Giancarlo Razzolini <[email protected]> wrote:

> On 04-06-2014 02:52, Predrag Punosevac wrote:
> > Correct! X2Go servers (30 of them) run on Linux computing nodes which
> > are accessible only via OpenBSD ssh gateway.
> Figured.
> >
> > I am going to answer my own question. I have not been able to use
> > OpenBSD shell gateway as a proxy from the X2Go client probably due to
> > the fact that only root can do forwarding on privileged ports.
> >
> > However combining 
> >
> > ssh -L 8080:x2goserver.int.mydomain.org:22 shell.mydomain.org
> >
> > With editing /etc/ssh/sshd_config 
> >
> > GSSAPIAuthentication yes
> > AllowAgentForwarding yes
> > AllowTcpForwarding yes
> > X11Forwarding yes
> >
> > And pointing x2go client on my local machine to 
> >
> > localhost:8080
> >
> > I had no problem running MATLAB on the remote computing node and having
> > its GUI displayed locally on my desktop.
> In this case, you only need to allow tcp forwarding, since that is the
> only thing you're doing when logging into the OpenBSD machine. You might
> want to take a look at the chroot functionalities of the openssh server,

I was not able to connect to X2Go server without 

GSSAPIAuthentication yes

I can send you a picture of the error from the x2go client via private e-mail
if you want.


> I don't think it's a good idea to allow this many users with
> unrestricted shell access in your OpenBSD machine. Also, I believe that
> in your case, a VPN would make your life much simpler.

Why? This OpenBSD machine serves no other purpose but to be a shell
gateway. What will happen if it gets hacked? Well then I am already in
trouble because probably my computing nodes and my users which I am
trying to protect are hacked.

As somebody who is maintaining an OpenVPN server and 20 or so clients at
our LAB remote location, I am intimately familiar with how "simple" a VPN
solution is. The Lab exists to serve the needs of people who have access to
the shell gateway machine, not the other way around.

Predrag

> 
> Cheers,
> 
> -- 
> Giancarlo Razzolini
> GPG: 4096R/77B981BC
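
The following is an added example, not part of either poster's message: a gateway `sshd_config` sketch that sets the options listed in the thread beside a forward-only variant for the `ssh -L` tunnel described above. The group name `x2gousers` is an assumption; the host name is the one used in the thread, and `GSSAPIAuthentication` is kept as posted because it is an authentication setting, not a forwarding one.

```conf
# /etc/ssh/sshd_config on the OpenBSD gateway (constructed example)

# --- As listed in the thread: every forwarding type enabled globally ---
# GSSAPIAuthentication yes
# AllowAgentForwarding yes
# AllowTcpForwarding yes
# X11Forwarding yes

# --- Forward-only variant ---
# The -L tunnel is a plain TCP forward through the gateway; the X2Go
# session runs inside the tunnelled SSH connection to the compute node,
# so the gateway's own agent and X11 forwarding can stay off.
GSSAPIAuthentication yes        # kept exactly as posted in the thread
AllowAgentForwarding no
AllowTcpForwarding no           # default deny, re-enabled per group below
X11Forwarding no

# x2gousers is a hypothetical group holding the tunnel-only accounts.
Match Group x2gousers
    # "local" permits -L style forwards only (no -R).
    AllowTcpForwarding local
    # Only this destination may be reached through the gateway.
    # PermitOpen takes a space-separated host:port list, so further
    # compute nodes are appended here. The host is matched as the client
    # requested it, so it must be spelled as in the -L argument.
    PermitOpen x2goserver.int.mydomain.org:22
    # No interactive shell for these accounts on the gateway.
    PermitTTY no
    ForceCommand /sbin/nologin
```

With this variant the client opens the tunnel with `ssh -N -L 8080:x2goserver.int.mydomain.org:22 shell.mydomain.org`, since no shell is granted on the gateway. `sshd -t -f <file>` checks the file for syntax errors before the daemon is reloaded.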
