Server-based computing with the free X2Go terminal server

Staying Thin


The open source X2Go project is rapidly approaching version 3, which adds features such as new clients and seamless windows.

By Heinz-M. Graesing, Markus Feilner

Sandra Cunninghama, Fotolia

X2Go [1] is a free, fast, and flexible terminal server for any client that supports modern authentication technologies, such as card readers, USB tokens, centralized user management via LDAP, and authentication tools integrated in the KDE system management system.

The X2Go project was inspired by the Sun Ray product line [2], which has impressed thin client fans since 2006. The second Sun Ray release included lean devices that let users log on using a smartcard to work on a centralized terminal server [3] [4].

In addition to the multimedia extras and security features integrated into the Sun Ray products, a session management system, dubbed "Hot Desktop Mobility" or "Hot Desking" by Sun, was probably the sexiest feature.

When user A removes his chip card from the internal card reader, the software automatically interrupts the session, freeing up the thin client for the next user. If A then inserts his smartcard into the reader on any other machine, the server immediately offers him the interrupted session.

Of course, Linux users were very much interested in a similar all-round system that, in contrast to Sun Ray, did not rely on special hardware, and it was just a question of time until the open source community delivered the goods.

Oleksandr Shneyder and Heinz Gräsing, system administrators with the City of Treuchtlingen, Germany, spent much of their leisure time developing a free terminal server that supported laptops and arbitrary clients, in contrast to Sun's model. Thanks to an intelligent combination of GPL'd software and their own developments, the team came up with a convincing answer: X2Go.

Integrated Tools

The developers integrated tools such as PXE boot and Debootstrap [5], NoMachine's free NX libraries [6][7], and tools like FUSE [8] and SSHFS [9] with desktop utilities and extensions for Gnome and KDE. PAM libraries add smartcard support and USB stick-based authentication to X2Go (Figure 1).

Figure 1: X2Go users can log on with a smartcard, USB stick, or password. The developers created cards with matching images from the KDE user manager for the demo version.

Thanks to the NX server's ability to suspend and resume sessions, version 2 was the first to support Sun Ray-style sign-on.

World Traveler

X2Go is now deployed on the clients and servers developed for Linux4Afrika [10] in Tanzania and Mozambique and Linux4Paraguay in Paraguay, as well as in many German schools (see the "Linux4Afrika and X2Go" box).

Linux4Afrika and X2Go

In Spring 2008, the Linux4Afrika [10] project, by the Freiburg, Germany-based NGO FreiOSS.net, moved from Edubuntu to X2Go. Hans-Peter Merkel, one of the project's leaders, explains the move:

"The new X2Go version of the Linux4-Afrika sample server has put the association in a position to support networks larger than the typical classroom solution. LDAP integration is a very good solution for extending our project from schools to universities. Additional authentication tasks occur here in daily operations. Physical Linux clients can now log on to the Linux4Afrika LDAP server; packages from the standard repository allow for this with just a few configuration changes. Of course, deployment in this kind of environment necessitates operations in a heterogeneous operating system landscape. For this reason, the developers are currently working hard on integrating Windows clients.

"With most of our users preferring the Gnome desktop, Heinz Gräsing's team responded quickly to requests and implemented modifications for local device support in Gnome.

"The latest offshoot of the Linux4Afrika project in South America, Linux4Paraguay, will be the first to benefit from X2Go technology. At the end of 2008, Mozambique and Ethiopia will be the first to receive the new sample solution."

Brand New: Version 3

Version 3 will probably be available for production use by the time this issue hits the newsstands. The project is Debian oriented, so the X2Go developers are waiting for the stable version of Lenny before they go stable.

Four new features on the list outshine the numerous bug fixes and detail improvements: Besides Windows, Mac OS X, and Linux, they now have a mobile client for the open source Maemo [11] platform for Nokia phones and the long-anticipated Gtk client, including Gnome integration. The fourth addition is the ability for users to run individual applications without a desktop (Figure 2), just as on Citrix.

Figure 2: When logging on with the X2Go client, the user can select whether to launch a Linux desktop, such as KDE or Gnome, or just launch applications embedded in the local environment.

Although the Qt client supports all the new functions, the developers are still smoothing off some rough edges. For example, the newly implemented USB authentication is not quite finished. If you need this, you might want to wait until the developers have completed security features like timestamps, client IDs, and changing tokens before you update.

The next item on the to-do list is a web service for individual X2Go modules that will allow users to access files, sound, applications, or the complete desktop of a Linux machine over the Internet.

As the X2Go developers revealed at Ubuconf, they envisage a kind of private cloud computing dubbed Pccloud some time in the future; the cloud would use profile data to synchronize the session with the individual environment, including applications and data from online storage.

An X2Go USB stick is also planned as a portable Windows application.

X2Go seeks to create an open - but complete - terminal server environment, which explains the many software additions to the distribution. Additions include mechanisms for distributing the client filesystem via PXE boot, a login manager, administrative plugins for the KDE control center, and tools. NX compression methods allow for sessions over low-bandwidth links.

Completely Open Source

X2Go is not compatible with LTSP or NX, but goes its own way. The project wants to avoid the need to integrate applications for file or media shares in the server and client; thus, it relies on solutions such as FUSE and SSHFS, which are both maintained by other parties. All the components are open source, and the full source code is available for download from the project's homepage.

The three X2Go clients differ only slightly with respect to functionality, although they rely on different libraries. The Qt 4 client in Figure 3 runs on Linux, Windows, Mac OS X, and Maemo, and - just like its new Gtk counterpart (Figure 4) - either as a full-screen display manager in the style of XDM or as a standalone application. In both cases, administrators either can allow individual configurations or tell X2Go to use a central LDAP server.

Figure 3: X2Go recently released a terminal client for the Maemo platform used by the Nokia N770/800 and N810 smartphones.

Figure 4: The recently released Gtk client looks very similar to the Qt version but will run on Gnome.

All graphical clients follow the same usability concept (see Figures 2-4). The widget set used here was dubbed Cardview and uses a business card-style approach.

Sessions, users, and configurations are configurable via drop-down lists and pop-ups in this view, without the need to switch to an admin tool. However, if an LDAP server is used to manage user and configuration data, a client-side configuration is not needed; the tool simply shows a list of users allowed to log on from the current system.

Windows and CLI

The X2Go client can be configured via a simple desktop program that is reminiscent of a physical terminal server client. Again, access to a central LDAP directory is possible, and on top of this, users can access other servers and resize and hide the window during use. The third option is a flexible command-line client, x2goclient-cli, which is best suited for launching from other programs.

In contrast, the new Gtk client is designed for Gnome and Linux users who want to avoid Qt-based programs and KDE. It was implemented natively and has no Qt dependencies at all. Officially, this client was still under development when this issue went to press, although no bugs are currently known.

SSHFS, NX, and Local Media

Client programs are not restricted to connecting to the graphical display on the X2Go server but can also connect the local filesystem with the server and redirect the server's sound output to the client machine.

The SSH port 22 and the X2Go tunnel are all it takes to access the server. But in contrast to NoMachine, the project uses SSHFS for file transfers, relying on the packages maintained by the distribution for this.

X2Go uses Udev to support local mass storage devices, such as CD-ROMs, and automatically connects them to the server. For computers that do not have a hardware key to eject media, the desktop displays an icon that forwards the commands to the client; this feature is important for Mac clients.

While a session is running, users can share additional directories (Figure 5). X2Go automatically adds them to the desktop like statically configured filesystem shares and adds entries for unmounting to the drop-down menu.

Figure 5: If the user is not a member of the X2Go group, the client will issue a message concerning the (incorrect) configuration of the sudo system.

Besides simple username and password-based logins, X2Go also supports Sun-style flexible sessions to go, including smartcard or USB stick-based authentication. However, an encrypted filesystem on the USB stick is mandatory; otherwise, anyone who gains access to a lost stick could simply read the ID number.

Admins in professional environments will probably want to opt for the security of a smartcard instead, the advantage being that the smartcard calculates the ID rather than storing it.
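The contrast drawn above between an ID stored on a stick and one calculated by a smartcard, together with the timestamps, client IDs, and changing tokens mentioned earlier as planned for USB authentication, can be sketched as follows. This is an added example, not X2Go code: the names Card, Server, verify_static, and MAX_SKEW are hypothetical, and an HMAC over a shared key stands in for the card's on-chip computation (an OpenPGP card would sign with a private key instead).

```python
import hashlib
import hmac
import secrets

MAX_SKEW = 30  # seconds a response stays valid (assumed value)


def verify_static(presented: str, enrolled: str) -> bool:
    # Stick-style login: the ID is a file, so any copy of it logs in forever.
    return hmac.compare_digest(presented, enrolled)


def _mac(key: bytes, challenge: bytes, client_id: str, stamp: int) -> bytes:
    # Fixed-length challenge and timestamp frame the variable-length client ID.
    msg = challenge + client_id.encode() + stamp.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()


class Card:
    """Stand-in for a smartcard: the key stays inside, only responses leave."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes, client_id: str, stamp: int) -> bytes:
        return _mac(self._key, challenge, client_id, stamp)


class Server:
    def __init__(self, key: bytes):
        self._key = key
        self._open = set()  # challenges issued but not yet answered

    def challenge(self) -> bytes:
        c = secrets.token_bytes(16)
        self._open.add(c)
        return c

    def verify(self, challenge, client_id, stamp, response, now) -> bool:
        if challenge not in self._open:
            return False  # unknown or already used: a replay
        self._open.discard(challenge)  # changing token: valid exactly once
        if abs(now - stamp) > MAX_SKEW:
            return False  # stale timestamp
        expected = _mac(self._key, challenge, client_id, stamp)
        return hmac.compare_digest(response, expected)
```

A response captured on the wire fails on a second attempt, from a different client ID, or after MAX_SKEW seconds, whereas the static ID passes verify_static every time it is presented.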

Cherry keyboards with integrated card readers are a good choice of hardware, as are attractively priced devices by Towitoko, or any other Class 1 card reader (or better) that supports OpenPGP card [12].

X2Go Server

A range of variants of the X2Go server component are available; the basic version takes less than 10 minutes to install and is perfectly okay for test purposes and for most private desktops. It includes secure remote access, shares, and sound output and does not rely on an LDAP installation [13][14].

Admins prepared to invest more time in installing X2Go will be rewarded with multiserver capabilities and central management for settings, users, and groups via LDAP using Luma [15], for example.

If you need to support thin clients that use PXE to boot individual images, there is no alternative to setting up a directory service. X2Go does not require individual schemas but will integrate with existing configurations. Centralized management of active sessions is supported by a PostgreSQL database; a central instance is sufficient for multiple X2Go servers on a network.

Sudo helps admins specify which user groups are permitted to log on to the X2Go service. Because the visudo-based configuration is difficult for newcomers during the installation phase, the new client version now checks whether the user is a member of the required group and, if not, displays a matching error message (Figure 5).

Admin Tools

Besides the server and client, X2Go offers graphical administrative tools, which integrate with the KDE control center. Modules for daily use are available for user, group, and device management, along with session control and configuration modules for X2Go itself.

Directly linked to this is a separate, rich text-capable pushmail system (x2gomail), a front end for Samba administration, and a front end to manage desktop sharing. Simultaneous use of a single session allows multiple users to work collaboratively with a single application. Administrators will also appreciate the ability to monitor user activities in support cases (Figure 6).

Figure 6: Numerous X2Go tools dock onto the control center. Administrators can use the System Administration | X2Go Session Management tool to manage active sessions.

As an added goody, the KDE control center modules also can be used to manage an LDAP server. Because the user and group management features support convenient live searches and have auto-complete functionality, the tools are useful for larger numbers of users. Administrators can search for sessions on all X2Go servers with a clear-cut tree view showing individual server assignments.

System Requirements and Issues

The current X2Go system requirements include a display of 640x800 or more and a client machine with an 800MHz CPU.

This said, the Qt engine's SVG renderer will take 5 seconds to display the login manager under these circumstances. X2Go is developed exclusively on Debian, which is why you will need a Debian system to install X2Go with all its features, although packages for Mandriva, Arch, and Alt Linux also exist.

The developers still refer to X2Go as a leisure-time project, even though it has an impressive feature scope and references. Resources are limited; the team focuses on programming, which explains the fairly sparse information on the website. Fortunately, members of the Linux4Afrika project have started publishing installation HOWTOs and problem-solving guides online.

Currently, the Windows client installation routine in X2Go version 3 will not run on Vista; some manual file copying is required. The Mac variant has a problem with the version of X11 included with OS X, and USB authentication is not finished. Add to this the known issues with the NX libraries on FreeNX and OpenNX and their X.org code components, which prevent integration with the Debian repositories.

Light at the End of the Tunnel

Admins have more interesting add-ons, such as x2gospyglass, which is useful for teachers; it displays thumbnails of student desktops, organized by classroom, Posix group, or individually.

X2Go is one of the most substantial remote access open source software projects available. It impresses with its selection of clients, extremely flexible administration, comprehensive selection of tools, and state-of-the-art authentication methods.

X2Go has also convinced other projects and many schools; the report in the "Linux4Afrika and X2Go" box explains why the development aid project switched from Edubuntu to X2Go. Also, X2Go is interesting for anyone wanting to give multiple users access to a single system, if bandwidth is insufficient for VNC, or if you need file shares and audio forwarding on top.

R-zwo-R in Rohrdorf, Germany [16], offers service-level agreements for anyone interested in running X2Go in an enterprise environment: A major part of the revenue generated from support goes directly to X2Go. The developers deliberately avoided a dual license.

For comparison's sake, Sun charges EUR 90 per user and more than EUR 200 for each hardware-based Sun Ray client.

An ISO image of the Live CD is now available [17].

INFO
[1] X2Go: http://x2go.berlios.de/index-en.html
[2] Sun virtual desktop infrastructure: http://www.sun.com/software/vdi/index.jsp
[3] "Das Sun-Ray-Konzept" by Jens-Christoph Brendel, Linux Technical Review 06: Server Based Computing, pg. 62 (German)
[4] Sun Ray server 4: http://www.sun.com/software/sunray/index.jsp
[5] Debootstrap: http://www.debian-administration.org/articles/426
[6] NoMachine: http://www.nomachine.com
[7] FreeNX: http://freenx.berlios.de
[8] FUSE: http://fuse.sourceforge.net
[9] SSHFS: http://fuse.sourceforge.net/sshfs.html
[10] Linux4Afrika: http://www.linux4afrika.de/vision.html
[11] Maemo: http://maemo.org
[12] OpenPGP Card: http://www.g10code.com/p-card.html
[13] Installation guide by Linux4Afrika: http://www.linux4afrika.de/x2go
[14] "Terminaldienste mit X2Go" by Heinz-M. Graesing, Linux Technical Review 06: Server Based Computing, pg. 20 (German)
[15] Luma: http://luma.sourceforge.net
[16] R-zwo-R: http://www.rzwor.de (German)
[17] Live CD: http://developer.berlios.de/project/showfiles.php?group_id=8454