Hi Mike,
you wrote:
> > Which would be a NX/x2go-migration-blocker for those currently using
> > the "store password" function of the NXclient.
>
> OK, you are thinking in migration NX2X2go-terms... I see.
That is the main objective that led me to the x2go project - as "FreeNX
is dying, NetCraft confirms it". ;-)
> SSH keyfiles are indeed possible to use with both clients.
Interesting. I never used them with NX and can'T remember seeing a GUI
option for this; then again, I'm not using the latest client.
> However, neither with PyHoca-GUI nor with X2goClient-qt you have a key
> generation mechanism at hand. However, this would be really a need
> feature:
>
> o The client generates a key pair
> o at first login, the pubkey is pushed to the server (this needs a
password)
> o at further logins, the pubkey is used for Auth...
>
> What do you think about something like this?
The idea of automatically generating a key pair sounds nice.
I'm not sure how to deal with the password issue, though.
I know that I can block password-based logins for root in sshd_config,
so that root always requires a key file, but I wouldn't know how to tell
SSH "if the user has a keyfile, disallow password-based logins" for
regular users and on a per-user basis.
Also, this would mean that the initial password remains unchanged on the
server, so someone gaining physical access to it could try to log in on
the console as that particular user. Of course, physical security of the
server is another issue that needs to be dealth with by the server
administrator (and not by us) - but still, leaving an initial password
unchanged sounds like asking for trouble.
If we had a mechanism to issue a passwd -l <username> after the keyfile
has been transferred, things would look better. (AFAIK, a key file will
still allow you access to your account even if your password has been
locked).
> > Usability: The user is already authenticated on the Windows machine
> > or the Windows Domain. No one else has access to the particular
> > configuration file, as it is stored in the user's home directory
> > (for this concept, it doesn't matter if it's a NX config file with a
> > plaintext password, or a passwordless ssh secret key for x2go).
> > There is absolutely no need to ask the user for a password again.
>
> Single-Sign-On is always a neat thing to have...
Indeed, and on Windows, it can usually only be achieved using
third-party tools (and even with them, it's still a RPITA when it comes
to proper administration of these tools: Detecting "Password expired,
please change" application popups, fulfilling minimum password
requirements, etc.). Very few programs query the Windows authentication
to check if a particular user is permitted to run them.
[snip]
> Please let me known your opinion about the above approach (SSH key
> generation). It should be rather easy to implement this into Python
> X2go. If you are interested, I will add that to the PyHoca-GUI
> enhancement wishlist.
I'd say add it to the wishlist, but with a "needs-more-thoughts" flag
regarding proper implementation, see my worries above.
I hope my comments don't turn this wish into the following wish from the
PuTTY wishlist: <http://goo.gl/CwZa8>
Kind Regards,
Stefan
_______________________________________________
X2go-dev mailing list
X2go-dev@lists.berlios.de
https://lists.berlios.de/mailman/listinfo/x2go-dev
