A page in your DokuWiki was added or changed. Here are the details:

Date        : 2017/11/20 11:23
Browser     : Mozilla/5.0 (X11; Linux x86_64; rv:52.9) Gecko/20100101 Goanna/3.4 Firefox/52.9 PaleMoon/27.6.0
IP-Address  : 134.3.37.90
Hostname    : HSI-KBW-134-3-37-90.hsi14.kabel-badenwuerttemberg.de
Old Revision: https://wiki.x2go.org/doku.php/doc:howto:tce?rev=1511176409
New Revision: https://wiki.x2go.org/doku.php/doc:howto:tce
Edit Summary: Clarifications, style, copyediting, uniform "Attention" and bold font for security-relevant items
User        : stefanbaur

@@ -742,34 +742,34 @@
   * Options containing 
"tftp|rsync|https|http|ftp://your-http-server-ip-or-dns-here"; should be 
replaced with the proper HTTP, HTTPS, FTP, or, where mentioned as an alternative, TFTP or 
rsync URL for your server. HTTPS is always preferred for security reasons. IP or DNS name 
may be used.
=== These two are mutually exclusive, i.e. never put both of them in the same config ===
   *
''broker-url=ssh:<nowiki>//</nowiki>your-broker-address-here'' - this allows 
you to specify an X2Go Session Broker instead of a sessions file (not limited to an 
ssh-based broker, works with an http-based broker as well)
-   * 
''sessionsurl=https|http|ftp://your-http-server-ip-or-dns-here/x2go-tce/x2go-tce.sessions''
 - use this to specify a sessions file. You need this unless you are using a 
session broker. See below for how to add this file to your HTTP, HTTPS, or FTP 
server.  Note that whoever manages to spoof the server name can inject rogue 
session config files into your ThinClients.  To mitigate this risk, use HTTPS, 
where the attacker would have to spoof both server name and matching 
certificate.
+   * 
''sessionsurl=https|http|ftp://your-http-server-ip-or-dns-here/x2go-tce/x2go-tce.sessions''
 - use this to specify a sessions file. You need this unless you are using a 
session broker. See below for how to add this file to your HTTP, HTTPS, or FTP 
server.  **Attention: Whoever
manages to spoof the server name can inject rogue session config files into 
your ThinClients.**  To mitigate this risk, use HTTPS, where the attacker would 
have to spoof both server name and matching certificate.
=== These are entirely optional ===
-   * ''bg=https|http|ftp://your-http-server-ip-or-dns-here/x2go-tce/x2go-tce-bg.svg'' - 
use this to specify an SVG file to "brand" your X2Go-TCE with. It will replace 
theblue background theme of the login screen. See below for how to add this file to your 
HTTP, HTTPS, or FTP server.  Note that whoever manages to spoof the server name can 
inject rogue images into your ThinClients. To mitigate this risk, use HTTPS, where the 
attacker would have to spoof both server name and matching certificate.
+   * ''bg=https|http|ftp://your-http-server-ip-or-dns-here/x2go-tce/x2go-tce-bg.svg'' - 
use this to specify an SVG file to "brand" your X2Go-TCE with. It will replace 
theblue background theme of the login screen. See below for how to add this
file to your HTTP, HTTPS, or FTP server.  **Attention: Whoever manages to spoof 
the server name can inject rogue images into your ThinClients.** To mitigate 
this risk, use HTTPS, where the attacker would have to spoof both server name 
and matching certificate.
   * ''blank=n|n:n:n'' - Will disable (''blank=0'') or set screensaver timeout. 
Use ''blank=n:n:n'' to set DPMS Standby/Suspend/Off values. Standby value 
equals screensaver timeout value. All values are given in seconds.
-   * 
''branding=https|http|ftp://your-http-server-ip-or-dns-here/x2go-tce/x2go-tce-branding.svg''
 - use this to specify an SVG file to "brand" your X2Go-TCE with. It will 
replace the seal icon in the lower left of the login screen. See below for how to add 
this file to your HTTP, HTTPS, or FTP server.  Note that whoever manages to spoof the 
server name can inject rogue images into your ThinClients. To mitigate this risk, use 
HTTPS, where the attacker would have to spoof both server name and matching
certificate.
-   * ''copysecring'' - this will scan for USB media and fixed disk media (with 
USB media taking precedence) at boot for one or more of the following 
directories: ''config/ssh'', 'ssh', ''.ssh''. Any SSH Secret Keys found there 
will be copied into /home/user/.ssh (in the ramdisk), with proper permissions 
and ownerships for the default user account. This may come in handy when you 
are using SSH Secret Keys on USB media, but need to log in and out of sessions 
often, and don't want to leave the USB media plugged in all the time/don't want 
to have to re-insert it before each session startup. **Note:** This poses a 
security risk when other people are using your thin client afterwards (as they 
will have access to your keys), so be sure to power-cycle the thinclient once 
you are done.
+   * 
''branding=https|http|ftp://your-http-server-ip-or-dns-here/x2go-tce/x2go-tce-branding.svg''
 - use this to specify an SVG file to "brand" your X2Go-TCE with. It will 
replace the seal icon in
the lower left of the login screen. See below for how to add this file to your 
HTTP, HTTPS, or FTP server.  **Attention: Whoever manages to spoof the server 
name can inject rogue images into your ThinClients.**  To mitigate this risk, 
use HTTPS, where the attacker would have to spoof both server name and matching 
certificate.
+   * ''copysecring'' - this will scan for USB media and fixed disk media (with 
USB media taking precedence) at boot for one or more of the following 
directories: ''config/ssh'', 'ssh', ''.ssh''. Any SSH Secret Keys found there 
will be copied into /home/user/.ssh (in the ramdisk), with proper permissions 
and ownerships for the default user account. This may come in handy when you 
are using SSH Secret Keys on USB media, but need to log in and out of sessions 
often, and don't want to leave the USB media plugged in all the time/don't want 
to have to re-insert it before each session startup. **Attention: This poses a 
security risk when other people are using your
ThinClient afterwards (as they will have access to your keys).**  To mitigate 
this risk,be sure to power-cycle the ThinClient once you are done.
   * ''ldap=ldap.example.com:389:cn=cngoeshere,dc=example,dc=com'' - this 
allows you to specify an LDAP server to connect to - note that this is not 
needed for LDAP-based authentication, only when you intend to store entire 
session profiles in LDAP. You should really consider using the X2Go Session 
Broker instead.
   * ''ldap1=ldap-backupserver-1.example.com:389'' - this allows you to specify 
the first of up to two LDAP backup servers when using LDAP authentication
* ''ldap2=ldap-backupserver-2.example.com:389'' - this allows you to specify the second of up to two LDAP backup servers when using LDAP authentication * ''nodpms'' - Will not touch DPMS settings at all (by default, ''blank=0'' does both ''xset s off'' and ''xset -dpms''). Use this along with ''blank=n'' if you do want to blank the screen, but your screen is confused by
DPMS settings.
-   * ''nomagicpixel=1'' or ''nomagicpixel=2'' - you should set ''nomagicpixel=1'' while 
the "magic pixel" (clicking in the upper right corner of the screen will 
minimize a fullscreen session) is still active in thinclient mode (this feature is 
expected to be disabled at some point in the future). ''nomagicpixel=1'' will disable the 
window manager when exactly 3 windows are detected (that's the usual situation when a 
fullscreen session is active). It will re-enable openbox whenever more or less than 3 
windows are detected. If this fails for you, you can try ''nomagicpixel=2'', which will 
try to trigger on the window-minimize command and restore it to fullscreen. Note that 
''nomagicpixel=2'' is known to cause problems when trying to run the actual X2Go-TCE 
client as a virtual machine guest (the //X2GoServer// you connect to may be a VM guest, 
no problems there). To live with the magic pixel bug, simply do not add this option at 
all.
-   *
''pubkey=tftp|http|https|ftp://your-http-server-ip-or-dns-here/x2go-tce/x2go-tce.authorized_keys''
 - Allows you to add an ssh public key file to the ThinClient, so your 
administrators can log in remotely using SSH. Note that this file needs to be 
chmodded 644, not 600, on the web server.  **Attention: Whoever manages to 
spoof this server name will have root access to your ThinClients. Using HTTPS 
will mitigate this - an attacker would not only have to spoof the server name, 
but also the matching certificate.**
+   * ''nomagicpixel=1'' or ''nomagicpixel=2'' - you should set ''nomagicpixel=1'' while 
the "magic pixel" (clicking in the upper right corner of the screen will 
minimize a fullscreen session) is still active in thinclient mode (this feature is 
expected to be disabled at some point in the future). ''nomagicpixel=1'' will disable the 
window manager when exactly 3 windows are detected (that's the usual situation when a 
fullscreen session is active). It will re-enable openbox
whenever more or less than 3 windows are detected. If this fails for you, you 
can try ''nomagicpixel=2'', which will try to trigger on the window-minimize 
command and restore it to fullscreen (this will cause a short screen flickering 
effect). Note that ''nomagicpixel=2'' will make your ThinClient unusable when 
trying to run the actual X2Go-TCE client as a virtual machine guest (the 
//X2GoServer// you connect to may be a VM guest, no problems there). To live 
with the magic pixel bug, simply do not add this option at all.
+   * 
''pubkey=tftp|http|https|ftp://your-http-server-ip-or-dns-here/x2go-tce/x2go-tce.authorized_keys''
 - Allows you to add an ssh public key file to the ThinClient, so your 
administrators can log in remotely using SSH. Note that this file needs to be 
chmodded 644, not 600, on the web server.  **Attention: Whoever manages to 
spoof this server name will have root access to your ThinClients.** Using HTTPS 
will mitigate this - an attacker would not only have to spoof
the server name, but also the matching certificate.
   *  ''session=sessionname'' - use this to specify a session by name that should be 
pre-selected on startup. The name must be listed in the sessions file and may only 
contain characters from the following charset: //a-zA-Z0-9.:/ _-// (We suggest naming the 
default session ''default'' and using ''session=default''.) When using a session name 
with blanks, please enclose the sessionname in either single or double quotes, like so: 
''session="session name"'' / ''session='session name'''
-   * ''tcpprint'' - Will allow you to use local LPT/USB printers like "dumb" network 
printers (listening to port 9100 and above). Requires MAC->IP mapping in DHCP server (and 
optionally, DNS->IP mapping), or static IPs - else your print jobs will end up on random 
devices. This setup is preferred over the X2GoClient's built-in printing for locally attached 
printers if X2GoServer and ThinClients are on the same network. It is not recommended when your
X2Go connection goes across the internet or when the ThinClient is actually a laptop roaming between different networks. **Attention:** When used without ''tcpprintonlyfrom'' (see below), this means anyone that can reach your thin client via e.g. ping can also send print jobs to it! - * ''tcpprintonlyfrom=x.x.x.x'' - Will allow you to specify which IP address may connect to Port 9100 and above for printing to a locally attached LPT/USB printer. This should be the IP of your CUPS server or whatever print server system you use. Understands the same syntax as xinetd's ''only_from''. + * ''tcpprint'' - Will allow you to use local LPT/USB printers like "dumb" network printers (listening to port 9100 and above). Requires MAC->IP mapping in DHCP server (and optionally, DNS->IP mapping), or static IPs - else your print jobs will end up on random devices. This setup is preferred over the X2GoClient's built-in printing for locally attached printers if X2GoServer and ThinClients are on the same network. It is not recommended when your X2Go connection goes across the internet or when the ThinClient is actually a laptop roaming between different networks. **Attention: When used without ''tcpprintonlyfrom'' (see below), this means anyone that can reach your thin client via e.g. ping can also send print jobs to it!** + * ''tcpprintonlyfrom=x.x.x.x'' - Will allow you to specify which IP address may connect to Port 9100 and above for printing to a locally attached LPT/USB printer. This should be the IP of your CUPS server or whatever print server system you use. Understands the same syntax as ''xinetd'''s ''only_from''. * ''throttle=n|n:n:n:n:n'' - Will throttle down- and upload speed (''throttle=n'') or set throttling limits as follows: download:upload:smoothingtime:smoothinglength:latency. Defaults for up- and download are 10 (KiloBytes/s), 3.0 (seconds, using decimals is permitted) smoothingtime, 20 (KiloBytes), 0 (ms). for a detailed description of these
parameters, see "man trickle". You can use the first 1, 2, 3, 4 or all 5 parameters. To 
set down- and/or upload speed to unlimited, use the letter "u" instead of a numeric value.
   * ''xinerama=left-of|right-of|above|below|same-as'' - Allows you to specify how 
multiple screens are handled (same-as clones the primary screen to all secondary screens, 
the other commands will cascade and thus expand the screen). Note that the current 
implementation will enforce "same-as" if it detects a touch screen driver 
(wacom) and no other pointing device. This is so you won't get stuck being unable to log 
off, for example, due to your touch device being limited to one screen.
   * ''xorg-resolution=HRESxVRES'' - will force the horizontal resolution to 
HRES and the vertical resolution to VRES, e.g. ''xorg-resolution=1280x1024'', 
useful if autodetection for the correct screen size fails, but you do get as 
far as seeing the X2Go GUI
-   *
''xorgconfurl=tftp|http|https|ftp://your-http-server-ip-or-dns-here/x2go-tce/x2go-tce.xorg.conf''
 - when a client outright refuses to boot into the graphical X2Go login screen, 
but gets stuck at the console or a black screen instead, yet you can get the 
GUI to work using a regular Linux on the same hardware, you can disable the X 
Server's autodetection and force it to use the xorg.conf specified here.  Note 
that you should use a more descriptive name for the file, as described below. 
Also note that whoever manages to spoof the server name can inject rogue xorg 
config files into your ThinClients.  To mitigate this risk, use HTTPS, where 
the attacker would have to spoof both server name and matching certificate.
+   * 
''xorgconfurl=tftp|http|https|ftp://your-http-server-ip-or-dns-here/x2go-tce/x2go-tce.xorg.conf''
 - when a client outright refuses to boot into the graphical X2Go login screen, 
but gets stuck at the console or a black screen instead, yet you can get the 
GUI to work using
a regular Linux on the same hardware, you can disable the X Server's 
autodetection and force it to use the xorg.conf specified here.  Note that you 
should use a more descriptive name for the file, as described below. 
**Attention: Whoever manages to spoof the server name can inject rogue xorg 
config files into your ThinClients.**  To mitigate this risk, use HTTPS, where 
the attacker would have to spoof both server name and matching certificate.
=== These are only intended to be used with TCE images stored on local media ===
   * ''bwlimit=nnn'' - Will allow you to specify a bandwidth limit (valid 
values: 1-100) in percent for the backgrounded update task.
   * ''ntfs-uuid='' - Will be required for updating images stored on NTFS filesystems. 
Full UUID as shown under /dev/disk/by-uuid/ is preferred, but can work with the volume 
serial number shown in the output of "vol c:" as well.
   * ''updatesleep=nnnnn'' - Will allow you to specify the upper limit (in 
seconds) of the update
timer's randomizer.  Allowed range for upper limit: 240-32767. Will default to 
900 if unset or set to an out-of-range value. Lower limit is fixed at 120 
seconds.
- * ''updateurl=rsync|https|http|ftp://your-http-server-ip-or-dns-here/path-to-update-files'' - Will allow you to update an image in the background when using local storage instead of PXE. Download task will start at a randomized interval to avoid unintentional dDOSing of the update server/network infrastructure. The updater will even work when using NTFS for local storage, but only if the //toram// boot option is used. Regardless of NTFS or not, the updater requires three directories: ''/boot/X2Go-live1, /boot/X2Go-live2, /boot/X2Go-live-download'' **Attention:** Whoever manages to spoof the server name can deploy rogue images to your ThinClients. Even though it is slower, using an HTTPS web server is the safer way of doing this. Be sure that your web server delivers a last-modified header for all files. + * ''updateurl=rsync|https|http|ftp://your-http-server-ip-or-dns-here/path-to-update-files'' - Will allow you to update an image in the background when using local storage instead of PXE. Download task will start at a randomized interval to avoid unintentional dDOSing of the update server/network infrastructure. The updater will even work when using NTFS for local storage, but only if the //toram// boot option is used. Regardless of NTFS or not, the updater requires three directories: ''/boot/X2Go-live1, /boot/X2Go-live2, /boot/X2Go-live-download''. **Attention: Whoever manages to spoof the server name can deploy rogue images to your ThinClients.** Even though it is slower, using an HTTPS web server is the safer way of doing this. Be sure that your web server delivers a last-modified header for all files. ===== Querying X2Go-TCE version info ===== images built using the https://github.com/LinuxHaus/live-build-x2go::feature/openbox repository/branch after 2017-07-27 10:50 UTC
will create a file ''/var/run/x2go-timestamps''.
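Review bot: In the new "pubkey=..." entry (the "+" lines ending "...but also the matching certificate."), the scheme list still offers "tftp|http|https|ftp" as equals while the same entry states that spoofing the server yields root access on every ThinClient; given that the section intro says "HTTPS is always preferred for security reasons", that entry should say outright that HTTPS is the recommended scheme for the authorized_keys file, using the same mitigation wording as the "sessionsurl", "bg" and "branding" entries ("To mitigate this risk, use HTTPS, where the attacker would have to spoof both server name and matching certificate") instead of the weaker "Using HTTPS will mitigate this". Also, the "nomagicpixel=2" caveat was changed from "known to cause problems" to "will make your ThinClient unusable" when running the TCE client as a VM guest; if that is based on a confirmed failure rather than scattered reports, a short note on what breaks would help readers. Smaller points carried into the "+" lines: "theblue background" in the "bg" entry and "risk,be sure" in the "copysecring" entry are each missing a space, and 'ssh' in the "copysecring" directory list uses plain single quotes where the neighbouring "config/ssh" and ".ssh" use the DokuWiki monospace markup.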

--
This mail was generated by DokuWiki at
https://wiki.x2go.org/

_______________________________________________
x2go-commits mailing list
https://lists.x2go.org/listinfo/x2go-commits