[Bug 1037296] Re: [MIR] remote-login-service
Hi,

please note bug #1172318 [1] when looking at remote-login-service.

Currently, only uccs.landscape.canonical.com can be used as UCCS server. Other UCCS implementations (like [2]) will not be configurable through /etc/remote-login-service.conf atm.

Thanks for looking at this,
Mike

[1] https://bugs.launchpad.net/remote-login-service/+bug/1172318
[2] http://code.x2go.org/gitweb?p=x2gobroker.git;a=blob;f=x2gobroker/web/uccs.py

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1037296

Title:
  [MIR] remote-login-service

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/remote-login-service/+bug/1037296/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1037296] Re: [MIR] remote-login-service
Override component to main
remote-login-service 0.5.0-0ubuntu1 in quantal: universe/misc -> main
remote-login-service 0.5.0-0ubuntu1 in quantal amd64: universe/misc/extra -> main
remote-login-service 0.5.0-0ubuntu1 in quantal armel: universe/misc/extra -> main
remote-login-service 0.5.0-0ubuntu1 in quantal armhf: universe/misc/extra -> main
remote-login-service 0.5.0-0ubuntu1 in quantal i386: universe/misc/extra -> main
remote-login-service 0.5.0-0ubuntu1 in quantal powerpc: universe/misc/extra -> main
6 publications overridden.

** Changed in: remote-login-service (Ubuntu)
       Status: Fix Committed => Fix Released

Re: [Bug 1037296] Re: [MIR] remote-login-service
Thank you for the review!

On Tue, 2012-08-28 at 22:13 +, Jamie Strandboge wrote:
> It's difficult to audit things when they are only partially implemented, or in this case, partially working in the archive. All this with little documentation. On top of that I was fiddling with an account on uccs.landscape.canonical.com and now it only returns 503. If people would like a meaningful review, high-level design documents and documentation on how to set things up should be provided.
>
> I was able to muddle my way through some low-level stuff to test UCCS, so I won't block on this anymore, so here is my cursory high-level review:

Just as an FYI if you're still interested there is a system diagram and message sequence chart of how things fit together in the documentation directory:

http://bazaar.launchpad.net/~remote-login-service-team/remote-login-service/trunk/files/head:/docs/

But it sounds like you figured it all out.

[Bug 1037296] Re: [MIR] remote-login-service
It's difficult to audit things when they are only partially implemented, or in this case, partially working in the archive. All this with little documentation. On top of that I was fiddling with an account on uccs.landscape.canonical.com and now it only returns 503. If people would like a meaningful review, high-level design documents and documentation on how to set things up should be provided.

I was able to muddle my way through some low-level stuff to test UCCS, so I won't block on this anymore, so here is my cursory high-level review:

 * remote-login-service/remote-login-service should be compiled with PIE and all hardening options
 * lintian clean, no initscripts/upstart jobs, dbus system services, setuid, fscaps, sudo usage or privileged command usage (sudo,su,pkexec)

log file has some failures:

  ** (/PKGBUILDDIR/tests/server-test:4005): CRITICAL **: citrix_server_new_from_keyfile: assertion `keyfile != NULL' failed
  ** (/PKGBUILDDIR/tests/server-test:4005): CRITICAL **: citrix_server_new_from_keyfile: assertion `name != NULL' failed
  ** (/PKGBUILDDIR/tests/server-test:4005): CRITICAL **: rdp_server_new_from_keyfile: assertion `keyfile != NULL' failed
  ** (/PKGBUILDDIR/tests/server-test:4005): CRITICAL **: rdp_server_new_from_keyfile: assertion `name != NULL' failed
  ** (/PKGBUILDDIR/tests/server-test:4005): CRITICAL **: uccs_server_new_from_keyfile: assertion `keyfile != NULL' failed
  ** (/PKGBUILDDIR/tests/server-test:4005): CRITICAL **: uccs_server_new_from_keyfile: assertion `name != NULL' failed
  ** (remote-login-service:4024): ERROR **: Unable to get name 'com.canonical.RemoteLogin'
  ** (remote-login-service:4060): ERROR **: Unable to get name 'com.canonical.RemoteLogin'
  ** (remote-login-service:4075): ERROR **: Unable to get name 'com.canonical.RemoteLogin'
  ** (remote-login-service:4149): ERROR **: Unable to get name 'com.canonical.RemoteLogin'
  ** (remote-login-service:4164): ERROR **: Unable to get name 'com.canonical.RemoteLogin'

These happen in tests that show they are passing, which is a bit confusing.

 * high-level code inspection seems fine

There is a dbus session service which holds the list of servers. It is pretty careful about locking/unlocking so you have to provide a credential to see anything. I tried launching this under my own user (as opposed to lightdm) and was able to call methods, etc, but it doesn't appear that I could expose information from another user. That said, I didn't have a working setup so I couldn't poke at this very hard.

For UCCS, it does make connections to the network via a separate program, 'thin-client-config-agent' and all I could find suggests this will be over https (good). I verify via packet analysis that only https is being used with UCCS/thin-client-config-agent. This is good, but the secure connection is only as good as the Exec line in /etc/remote-login-service.conf.

Trying to use GetServersForLogin:

  ** (remote-login-service:8847): WARNING **: Unable to start UCCS process: Failed to execute child process thin-client-config-agent (No such file or directory)

I had to add to /etc/remote-login-service.conf:

  [Remote Login Service]
  UCCSServers=Canonical

  [UCCS Server Canonical]
  Name=Remote Login
  URI=https://uccs.landscape.canonical.com/
  Exec=/usr/bin/thin-client-config-agent

After this I communicated with the DBus interface using d-feet and was pleased to see authentication/locking appearing to work:

  p11-kit: duplicate configured module: gnome-keyring.module: /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
  Certificate verification failed
  ** (remote-login-service:9409): WARNING **: Address ':1.1' is not authorized

Performing a MITM on remote-login-service, I saw that it is verifying certificates:

  p11-kit: duplicate configured module: gnome-keyring.module: /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so
  Certificate verification failed
  ** (remote-login-service:9409): WARNING **: Address ':1.1' is not authorized

While the code is very new it is written by Canonical so I don't have any concerns on its maintenance.

ACK.

** Changed in: remote-login-service (Ubuntu)
       Status: New => Fix Committed

** Changed in: remote-login-service (Ubuntu)
     Assignee: Jamie Strandboge (jdstrand) => (unassigned)

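Added example, not part of the original message and not code from remote-login-service: a small audit of the configuration layout quoted in the review above, checking that each UCCS server uses an https URI and that its Exec helper is an absolute, root-owned, non-writable path. It assumes UCCSServers is a ';'-separated keyfile list and that Exec holds a single path without arguments; the function names and the sample text are constructed for illustration.

```python
import configparser
import os
import stat
from urllib.parse import urlsplit

# Constructed sample, in the layout quoted in the review above.
SAMPLE_CONF = """\
[Remote Login Service]
UCCSServers=Canonical

[UCCS Server Canonical]
Name=Remote Login
URI=https://uccs.landscape.canonical.com/
Exec=/usr/bin/thin-client-config-agent
"""

def exec_findings(path, stat_fn):
    """Problems with the helper named on an Exec line (assumed: one path, no args)."""
    if not os.path.isabs(path):
        return [f"Exec '{path}' is not an absolute path"]
    try:
        st = stat_fn(path)
    except OSError:
        return [f"Exec '{path}' does not exist"]
    out = []
    if st.st_uid != 0:
        out.append(f"Exec '{path}' is not owned by root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        out.append(f"Exec '{path}' is group- or world-writable")
    return out

def audit(conf_text, stat_fn=os.stat):
    """Return a list of findings; an empty list means nothing was flagged."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: keyfile keys are case-sensitive
    cp.read_string(conf_text)
    findings = []
    names = cp.get("Remote Login Service", "UCCSServers", fallback="")
    for name in filter(None, (n.strip() for n in names.split(";"))):
        section = f"UCCS Server {name}"
        if not cp.has_section(section):
            findings.append(f"[{section}] is missing")
            continue
        uri = urlsplit(cp.get(section, "URI", fallback=""))
        if uri.scheme != "https" or not uri.hostname:
            findings.append(f"[{section}] URI is not an https URL")
        exe = cp.get(section, "Exec", fallback="")
        findings += [f"[{section}] {f}" for f in exec_findings(exe, stat_fn)]
    return findings
```
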
[Bug 1037296] Re: [MIR] remote-login-service
Based on Michael's MIR review, marking Fix Committed. Please feel free to seed or add a dependency/recommends of something in main.

** Changed in: remote-login-service (Ubuntu)
       Status: Fix Committed => New

[Bug 1037296] Re: [MIR] remote-login-service
** Changed in: remote-login-service (Ubuntu)
       Status: New => Fix Committed

[Bug 1037296] Re: [MIR] remote-login-service
With latest upload of 0.3.0, my concerns are met (unit test is enabled, and helper script dropped). All that remains is a security pass by the security team.

** Changed in: remote-login-service (Ubuntu)
       Status: Incomplete => New

[Bug 1037296] Re: [MIR] remote-login-service
** Changed in: remote-login-service (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => Jamie Strandboge (jdstrand)

[Bug 1037296] Re: [MIR] remote-login-service
This branch should fix the test suite and remove a security issue with the helper-script. It is being reviewed.

https://code.launchpad.net/~ted/remote-login-service/async-command-line/+merge/120044

[Bug 1037296] Re: [MIR] remote-login-service
Blockers:
 * Should have test suite enabled.

Questions:
 * What's the story with passing a password over dbus in the GetServersForLogin call? Seems bad.

Nits:
 * Should have a bug subscriber

Notes:
 * Small, simple package
 * Builds fine
 * Only talks to a remote server in a client capacity and uses JSON libraries to parse it
 * New package
 * All dependencies in main
 * Canonical will maintain

I would approve modulo the test suite issue and password question.

** Changed in: remote-login-service (Ubuntu)
     Assignee: (unassigned) => Ted Gould (ted)

[Bug 1037296] Re: [MIR] remote-login-service
This needs a security review, assigning ubuntu-security.

** Changed in: remote-login-service (Ubuntu)
     Assignee: Ted Gould (ted) => Ubuntu Security Team (ubuntu-security)

[Bug 1037296] Re: [MIR] remote-login-service
** Description changed: - This is a MIR placeholder. + remote-login-service is a new package from Canonical to track remote + servers used for Landscape thin client support. + + I'll keep this description abbreviated, since I'll just do the MIR + myself in verbose fashion.

** Changed in: remote-login-service (Ubuntu)
     Assignee: (unassigned) => Michael Terry (mterry)

[Bug 1037296] Re: [MIR] remote-login-service
I haven't finished looking at this, but it needs its test suite enabled.

** Changed in: remote-login-service (Ubuntu)
       Status: New => Incomplete

** Changed in: remote-login-service (Ubuntu)
     Assignee: Michael Terry (mterry) => (unassigned)