When attempting to connect to a CentOS 6.7 server via X2Go client (version 4.0.5.0) from Windows 7/10 machines, users encounter a specific authentication sequence:
- The client prompts for SSH key passphrase (even when using password-less keys)
- After 3 passphrase prompts, displays "Authentication failed"
- Falls back to username/password authentication (which also fails)
Several important facts emerge from troubleshooting:
1. SSH connections via PuTTY work flawlessly with RSA keys
2. Server-side SSHd config already has PasswordAuthentication no
3. AV software (AVG) flagged X2Go client as suspicious
4. Behavior persists across different Windows clients
First, verify your X2Go server installation on CentOS:
# Check installed packages
rpm -qa | grep x2go
# Verify running services
service x2goserver status
# Review SSHd config (critical settings)
grep -E "PubkeyAuthentication|PasswordAuthentication" /etc/ssh/sshd_config
On the Windows client, try these diagnostic approaches:
1. Run X2Go client with verbose logging:
x2goclient.exe --debug
2. Temporarily disable AV software during testing
3. Create fresh SSH keys specifically for X2Go:
ssh-keygen -t rsa -b 4096 -C "x2go-specific-key"
The triple passphrase prompt suggests X2Go is attempting multiple authentication methods. This typically indicates:
- Mismatch between client and server authentication expectations
- SSH agent forwarding issues
- Key file permission problems
Here's a working configuration that resolved similar issues:
# On server (CentOS 6.7)
# Edit /etc/ssh/sshd_config
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
# Restart services
service sshd restart
service x2goserver restart
For the Windows client:
1. Uninstall existing X2Go client completely
2. Download fresh copy from official repo
3. During installation:
   - Select "Custom" install
   - Enable "SSH Agent Integration"
   - Disable "Try other authentication methods"
If issues persist, consider these workarounds:
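# Create ~/.ssh/config on server with specific settings:
# (ForwardAgent under "Host *" exposes the agent to every host this account
# connects to; narrow the Host pattern where possible)
Host *
    ForwardAgent yes
    IdentitiesOnly yes
    IdentityFile ~/.ssh/x2go_key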
# Or force specific auth method in X2Go client:
<connection>
<authentication method="pubkey" />
</connection>
To confirm everything works:
1. From Windows command prompt:
where x2goclient.exe
2. Check event logs after connection attempt (run in PowerShell):
Get-EventLog -LogName Application -Source X2Go* -Newest 10
When attempting to establish an X2Go remote desktop connection from Windows 7/10 clients to a CentOS 6.7 server (OVH hosted), users encounter the following sequence:
- Initial passphrase prompt for key decryption
- Two additional passphrase prompts (when entered)
- Final "authentication fail" message
- Fallback to username/password authentication
Before diving into X2Go specifics, confirm basic SSH functionality:
# Test SSH connection with verbose output
ssh -vvv user@server.example.com -i ~/.ssh/private_key
# Expected successful output:
# Authenticated to server.example.com ([IP]:22) using "publickey"
On the CentOS 6.7 server, verify these critical components:
# Verify installed packages
rpm -qa | grep -E 'x2go|nx'
# Expected output should include:
# x2goserver-4.0.1.20-1.el6.x86_64
# x2goserver-xsession-4.0.1.20-1.el6.x86_64
The core issue appears to stem from key authentication handoff between X2Go client and SSH:
# Check SSH daemon configuration
grep -E 'PubkeyAuthentication|AuthorizedKeysFile' /etc/ssh/sshd_config
# Expected:
# PubkeyAuthentication yes
# AuthorizedKeysFile .ssh/authorized_keys
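The grep checks against /etc/ssh/sshd_config on this page also print commented-out and duplicate lines, which can hide the value sshd actually uses. The following is an added example, not part of the original page: a shell function that reports the effective global value of each keyword, run here on a constructed sample config (the `x2gouser` account and the sample lines are assumptions for illustration).

```shell
# Added example (not from the original page): effective sshd_config values.
# Rules modelled: keywords are case-insensitive, '#' and blank lines are
# ignored, the first occurrence of a keyword wins, and anything after a
# "Match" line is conditional, so it is reported separately.
# usage: effective_sshd_opts FILE|- KEYWORD...
effective_sshd_opts() (
    file=$1; shift
    awk -v want="$*" '
        BEGIN {
            n = split(tolower(want), keys, " ")
            for (i = 1; i <= n; i++) wanted[keys[i]] = 1
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comment or blank line
        {
            line = $0; sub(/^[ \t]+/, "", line)
            kw = tolower(line); sub(/[ \t=].*$/, "", kw)
            val = line; sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (kw == "match") { in_match = 1; cond = val; next }
            if (!(kw in wanted)) next
            if (in_match) {
                printf "%s=%s (only when Match %s)\n", kw, val, cond
            } else if (!(kw in seen)) {
                seen[kw] = 1; printf "%s=%s\n", kw, val
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(keys[i] in seen))
                    printf "%s=(unset, built-in default)\n", keys[i]
        }
    ' "$file"
)

# Constructed sample: a commented-out line and a duplicate that a plain grep
# would also print, plus a per-user Match override.
sample_config() {
    cat <<'EOF'
#PubkeyAuthentication no
pubkeyauthentication yes
PasswordAuthentication no
PasswordAuthentication yes
Match User x2gouser
    PasswordAuthentication yes
EOF
}

sample_config | effective_sshd_opts - PubkeyAuthentication \
    PasswordAuthentication ChallengeResponseAuthentication
```

On the server, pass /etc/ssh/sshd_config instead of `-`; a Match line that re-enables password logins for one user is the kind of override the plain grep output does not make obvious.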
Try these adjustments in the X2Go client settings:
- In "Session Preferences" → "SSH" tab:
  - Set "Connect with SSH" to "Direct TCP connection"
  - Check "Use SSH compression"
- In "Session Preferences" → "Security" tab:
  - Enable "Use internal SSH agent"
  - Disable "Try other authentication methods if primary fails"
Enable verbose logging on the server to capture authentication attempts:
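# Temporary SSH debug mode on a spare port, e.g. 2222 (port 22 is already held
# by the running sshd service); point the X2Go session at this port for the test.
# In -d mode sshd stays in the foreground and handles a single connection.
/usr/sbin/sshd -d -p 2222
# Monitor auth logs in real-time (authentication results are logged by sshd)
tail -f /var/log/secure | grep -E 'sshd|x2go'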
If the issue persists, consider these workarounds:
# Option 1: Create dedicated SSH config
# Append (>>) so an existing config is not overwritten
cat >> ~/.ssh/config << 'EOF'
Host x2go-server
    HostName server.example.com
    User remoteuser
    IdentityFile ~/.ssh/x2go_specific_key
    IdentitiesOnly yes
EOF
chmod 600 ~/.ssh/config
# Option 2: Test with newer client version
wget http://code.x2go.org/releases/binary-win32/x2goclient/testing/x2goclient-4.1.2.0-2020.07.27-setup.exe
On CentOS 6.7, SELinux might interfere:
# Check current status
sestatus
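# Temporarily switch to permissive mode for testing
setenforce 0
# Return to enforcing mode once the test is done
setenforce 1
# If the test succeeded, build a policy module from the logged denials
grep x2go /var/log/audit/audit.log | audit2allow -M x2gopolicy
# Review the generated x2gopolicy.te before loading the module
semodule -i x2gopolicy.pp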