doc:installation:x2gobroker

Differences

This shows you the differences between two versions of the page.

doc:installation:x2gobroker [2013/05/12 21:05]
sunweaver [X2Go Session Broker Config]
doc:installation:x2gobroker [2023/03/27 15:22] (current)
gratuxri typo
Line 41: Line 41:
   * [[http://code.x2go.org/gitweb?p=x2gobroker.git;a=blob_plain;f=etc/x2gobroker-wsgi.apache.conf|X2Go Session Broker WSGI support added globally]]   * [[http://code.x2go.org/gitweb?p=x2gobroker.git;a=blob_plain;f=etc/x2gobroker-wsgi.apache.conf|X2Go Session Broker WSGI support added globally]]
   * [[http://code.x2go.org/gitweb?p=x2gobroker.git;a=blob_plain;f=etc/x2gobroker-wsgi.apache.vhost|X2Go Session Broker WSGI support as VirtualHost]]   * [[http://code.x2go.org/gitweb?p=x2gobroker.git;a=blob_plain;f=etc/x2gobroker-wsgi.apache.vhost|X2Go Session Broker WSGI support as VirtualHost]]
 +
 +
 +
 +===== X2Go Session Broker Authentication Service =====
 +
 +Package name: '''x2gobroker-authservice'''
 +
 +On Debian based systems:
 +
 +<code bash>
 +$ sudo apt-get install x2gobroker-authservice
 +</code>
 +
 +The X2Go Session Broker Authentication Service normally gets installed on the machine that also has ''x2gobroker-daemon'' or ''x2gobroker-wsgi'' installed. The broker code itself runs as system user ''x2gobroker'' whereas the authentication service has to run as root. By security design, the functionality of the broker that requires root privileges has been separated from the rest of the broker.
 +
 +The X2Go Session Broker Authentication Service requires root privileges for a few PAM based authentication backends. The default installation authenticates against PAM, on default Linux systems, PAM authentication (''pam_unix.so'') requires root privileges by the authentication process.
 +
 +With other PAM setups (e.g. ''pam_ldap.so'') root privileges are not required and it is ok to not install ''x2gobroker-authservice''.
 +
 +Furthermore, X2Go Session Broker can be extended by other (non-PAM) authentication methods. The currently available authentication mechanisms in X2Go Session Broker are listed [[http://code.x2go.org/gitweb?p=x2gobroker.git;a=tree;f=x2gobroker/authmechs|here]].
 +
 +===== X2Go Session Broker Agent =====
 +
 +Package name: '''x2gobroker-agent'''
 +
 +On Debian based systems:
 +
 +<code bash>
 +$ sudo apt-get install x2gobroker-agent
 +</code>
 +
 +Installing X2Go Session Broker Agent is optional. The broker agent has to be installed on machines that are in the roll of an X2Go Server (i.e. in the role of a terminal server running X2Go).
 +
 +The X2GO Session Broker Agent is a requirement for load balancing setups and is also needed if X2Go Client shall be aware of already running X2Go Sessions. X2Go Client in non-broker mode resumes a suspended session (if exactly there is one) automatically. Other than that, X2Go Client in broker mode waits for resuming instructions from the session broker. The session broker, however, requires feedback from the broker agent to notice that there is a suspended/running session for a certain user.
 +
 +Thus, the broker agent is like a man-in-the-middle. It sits between X2Go Session Broker and the X2Go Server(s) that the session broker provides. Through the X2Go Session Broker Agent the broker core can obtain information on provided X2Go Servers for all users on that server host. 
 +
 +The currently available functions of the broker agent are:
 +
 +  * list user sessions of any user
 +  * deploy SSH public keys on behalf of any user
 +  * drop SSH public keys on behalf of any user
 +  * render an ordered list of X2Go Servers and their usage (by number of running/suspended sessions), only needed in load balancing setups
 +  * suspend sessions on behalf of any user
 +  * render a list of used X2Go Servers
 +  * (more to come...)
 +
 +**Note:** The X2Go Session Broker Agent gets installed setuid root (group: x2gobroker system group, permissions: 0750). System administrators should be aware of this. If someone hacks the x2gobroker user account on one of your X2Go Servers, this hacker can then execute certain X2Go related commands with root privileges on the X2Go Server system.
  
  
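Review bot: in the closing Note of the new Broker Agent section, "setuid root" and "permissions: 0750" do not agree: mode 0750 carries no setuid bit, so a setuid binary with those owner/group permissions would read 4750 (rwsr-x---). State the full mode and name the file it applies to, so administrators can audit the installed file against the documentation. Because the note says the group is the x2gobroker system group and that group has execute permission, it would also help to say that membership of that group should be kept to the broker account only. Smaller points in the same section: "in the roll of an X2Go Server" should be "role", "X2GO" should be "X2Go", "if exactly there is one" reads better as "if there is exactly one", and "man-in-the-middle" names an attack in security writing, so "intermediary" would describe the agent more clearly.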
Line 66: Line 114:
   * The '''plain''' WebUI frontend: usable with X2Go Client   * The '''plain''' WebUI frontend: usable with X2Go Client
   * The '''uccs''' WebUI frontend: usable with Unity Greeter (experimental)   * The '''uccs''' WebUI frontend: usable with Unity Greeter (experimental)
- 
- 
-===== X2Go Session Broker Authentication Service ===== 
- 
-Package name: '''x2gobroker-authservice''' 
- 
-On Debian based systems: 
- 
-<code bash> 
-$ sudo apt-get install x2gobroker-authservice 
-</code> 
- 
-The X2Go Session Broker Authentication Service normally gets installed on the machine that also has ''x2gobroker-daemon'' or ''x2gobroker-wsgi'' installed. The broker code itself runs as system user ''x2gobroker'' whereas the authentication service has to run as root. By security design, the functionality of the broker that requires root privileges has been separated from the rest of the broker. 
- 
-The X2Go Session Broker Authentication Service requires root privileges for a few PAM based authentication backends. The default installation authenticates against PAM, on default Linux systems, PAM authentication (''pam_unix.so'') requires root privileges by the authentication process. 
- 
-With other PAM setups (e.g. ''pam_ldap.so'') root privileges are not required and it is ok to not install ''x2gobroker-authservice''. 
- 
-Furthermore, X2Go Session Broker can be extended by other (non-PAM) authentication methods. The currently available authentication mechanisms in X2Go Session Broker are listed [[http://code.x2go.org/gitweb?p=x2gobroker.git;a=tree;f=x2gobroker/authmechs|here]]. 
  
 ===== Setting up Config Files ===== ===== Setting up Config Files =====
Line 156: Line 185:
 Where... Where...
   * ''<broker-base-url>'' is <hostname>:<port>/<broker-base-path>   * ''<broker-base-url>'' is <hostname>:<port>/<broker-base-path>
-  * ''<frontend>'' can be either of [[http://code.x2go.org/gitweb?p=x2gobroker.git;a=blob_plain;f=x2gobroker/web|the available broker WebUI frontends]] (except the files base.py and extras.py all files here are broker WebUI frontends) +  * ''<frontend>'' can be either of [[http://code.x2go.org/gitweb?p=x2gobroker.git;a=tree;f=x2gobroker/brokers|the available broker WebUI frontends]] (drop the ''%%_%%broker'' ending, the files ''%%__%%init%%__%%.py'' and ''base_broker.py'' are not frontends) 
-  * ''<backend>'' can be either of [[http://code.x2go.org/gitweb?p=x2gobroker.git;a=blob_plain;f=x2gobroker/web|the available broker WebUI frontends]]+  * ''<backend>'' can be either of [[http://code.x2go.org/gitweb?p=x2gobroker.git;a=tree;f=x2gobroker/web|the available broker backends]] (except the files ''%%__%%init%%__%%.py'' and ''extras.py'')
  
 **Example:** ''http://localhost:8080/plain/zeroconf'' **Example:** ''http://localhost:8080/plain/zeroconf''
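Review bot: the link targets in the two rewritten bullets look swapped. The <frontend> bullet now points at f=x2gobroker/brokers and tells the reader to drop the _broker ending, while the <backend> bullet points at f=x2gobroker/web, which the previous revision described as the directory holding the WebUI frontends (with extras.py listed there as a non-frontend file). The example URL ends in /plain/zeroconf, and "plain" is listed above as a WebUI frontend, so the <frontend> bullet should link to x2gobroker/web and the <backend> bullet to x2gobroker/brokers, with the exclusion lists (extras.py versus base_broker.py) moved along with them.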
  
doc/installation/x2gobroker.1368392723.txt.gz · Last modified: 2013/05/12 21:05 by sunweaver