SSH Agent support in PyHoca-GUI / Python X2Go
=============================================
Quotation from the ssh-agent man page:
"""
[...]
The agent will never send a private key over its request channel.
Instead, operations that require a private key will be performed
by the agent, and the result will be returned to the requester.
This way, private keys are not exposed to clients using the agent.
A UNIX-domain socket is created and the name of this socket is stored
in the SSH_AUTH_SOCK environment variable. The socket is made
accessible only to the current user. This method is easily abused by
root or another instance of the same user.
[...]
"""
So the benefit of SSH agent support is: no need to have private SSH keys
on remote systems anymore. You can keep your private ID files locally
and use SSH agent to handle authentication requests, even if you have
a chain of systems that you log in to:
local-machine -> machine-1 -> machine-2 -> machine-3 ...
The requirement for SSH agent usage: the system administrators of the
remote hosts must be trustworthy. They cannot obtain your private keys,
but they can use the SSH agent socket and log into systems in your
login chain under your identity. So, BEWARE!!!
1. AUTHENTICATION AGAINST SSH AGENT
-----------------------------------
This feature has been added to Python X2Go 0.2.1.0.
PyHoca-GUI / Python X2Go is aware of local SSH agents and can authenticated
against those. Use this feature with the following session profile options
set:
[x] Discover SSH keys or use SSH agent for X2Go authentication
autologin = true (or 1)
[x] Discover SSH keys or use SSH agent for proxy authentication
sshproxyautologin = true (or 1)
Do not forget to run ssh-add (see the man page for more info).
2. AUTHENTICATION REQUEST FORWARDING TO YOUR LOCAL SSH AGENT
------------------------------------------------------------
This feature has been added to Python X2Go 0.2.1.0 and requires Python Paramiko
1.8.0.
PyHoca-GUI / Python X2Go supports forwarding of SSH agent authentication request.
Basically, you could say that the -A command line switch of the OpenSSH client
is now also available with X2Go. Please read the ssh man page for more
info on this.
With this little howto, you can test SSH agent authentication request forwarding:
Place your SSH pubkey on machine-1 and machine-2 (which can be reached via
machine-1) into the (for this demo) otherwise empty files:
user-1@machine-1:~user-1/.ssh/authorized_keys
and
user-2@machine-2:~user-2/.ssh/authorized_keys
Return to your local client:
$ ssh-add [<priv-keyfile>]
$ pyhoca-gui
Enable SSH agent forwarding in connection tab of a session profile for
machine-1. Use a simple TERMINAL session command.
Connect to user-1@machine-1 and start a session on machine-1
$ echo $SSH_AUTH_SOCK
/tmp/ssh-<hash>/agent.<pid>
$ ssh <user-2>@<machine-2>
(should work without password)
For the authentication from user-1@machine-1 to user-2@machine-2 you use an
SSH agent connection that is tunneled back through Python X2Go to your client
machine (the machine you run PyHoca-GUI on). So, the SSH agent on your client
machine serves a challenge/response request from SSH client programs within
X2Go sessions.
Note: if you try the above with a GNOME desktop (XFCE probably as well) the
gnome-keyring will hijack the SSH agent functionality and ignore forwarded
SSH agent connections. (This normally happens with the x2goserver-xsession
bin:package installed.)
Use the below command to disable the SSH agent feature in gnome-keyring (within the
X2Go Session):
$ gconftool-2 -s /apps/gnome-keyring/daemon-components/ssh false --type bool
After you have applied this gconf change, logout and re-start a new GNOME (or XFCE)
session. Now SSH agent stuff is handled properly through ssh-agent and the ssh-agent
should also be aware of SSH agent forwarding connections.
Fleckeby (Germany), 20142010
Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Generated by dwww version 1.15 on Sat May 18 15:28:21 CEST 2024.