On 30.12.2015 10:21 AM, Mike Gabriel wrote:
> On So 23 Aug 2015 23:10:59 CEST, git-admin wrote:
>> [...]
>> commit bfe3ba761c1d3e9143285ca17edc87ac763ce35d
>> Author: Mihai Moldovan <[email protected]>
>> Date: Sun Aug 23 23:08:45 2015 +0200
>>
>> x2goserver/bin/x2gostartagent: changes to Robert Nowotny's
>> SSH_PORT patch. Fixes: #922.
>> [...]
>
> Haven't looked at X2Go Server code for a while... Today I found the below...
>
>> +# Get server IP address.
>> +get_server_ip_address() {
>> [...]
>
> Has anyone of you ever heard of IPv6? And has anyone ever seen setups
> where the IPv6 traffic is routed via a different interface compared to
> IPv4 traffic?

Yes, and this is exactly why that function is not used by default. Instead, the "real" port randomization is used. IPv4-address-based randomization can be enabled by setting "randomize_ssh_port" to "0", but administrators have to edit the script manually to do this. Even though the comment says otherwise, I think it shouldn't be configurable in x2goserver.conf either for exactly this reason.

> Furthermore, within the last years, I never had any problems with
> server-side ports being the same on different servers. I mostly
> connect through PyHoca. So if there is a problem in X2Go Client
> regarding server-side SSH tunnel ports, why--the hack--do you fix that
> in X2Go Server?
>
> If the port allocation is a problem at all, it certainly is a problem
> that requires fixing in X2Go Client, not X2Go Server.
>
> Please consider reverting this flawed patch!!!

I don't think port randomization is bad per se, so I'd like to keep it. It's true that the real problem lies within x2goclient and I should eventually get rid of that, too, by checking whether a port is already in use and incrementing it, though.

On 30.12.2015 10:40 AM, Mike Gabriel wrote:
> Since when does X2Go promote Google??? Or even depend on them?
>
> As this patch is IPv6-flawed anyway, the next request is pointless...
> In case the patch is kept, please make this configurable and use the
> IP address of japsand.x2go.org or some other static IP on the internet
> that is more political correct, please.

I don't promote or depend upon Google in any way. As the comment makes clear, the IPv4 address provided there is not contacted in any way, I just need some address predictably outside of any local network to get the default outgoing address from the routing table. I chose 8.8.8.8 instead of Japsand's address or any other address, because I didn't want users with malicious intents to try to attack whatever address is written in the source code "for fun", assuming that 8.8.8.8 is well-known and well protected. Any other address would have made us "responsible" for "providing" the address if an attack was based on that information.

Mihai
_______________________________________________
x2go-dev mailing list
[email protected]
http://lists.x2go.org/listinfo/x2go-dev
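The routing-table lookup discussed in this thread, as an added example that is not part of the original mail and not the code of x2gostartagent (whose function body is elided above). It assumes iproute2's `ip route get`; the helper names `route_field` and `egress_check`, the IPv6 probe address and the sample outputs are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not X2Go code): find the egress source address per address
# family from routing-table lookups and flag IPv4/IPv6 interface splits.
# Live input would come from iproute2, which only consults the routing table
# and sends no packet to the probe address:
#   ip -4 route get 8.8.8.8
#   ip -6 route get 2001:db8::1     # probe address chosen for this example

# Constructed sample outputs of the two commands above.
SAMPLE_V4='8.8.8.8 via 192.0.2.1 dev eth0 src 192.0.2.10 uid 1000
    cache'
SAMPLE_V6='2001:db8::1 from :: via fe80::1 dev eth1 proto ra src 2001:db8:1::10 metric 100 pref medium'

# route_field KEY (hypothetical helper): read `ip route get` output on stdin
# and print the word that follows KEY (e.g. "src" or "dev"); prints nothing
# when KEY is absent, as with an empty lookup result.
route_field() {
    awk -v key="$1" '{
        for (i = 1; i < NF; i++)
            if ($i == key) { print $(i + 1); exit }
    }'
}

# egress_check V4_OUTPUT V6_OUTPUT (hypothetical helper): summarize both
# lookups and say whether the two families leave through the same interface.
egress_check() {
    v4_src=$(printf '%s\n' "$1" | route_field src)
    v4_dev=$(printf '%s\n' "$1" | route_field dev)
    v6_src=$(printf '%s\n' "$2" | route_field src)
    v6_dev=$(printf '%s\n' "$2" | route_field dev)
    if [ -z "$v4_src" ] && [ -z "$v6_src" ]; then verdict=no-route
    elif [ -z "$v6_src" ]; then verdict=v4-only
    elif [ -z "$v4_src" ]; then verdict=v6-only
    elif [ "$v4_dev" = "$v6_dev" ]; then verdict=same-interface
    else verdict=split-interface
    fi
    printf 'v4=%s@%s v6=%s@%s %s\n' \
        "${v4_src:--}" "${v4_dev:--}" "${v6_src:--}" "${v6_dev:--}" "$verdict"
}

# Run on the constructed samples: the IPv6 route uses a different interface,
# so an IPv4-only lookup would miss the address IPv6 clients actually reach.
egress_check "$SAMPLE_V4" "$SAMPLE_V6"
```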
