I deployed a Linux-based X2GO remote desktop server for vendor access that works in low bandwidth, allows vendors to upload files but not to download files, and also only allows 1-way clipboard transfer from client to server. Such remote desktop capability is needed because some management tools are graphical applications, e.g.

A regular VPN can provide the connectivity, but giving VPN access directly to the vendor server will allow them to download data easily. This situation violates data privacy regulations in many countries, which require companies to prevent leaks of customer data. Using a Microsoft Windows-based platform is not an option, as it will need a Microsoft RDS/VDA license for every user.

Regular remote X Window is also not acceptable due to its high bandwidth requirement. I tried several low-bandwidth Linux-based remote desktop platforms, e.g. XVNC, XRDP and non-free NoMachine, but X2GO is the best for my need.

X2GO works by compressing the remote X Window protocol to achieve low bandwidth usage. It also allows regular X Window's OpenGL graphics processing to be offloaded to the client side, so no GPU is needed on the server side.

In this example, I will use Oracle Linux 8 as the X2GO server. I choose Oracle Linux as it is downstream of stable Red Hat Enterprise Linux, its stable UEK kernel is newer than the regular RHEL kernel, and it needs no subscription for software updates.

1. Install Oracle Linux 8 with the UEK repository added. Adding the UEK repository will automatically install the UEK kernel.
2. Enable the Oracle and Red Hat EPEL and CodeReady repositories.
3. I chose XFCE as it is lighter than regular GNOME:
4. Install ntsysv to ease service control:

    dnf install ntsysv

1.1 Server-side Performance and Security Configuration

At this point, the X2GO server might work with the standard configuration. Some configuration is needed to increase performance and security.

Run ntsysv and check/enable rvice

Enable OpenGL offload and disable the incompatible XFWM4 compositor: edit /etc/profile and add these lines at the end of the file:

    /usr/bin/xfconf-query -c xfwm4 -p /general/use_compositing -s false
    /usr/bin/xfconf-query -c xfwm4 -p /general/box_move -s true
    /usr/bin/xfconf-query -c xfwm4 -p /general/box_resize -s true

Enable GLX and BIG REQUESTS: edit /etc/x2go/x2goagent.options and add these lines:

    X2GO_NXAGENT_DEFAULT_OPTIONS+=" +extension GLX"
    X2GO_NXAGENT_DEFAULT_OPTIONS+=" +extension BIG-REQUESTS"

1.1.3 Limit Clipboard Transfer to Client-to-Server Only

Edit /etc/x2go/x2goagent.options and add this line:

    X2GO_NXAGENT_DEFAULT_OPTIONS+=" -clipboard client"

1.1.4 Disable SSH Tunnel to Other Destinations

As X2GO uses X Window, we need to allow X11 forwarding. It also requires TCP forwarding, but we can prevent clients from using the X2GO server as an SSH TCP forwarding proxy to other servers.

Edit /etc/ssh/sshd_config and add/uncomment these lines:

    PermitOpen localhost:22

1.1.5 Upload/Write Only SFTP

Edit /etc/ssh/sshd_config and edit this line to block file read/download:

    Subsystem sftp /usr/libexec/openssh/sftp-server -P read,readlink

Use other blacklisted operations to change the mode to read-only, etc.

    /usr/libexec/openssh/sftp-server -Q requests | sort

Additionally, we also need to disable or limit the other file download channels below:

1.1.5.1 Disable SSHFS and SCP for Non Root

SSHFS is used by X2GO's built-in file sharing.

Disable SSHFS and SCP by making the executable inaccessible to non-root users:

    chmod 700 /usr/bin/scp

1.1.5.2 Limit SSH Console Speed

As X2GO needs SSH and a BASH shell, users will still be able to access the Linux shell and download files by SSH client logging. We can minimize this risk by lowering the SSH console speed to 9600 bps.

2. Set all consoles' speed to 9600 bps every minute by adding the task below to the crontab scheduler:

    * * * * * who | awk ''

1.1.6 User-based Network Access Control

Linux iptables supports user and group ID filtering, so the administrator can differentiate which destinations (e.g. servers) each user is allowed to access.

Add --uid-owner userid and/or --gid-owner groupid to the iptables firewall rules.

User Access

2.1 Client Software Installation

2.1.1 Windows

Log out, log back in, then enable OpenGL offload: