[X2Go-User] configure x2go for servers inside a network with PaloAltoNetworking firewalls
Richard Beare
richard.beare at mcri.edu.au
Thu Apr  2 09:20:52 CEST 2020

Hi,
Thanks for the reply.
My suspicion is that the kex err is due to the PaloAltoNetworks stuff. If I log into the remote workstation:
sshd -T
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
I guess the only fix will be extra kex options in libssh...
Thanks for the tip on the proxy. If I create a tunnel from localhost:2222 => remote host sshd port, and configure the x2goclient to find the ssh proxy at localhost:2222, then it appears to work, and hopefully that is one less encryption layer.
Thanks for the reminder on image compression. I will pass that on!
Richard Beare
Team Leader (Computational Methods Group)
Developmental Imaging
Murdoch Children's Research Institute
The Royal Children's Hospital
Flemington Road Parkville Victoria 3052 Australia
T 8341 6403
E Richard.Beare at mcri.edu.au
www.mcri.edu.au
Developmental Imaging Software: http://developmentalimagingmcri.github.io/
________________________________
From: x2go-user [x2go-user-bounces at lists.x2go.org] on behalf of Stefan Baur [X2Go-ML-1 at baur-itcs.de]
Sent: Thursday, April 02, 2020 5:54 PM
To: x2go-user at lists.x2go.org
Subject: Re: [X2Go-User] configure x2go for servers inside a network with PaloAltoNetworking firewalls
On 02.04.20 at 01:56, Richard Beare wrote:
> Apologies - accidentally sent before completing
> Hi,
> I have a working installation of x2go, but there is some ugliness about the setup that I'd like to reduce. Any advice welcome.
>
> Here's how it looks at the moment.
>
> 1) vpn connection to the institute.
> 2) ssh tunnel to the workstation from the laptop
> 3) x2go connected to the local tunnel port
>
> This works, but we now have 3 layers of encryption.
>
> The reason for not pointing x2go directly at the workstation is the use of PaloAltoNetworking appliances within the institution. These do a man-in-the-middle break of ssh connections and lead to the following error from x2go:
>
> kex error : no match for method kex algos: server [diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1], client [curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
>
> A direct ssh login works, but always falls back to a password.
>
>
> Is there any configuration option possible to have x2go/libssh handle the setup in the same way that regular ssh does?
Yes. That's what the "Use Proxy Server for SSH Connection" checkbox in
the session configuration is for.
Though I'm not quite sure why you're getting the kex error one way, but
not the other. That's the actual issue you should be trying to fix.
You probably need a line "KexAlgorithms" in your server's
/etc/ssh/sshd_config, where "KexAlgorithms" is followed by at least one
of the algorithm names listed after "client" in your error message above.
After changing that, you need to restart sshd - note that running
sessions will not be killed by the usual restart methods, but, if you're
trying to change this via an ssh connection, be sure to have several SSH
sessions open, so you have a spare session to fix things if you make a
typo or other mistake.
Also, since your signature says:
> Team Leader (Computational Methods Group)
> Developmental Imaging
I would like to add our usual disclaimer/warning:
X2Go does have options for image compression, like using JPG and/or PNG.
Not all image compression algorithms are lossless, and thus there may be
artifacts in the images (i.e. the image displayed through X2Go may look
slightly different than what it would look like on a regular X-Server
screen), depending on which algorithm and which compression level you
choose.
If you're using fMRI/X-Ray/Mammography/… images or similar medical
imaging displayed through X2Go for clinical purposes (deciding whether a
certain patient requires a surgery etc.), you should absolutely make
sure that you're using a lossless compression or no compression at all,
or else you might be seeing things that aren't actually there, or
missing things that are there.
Kind Regards,
Stefan Baur
--
BAUR-ITCS UG (haftungsbeschränkt)
Managing Director: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Register court Ulm, HRB 724364
Phone/Fax 0731 40 34 66-36/-35 | VAT ID: DE268653243
_______________________________________________
x2go-user mailing list
x2go-user at lists.x2go.org
https://lists.x2go.org/listinfo/x2go-user
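The kex error quoted in Richard's original message is a pure list-intersection failure: the side the client talks to offered only the two diffie-hellman-group-exchange methods, while libssh in x2goclient offered none of them, and Richard's own `sshd -T` output shows the workstation itself offers a much wider set. The following POSIX shell script is an added example written for this thread, not code from X2Go or from either poster; it reproduces the negotiation check with the three algorithm lists copied from the messages above (labelled as constructed in the comments) so that a reader can see which endpoint's list is the one that lacks overlap, and which client algorithm Stefan's suggested `KexAlgorithms` line would have to include. The function names `kex_overlap`, `kex_first`, `kex_check` and `report` are this example's own.

```shell
#!/bin/sh
# Added example: check whether an SSH kex negotiation can succeed given
# the server's and client's comma-separated algorithm lists.
# The lists below are constructed from the thread, not fetched live.

# Server list as shown in the x2go kex error (offered by whatever endpoint
# the client actually reached, i.e. the appliance's MITM side).
SERVER_KEX='diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1'

# Client list from the same error message (libssh inside x2goclient).
CLIENT_KEX='curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'

# What the workstation's own sshd reports via "sshd -T" (from the reply).
WORKSTATION_KEX='curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1'

# kex_overlap SERVER_LIST CLIENT_LIST
# Prints, one per line, every algorithm present in both lists, in the
# client's preference order (the order SSH negotiation walks through).
kex_overlap() {
    server=$1
    client=$2
    printf '%s\n' "$client" | tr ',' '\n' | while IFS= read -r alg; do
        # Wrap both sides in commas so "group14-sha1" cannot match
        # "group14-sha256" as a substring.
        case ",$server," in
            *",$alg,"*) printf '%s\n' "$alg" ;;
        esac
    done
}

# kex_first SERVER_LIST CLIENT_LIST
# The algorithm a successful negotiation would actually select.
kex_first() {
    kex_overlap "$1" "$2" | head -n 1
}

# kex_check SERVER_LIST CLIENT_LIST
# Exit status 0 when at least one algorithm is shared, 1 otherwise.
kex_check() {
    [ -n "$(kex_overlap "$1" "$2")" ]
}

# report LABEL SERVER_LIST CLIENT_LIST: human-readable summary line.
report() {
    label=$1
    server=$2
    client=$3
    if kex_check "$server" "$client"; then
        printf '%s: negotiation can succeed, would select %s\n' \
            "$label" "$(kex_first "$server" "$client")"
    else
        printf '%s: no common kex algorithm; server offered [%s]\n' \
            "$label" "$server"
    fi
}

# Stand-alone run: compare the client against both server-side lists.
report 'endpoint seen by x2goclient' "$SERVER_KEX" "$CLIENT_KEX"
report 'workstation sshd -T' "$WORKSTATION_KEX" "$CLIENT_KEX"
```

Run against the thread's data, the first report shows no overlap and the second shows five shared algorithms, with `curve25519-sha256@libssh.org` selected first. That difference is the diagnostic Stefan was asking for: a `KexAlgorithms` change in the workstation's `/etc/ssh/sshd_config` only helps if the endpoint that the client actually reaches is the workstation's sshd. On a real system, the server list comes from `sshd -T` as Richard ran it, and the client list for x2goclient is the one printed in the kex error itself (an OpenSSH client's list can be listed with `ssh -Q kex`, but libssh's differs, as the error shows).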