Re: [X2Go-User] configure x2go for servers inside a network with PaloAltoNetworking firewalls

2020-04-02 Thread Richard Beare
Very helpful. Thank you everyone.

Richard Beare

Team Leader (Computational Methods Group)
Developmental Imaging

Murdoch Children's Research Institute
The Royal Children's Hospital
Flemington Road Parkville Victoria 3052 Australia
T 8341 6403
E richard.be...@mcri.edu.au
www.mcri.edu.au
Developmental Imaging Software



Disclaimer

This e-mail and any attachments to it (the "Communication") are, unless 
otherwise stated, confidential, may contain copyright material and is for the 
use only of the intended recipient. If you receive the Communication in error, 
please notify the sender immediately by return e-mail, delete the Communication 
and the return e-mail, and do not read, copy, retransmit or otherwise deal with 
it. Any views expressed in the Communication are those of the individual sender 
only, unless expressly stated to be those of Murdoch Children’s Research 
Institute (MCRI) ABN 21 006 566 972 or any of its related entities. MCRI does 
not accept liability in connection with the integrity of or errors in the 
Communication, computer virus, data corruption, interference or delay arising 
from or in respect of the Communication.
___
x2go-user mailing list
x2go-user@lists.x2go.org
https://lists.x2go.org/listinfo/x2go-user


Re: [X2Go-User] configure x2go for servers inside a network with PaloAltoNetworking firewalls

2020-04-02 Thread Ulrich Sibiller
I have once researched all the compression options. You can read the
results here: https://github.com/ArcticaProject/nx-libs/issues/802
There's another compression type "lossless" which cannot be selected
in the gui but will auto-select one of the lossless compression
settings.

This has not been integrated into nx to this date but eventually will.

Uli

On Thu, Apr 2, 2020 at 10:08 AM Stefan Baur wrote:
>
> On 02.04.20 at 09:30, Richard Beare wrote:
> > I forgot to check - is there a "lossless update" button anywhere, like 
> > turbovnc?
>
> No, there's no such button.  You need to select an image format that is
> lossless.  Session configuration, Connection tab, Compression Method.
> "nopack" and "PNG" with "Image Quality: 9" *should* be safe, but please
> research this yourself.  You could try an image that you know has fine
> details, and view it via a regular ssh -X connection, then view it via
> X2Go and compare the results.
>
> Or, you could make it a habit to double-check every important step/final
> result by saving the image on the server side, then transferring it to
> the client with X2Go's built-in filesharing option, and looking at it
> again with an image viewer running on the client.
>
> Kind Regards,
> Stefan Baur


Re: [X2Go-User] configure x2go for servers inside a network with PaloAltoNetworking firewalls

2020-04-02 Thread Stefan Baur
On 02.04.20 at 09:30, Richard Beare wrote:
> I forgot to check - is there a "lossless update" button anywhere, like 
> turbovnc?

No, there's no such button.  You need to select an image format that is
lossless.  Session configuration, Connection tab, Compression Method.
"nopack" and "PNG" with "Image Quality: 9" *should* be safe, but please
research this yourself.  You could try an image that you know has fine
details, and view it via a regular ssh -X connection, then view it via
X2Go and compare the results.

Or, you could make it a habit to double-check every important step/final
result by saving the image on the server side, then transferring it to
the client with X2Go's built-in filesharing option, and looking at it
again with an image viewer running on the client.

Kind Regards,
Stefan Baur

-- 
BAUR-ITCS UG (haftungsbeschränkt)
Geschäftsführer: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364
Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243
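
A way to automate the comparison suggested in this message, as an added example that is not part of the original thread or of X2Go: it assumes a capture of the same window has been saved from the reference session (ssh -X) and from the X2Go session as binary PPM (P6) files, and reports whether every pixel matches. The function names and the sample images are constructed for illustration.

```python
def read_ppm(data):
    """Parse a binary PPM (P6, maxval 255) into (width, height, pixel_bytes)."""
    tokens, pos = [], 0
    while len(tokens) < 4:
        while data[pos:pos + 1].isspace():
            pos += 1
        if data[pos:pos + 1] == b"#":          # header comment runs to end of line
            pos = data.index(b"\n", pos) + 1
            continue
        end = pos
        while end < len(data) and not data[end:end + 1].isspace():
            end += 1
        tokens.append(data[pos:end])
        pos = end
    magic, width, height, maxval = tokens[0], int(tokens[1]), int(tokens[2]), int(tokens[3])
    if magic != b"P6" or maxval != 255:
        raise ValueError("expected binary PPM (P6) with maxval 255")
    pixels = data[pos + 1:]                     # one whitespace byte ends the header
    if len(pixels) != width * height * 3:
        raise ValueError("pixel data does not match the header dimensions")
    return width, height, pixels


def compare_captures(reference, candidate):
    """Compare two captures of the same window, pixel by pixel."""
    rw, rh, ref = read_ppm(reference)
    cw, ch, cand = read_ppm(candidate)
    if (rw, rh) != (cw, ch):
        raise ValueError("captures have different dimensions")
    differing, max_delta = 0, 0
    for i in range(0, len(ref), 3):
        delta = max(abs(ref[i + k] - cand[i + k]) for k in range(3))
        if delta:
            differing += 1
            max_delta = max(max_delta, delta)
    return {"differing_pixels": differing, "max_channel_delta": max_delta,
            "lossless": differing == 0}


def make_ppm(width, height, rgb_values):
    """Build a tiny P6 image for the constructed samples below."""
    return b"P6\n%d %d\n255\n" % (width, height) + bytes(rgb_values)


# Constructed 2x2 samples: a reference, an exact copy, and a copy in which one
# channel of one pixel is off by 3, the kind of small shift lossy coding causes.
REFERENCE = make_ppm(2, 2, [10, 20, 30, 200, 200, 200, 0, 0, 0, 255, 128, 64])
EXACT = make_ppm(2, 2, [10, 20, 30, 200, 200, 200, 0, 0, 0, 255, 128, 64])
SHIFTED = make_ppm(2, 2, [10, 20, 30, 200, 203, 200, 0, 0, 0, 255, 128, 64])

if __name__ == "__main__":
    print(compare_captures(REFERENCE, EXACT))
    print(compare_captures(REFERENCE, SHIFTED))
```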


Re: [X2Go-User] configure x2go for servers inside a network with PaloAltoNetworking firewalls

2020-04-02 Thread Stefan Baur
On 02.04.20 at 09:20, Richard Beare wrote:
> Hi,
> Thanks for the reply.
> 
> My suspicion is that the kex err is due to the PaloAltoNetworks stuff. If I 
> log into the remote workstation:
> 
> sshd -T
> 
> kexalgorithms curve25519-sha256,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1
> 
> I guess the only fix will be extra kex options in libssh...

If I were you, I would talk to the folks that set up this
PaloAltoNetworks device.  To me, it looks like it should be
upgraded/reconfigured so it speaks the same kex algorithms as your
workstation.


> Thanks for the tip on the proxy. If I create tunnel from localhost: => 
> remote host sshd port, and configure the x2goclient to find the ssh proxy at 
> localhost:, then it appears to work, and hopefully that is one less 
> encryption layer.

No. The layers remain.  Once done right, you're just saving yourself the
trouble of having to start the tunnel manually.  But, again, your actual
issue is something else.


Kind Regards,
Stefan Baur

-- 
BAUR-ITCS UG (haftungsbeschränkt)
Geschäftsführer: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364
Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243
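
The comparison discussed in this message, as an added example that is not part of the original thread or of X2Go/libssh: it parses the kex error text and the `sshd -T` output quoted above and applies the basic SSH rule that the first client algorithm also on the server's list is chosen (simplified from RFC 4253; the host-key conditions are ignored). The sample strings are constructed from the thread with the archive-obfuscated list entry left out, and the function names are hypothetical.

```python
import re

# Constructed from the messages in this thread. The list entry that the archive
# obfuscated like an e-mail address is left out rather than guessed.
KEX_ERROR = (
    "kex error : no match for method kex algos: server "
    "[diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1], "
    "client [ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
    "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]"
)
SSHD_T = (
    "port 22\n"
    "kexalgorithms curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,"
    "ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,"
    "diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,"
    "diffie-hellman-group14-sha256,diffie-hellman-group14-sha1\n"
)


def parse_kex_error(message):
    """Return (server_offer, client_offer) from a 'no match' kex error."""
    m = re.search(r"server\s*\[([^\]]*)\],\s*client\s*\[([^\]]*)\]", message)
    if not m:
        raise ValueError("not a kex 'no match' error")
    return tuple([a.strip() for a in g.split(",") if a.strip()] for g in m.groups())


def parse_sshd_t(output):
    """Return the kexalgorithms list from 'sshd -T' output."""
    for line in output.splitlines():
        key, _, value = line.strip().partition(" ")
        if key.lower() == "kexalgorithms":
            return [a for a in value.strip().split(",") if a]
    raise ValueError("no kexalgorithms line found")


def negotiate(client, server):
    """First client algorithm the server also lists (simplified RFC 4253 rule)."""
    return next((alg for alg in client if alg in server), None)


def diagnose(kex_error, sshd_t_output):
    """Compare what the client was offered with what sshd is configured to offer."""
    peer_offer, client_offer = parse_kex_error(kex_error)
    configured = parse_sshd_t(sshd_t_output)
    return {
        "with_peer": negotiate(client_offer, peer_offer),
        "with_sshd": negotiate(client_offer, configured),
        # Algorithms the peer offered that sshd is not configured to offer.
        "peer_only": [a for a in peer_offer if a not in configured],
        # Algorithms sshd would offer that the peer did not.
        "sshd_only": [a for a in configured if a not in peer_offer],
    }


if __name__ == "__main__":
    report = diagnose(KEX_ERROR, SSHD_T)
    for key, value in report.items():
        print(f"{key}: {value}")
    if report["with_peer"] is None and report["with_sshd"]:
        print("The offer the client saw is not the one this sshd is configured to make.")
```

A non-empty `peer_only` list together with a successful `with_sshd` result points at whatever answered the connection, not at the workstation's sshd_config.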


Re: [X2Go-User] configure x2go for servers inside a network with PaloAltoNetworking firewalls

2020-04-02 Thread Richard Beare
I forgot to check - is there a "lossless update" button anywhere, like turbovnc?

Richard Beare

Team Leader (Computational Methods Group)
Developmental Imaging

Murdoch Children's Research Institute
The Royal Children's Hospital
Flemington Road Parkville Victoria 3052 Australia
T 8341 6403
E richard.be...@mcri.edu.au
www.mcri.edu.au
Developmental Imaging Software




Re: [X2Go-User] configure x2go for servers inside a network with PaloAltoNetworking firewalls

2020-04-02 Thread Richard Beare
Hi,
Thanks for the reply.

My suspicion is that the kex err is due to the PaloAltoNetworks stuff. If I log 
into the remote workstation:

sshd -T

kexalgorithms curve25519-sha256,curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1

I guess the only fix will be extra kex options in libssh...

Thanks for the tip on the proxy. If I create tunnel from localhost: => 
remote host sshd port, and configure the x2goclient to find the ssh proxy at 
localhost:, then it appears to work, and hopefully that is one less 
encryption layer.

Thanks for the reminder on image compression. I will pass that on!



Richard Beare

Team Leader (Computational Methods Group)
Developmental Imaging

Murdoch Children's Research Institute
The Royal Children's Hospital
Flemington Road Parkville Victoria 3052 Australia
T 8341 6403
E richard.be...@mcri.edu.au
www.mcri.edu.au
Developmental Imaging Software



Re: [X2Go-User] configure x2go for servers inside a network with PaloAltoNetworking firewalls

2020-04-02 Thread Stefan Baur
On 02.04.20 at 01:56, Richard Beare wrote:
> Apologies - accidentally sent before completing
> Hi,
> I have a working installation of x2go, but there is some ugliness about the 
> setup that I'd like to reduce. Any advice welcome.
> 
> Here's how it looks at the moment.
> 
> 1) vpn connection to the institute.
> 2) ssh tunnel to the workstation from the laptop
> 3) x2go connected to the local tunnel port
> 
> This works, but we now have 3 layers of encryption.
> 
> The reason for not pointing x2go directly at the workstation is the use of 
> PaloAltoNetworking appliances within the institution. These do a 
> man-in-the-middle break of ssh connections and lead to the following error 
> from x2go:
> 
> kex error : no match for method kex algos: server 
> [diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1], 
> client 
> [curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
> 
> A direct ssh login works, but always falls back to a password.
> 
> 
> Is there any configuration option possible to have x2go/libssh handle the 
> setup in the same way that regular ssh does?

Yes.  That's what the "Use Proxy Server for SSH Connection" checkbox in
the session configuration is for.

Though I'm not quite sure why you're getting the kex error one way, but
not the other.  That's the actual issue you should be trying to fix.
You probably need a line "KexAlgorithms" in your server's
/etc/ssh/sshd_config, where "KexAlgorithms" is followed by at least one
of the algorithm names listed after "client" in your error message above.

After changing that, you need to restart sshd - note that running
sessions will not be killed by the usual restart methods, but, if you're
trying to change this via a ssh connection, be sure to have several SSH
sessions open, so you have a spare session to fix things if you make a
typo or other mistake.

Also, since your signature says:

> Team Leader (Computational Methods Group)
> Developmental Imaging

I would like to add our usual disclaimer/warning:

X2Go does have options for image compression, like using JPG and/or PNG.
Not all image compression algorithms are lossless, and thus there may be
artifacts in the images (i.e. the image displayed through X2Go may look
slightly different than what it would look like on a regular X-Server
screen), depending on which algorithm and which compression level you
choose.

If you're using fMRI/X-Ray/Mammography/… images or similar medical
imaging displayed through X2Go for clinical purposes (deciding whether a
certain patient requires a surgery etc.), you should absolutely make
sure that you're using a lossless compression or no compression at all,
or else you might be seeing things that aren't actually there, or
missing things that are there.

Kind Regards,
Stefan Baur

-- 
BAUR-ITCS UG (haftungsbeschränkt)
Geschäftsführer: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364
Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243