On Mon, Dec 20, 2021 at 12:08 PM Jörg Kastning
<joerg.kastn...@uni-bielefeld.de> wrote:
>
> Dear X2go users,
>
> I'm trying to figure out whether X2go is a fitting solution for our
> project or not.
>
> Users should get remote access to a host to execute applications in a
> graphical environment. These users must not be able to transfer any data
> or files to or from the target host.
>
> Question 1: Is there a way to deactivate the clipboard or any
> drag'n'drop feature in x2go-server to prevent users from transferring data?

You can disable clipboard for one or both directions. Drag and drop is
not supported by x2go, so this is not an issue.
You can also disable file transfer and printer support.
Of course you cannot prevent screenshots or similar approaches.

> Question 2: The documentation (at URL
> https://wiki.x2go.org/doku.php/doc:newtox2go#installation_and_use)
> mentions that the SSH server handles the X2go connections. Are there
> example configs that restrict SSH access to X2go but prevent users from
> transferring data via tools like scp or rsync?

This can be close to impossible as there are various ways to transfer
files. Disabling or restricting stuff makes it more difficult but
never impossible. So in the end it depends on your users' abilities...

I am not aware of any x2go specific examples, but basically you have
to check what commands are started from the client and restrict ssh
access to those by forcing ssh to always run a checker script instead
of the command that the client sends (read about ForceCommand e.g. here:
https://serverfault.com/questions/749474/ssh-authorized-keys-command-option-multiple-commands).
You have to prepare for several rounds of trial and error to catch all
command variations the client might send. I have done this in the past
on various occasions but never tried for x2go.

Please note that if the user can run arbitrary commands on the server
you will probably never reach 100% security. E.g. you also need to
prevent the users from opening tunnels and from connecting back to the
client using the server side ssh. Also things like running their own
server (e.g. nc) must be restricted, too. Or if the server has
internet access data can be routed via some third-party server... the
list is endless.

Uli
_______________________________________________
x2go-user mailing list
x2go-user@lists.x2go.org
https://lists.x2go.org/listinfo/x2go-user
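
The checker script Uli describes, written out as an added example for this thread (it is not x2go's or OpenSSH's code and was not posted by either participant). It is a POSIX shell script that sshd runs via ForceCommand instead of the client's request, allows only a fixed set of bare x2goserver helper commands with plain arguments, and logs everything it rejects so the "trial and error" rounds have something to work from. The install path /usr/local/sbin/x2go-forcecmd, the group name x2go-restricted, the sshd_config settings in the header comment and the allowlist itself are all assumptions for illustration; the allowlist in particular must be rebuilt from what your own x2goclient version actually sends.

```shell
#!/bin/sh
# x2go-forcecmd: an sshd ForceCommand checker for x2go-only accounts.
# Added example for this thread; not part of x2goserver or OpenSSH.
#
# Assumed sshd_config fragment (group name and script path are assumptions;
# adjust to your setup):
#
#   Match Group x2go-restricted
#       ForceCommand /usr/local/sbin/x2go-forcecmd
#       AllowTcpForwarding local   # client->server forward for the NX session only; no connect-back tunnels
#       PermitTunnel no
#       AllowAgentForwarding no
#       X11Forwarding no
#
# sshd runs this script instead of whatever the client asked for and puts the
# client's request into SSH_ORIGINAL_COMMAND (unset when the client asked for
# an interactive shell).

# First words we are willing to run. These are x2goserver helper commands, but
# the exact set is an assumption: build the real one by reading the rejection
# log below over a few sessions, as the reply above says you will have to.
# Not listed on purpose: x2gomountdirs/x2goumount (client folder sharing),
# sftp-server, scp, rsync, and any shell.
X2GO_ALLOWED="x2golistsessions x2gostartagent x2goresume-session x2gosuspend-session x2goterminate-session x2gogetapps x2gofeature x2golistdesktops x2gosetkeyboard x2goruncommand x2gocmdexitmessage x2gogetservers"

# Characters that could chain, substitute or redirect commands, plus newline.
META=';|&`$()<>\'
META="${META}\"'"
NL=$(printf '\nx'); NL=${NL%x}

# x2go_check_command CMD -> returns 0 if CMD may be executed, 1 otherwise.
x2go_check_command() {
    cmd=$1
    # An empty command means the client asked for a shell.
    [ -n "$cmd" ] || return 1
    # One command with plain arguments is all the client legitimately needs.
    case $cmd in
        *["$META"]*|*"$NL"*) return 1 ;;
    esac
    # Whole-word match of the first word against the allowlist. Paths are not
    # accepted, so the fixed PATH set below decides which binary really runs.
    set -f; set -- $cmd; set +f
    case " $X2GO_ALLOWED " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# Entry point when sshd invokes the installed script; running the file under
# any other name (or sourcing it) only defines the function above.
if [ "${0##*/}" = x2go-forcecmd ]; then
    if x2go_check_command "${SSH_ORIGINAL_COMMAND-}"; then
        PATH=/usr/bin:/bin; export PATH
        set -f; set -- $SSH_ORIGINAL_COMMAND
        exec "$@"
    fi
    # Every rejection is logged verbatim: this is the raw material for the
    # trial-and-error rounds needed to learn what the client really sends.
    logger -t x2go-forcecmd -p auth.warning \
        "rejected for ${USER:-unknown}: ${SSH_ORIGINAL_COMMAND-<interactive shell>}"
    exit 1
fi
```

Two points from the reply are reflected in the header: AllowTcpForwarding is left at local rather than no because the client forwards its own NX session over the SSH connection, while remote forwards (the "connecting back to the client" case) are refused; and the script intentionally does nothing about screenshots or data smuggled inside the session itself, which no ForceCommand can catch.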