package: x2gobroker-ssh
version: 0.0.4.0-0~972~ubuntu16.04.1
priority: bug

Using the ssh broker is great because it adds the ability for the x2goclient to 
interact with the auth mechanism such as PAM so that you get notified that you 
need to renew a password for example.
This is great but it doesn't always work well.

For example, the user doesn't get the reason why the access is denied.

Here are different tests I made based on the following setup: x2gobroker in 
ssh mode with local PAM auth based on Samba Winbind/Kerberos.

I tried both situations to compare:
* with the x2goclient in broker-ssh mode
* with a term trying to connect through SSH


1) Account set for password change with temporary password in Active Directory, 
user types wrong password (neither old nor new one)
* with x2goclient: get message "Access denied. Authentication that can 
continue: publickey,password,keyboard-interactive"
* with term: "Your account has been locked. Please contact your System 
administrator. Password: "


2) Account set for password change with temporary password in Active Directory, 
user types good password

* with x2goclient: get a new password form in order to type (and confirm) the 
new password. Resetting password works and you get logged in to the broker with 
the sessions list displayed.
However, if you click on the "cancel" button, x2goclient freezes and must be 
killed, you're not sent back to the login form.
On the other hand, if you change your password and are then logged in, clicking 
on the session slot fails because this is the old password that is relayed to 
the session slot and not the new one. When it fails, you get a new login form 
to enter your password again, if you type the new password there, it works.

* with term: 
    "Password: ******"
    "Password expired.  You must change it now."
    "Enter new password: ******"
    "Enter it again: ******"
If you cancel (ctrl+c), nothing happens and you get back to the prompt.
If you enter the good old password, you're prompted to change it then you're 
logged in.
If you enter the wrong password, you're prompted to retry 2 times then you get 
this message "Your account has been locked. Please contact your System 
administrator" (this is our security policy, this is normal behaviour, 2 fails 
then blocked for 10mn).


3) Account disabled in Active Directory
* with x2goclient: get message "Access denied. Authentication that can 
continue: publickey,password,keyboard-interactive"
* with term: "Your account has been locked. Please contact your System 
administrator. Password: "


Would be great to fix the issues in 2) and would be great to retrieve the error 
message directly from PAM so that we get the reason.

Regards,
Walid Moghrabi

TRAVAUX.COM
BAT I - PARC CEZANNE 2 290 AVENUE GALILEE - CS 80403
13591 AIX EN PROVENCE CEDEX 3