User Tools

Site Tools


doc:howto:ssh-agent-workaround

Workaround to use SSH Agent Forwarding in an X2Go Session

X2GoClient uses libssh and thus is unable to forward SSH Agent credentials by default.

However, there is a workaround:

Put this at the end of /etc/bash.bashrc on your X2Go Server:

# --- BEGIN X2Go SSH forwarding workaround ---


# Part that runs in regular SSH session

# check we have an agent socket and
# check we have an ~/.x2go directory
if [ -n "$SSH_AUTH_SOCK" ] && \
   [ -d ~/.x2go ] ; then
        # touch the output file and set permissions
        # (as tight as possible)
        touch ~/.x2go/agentsocket
        chmod 600 ~/.x2go/agentsocket
        chown $USER ~/.x2go/agentsocket
        # write file name of agent socket into file
        echo $SSH_AUTH_SOCK >~/.x2go/agentsocket
fi

# Part that runs in X2Go session

# check we're on an X2GoServer (x2golistsessions is in path),
# check we have a DISPLAY set, and
# check our client DISPLAY and SSH client IP correspond to
# a running X2Go session and
# check ~/.x2go/agentsocket is a regular file
if which x2golistsessions >/dev/null && \
   [ -n "$DISPLAY" ] && \
   [ -n "$(x2golistsessions | \
        awk -F '|' '":"$3 == "'$DISPLAY'" && \
                    $5 == "R" && \
                    $8 == "'$(echo $SSH_CLIENT | \
                    awk '{print $1}')'" { print $3 }')" ] && \
   [ -f ~/.x2go/agentsocket ] ; then
        # all checks passed, read content of file
        # (might still contain stale agent socket or garbage
        MIGHTBEOURAGENT=$(cat ~/.x2go/agentsocket)
        # check if it corresponds to an existing socket
        if [ -S "$MIGHTBEOURAGENT" ]; then
                # export path to agent socket
                export SSH_AUTH_SOCK=$MIGHTBEOURAGENT
        fi
fi


# ---- END X2Go SSH forwarding workaround ----

Now, start a regular SSH session with Agent Forwarding enabled first, and leave that session running in the background. After that, start X2GoClient and connect to your session. You should now be able to use the Agent Forwarding created with your regular SSH session from inside your X2Go session.

Inherent problems:

  1. Once you close the SSH session, you will be unable to use the SSH Agent Forwarding for new connections within the X2Go session (existing connections will not be terminated, however).
  2. If you create a new SSH session to the same server after starting the X2Go session, it will overwrite the setting. Again, existing connections will not be affected, but new connections will use the SSH Agent Forwarding set by the latest SSH connection you made, and once you close the latest SSH session, connections will fail.
  3. If you share /home (e.g. via NFS) across different X2Go Servers, this workaround will not work reliably.

There's hope that future versions of X2Go will support SSH Agent Forwarding natively, as a patch to add SSH Agent Forwarding has been submitted to the libssh maintainers in March 2016 - but we will have to wait until that patch makes it into all the major distributions.

doc/howto/ssh-agent-workaround.txt · Last modified: 2018/07/03 13:24 by stefanbaur