Re: [X2Go-User] Possible to use server SSH key like FreeNX?
On 20.05.2014 13:31, Mike Gabriel wrote:
> Also, on the todo list for X2Go Client we have two-factor
> authentication (password+privkey authentication in sequence).

*ahem* to clarify: two-factor authentication, using a secret key that is password-protected, is already present. If you specify a password-protected key file, X2Go will prompt you for the password to unlock the key.

What's on the to-do list is a smarter solution to handle not having a running SSH agent while also having autologin (but no keyfile) specified in the session. See Bug 489 in the Bugtracker:
http://bugs.x2go.org/cgi-bin/bugreport.cgi?bug=489

-Stefan

___
x2go-user mailing list
x2go-user@lists.x2go.org
http://lists.x2go.org/listinfo/x2go-user
Re: [X2Go-User] Possible to use server SSH key like FreeNX?
Hi Jasmine,

On Mon 19 May 2014 16:32:07 CEST, Jasmine Lognnes wrote:

> Dear readers,
>
> In FreeNX it is possible to change the default SSH key, so in addition to have a valid username+passphrase to the host, the user also needs a SSH key. The SSH key is the same for all users.
>
> Is this also possible in x2go?
>
> Kindest regards,
> Jasmine =)

This is considered to be a feature of X2Go. No common SSH key anymore.

However, you can create such setups with SSH proxy authentication (which would mean that you have double encryption on the connection).

Also, on the todo list for X2Go Client we have two-factor authentication (password+privkey authentication in sequence).

Greets,
Mike
Re: [X2Go-User] Possible to use server SSH key like FreeNX?
> This NX key is/was never used the way you seem to think it is/was used.
> It is *not* a key securing the user's session.

OK. What was then the purpose of it?

> If you want to improve security, using individual SSH keys makes more sense.
> If you're dealing with minimum password requirements - which you can't
> enforce on a keyfile, as far as I know - then maybe you should think
> about using a VPN connection along with regular password authentication.
> VPNs can use shared or individual keys, though again I'd strongly
> recommend using individual ones.

Not a bad idea to require VPN. It should be interesting to see if any latency will be introduced.
Re: [X2Go-User] Possible to use server SSH key like FreeNX?
On 19.05.2014 17:04, Jasmine Lognnes wrote:
>> NoMachine NX/FreeNX uses a special pair of SSH public/private keys
>> during initial session setup. NX ships a default key pair, and you can
>> change that to one you (as the admin) created. This key pair will be the
>> same for all connections to the server.
>
> Yes, that is the one, that I would like to use with X2Go =) Of course
> my own generated one. =)

This NX key is/was never used the way you seem to think it is/was used.
It is *not* a key securing the user's session.

>> This is independent of the user's SSH authentication method (which, in
>> case of X2Go, can be password, an individual SSH key file, or a smartcard).
>>
>> As far as I know - but Mike#1 should be able to make a more qualified
>> statement here - X2Go does not need such an underlying "shared" key pair
>> at all. So, since it is not needed, there's no way or reason to change it.
>
> The reason I would like such shared key is that, if someone should get
> hold of a username and passphrase, then the bad guy still needs the
> shared key file, before the account is compromised.

If you want to improve security, using individual SSH keys makes more sense.
If you're dealing with minimum password requirements - which you can't
enforce on a keyfile, as far as I know - then maybe you should think
about using a VPN connection along with regular password authentication.
VPNs can use shared or individual keys, though again I'd strongly
recommend using individual ones.

-Stefan
Re: [X2Go-User] Possible to use server SSH key like FreeNX?
Dear Stefan,

> NoMachine NX/FreeNX uses a special pair of SSH public/private keys
> during initial session setup. NX ships a default key pair, and you can
> change that to one you (as the admin) created. This key pair will be the
> same for all connections to the server.

Yes, that is the one, that I would like to use with X2Go =) Of course my own generated one. =)

> This is independent of the user's SSH authentication method (which, in
> case of X2Go, can be password, an individual SSH key file, or a smartcard).
>
> As far as I know - but Mike#1 should be able to make a more qualified
> statement here - X2Go does not need such an underlying "shared" key pair
> at all. So, since it is not needed, there's no way or reason to change it.

The reason I would like such shared key is that, if someone should get hold of a username and passphrase, then the bad guy still needs the shared key file, before the account is compromised.

> Using an *individual* SSH key pair for each user instead of simple
> password-based authentication is obviously recommended, but this must be
> done right.
>
> The private key file must be kept secret at all times, not even
> the admin should have a copy - or read access. Some people have the
> "brilliant" idea to store private key files on network shares where
> other people can access them, because they fail to realize that a
> keyfile that hasn't been properly protected is like handing out a
> permanent second key to your home - it doesn't help to change the
> password you used to protect the keyfile, because the original password
> will still work on the copy the attacker has in his hands, and this can
> be brute-forced like a regular password, once the keyfile is in the
> enemy's hands.

I would never do such a thing. But thanks for clearing that out =)

Hugs,
Jasmine =)
Re: [X2Go-User] Possible to use server SSH key like FreeNX?
On 19.05.2014 16:32, Jasmine Lognnes wrote:
> In FreeNX it is possible to change the default SSH key, so in addition
> to have a valid username+passphrase to the host, the user also needs a
> SSH key. The SSH key is the same for all users.
>
> Is this also possible in x2go?

Uh, I think you're either confusing things here or your statement is too vague to figure out what you're actually trying to ask.

NoMachine NX/FreeNX uses a special pair of SSH public/private keys during initial session setup. NX ships a default key pair, and you can change that to one you (as the admin) created. This key pair will be the same for all connections to the server.

This is independent of the user's SSH authentication method (which, in case of X2Go, can be password, an individual SSH key file, or a smartcard).

As far as I know - but Mike#1 should be able to make a more qualified statement here - X2Go does not need such an underlying "shared" key pair at all. So, since it is not needed, there's no way or reason to change it.

Using an *individual* SSH key pair for each user instead of simple password-based authentication is obviously recommended, but this must be done right.

The private key file must be kept secret at all times, not even the admin should have a copy - or read access. Some people have the "brilliant" idea to store private key files on network shares where other people can access them, because they fail to realize that a keyfile that hasn't been properly protected is like handing out a permanent second key to your home - it doesn't help to change the password you used to protect the keyfile, because the original password will still work on the copy the attacker has in his hands, and this can be brute-forced like a regular password, once the keyfile is in the enemy's hands.

-Stefan
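
The two exposures described in the message above (a private key file that other accounts can read, and a key file with no passphrase on it) can be checked for on a client machine. The script below is an added example, not part of the original thread or of X2Go; the function names and the exit-status bitmask are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit SSH private key files. audit_key exit status bitmask:
#   0 = ok, 1 = accessible to group/other, 2 = no passphrase, 4 = not a key

# Succeeds if the key material is encrypted with a passphrase.
key_is_encrypted() {
    # Legacy PEM and PKCS#8 keys announce encryption in their header lines.
    if grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' -- "$1"; then
        return 0
    fi
    # openssh-key-v1 layout: "openssh-key-v1\0", uint32 length, cipher name.
    # The cipher name is "none" when no passphrase is set.
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' -- "$1"; then
        cipher=$(grep -v -e '-----' -- "$1" | tr -d '\r\n' |
            base64 -d 2>/dev/null | dd bs=1 skip=19 count=4 2>/dev/null)
        # An undecodable body is treated as unprotected (conservative).
        [ -n "$cipher" ] && [ "$cipher" != "none" ]
        return
    fi
    return 1
}

audit_key() {
    rc=0
    if ! grep -q 'PRIVATE KEY-----' -- "$1" 2>/dev/null; then
        echo "$1: not a private key file"
        return 4
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$1" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$1: accessible to group/other ($perms); a copy can be attacked offline"
        rc=$((rc | 1))
    fi
    if ! key_is_encrypted "$1"; then
        echo "$1: no passphrase; usable by anyone who obtains the file"
        rc=$((rc | 2))
    fi
    return "$rc"
}

# Audit every file named on the command line, e.g. ~/.ssh/id_*
for f in "$@"; do
    audit_key "$f" || true
done
```

A clean result only says the file is encrypted and private on this machine; it cannot tell whether a copy already exists elsewhere, which is why a key that was ever exposed has to be replaced rather than re-protected.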
[X2Go-User] Possible to use server SSH key like FreeNX?
Dear readers,

In FreeNX it is possible to change the default SSH key, so in addition to have a valid username+passphrase to the host, the user also needs a SSH key. The SSH key is the same for all users.

Is this also possible in x2go?

Kindest regards,
Jasmine =)