[X2Go-Dev] Bug#1085: 4.1 upgrade has not fixed the crashing

2017-03-27 Thread Troels Arvin

Upgrading to X2Go 4.1.0.0: Unfortunately, the crashes still occur.
___
x2go-dev mailing list
x2go-dev@lists.x2go.org
http://lists.x2go.org/listinfo/x2go-dev

[X2Go-Dev] Bug#1155: Bug#1155: Volume levels are not saved with TCE

2017-03-27 Thread Stefan Baur
On 13.03.2017 at 11:43, Walid MOGHRABI wrote:

> When my TCE users log in to their session, they have to set their audio volume 
> levels every time.
> Their settings are not saved when they log off their session.

Where would you expect the setting to be saved?
The Client is a RAM disk, so once you reboot, all settings are reset to
their default values.
If you want to adjust client-side audio volume, you'd have to adjust the
volume on each startup using, say, amixer in a startup script that you
splice into the thinclient boot process.  If anything, I would use that
to set the audio volume to maximum for all ThinClients.

The only volume controls available to the user come from the server,
once the session is running.  Saving those settings SHOULD be the task
of the selected Desktop Environment.
It would be interesting to know if you're also losing the settings when
you log in using a non-ThinClient computer that has X2GoClient installed.

-Stefan

-- 
BAUR-ITCS UG (haftungsbeschränkt)
Managing Director: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Register court Ulm, HRB 724364
Phone/Fax 0731 40 34 66-36/-35 | VAT ID no.: DE268653243

Re: [X2Go-Dev] X2Go client to search for server?

2017-03-27 Thread Stefan Baur
On 27.03.2017 at 16:50, John Cobo wrote:

> If a person had a small, inexpensive computer to use only for
> on-line banking and a few other secure things that would seem to solve a
> lot of problems. 

Aaand that's where you're mistaken.  Sorry to burst your bubble.
There are two ways to do this that aren't just security theater, but
provide real security, and your approach isn't among them.

One is a live system that you only boot for banking, and that has its
kernel patched so it is unable to detect and access hard disk media - it
will only access optical and USB media.  This is the safest way to do
it, but of course, less convenient.
A German computer magazine called c't issued ISOs with such a modified
kernel for a few years (it was called c't bankix), but recently
abandoned it.  There seems to be a volunteer that has picked up
development from where they left, though - he keeps posting updates in
their bankix online forum.

The more convenient way is to invert the idea you had:
Use an X2GoServer for all "world wild [sic] web" surfing, and your local
browser for banking and other secure applications only.
This requires a firewall that is set to deny traffic from LAN to WAN by
default, and a DMZ in which the X2GoServer resides.
We actually offer such systems as appliances for medical professionals,
with commercial support and all, see e.g. here:


Your approach, using the X2GoServer for the banking stuff only, is
insecure for the simple reason that if you use your local machine for
day to day surfing, malware can (and will!) hide in the background and
capture your keystrokes.  It doesn't matter if they're directed at the
local browser or at the X2GoClient - as soon as you start typing
https://www.ubs.com or https://www.morganstanley.com, the bad guys will
know that the next sequence of characters will be your banking login
details.

So the only safe and sane approach is to absolutely make sure your
client computer is clean and has no connection to the internet (save for
the few trustworthy sites you whitelisted), and consider the X2GoServer
your "throwaway" machine, because there is no way it could "snoop
backwards" to your client, especially when you close X2GoClient before
logging in to your banking site.


> I've tried writing the Pi's IP back onto the USB, but due to what some
> call a bug in Raspbian/Debian the address is not available when boot
> scripts run. 

That's why you don't do such things at boot time, but instead whenever
the interface goes up.  Have a look at our X2Go-TCE-Live solution - it
displays MAC and IP before the login prompt, but waits until the
interface is up and has an IP before creating that file.

Kind Regards,
Stefan Baur

-- 
BAUR-ITCS UG (haftungsbeschränkt)
Managing Director: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Register court Ulm, HRB 724364
Phone/Fax 0731 40 34 66-36/-35 | VAT ID no.: DE268653243
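
One way to follow the advice above to wait until the interface is up and has an IP before creating the file, as an added example that is not part of the original post and is not the X2Go-TCE-Live code. The interface name, output path and function names are assumptions.

```shell
#!/bin/sh
# Added example (assumptions: interface wlan0, output file on a mounted USB stick).
# Usage: publish-ip.sh wlan0 /media/usb/pi-address.txt [timeout_seconds]

# Read `ip -4 -o addr show` output on stdin and print the first IPv4 address.
extract_ipv4() {
    awk '$3 == "inet" { split($4, a, "/"); print a[1]; exit }'
}

# Poll once per second until interface $1 has an IPv4 address or $2 seconds pass.
# "scope global" filters out loopback and link-local addresses.
wait_for_ipv4() {
    wf_iface=$1
    wf_left=${2:-60}
    while :; do
        wf_addr=$(ip -4 -o addr show dev "$wf_iface" scope global 2>/dev/null | extract_ipv4)
        if [ -n "$wf_addr" ]; then
            printf '%s\n' "$wf_addr"
            return 0
        fi
        if [ "$wf_left" -le 0 ]; then
            return 1
        fi
        sleep 1
        wf_left=$((wf_left - 1))
    done
}

# Write interface, MAC and IPv4 to $2, but only after an address exists.
# The file is written under a temporary name and renamed, so a reader
# never sees a half-written file.
publish_ip() {
    pi_iface=$1
    pi_out=$2
    pi_addr=$(wait_for_ipv4 "$pi_iface" "${3:-60}") || return 1
    pi_mac=$(cat "/sys/class/net/$pi_iface/address" 2>/dev/null || echo unknown)
    pi_tmp="$pi_out.tmp.$$"
    printf 'iface=%s\nmac=%s\nipv4=%s\n' "$pi_iface" "$pi_mac" "$pi_addr" > "$pi_tmp" || return 1
    mv "$pi_tmp" "$pi_out"
}

# Run only when called with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    publish_ip "$@"
fi
```
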

Re: [X2Go-Dev] X2Go client to search for server?

2017-03-27 Thread John Cobo
Stefan,

Thanks for continuing to ponder on this.

The problem I'm trying to solve is that normal, non-technical people (my
sister triggered this) are quite rightly concerned about security and
privacy on the internet but not given much real help. Read the fine print
on your on-line banking's web site to see what I mean. It will tell you
that your PC must be secure, up to date, free of viruses and malware, etc.
In real life your daughter grabs the PC and downloads some free movies and
viruses, then you go on-line banking, then you run a bitcoin wallet, then
your new flatmate gets the router password from the landlord and on it
goes. My sister runs an old Mac and is afraid to update anything because
it "will probably break stuff." When she asked me to suggest bitcoin wallet
software to run on her computer I became concerned and thought there must
be a better way.

At work, we will do our best to isolate "at risk" servers (my sister's Mac)
from those that must remain secure (eg. for financial transactions). My
idea is to offer the same separation for normal people. If a person had a
small, inexpensive computer to use only for on-line banking and a few other
secure things that would seem to solve a lot of problems. A Raspberry Pi
seems ideal but is no longer inexpensive if you have to buy a monitor and
keyboard to set it up.

Back to the use case. I would provide my sister and many people like her
with a hardened Raspbian image on a SD card along with a Raspberry Pi. My
sister enters her wifi credentials to a file on a USB stick which she
inserts in the Pi and plugs it in. A boot script on the Pi connects to WiFi
and starts the X2Go server. My sister has installed X2Go client and ideally
"just" connects. Many people do not have spare monitors sitting around
these days.

I've tried writing the Pi's IP back onto the USB, but due to what some call
a bug in Raspbian/Debian the address is not available when boot scripts
run. I've tried VNC connect, but there are a few issues with it too. I
could periodically ping the Pi's IP and some secret code to an internet web
server, but the users of this are naturally distrustful of internet based
stuff so I would rather not. My typical user can (probably) install
software such as your client, but are not going to be logging into routers
or anything very technical. Users would not want anyone else to be able to
access their secure Pi.

I hope that explains the use case better.

Thanks,
John

On 27 March 2017 at 13:22, Stefan Baur wrote:

> On 16.03.2017 at 18:28, John Cobo wrote:
>
> > I am considering X2Go for a project which involves non-technical people
> > using X2Go to connect to a Raspberry Pi which does not have a screen and
> > so the user will not know the Pi's IP address. I could set an SSH port
> > on the Pi to an obscure number such as 2432 or something.
> >
> > Would it be feasible for the X2Go clients to have a new option to scan a
> > range of IPs (eg. 192.168.0.1 - 192.168.0.255) for a given port (eg.
> > 2432) on which to connect?
> >
> > Such a feature could solve the generic problem of how to connect for the
> > first time to something new on your local network.
>
> I've been giving this some more thought.  I still believe that we
> shouldn't be adding such an option to X2GoClient, but there may be more
> comfortable ways of providing your users with a DNS name to connect to,
> rather than having to figure out an IP, even without
> APIPA/mDNS/Zeroconf/Bonjour.
>
> For that, you should tell us more about that usage scenario - will all
> those Raspis have full internet access?  If not, are they being deployed
> on different subnets of one larger network where you could place one
> machine they all can reach?
>
> I'm thinking along the lines of using either a DynDNS server on the
> internet, with the Raspi reporting its internal IP instead of the
> external one, though, or setting up an internal DynDNS server.
>
> -Stefan
>
> --
> BAUR-ITCS UG (haftungsbeschränkt)
> Managing Director: Stefan Baur
> Eichenäckerweg 10, 89081 Ulm | Register court Ulm, HRB 724364
> Phone/Fax 0731 40 34 66-36/-35 | VAT ID no.: DE268653243
>
>

Re: [X2Go-Dev] X2Go client to search for server?

2017-03-27 Thread Stefan Baur
On 16.03.2017 at 18:28, John Cobo wrote:

> I am considering X2Go for a project which involves non-technical people
> using X2Go to connect to a Raspberry Pi which does not have a screen and
> so the user will not know the Pi's IP address. I could set an SSH port
> on the Pi to an obscure number such as 2432 or something.
> 
> Would it be feasible for the X2Go clients to have a new option to scan a
> range of IPs (eg. 192.168.0.1 - 192.168.0.255) for a given port (eg.
> 2432) on which to connect?
> 
> Such a feature could solve the generic problem of how to connect for the
> first time to something new on your local network.

I've been giving this some more thought.  I still believe that we
shouldn't be adding such an option to X2GoClient, but there may be more
comfortable ways of providing your users with a DNS name to connect to,
rather than having to figure out an IP, even without
APIPA/mDNS/Zeroconf/Bonjour.

For that, you should tell us more about that usage scenario - will all
those Raspis have full internet access?  If not, are they being deployed
on different subnets of one larger network where you could place one
machine they all can reach?

I'm thinking along the lines of using either a DynDNS server on the
internet, with the Raspi reporting its internal IP instead of the
external one, though, or setting up an internal DynDNS server.

-Stefan

-- 
BAUR-ITCS UG (haftungsbeschränkt)
Managing Director: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Register court Ulm, HRB 724364
Phone/Fax 0731 40 34 66-36/-35 | VAT ID no.: DE268653243