On 04-06-2014 10:29, Predrag Punosevac wrote:
> I was not able to connect to X2Go server without GSSAPIAuthentication
> yes. I can send you the picture of error from x2go client via private
> e-mail if you want.
I don't doubt you. And it's not that you can't connect. I had this
problem in the past, the connection will appear to hang and it might be
well more than a minute before you have a shell on the machine. Try
logging in with ssh -vvv and see what happens. But this is an issue with
your ssh clients (assuming Linux clients here), rather than your OpenBSD
OpenSSH server. You could try the following configuration in your ssh
clients:

Host *
    GSSAPIAuthentication no

> Why? This OpenBSD machine serves no other purposes but to be shell
> gateway. What will happen if it gets hacked?
What happens when any other machine gets hacked. Nothing more, nothing
less. Giving your users shell access, even when they don't have root
access, you are opening yourself to bugs that aren't otherwise
exploitable. So, in this case, there is little you can do, just always
follow OpenBSD stable and keep your environment as clean as possible.
> Well then I am already in trouble because probably my computing nodes
> and my users which I am trying to protect are hacked. As somebody who
> is maintaining OpenVPN server and 20 or so clients on our LAB remote
> location I am intimately familiar how "simple" is VPN solution. The
> Lab exists to serve the needs of people who have access to shell
> gateway machine not the other way around.
There are lots of options for "simplifying" OpenVPN deploying. You could
generate a Windows installer with the users' certificates, or, you could
drop certs altogether and use only user/pass authentication. Or use the
same certs for every user in combination with user/pass. Also, you don't
need necessarily to use OpenVPN. There is the l2tp/ipsec option, plain
ipsec and (argh) pptp. Depending on which operating system your clients
are using, they can have all of these VPN options already installed with it.
Cheers,
--
Giancarlo Razzolini
GPG: 4096R/77B981BC