On Sun, 2010-03-14 at 04:18 -0400, John A. Sullivan III wrote:
> Hello, all. We recently recreated an X2Go Server and found we had
> serious ssh key issues when we tried to connect from the previously
> existing X2Go clients. We're still working these through so I'll list
> them in the order we find them.
>
> The GUI kept popping up Accept Key dialogs with Yes and No options but no
> text. It was only when we canceled that we saw the error message about
> there being an old, conflicting key. By the way, we use both hashed
> known_host files and non-default ssh ports. This created a problem when
> we went to remove the offending keys in that the syntax ssh-keygen -R
> <server name> did not work. We needed to use ssh-keygen -R [<server
> name>]:<port number> (note the brackets).
>
> We then hit a problem where the X2Go Client for some reason started
> trying to open an SSH session as root. Since we use active host
> intrusion detection (OSSEC), the failed login attempts lock out the user
> and the screen stops at the X2Go logo. Oops! This was our
> misunderstanding of the auth.log. The problem was that our users are
> only defined in LDAP. We configured pam to look at pam_unix first.
> This tripped our HIDS and blocked our users. From our internal
> documentation:
>
> Now we need to fix some pam files. It is critical that the ldap modules
> are processed first even though that is non-standard. In the X2Go
> environment, many ssh sessions are fired off in quick succession. Since
> the pam_unix authentications fail for the LDAP users (as they are not
> defined locally), all the failed authentications trip the OSSEC
> auto-response and block the user from access to VD01. Thus, LDAP
> credentials MUST be processed first.
>
> This just leaves the empty dialog box. Thanks - John
<snip>

Oops! We've hit some nastier issues. Using an X2Go Client on a different
station this morning, I encountered the empty dialog. I cleared the
offending entry from known_hosts and tried again.

This time I was told I needed to answer yes or no. Clicking Yes had no
effect. Clicking No caused the entire x2goclient to crash and disappear -
I assume a seg fault.

I had a sneaking suspicion of what was happening. Connecting from a
console gave me this:

Warning: the RSA host key for '[vdhost01.ssiservices.biz]:443' differs from the key for the IP address '[208.46.93.8]:443'
Offending key for IP in /home/jsullivan/.ssh/known_hosts:3
Matching host key in /home/jsullivan/.ssh/known_hosts:24
Are you sure you want to continue connecting (yes/no)?

I cleared the offending IP address entry and all worked well but we do
have this seg fault to address - John
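
The message above describes two separate stale entries after a server rebuild: the hashed `[name]:port` entry and the entry for the IP address. The following is an added example, not part of the original post, that finds both in a hashed known_hosts file. It assumes OpenSSH's HashKnownHosts token format (`|1|salt|HMAC-SHA1`), and the host name, address and key blobs are constructed placeholders.

```python
import base64, hashlib, hmac, os

def known_hosts_name(host, port=22):
    """Name form OpenSSH stores: bare for port 22, '[host]:port' otherwise."""
    return host if port == 22 else f"[{host}]:{port}"

def hash_name(name, salt=None):
    """Build a hashed token: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=name))."""
    salt = salt or os.urandom(20)
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())

def entry_matches(field, name):
    """True if the first known_hosts field (hashed or plain) names `name`."""
    if field.startswith("|1|"):
        try:
            _, _, salt_b64, mac_b64 = field.split("|")
            salt, mac = base64.b64decode(salt_b64), base64.b64decode(mac_b64)
        except ValueError:
            return False  # malformed hashed entry: never a match
        want = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(want, mac)
    return name in field.split(",")  # plain entries may list several names

def stale_lines(text, host, ip, port):
    """1-based line numbers of entries for the host name or its IP at this port."""
    names = [known_hosts_name(host, port), known_hosts_name(ip, port)]
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # skip blank lines and comments
        if any(entry_matches(fields[0], name) for name in names):
            hits.append(n)
    return hits

# Constructed sample file: names, address and key blobs are placeholders.
SAMPLE = "\n".join([
    hash_name("[vd.example.test]:443") + " ssh-rsa AAAAB3PLACEHOLDER1",
    hash_name("other.example.test") + " ssh-rsa AAAAB3PLACEHOLDER2",
    hash_name("[192.0.2.8]:443") + " ssh-rsa AAAAB3PLACEHOLDER3",
])

if __name__ == "__main__":
    print(stale_lines(SAMPLE, "vd.example.test", "192.0.2.8", 443))
```

Passing port 22 makes the lookup use the bare name, which matches nothing in the sample; that is the same mismatch as running ssh-keygen -R with the server name alone against an entry stored for a non-default port.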