Re: [X2Go-User] Questions regarding features and configuration advice of X2go

2021-12-20 Thread Jörg Kastning

On 20.12.2021 at 17:44, Stefan Baur wrote:
> On 20.12.21 at 16:14, richard lucassen wrote:
>>> In short: forget about it. If you're allowing users SSH access for
>>> X2Go, they WILL be able to copy data. You can make it a little harder
>>> for them if you think you have to, but as long as they are in control
>>> of the client hardware, they will always be able to do so.
>> I have no complete answer to it, but if you use keys instead of
>> user/pass then you will be able to restrict ssh in
>> ~/.ssh/authorized_keys
>>
>> from="1.2.3.4,2.3.4.5,9.8.7.6",no-port-forwarding,command="/path/to/script",no-X11-forwarding,no-agent-forwarding,no-pty
>> ssh-rsa 
>>
>> (all in 1 line)
>>
>> This is an example of what I use here, I think there must be many other
>> options available.
>>
>> see "man authorized_keys"
>
> That's all fine for non-interactive commands or simple scripts. But have
> you tried to use this with X2Go?


That's an interesting question.
@richard: Do you use this config with X2Go? Does it work?

Thanks for your answers so far. I'm aware that there is no such thing as
100% security. I just try to figure out what's possible and what risks
will remain.

In the end it's not my job to decide whether to take the risk or not.
But I would like to know what may be possible to prevent, to advise the
project on this. So I ask in a very early stage of the project so I
won't have to hurry later.


Regards,
Joerg



___
x2go-user mailing list
x2go-user@lists.x2go.org
https://lists.x2go.org/listinfo/x2go-user


[X2Go-User] Failed messages during startup & small session menu

2021-12-20 Thread Olaf
Hi!

The start process from the boot menu to the session menu takes an extremely 
long time, several minutes.
The three graphic points in the middle on a black background suddenly become 
confusing characters, then comes:

Starting User Login Management...
[  OK  ] Finished Hold until boot process finished up.
[  OK  ] Finished Terminate Plymouth Boot Screen.
[FAILED] Failed to start User Login Management.
See 'systemctl status systemd-logind.service' for details.
[FAILED] Failed to start User Login Management.
[FAILED] Failed to start Load Kernel Module drm.
[FAILED] Failed to start User Login Management.
[FAILED] Failed to start Load Kernel Module drm.
[FAILED] Failed to start User Login Management.


After that

Debian GNU/Linux 11 x2gothinclient tty1
x2gothinclient login:


After that ultimately, the session menu appears graphically correct in
the upper left corner, but much too small, as if the screen size was
not recognized. Or is there somewhere a setting option for the size?

If you select a session, the session will be opened correctly in full
screen.

The termination (shutdown) of the session also takes a lot of time, until the 
small session menu.

What can be the reason?

Greetings,
Olaf

(Tested in the preview window of vmware esxi client and locally with a real 
client.)


Re: [X2Go-User] Questions regarding features and configuration advice of X2go

2021-12-20 Thread richard lucassen
On Mon, 20 Dec 2021 17:44:06 +0100
Stefan Baur wrote:

> > see "man authorized_keys"
> 
> That's all fine for non-interactive commands or simple scripts. But
> have you tried to use this with X2Go?

No need for it, and for x2go I'm the only (happy) user :-)


-- 
richard lucassen
http://contact.xaq.nl/


Re: [X2Go-User] Questions regarding features and configuration advice of X2go

2021-12-20 Thread Stefan Baur
On 20.12.21 at 16:14, richard lucassen wrote:
>> In short: forget about it. If you're allowing users SSH access for
>> X2Go, they WILL be able to copy data. You can make it a little harder
>> for them if you think you have to, but as long as they are in control
>> of the client hardware, they will always be able to do so.
> I have no complete answer to it, but if you use keys instead of
> user/pass then you will be able to restrict ssh in
> ~/.ssh/authorized_keys
> 
> from="1.2.3.4,2.3.4.5,9.8.7.6",no-port-forwarding,command="/path/to/script",no-X11-forwarding,no-agent-forwarding,no-pty
> ssh-rsa 
> 
> (all in 1 line)
> 
> This is an example of what I use here, I think there must be many other
> options available.
> 
> see "man authorized_keys"

That's all fine for non-interactive commands or simple scripts. But have
you tried to use this with X2Go?

Even with commandline-only tools like vim or mc, this becomes a royal
PITA (and yes, I know about rvim).

-Stefan

-- 
BAUR-ITCS UG (haftungsbeschränkt)
Geschäftsführer: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364
Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243


Re: [X2Go-User] Questions regarding features and configuration advice of X2go

2021-12-20 Thread richard lucassen
On Mon, 20 Dec 2021 16:53:44 +0100
Ulrich Sibiller wrote:

> > I have no complete answer to it, but if you use keys instead of
> > user/pass then you will be able to restrict ssh in
> > ~/.ssh/authorized_keys
> >
> > from="1.2.3.4,2.3.4.5,9.8.7.6",no-port-forwarding,command="/path/to/script",no-X11-forwarding,no-agent-forwarding,no-pty
> > ssh-rsa 
> >
> > (all in 1 line)
> >
> > This is an example of what I use here, I think there must be many
> > other options available.
> 
> Although I only have used it with keys so far it seems not to be
> restricted to keys only, see man sshd_config:
>
>  ForceCommand
>      Forces the execution of the command specified by ForceCommand,
>      ignoring any command supplied by the client and ~/.ssh/rc if
>      present.  The command is invoked by using the user's login shell
>      with the -c option.  This applies to shell, command, or subsystem
>      execution.  It is most useful inside a Match block.  The command
>      originally supplied by the client is available in the
>      SSH_ORIGINAL_COMMAND environment variable.  Specifying a command
>      of internal-sftp will force the use of an in-process SFTP server
>      that requires no support files when used with ChrootDirectory.
>      The default is none.

Ok, thnx Uli for pointing this out. I'm not an authorized_keys
expert ;-)

R.

-- 
richard lucassen
http://contact.xaq.nl/


Re: [X2Go-User] Questions regarding features and configuration advice of X2go

2021-12-20 Thread Ulrich Sibiller
On Mon, Dec 20, 2021 at 4:14 PM richard lucassen wrote:
>
> On Mon, 20 Dec 2021 12:15:01 +0100
> Stefan Baur wrote:
>
> > In short: forget about it. If you're allowing users SSH access for
> > X2Go, they WILL be able to copy data. You can make it a little harder
> > for them if you think you have to, but as long as they are in control
> > of the client hardware, they will always be able to do so.
>
> I have no complete answer to it, but if you use keys instead of
> user/pass then you will be able to restrict ssh in
> ~/.ssh/authorized_keys
>
> from="1.2.3.4,2.3.4.5,9.8.7.6",no-port-forwarding,command="/path/to/script",no-X11-forwarding,no-agent-forwarding,no-pty
> ssh-rsa 
>
> (all in 1 line)
>
> This is an example of what I use here, I think there must be many other
> options available.

Although I only have used it with keys so far it seems not to be
restricted to keys only, see man sshd_config:

 ForceCommand
     Forces the execution of the command specified by ForceCommand,
     ignoring any command supplied by the client and ~/.ssh/rc if
     present.  The command is invoked by using the user's login shell
     with the -c option.  This applies to shell, command, or subsystem
     execution.  It is most useful inside a Match block.  The command
     originally supplied by the client is available in the
     SSH_ORIGINAL_COMMAND environment variable.  Specifying a command
     of internal-sftp will force the use of an in-process SFTP server
     that requires no support files when used with ChrootDirectory.
     The default is none.

Uli


Re: [X2Go-User] Questions regarding features and configuration advice of X2go

2021-12-20 Thread richard lucassen
On Mon, 20 Dec 2021 12:15:01 +0100
Stefan Baur wrote:

> In short: forget about it. If you're allowing users SSH access for
> X2Go, they WILL be able to copy data. You can make it a little harder
> for them if you think you have to, but as long as they are in control
> of the client hardware, they will always be able to do so.

I have no complete answer to it, but if you use keys instead of
user/pass then you will be able to restrict ssh in
~/.ssh/authorized_keys

from="1.2.3.4,2.3.4.5,9.8.7.6",no-port-forwarding,command="/path/to/script",no-X11-forwarding,no-agent-forwarding,no-pty
ssh-rsa 

(all in 1 line)

This is an example of what I use here, I think there must be many other
options available.

see "man authorized_keys"

HTH

R.

-- 
richard lucassen
http://contact.xaq.nl/


Re: [X2Go-User] Questions regarding features and configuration advice of X2go

2021-12-20 Thread Ulrich Sibiller
On Mon, Dec 20, 2021 at 12:08 PM Jörg Kastning wrote:
>
> Dear X2go users,
>
> I'm trying to figure out whether X2go is a fitting solution for our
> project or not.
>
> Users should get remote access to a host to execute applications in a
> graphical environment. These users must not be able to transfer any data
> or files to or from the target host.
>
> Question 1: Is there a way to deactivate the clipboard or any
> drag'n'drop feature in x2go-server to prevent users from transferring data?

You can disable clipboard for one or both directions. Drag and drop is
not supported by x2go, so this is not an issue.
You can also disable file transfer and printer support.
Of course you cannot prevent screenshots or similar approaches.

> Question 2: The documentation (at URL
> https://wiki.x2go.org/doku.php/doc:newtox2go#installation_and_use)
> mentions that the SSH server handles the X2go connections. Are there
> example configs that restrict SSH access to X2go but prevent users from
> transferring data via tools like scp or rsync?

This can be close to impossible as there are various ways to transfer
files. Disabling or restricting stuff makes it more difficult but
never impossible. So in the end it depends on your users' abilities...

I am not aware of any x2go specific examples, but basically you have
to check what commands are started from the client and restrict ssh
access to those by forcing ssh to always run a checker script instead
of the command that the client sends (read about ForceCommand e.g.
here 
https://serverfault.com/questions/749474/ssh-authorized-keys-command-option-multiple-commands).
You have to prepare for several rounds of trial and error to catch all
command variations the client might send. I have done this in the past
on various occasions but never tried for x2go.

Please note that if the user can run arbitrary commands on the server
you will probably never reach 100% security. E.g. you also need to
prevent the users from opening tunnels and from connecting back to the
client using the server side ssh. Also things like running an own
server (e.g. nc) must be restricted, too. Or if the server has
internet access data can be routed via some third-party server... the
list is endless.

Uli
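
A checker script of the kind described above, as an added example that is not part of the original post or of X2Go. The names in `ALLOWED`, the `--enforce` argument and the `ssh-checker` log tag are constructed placeholders; the log line is there to collect what the client really sends during the trial-and-error rounds.

```shell
#!/bin/sh
# Added example: checker script for command="..." or ForceCommand.
# ALLOWED holds constructed placeholder names, one per line. Replace them
# with the commands logged from your own client during the audit rounds.
LC_ALL=C; export LC_ALL
ALLOWED='example-list-sessions
example-start-session
example-resume-session'

# Return 0 only if $1 is one allowlisted command followed by plain arguments.
is_allowed() {
    cmd=$1
    # An empty request means the client asked for an interactive shell.
    [ -n "$cmd" ] || return 1
    # Character allowlist: anything outside it (; | & $ ` < > quotes, globs,
    # newlines, tabs) is refused, so an allowed name cannot be chained.
    case $cmd in
        *[!A-Za-z0-9\ _./:=,@+-]*) return 1 ;;
    esac
    # The first word must equal an allowlist entry exactly (no prefix match).
    first=${cmd%% *}
    [ -n "$first" ] || return 1
    printf '%s\n' "$ALLOWED" | grep -Fqx -- "$first"
}

# Forced-command entry point: log every request, run only allowed ones.
enforce() {
    request=${SSH_ORIGINAL_COMMAND:-}
    logger -t ssh-checker -- "user=${USER:-unknown} request=${request:-<shell>}"
    if is_allowed "$request"; then
        set -f          # no globbing; splitting on spaces only is intended
        exec $request
    fi
    echo "command not permitted" >&2
    exit 1
}

# Runs only when installed as: command="/path/to/script --enforce"
if [ "${1:-}" = "--enforce" ]; then
    enforce
fi
```

This constrains only what is started over the SSH command channel; the forwarding options from the authorized_keys line quoted elsewhere in this thread and the other channels named in the thread are separate controls.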


Re: [X2Go-User] Questions regarding features and configuration advice of X2go

2021-12-20 Thread Stefan Baur
Joerg,

In short: forget about it. If you're allowing users SSH access for X2Go,
they WILL be able to copy data. You can make it a little harder for them
if you think you have to, but as long as they are in control of the
client hardware, they will always be able to do so.

X2Go is great to stop accidental copying when properly configured, but
intentional copying - no.

Also, remember that keyboard input can be scripted and redirected to a
file on the server, and screenshots can be OCR'ed on a client, or people
can convert your data into QR codes on the server and screenshot and
scan those.

So even if you'd use VNC and disable the clipboard there, you'd still
not be safe from intentional copying.

Decades ago, in a lawsuit, a judge defined a computer as "a machine to
copy ones and zeroes", and to be honest, that's what it does. If you
want to try to stop it from doing that, good luck.

-Stefan

On 20.12.21 at 12:08, Jörg Kastning wrote:
> Dear X2go users,
> 
> I'm trying to figure out whether X2go is a fitting solution for our
> project or not.
> 
> Users should get remote access to a host to execute applications in a
> graphical environment. These users must not be able to transfer any data
> or files to or from the target host.
> 
> Question 1: Is there a way to deactivate the clipboard or any
> drag'n'drop feature in x2go-server to prevent users from transferring data?
> 
> Question 2: The documentation (at URL
> https://wiki.x2go.org/doku.php/doc:newtox2go#installation_and_use)
> mentions that the SSH server handles the X2go connections. Are there
> example configs that restrict SSH access to X2go but prevent users from
> transferring data via tools like scp or rsync?
> 
> Thank you in advance for your replies.
> 
> Regards,
> Joerg
> 

-- 
BAUR-ITCS UG (haftungsbeschränkt)
Geschäftsführer: Stefan Baur
Eichenäckerweg 10, 89081 Ulm | Registergericht Ulm, HRB 724364
Fon/Fax 0731 40 34 66-36/-35 | USt-IdNr.: DE268653243


[X2Go-User] Questions regarding features and configuration advice of X2go

2021-12-20 Thread Jörg Kastning

Dear X2go users,

I'm trying to figure out whether X2go is a fitting solution for our 
project or not.


Users should get remote access to a host to execute applications in a 
graphical environment. These users must not be able to transfer any data 
or files to or from the target host.


Question 1: Is there a way to deactivate the clipboard or any 
drag'n'drop feature in x2go-server to prevent users from transferring data?


Question 2: The documentation (at URL 
https://wiki.x2go.org/doku.php/doc:newtox2go#installation_and_use) 
mentions that the SSH server handles the X2go connections. Are there
example configs that restrict SSH access to X2go but prevent users from 
transferring data via tools like scp or rsync?


Thank you in advance for your replies.

Regards,
Joerg

