On 04-06-2014 12:36, sven falempin wrote:
> On Wed, Jun 4, 2014 at 9:47 AM, Giancarlo Razzolini
> <[email protected]> wrote:
>> On 04-06-2014 10:29, Predrag Punosevac wrote:
>>> I was not able to connect to X2Go server without GSSAPIAuthentication
>>> yes I can send you the picture of error from x2go client via private
>>> e-mail if you want.
>> I don't doubt you. And it's not that you can't connect. I had this
>> problem in the past, the connection will appear to hang and it might be
>> well more than a minute before you have a shell on the machine. Try
>> logging in with ssh -vvv and see what happens. But this is an issue with
>> your ssh clients (assuming linux clients here), rather than your OpenBSD
>> openssh server. You could try the following configuration in your ssh
>> clients:
>>
>> Host *
>>     GSSAPIAuthentication no
>>
>>> Why? This OpenBSD machine serves no other purposes but to be shell
>>> gateway. What will happen if it gets hacked?
>> What happens when any other machine gets hacked. Nothing more, nothing
>> less. Giving your users shell access, even when they don't have root
>> access, you are opening yourself to bugs that aren't otherwise
>> exploitable. So, in this case, there is little you can do, just always
>> follow openbsd stable and keep your environment as clean as possible.
>>> Well then I am already in trouble because probably my computing nodes
>>> and my users which I am trying to protect are hacked. As somebody who
>>> is maintaining OpenVPN server and 20 or so clients on our LAB remote
>>> location I am intimately familiar how "simple" is VPN solution. The
>>> Lab exists to serve the needs of people who have access to shell
>>> gateway machine not the other way around.
>> There are lots of options for "simplifying" OpenVPN deploying. You could
>> generate a windows installer with the users certificates, or, you could
>> drop certs altogether and use only user/pass authentication. Or use the
>> same certs for every user in combination with user/pass. Also, you don't
>> need necessarily to use OpenVPN. There is the l2tp/ipsec option, plain
>> ipsec and (argh) pptp. Depending on which operating system your clients
>> are using, they can have all of these vpn options already installed with it.
>>
>> Cheers,
>>
>> --
>> Giancarlo Razzolini
>> GPG: 4096R/77B981BC
>>
>
> +giancarlo if you have an OpenBSD setup that provides an ipsec vpn
> working for windows
> AND ipad AND android I would really be listening carefully how you
> perform that.
>
>

I don't know about windows clients, been a long time since I ever used windows that wasn't on a virtual machine for only one specific purpose. But, with npppd I did have a vpn setup with pptp that worked both on ios and on android. I believe that with l2tp/ipsec it would be relatively simple as well to implement working on both, also. But, since Apple approved the OpenVPN iOS client, I've been using only this, for my VPN needs.

Predrag, I really believe that you should take a look at relayd(8). It does what you want with the plus of not needing to give your users a shell on the machine. Another plus is the possibility of redirecting your clients to their respective nodes, without the need for them to select the node beforehand, and also with failover and round robin capabilities.

Cheers,

--
Giancarlo Razzolini
GPG: 4096R/77B981BC

