Paul van Gerven
Fri, 13 Nov 2009 10:14:50 -0800
Dear FreeNX-team, I installed a FreeNX server on Ubuntu Jaunty. Roughly following the Ubuntu guide <https://help.ubuntu.com/community/FreeNX> and links referenced therein, I noticed FreeNX requires PasswordAuthentication to be set to yes in sshd_config (for authenticating the real user logging in on localhost). This step in itself is not covered in the howto, nor did the installation script take care of it (at least in my case; I did encounter some anomalies). Can you confirm that users have to do that manually in Jaunty and Karmic? If so, I would like to add it to the documentation. (In case you are wondering, I am not quite ready to upgrade to Karmic, hence my asking).
Secondly, I feel setting PasswordAuthencation to yes in SSH is unsafe when the port in question is exposed to the internet. Any other user than nx trying to connect with SSH will be prompted for a password, even if key authentication is set up. Some may not mind this behavior, but I am sure some will want a bit more security. At least people should have the option. I figured out how to disable the SSH authentication on localhost and replace it by passdb (with custom keys for FreeNX authentication that is safe enough), and I am willing to share that procedure in the aforementioned howto, but I hesitate. That is, I am not sure whether 'my' procedure is generally applicable. For example, the procedure intended for the same outcome described in this <http://ubuntuforums.org/showthread.php?t=1062942>post did not work for me. Perhaps you could determine whether 'my' procedure is viable and worth adding to the howto. The thing I did differently - and actually had to do differently to obtain a positive result - compared to the howto, is editing node.conf and running dpkg-reconfigure prior to running nxsetup --install. The procedure thus boils down to: 1) Setting up SSH with key authentication and putting 'PasswordAuthencation no' in sshd_config 2) Editing node.conf to set ENABLE_PASSDB_AUTHENTICATION="1" and ENABLE_SSH_AUTHENTICATION="0" 3) Running dpkg-configure freenx-server, creating custom keys in /var/lib/nxserver/home/custom_keys and selecting passdb as the authentication method 4) Running /usr/lib/nxsetup, selecting custom keys. These are put in /etc/nxserver, but the keys generated in step #3 is the one you need (this puzzles me). 5) Creating a user with nxsetup --adduser and attach a password to it. You might find it interesting that I could not create this setup by any other means after installing FreeNX 'normally', as described in the howto - I had to start with a clean slate. Somehow any chances I made in node.conf were not used. And yes, I did restart the server after making changes or ran nxsetup again after editing ;-) This might be worth looking into. Let me know what you think, Paul
_______________________________________________ Mailing list: https://launchpad.net/~freenx-team Post to : freenx-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~freenx-team More help : https://help.launchpad.net/ListHelp