bin/check_ssh_cmd where
I test SSH_ORIGINAL_COMMAND. Everything works fine so far.
Now I need to allow users to start also some commands through
x2goclient. The problem is that in order x2go to work I need to
allow also every single command which is sent by x2goclient.
I tried to track what is being sent and there are a lot of
commands like 'sh -c "echo X2GODATABEGIN: ... echo X2GODATAEND"'.
So the question is, how to write the rules in check_ssh_cmd wrapper script.
If I would allow any command containing X2GODATABEGIN and X2GODATAEND,
it would probably work, but my security setup of ssh would be broken,
because somebody who knows, how x2go internally works, could sent
his own commands wrapped in X2GODATABEGIN and X2GODATAEND.
What would you recommend? Any sugestions are appreciated.
Pavel
More information about the x2go-user
mailing list