x2gobroker.authservice module

class x2gobroker.authservice.AuthClient(sock, logger=None)[source]

Bases: asyncore.dispatcher_with_send

Handle incoming PAM credential verification request and send a response back through the socket.

Parameters

  • sock (<obj>) – open socket connection

  • logger (obj) – logger instance to report log messages to

handle_close()[source]

Close the connected :class:AuthClient connection.

handle_read()[source]

Handle the incoming request after AuthService.accept() and respond accordingly.

The requests are expected line by line, the fields are split by “r”:

<user>\r<password>\r<pam-service>\n

The reponse is sent back over the open socket connection. Possibly answers are either:

ok\n

or…

failn

class x2gobroker.authservice.AuthService(socketfile, owner='root', group_owner='root', permissions='0o660', logger=None)[source]

Bases: asyncore.dispatcher_with_send

Provide an asyncore based authentication socket handler where client can send credential checking requests to.

Access to the sockt is limited by file permissions to given owner and group.

Parameters

  • socketfile (str) – file name path of the to be created Unix domain socket file. The directory in the give path must exist.

  • owner (str) – chown the socket file to this owner

  • group (str) – chgrp the socket file to this group

  • permissions (str) – octal representation of the file permissions (handed over as string)

  • logger (<obj>) – logger instance to report log messages to

handle_accept()[source]

Handle accepted connection requests.

x2gobroker.authservice.authenticate(username, password, service='x2gobroker')[source]

Attempt PAM authentication proxied through X2Go Broker’s Auth Service.

The X2Go Broker Auth Service runs with root privileges. For PAM authentication mechanisms like the pam_unix.so PAM module, the login process requires root privileges (as, staying with the example of pam_unix.so, the /etc/shadow file, where those passwords are stored, is only accessible by the root superuser).

As the X2Go Session Broker runs with reduced system privileges, it has to delegate the actual PAM authentication process to the X2Go Broker Auth Service.

For this, X2Go Session Broker needs to connect to the Auth Service’s authentication socket (see the X2GOBROKER_AUTHSERVICE_SOCKET variable in x2gobroker.defaults) and send the string <username>\r<password>\r<service>\n to the socket (where service is the name of the PAM service file to use.

Parameters

  • username (str) – username to use during authentication

  • password (str) – password to use during authentication

Returns

Authentication success or failure

Return type

bool