x2gobroker.authmechs.pam_authmech module

class x2gobroker.authmechs.pam_authmech.X2GoBrokerAuthMech

Bases: object

X2Go Session Broker’s PAM authentication mechanism:

This is the most commonly used and most flexible authentication mechanism in X2Go Session Broker. You can run the full scope of PAM authentication mechanisms (POSIX, LDAP, Kerberos, etc.) over it.

NOTE: You can fine-tune PAM’s authentication backends in the corresponding PAM service file /etc/pam.d/x2gobroker.

WARNING: The PAM authentication mechanism requires an extra X2Go Session Broker tool: the X2Go Session Broker’s Authentication Service. Reason: Some PAM authentication modules (e.g. pam_unix.so) require root privileges during the authentication process. The X2Go Session Broker’s Auth Service runs with these root privileges and provides a communication socket over which the X2Go Session Broker proxies authentication requests. See x2gobroker.authservice.authenticate().

If you don’t need root privileges for PAM authentication (e.g. LDAP), simply don’t run the X2Go Broker Auth Service; authentication against PAM is then done directly by the session broker as system user x2gobroker.

authenticate(username, password, **kwargs)

The PAM authentication mechanism’s authenticate() tries to proxy authentication through X2Go Session Broker’s Auth Service first and, if that fails, attempts another authentication against PAM directly (which fails for some PAM modules).

It returns True to the user if authentication against PAM has been successful.

Parameters:
  • username (str) – The broker username sent by the client
  • password (str) – The broker password sent by the client
  • kwargs (dict) – Any other parameter (for future features’ compatibility, all ignored for now)
Returns: Authentication success or failure.

Return type: bool
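
The fallback order described for authenticate() above, modelled as an added example (not code from x2gobroker). The function signature with injected callables, the stub backends and the sample accounts are all hypothetical, and "if that fails" is assumed to mean that the auth service socket cannot be reached.

```python
# Added illustration, not x2gobroker code. Every name below is hypothetical.

def authenticate(username, password, via_service, via_pam):
    """Ask the privileged auth service first; fall back to direct PAM only
    when the service is unreachable (assumed meaning of "if that fails")."""
    if not username or not password:
        return False
    try:
        return bool(via_service(username, password))
    except OSError:
        # Socket missing or connection refused: authenticate in-process,
        # with the privileges of the broker's own system user.
        return bool(via_pam(username, password))

# Constructed sample accounts: one local account, one directory (LDAP) account.
LOCAL = {"alice": "local-pw"}
DIRECTORY = {"bob": "ldap-pw"}

def service_up(username, password):
    # Stand-in for the root-privileged service: every backend is usable.
    return password in (LOCAL.get(username), DIRECTORY.get(username))

def service_down(username, password):
    raise ConnectionRefusedError("auth service socket not available")

def direct_pam_unprivileged(username, password):
    # Models the page's warning: a pam_unix.so-style backend needs root, so
    # local accounts fail here even with the correct password.
    return DIRECTORY.get(username) == password

def run_scenarios():
    pam = direct_pam_unprivileged
    return {
        "service up, local user": authenticate("alice", "local-pw", service_up, pam),
        "service down, local user": authenticate("alice", "local-pw", service_down, pam),
        "service down, LDAP user": authenticate("bob", "ldap-pw", service_down, pam),
        "service up, wrong password": authenticate("bob", "wrong", service_up, pam),
    }

if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

The second scenario is the operational symptom to watch for: valid local credentials are rejected because the auth service is not running.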