[X2Go-User] Questions regarding features and configuration advice of X2go
Jörg Kastning
joerg.kastning at uni-bielefeld.de
Tue Dec 21 08:23:30 CET 2021
On 20.12.2021 at 17:44, Stefan Baur wrote:
> On 20.12.21 at 16:14, richard lucassen wrote:
>>> In short: forget about it. If you're allowing users SSH access for
>>> X2Go, they WILL be able to copy data. You can make it a little harder
>>> for them if you think you have to, but as long as they are in control
>>> of the client hardware, they will always be able to do so.
>> I have no complete answer to it, but if you use keys instead of
>> user/pass then you will be able to restrict ssh in
>> ~/.ssh/authorized_keys
>>
>> from="1.2.3.4,2.3.4.5,9.8.7.6",no-port-forwarding,command="/path/to/script",no-X11-forwarding,no-agent-forwarding,no-pty
>> ssh-rsa <key>
>>
>> (all in 1 line)
>>
>> This is an example of what I use here, I think there must be many other
>> options available.
>>
>> see "man authorized_keys"
>
> That's all fine for non-interactive commands or simple scripts. But have
> you tried to use this with X2Go?
That's an interesting question.
@richard: Do you use this config with X2Go? Does it work?
Thanks for your answers so far. I'm aware that there is no such thing as
100% security. I just try to figure out what's possible and what risks
will remain.
In the end it's not my job to decide whether to take the risk or not.
But I would like to know what may be possible to prevent in order to
advise the project on this. So I ask in a very early stage of the
project so I won't have to hurry later.
Regards,
Joerg
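
Added example, not part of the original message or of the X2Go project: a small Python audit that parses the options field of each authorized_keys entry and lists which of the restrictions from the quoted entry are missing. The sample entries and key material are constructed placeholders, and treating `restrict` as implying the no-* options unless re-enabled follows sshd's documented behaviour.

```python
import re

# Key-type prefixes: a line starting with one of these has no options field.
KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")
# Restrictions used in the quoted entry; the audit expects them on every key.
EXPECTED = ("from", "command", "no-port-forwarding", "no-X11-forwarding",
            "no-agent-forwarding", "no-pty")
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?')

def split_options(line):
    """Split one line into (options dict with lowercased names, other fields)."""
    if line.startswith(KEY_TYPES):
        return {}, line
    opts, i = {}, 0
    while i < len(line) and line[i] not in " \t":
        m = OPTION.match(line, i)
        if not m:
            raise ValueError("malformed options field")
        opts[m.group(1).lower()] = True if m.group(2) is None else m.group(2)
        i = m.end()
        if i < len(line) and line[i] == ",":
            i += 1
    return opts, line[i:].strip()

def audit(text):
    """Return {line number: [expected restrictions that are missing]}."""
    report = {}
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, _ = split_options(line)
        missing = []
        for name in EXPECTED:
            key = name.lower()
            # "restrict" implies each no-* option unless it is re-enabled.
            implied = key.startswith("no-") and "restrict" in opts and key[3:] not in opts
            if key not in opts and not implied:
                missing.append(name)
        report[num] = missing
    return report

SAMPLE = '''\
# constructed sample; key material is a placeholder
from="1.2.3.4,2.3.4.5",no-port-forwarding,command="/path/to/script",no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAPLACEHOLDER user1
ssh-ed25519 AAAAPLACEHOLDER user2
restrict,pty,command="/path/to/script" ssh-ed25519 AAAAPLACEHOLDER user3
'''
if __name__ == "__main__":
    print(audit(SAMPLE))
```

The audit only reports which options are present; whether a given set of restrictions still lets an X2Go session start is the open question in the thread and is not answered by this check.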