freenx-team team mailing list archive

Thread
Date

[Bug 252013] Re: policykit cannot obtain actions over ssh (or anything that uses ssh)

To: freenx-team@xxxxxxxxxxxxxxxxxxx
From: "eye.zak" <eye.zak@xxxxxxxxx>
Date: Sat, 26 Jul 2008 00:14:23 -0000
Reply-to: Bug 252013 <252013@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

*** This bug is a duplicate of bug 221363 ***
    https://bugs.launchpad.net/bugs/221363

** This bug has been marked a duplicate of bug 221363
   Policy Kit Unlock Buttons Greyed Out when using NX

-- 
policykit cannot obtain actions over ssh (or anything that uses ssh)
https://bugs.launchpad.net/bugs/252013
You received this bug notification because you are a member of FreeNX
Team, which is the registrant for FreeNX Server (via bug 221363).

Status in “policykit” source package in Ubuntu: New

Bug description:
Binary package hint: policykit

Problem:
Unable to authenticate through policykit when logged in through ssh or nx (uses ssh).  This happens on both localhost and remote machines.  Thus, unable to use "unlock" in administration gui apps.

System:
Ubuntu Hardy Heron x86 and amd64, updated as of July25th using updates and security sources.

Steps to Reproduce:
In a terminal, ssh to your local computer and run:
    polkit-auth --show-obtainable
This produces no results.
Compare to the output generated when run in a normal terminal (even unprivileged users are OK).  Example excerpt:
  org.freedesktop.systemtoolsbackends.set
  org.freedesktop.systemtoolsbackends.self.set
  org.gnome.clockapplet.mechanism.settimezone
  org.gnome.clockapplet.mechanism.settime
  org.gnome.clockapplet.mechanism.configurehwclock
  org.freedesktop.hal.power-management.shutdown-multiple-sessions
  org.freedesktop.hal.power-management.reboot-multiple-sessions

Another method is to login using ssh -X and run something like users-admin and see that the unlock button is grayed.

Version Info:
I also tried this with the debian unstable policykit-0.8 and even the newer policykit-0.9 from source, with the same results.  

I don't know if this has something to do with ssh specifically or if it is all policykit.  But it is definitely the cause of the bug reporting issues with nx client/server package as it uses ssh.

Workaround or (bad) Solution ?
I was able to acquire desired actions through the authentications admin app and set implicit authentications for Anyone to the same authentication as the Active Console (ex: from 'No' to 'AdminAuthentication').  I believe this is because the ssh session is not recognized by policykit as an Active Console, or as a Console.  
I am not at all a security expert but I would think this might pose a security risk.

I would hope that my remote session would have the identical capabilities of my local session through policykit.  Changing each action that I am or could be authorized to take to include allowing the 'Anyone' group so as to achieve this is undesirable.