NAME

x2gobroker{,-daemon,-ssh} - Session Broker for X2Go

SYNOPSIS

x2gobroker
[ options ]

x2gobroker-daemon
[ options ]

x2gobroker-ssh
[ options ]

DESCRIPTION

x2gobroker (resp. x2gobroker-daemon) is a Python Tornado based implementation of the X2Go Session Broker API. x2gobroker-ssh is the same application but designed for usage via SSH (as a command line tool).

The HTTP(S) implementation of x2gobroker is normally executed either through the host's init system or via the WSGI module in your httpd server. The SSH implementation is executed by X2Go clients through SSH.

See the included README and TODO for further information on x2gobroker.

GENERAL OPTIONS

x2gobroker{,-daemon,-ssh} accepts the following common options:

-M, --mode {HTTP|SSH}: Set X2Go Session Broker into HTTP or SSH mode. If this option is omitted, then SSH is the default mode. If x2gobroker-daemon is used as executable name, then the default mode is HTTP(S).
-C, --config FILENAME: Specify an alternative configuration file name, default is: /etc/x2go/x2gobroker.conf.
-d, --debug: Enable debugging code. This also makes http's POST method available as GET method, which then allows it to test the broker API through a normal web browser.
-h, --help: Display a help with all available command line options and exit.

SSH MODE COMMAND LINE OPTIONS

x2gobroker-ssh, i.e., when run from the command line or via SSH, accepts/requires these additional options:

--task {listsessions, selectsession, setpass, testcon}: Specify the either of the known broker tasks (listsessions, selectsession, setpass, testcon). This parameter is compulsory, the command execution will fail if it is omitted.
--user USERNAME: If x2gobroker is run by the `magic' user (the x2gobroker account by default), then the x2gobroker is allowed to change its user context and do queries on behalf of the user specified with this parameter.
--auth-cookie, --auth-id AUTHENTICATION_COOKIE: It is possible to enforce a stronger authentication via an additional pre-shared authentication cookie. This authentication cookie must be stored in a client-side file so that X2Go Client can access it and then pass it on to the X2Go Session Broker (via the X2Go Client option --auth-id=<fullpath-to-file>) while authenticating against the broker.
The server-side cookie hash can be set in /etc/x2go/x2gobroker.conf (option: my-cookie). You have to set the option require-cookie-auth to true to enable the additional cookie comparison in the X2Go Session Broker.
--profile-id, --sid SESSION_PROFILE_ID: For the selectsession task the session profile ID has to be given as an additional parameter.
--backend BACKEND_NAME: Query another than the default broker backend.

HTTP(S) DAEMON OPTIONS

x2gobroker-daemon in standalone HTTP(S) daemon mode accepts these additional options:

-b, --bind ADDRESS:PORT: The [address:]port that the Tornado http-engine will bind to (default: 127.0.0.1:8080).
-D, --daemonize: Fork this application to background and detach from the running terminal.
-P, --pidfile: Custom PID file location when daemonizing (default: <RUNDIR>/x2gobroker/x2gobroker-daemon.pid).
-L, --logdir: Directory where stdout/stderr will be redirected after having daemonized (default: /var/log/x2gobroker/).
-D, --drop-privileges: If started as root, drop privileges to uid X2GO_DAEMON_USER and gid X2GO_DAEMON_GROUP (as configured in /etc/x2go/broker/defaults.conf on systemd systems or /etc/defaults/python-x2gobroker on SystemV systems).

SECURITY NOTICE / DISCLAIMER

Users are advised to not misinterpret X2Go Session Broker's capabilities as a security feature. Even when using X2Go Session Broker, it is still possible for users to locally configure an X2Go Client with any settings they want, and use that to connect. So if you're trying to keep users from running a certain application on the host, using X2Go Session Broker to "lock" the configuration is the *wrong* way. The users will still be able to run that application by creating their own, local configuration file and using that.

To keep users from running an application on the server, you have to use filesystem permissions on the X2Go Server. In the simplest case, this means setting chmod 750 or 550 on the particular application on the host, and making sure the users in question are not the owner and also not a member of the group specified for the application.

FILES

/etc/x2go/x2gobroker.conf, /etc/x2go/broker/* (configuration files)

/etc/default/python-x2gobroker, /etc/default/x2gobroker-daemon (environment for X2Go Session Broker when run as a standalone daemon via SystemV or upstart)

/var/log/x2gobroker/* (log files of X2Go Session Broker)

AUTHOR

This manual has been written for the X2Go project by Mike Gabriel <mike.gabriel@das-netzwerkteam.de>.

Apr 2020

Version 0.0.4.x