The X2Go Session Broker falls into three components.
X2Go Session Broker can either be installed as a standalone Daemon, or it can be integrated into Apache2 (or other httpd) using 'mod_wsgi
'.
Package name: 'x2gobroker-daemon
'
On Debian based systems:
$ sudo apt-get install x2gobroker-daemon
The standalone daemon setup works out of the box, but can only bind to IP ports greater than 1024. However, for security, the X2Go Session Broker standalone daemon only binds to the IPv4 localhost device.
Check /etc/defaults/x2gobroker-daemon
for modifying the daemon's bind address.
Package name: 'x2gobroker-wsgi
'
On Debian based systems:
$ sudo apt-get install x2gobroker-wsgi
For production deployments, the WSGI based setup is probably preferrable. With Apache2+WSGI you can provide VirtualHost setups with many different broker configurations on the same machine. You can also use the Apache2-way of setting up SSL support.
With the Apache2+WSGI setup you can integrate the X2Go Session Broker functionality into a complex X2Go Broker site (e.g. with a session configuration WebUI).
In the source code of X2Go Session Broker we provide two example configurations for Apache2+X2GoBroker:
Package name: 'x2gobroker-authservice
'
On Debian based systems:
$ sudo apt-get install x2gobroker-authservice
The X2Go Session Broker Authentication Service normally gets installed on the machine that also has x2gobroker-daemon
or x2gobroker-wsgi
installed. The broker code itself runs as system user x2gobroker
whereas the authentication service has to run as root. By security design, the functionality of the broker that requires root privileges has been separated from the rest of the broker.
The X2Go Session Broker Authentication Service requires root privileges for a few PAM based authentication backends. The default installation authenticates against PAM, on default Linux systems, PAM authentication (pam_unix.so
) requires root privileges by the authentication process.
With other PAM setups (e.g. pam_ldap.so
) root privileges are not required and it is ok to not install x2gobroker-authservice
.
Furthermore, X2Go Session Broker can be extended by other (non-PAM) authentication methods. The currently available authentication mechanisms in X2Go Session Broker are listed here.
Package name: 'x2gobroker-agent
'
On Debian based systems:
$ sudo apt-get install x2gobroker-agent
Installing X2Go Session Broker Agent is optional. The broker agent has to be installed on machines that are in the roll of an X2Go Server (i.e. in the role of a terminal server running X2Go).
The X2GO Session Broker Agent is a requirement for load balancing setups and is also needed if X2Go Client shall be aware of already running X2Go Sessions. X2Go Client in non-broker mode resumes a suspended session (if exactly there is one) automatically. Other than that, X2Go Client in broker mode waits for resuming instructions from the session broker. The session broker, however, requires feedback from the broker agent to notice that there is a suspended/running session for a certain user.
Thus, the broker agent is like a man-in-the-middle. It sits between X2Go Session Broker and the X2Go Server(s) that the session broker provides. Through the X2Go Session Broker Agent the broker core can obtain information on provided X2Go Servers for all users on that server host.
The currently available functions of the broker agent are:
Note: The X2Go Session Broker Agent gets installed setuid root (group: x2gobroker system group, permissions: 0750). System administrators should be aware of this. If someone hacks the x2gobroker user account on one of your X2Go Servers, this hacker can then execute certain X2Go related commands with root privileges on the X2Go Server system.
The design of X2Go Session Broker as provided in X2Go Git is highly modular. The X2Go Session Broker Daemon can be easily extended with broker backends and WebUI frontends.
The backends deal with the storage of, the rendering of and possibly the user/group/client based filtering of session profiles which then get provided via X2Go Session Broker to the querying X2Go client application.
The WebUI frontends deal with delivering the list of session profiles (available for this user/group/client address) to the X2Go client application (X2Go Client: text/plain WebUI, Unity Greeter: UCCS WebUI).
Other broker backends (written in Python) can be added easily if needed. Contact the X2Go developers for further information on custom broker backend development.
'plain
' WebUI frontend: usable with X2Go Client'uccs
' WebUI frontend: usable with Unity Greeter (experimental)For a basic configuration with the INI file backend and the standalone daemon (recommended for beginners) you only need to touch. Click on the config file names below to retrieve more info on how to modify/tweak those individual files.
The X2Go Session Broker uses several more configuration files. Below is a complete list (for version 0.0.2.x, if not applicable to later versions anymore, please update the below lists). The files are linked to their initial layout (in X2Go Git) to show what they look like directly after installation of the session broker packages.
X2Go Session Broker's Core: /etc/default/python-x2gobroker (enviroment variables, used to set defaults in Python X2Go Session Broker with impact on the daemon and the authentication service), /etc/x2go/x2gobroker.conf (main configuration file), /etc/x2go/broker/x2gobroker-sessionprofiles.conf (configuration file for the INI file backend), /etc/pam.d/x2gobroker (PAM configuration for X2Go Session Broker Authservice), /etc/x2go/broker/x2gobroker-loggers.conf (don't touch!)
X2Go Session Broker Daemon: /etc/default/x2gobroker-daemon (enviroment variables, used to set defaults in Python X2Go Session Broker with impact on the daemon only), /etc/logrotate.d/x2gobroker-daemon (rotate broker logfiles)
X2Go Session Broker WSGI: /etc/x2go/x2gobroker-wsgi.apache.conf (global implementation, enabled by default) /etc/x2go/x2gobroker-wsgi.apache.vhost (VirtualHost example for the WSGI implementation of X2Go Session Broker) /etc/logrotate.d/x2gobroker-wsgi (rotate WSGI logfile)
The authentication service normally does not need any configuration, unless you strongly deviated from the default setup.
X2Go Session Broker Authentication Service: /etc/default/x2gobroker-authservice (enviroment variables, used to set defaults in Python X2Go Session Broker with impact on the authentication service only), /etc/x2go/broker/x2gobroker-authservice-logger.conf (don't touch) /etc/logrotate.d/x2gobroker-authservice (rotate the authentication service's logfile)
If you want to check the broker funtionality with your web browser, please make sure you have enabled the debug mode of the broker. Make sure that before launching the 'x2gobroker
' executable the environment variable X2GOBROKER_DEBUG
is set to 1.
On Debian based systems, this can be done in /etc/defaults/x2gobroker-daemon
or the Apache2-WSGI configuration of X2Go Session Broker in /etc/x2go/x2gobroker-wsgi.apache.*
. Make sure to restart the corresponding service (x2gobroker-daemon resp. apache2) after you have changed either of those config files:
For x2gobroker-daemon
…
$ invoke-rc.d x2gobroker-daemon restart
For Apache2/WSGI/X2Go Session Broker setup…
$ invoke-rc.d apache2 restart
The different backends and frontends can be accessed with this URL pattern:
http(s)://<broker-base-url>/<frontend>/<backend>
Where…
<broker-base-url>
is <hostname>:<port>/<broker-base-path><frontend>
can be either of the available broker WebUI frontends (drop the _broker
ending, the files __init__.py
and base_broker.py
are not frontends)<backend>
can be either of the available broker backends (except the files __init__.py
and extras.py
)
Example: http://localhost:8080/plain/zeroconf