Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-12-01 Thread Bill Damage


>On Monday, 30 November 2015, 8:17, Bill Damage  wrote:


Sorry to be a pain here but this is still broken. Any more ideas for info I can 
supply please?



Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-30 Thread Bill Damage
I also read the link you sent which prompted me to run the query: 

~]# ssh -G nx 
user root 
hostname nx 
port 22 
addressfamily any 
batchmode no 
canonicalizefallbacklocal yes 
canonicalizehostname false 
challengeresponseauthentication yes 
checkhostip yes 
compression no 
controlmaster false 
enablesshkeysign no 
exitonforwardfailure no 
forwardagent no 
forwardx11 no 
forwardx11trusted yes 
gatewayports no 
gssapiauthentication yes 
gssapidelegatecredentials no 
hashknownhosts no 
hostbasedauthentication no 
identitiesonly no 
kbdinteractiveauthentication yes 
nohostauthenticationforlocalhost no 
passwordauthentication yes 
permitlocalcommand no 
protocol 2 
proxyusefdpass no 
pubkeyauthentication yes 
requesttty auto 
rhostsrsaauthentication no 
rsaauthentication yes 
streamlocalbindunlink no 
stricthostkeychecking ask 
tcpkeepalive yes 
tunnel false 
useprivilegedport no 
verifyhostkeydns false 
visualhostkey no 
updatehostkeys false 
canonicalizemaxdots 1 
compressionlevel 6 
connectionattempts 1 
forwardx11timeout 1200 
numberofpasswordprompts 3 
serveralivecountmax 3 
serveraliveinterval 0 
ciphers chacha20-poly1...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
hostkeyalgorithms ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa
hostbasedkeytypes ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa
kexalgorithms curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
loglevel INFO
macs umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
xauthlocation /usr/bin/xauth 
identityfile ~/.ssh/id_rsa 
identityfile ~/.ssh/id_dsa 
identityfile ~/.ssh/id_ecdsa 
identityfile ~/.ssh/id_ed25519 
canonicaldomains 
globalknownhostsfile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2 
userknownhostsfile ~/.ssh/known_hosts ~/.ssh/known_hosts2 
sendenv LANG 
sendenv LC_CTYPE 
sendenv LC_NUMERIC 
sendenv LC_TIME 
sendenv LC_COLLATE 
sendenv LC_MONETARY 
sendenv LC_MESSAGES 
sendenv LC_PAPER 
sendenv LC_NAME 
sendenv LC_ADDRESS 
sendenv LC_TELEPHONE 
sendenv LC_MEASUREMENT 
sendenv LC_IDENTIFICATION 
sendenv LC_ALL 
sendenv LANGUAGE 
sendenv XMODIFIERS 
fingerprinthash SHA256 MD5 
connecttimeout none 
tunneldevice any:any 
controlpersist no 
escapechar ~ 
ipqos lowdelay throughput 
rekeylimit 0 0 
streamlocalbindmask 0177



Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-29 Thread Bill Damage
> I meant the log for the SSH server, on the machine you are trying to
> connect to, not the nx log. On the SSH server, run
>
> grep sshd /var/log/messages


Here it is:

Nov 29 11:07:18 tiger kernel: audit: type=1109 audit(1448795238.479:95): 
pid=12140 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:bad_ident grantors=? 
acct="?" exe="/usr/sbin/sshd" hostname=192.168.62.40 addr=192.168.62.40 
terminal=ssh res=failed' 
Nov 29 11:07:18 tiger audit: CRYPTO_KEY_USER pid=12140 uid=0 auid=4294967295 
ses=4294967295 msg='op=destroy kind=server 
fp=SHA256:c8:65:0c:ad:44:4d:7e:a3:b7:1b:2a:34:5f:a6:a9:61:16:26:21:8d:20:de:80:27:ce:50:dc:6c:ed:8d:c9:f8
 direction=? spid=12140 suid=0  exe="/usr/sbin/sshd" hostname=? 
addr=192.168.62.40 terminal=? res=success' 
Nov 29 11:07:18 tiger audit: CRYPTO_KEY_USER pid=12140 uid=0 auid=4294967295 
ses=4294967295 msg='op=destroy kind=server 
fp=SHA256:59:9f:43:66:77:9e:77:a7:66:77:71:0c:8c:0c:aa:28:61:b4:69:be:ec:77:ed:46:7f:eb:3f:eb:e7:b0:de:7e
 direction=? spid=12140 suid=0  exe="/usr/sbin/sshd" hostname=? 
addr=192.168.62.40 terminal=? res=success' 
Nov 29 11:07:18 tiger audit: CRYPTO_KEY_USER pid=12140 uid=0 auid=4294967295 
ses=4294967295 msg='op=destroy kind=server 
fp=SHA256:b9:48:9f:4f:b7:bd:63:39:b5:49:e9:41:89:0b:64:b2:6a:6a:6d:03:2e:b1:ae:49:9d:9f:89:18:02:28:b3:8c
 direction=? spid=12140 suid=0  exe="/usr/sbin/sshd" hostname=? 
addr=192.168.62.40 terminal=? res=success' 
Nov 29 11:07:18 tiger audit: CRYPTO_KEY_USER pid=12140 uid=0 auid=4294967295 
ses=4294967295 msg='op=destroy kind=server 
fp=SHA256:3a:ae:49:b7:b1:94:f6:b3:a4:88:62:45:b3:36:5d:1f:46:9d:c9:9d:e2:a7:1b:23:94:c2:f9:1b:a4:0e:46:99
 direction=? spid=12140 suid=0  exe="/usr/sbin/sshd" hostname=? 
addr=192.168.62.40 terminal=? res=success' 
Nov 29 11:07:18 tiger audit: USER_LOGIN pid=12140 uid=0 auid=4294967295 
ses=4294967295 msg='op=login acct="nx" exe="/usr/sbin/sshd" hostname=? 
addr=192.168.62.40 terminal=ssh res=failed' 
[root@tiger ~]# 


-- 
Neil Bothwick

Why is the word abbreviation so long? 



Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-28 Thread Neil Bothwick
On Sat, 28 Nov 2015 10:24:32 + (UTC), Bill Damage wrote:

> The log I see says it's not using the password but the key. I have
> regenerated the key but it didn't help. This setup has been fine for
> years. Could there be key *types* which became invalid, or now need
> special configuration, which was caused by the OpenSSL update?

Yes, DSS keys are now disabled by default, but can be re-enabled if
really needed. See http://www.openssh.com/legacy.html

> NX> 203 NXSSH running with pid: 3708 
> NX> 285 Enabling check on switch command 
> NX> 285 Enabling skip of SSH config files 

However, if nx is ignoring your SSH config, I'm not sure how you can tell
it to use 
> NX> 285 Setting the preferred NX options 
> NX> 200 Connected to address: 192.168.62.4 on port: 22 
> NX> 202 Authenticating user: nx 
> NX> 208 Using auth method: publickey 
> NX> 204 Authentication failed.  
 
Where is the information from the *server* log.


-- 
Neil Bothwick

Earlier, I didn't have time to finish anything. This time I w




Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-28 Thread Bill Damage
The log I see says it's not using the password but the key. I have regenerated 
the key but it didn't help. This setup has been fine for years. Could there be 
key *types* which became invalid, or now need special configuration, which was 
caused by the OpenSSL update?

NX> 203 NXSSH running with pid: 3708 
NX> 285 Enabling check on switch command 
NX> 285 Enabling skip of SSH config files 
NX> 285 Setting the preferred NX options 
NX> 200 Connected to address: 192.168.62.4 on port: 22 
NX> 202 Authenticating user: nx 
NX> 208 Using auth method: publickey 
NX> 204 Authentication failed.




On Friday, 27 November 2015, 9:10, Peter Humphrey  wrote:
On Thursday 26 November 2015 21:39:57 Bill Damage wrote:

> Is this better? Damn Yahoo webmail...

Yes, it's fine.

-- 
Rgds
Peter



Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-28 Thread Bill Damage
Thanks for your help and patience!
I want to report the full log.
I see the log file at /var/log/nx/nxserver.log is always 0 bytes. 
To try to enable it I changed the entry in /etc/nxserver/node.conf 
NX_LOG_LEVEL=0 to NX_LOG_LEVEL=6 but it still creates the 0 length log file.



On Saturday, 28 November 2015, 12:33, Neil Bothwick  wrote:
On Sat, 28 Nov 2015 10:24:32 + (UTC), Bill Damage wrote:

> The log I see says it's not using the password but the key. I have
> regenerated the key but it didn't help. This setup has been fine for
> years. Could there be key *types* which became invalid, or now need
> special configuration, which was caused by the OpenSSL update?

Yes, DSS keys are now disabled by default, but can be re-enabled if
really needed. See http://www.openssh.com/legacy.html

> NX> 203 NXSSH running with pid: 3708 
> NX> 285 Enabling check on switch command 
> NX> 285 Enabling skip of SSH config files 

However, if nx is ignoring your SSH config, I'm not sure how you can tell
it to use 

> NX> 285 Setting the preferred NX options 
> NX> 200 Connected to address: 192.168.62.4 on port: 22 
> NX> 202 Authenticating user: nx 
> NX> 208 Using auth method: publickey 
> NX> 204 Authentication failed.  

Where is the information from the *server* log.


-- 
Neil Bothwick

Earlier, I didn't have time to finish anything. This time I w 



Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-28 Thread Neil Bothwick
On Sat, 28 Nov 2015 20:31:43 + (UTC), Bill Damage wrote:

Please don't top post.

> Thanks for your help and patience!
> I want to report the full log.
> I see the log file at /var/log/nx/nxserver.log is always 0 bytes. 
> To try to enable it I changed the entry in /etc/nxserver/node.conf
> NX_LOG_LEVEL=0 to NX_LOG_LEVEL=6 but it still creates the 0 length log
> file.

I meant the log for the SSH server, on the machine you are trying to
connect to, not the nx log. On the SSH server, run

grep sshd /var/log/messages


-- 
Neil Bothwick

Why is the word abbreviation so long?




Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-27 Thread Bill Damage


Thanks.
I want root to be able to SSH in, so I commented out the "without-password" 
one, but it made no difference.



On Thursday, 26 November 2015, 23:59, Neil Bothwick  wrote:
On Thu, 26 Nov 2015 21:39:57 + (UTC), Bill Damage wrote:

> PermitRootLogin yes 
[snip]

> PermitRootLogin without-password

You have specified this option twice, with different values. Pick the one
you want and remove or comment out the other.


-- 
Neil Bothwick

Top Oxymorons Number 39: Almost exactly 



Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-27 Thread Peter Humphrey
On Thursday 26 November 2015 21:39:57 Bill Damage wrote:
> Is this better? Damn Yahoo webmail...

Yes, it's fine.

-- 
Rgds
Peter




Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-26 Thread Bill Damage
Is this better? Damn Yahoo webmail...
My /var/log/nx/nxserver.log remains at 0 bytes even though in node.conf I set 
NX_LOG_LEVEL to 6 from 0. 

Anyway, I will dump my sshd_config for completeness:

[root@example~]# cat /etc/ssh/sshd_config 
#   $OpenBSD: sshd_config,v 1.84 2011/05/23 03:30:07 djm Exp $ 

# This is the sshd server system-wide configuration file.  See 
# sshd_config(5) for more information. 

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin 

# The strategy used for options in the default sshd_config shipped with 
# OpenSSH is to specify options with their default value where 
# possible, but leave them commented.  Uncommented options override the 
# default value. 

#Port 22 
#AddressFamily any 
#ListenAddress 0.0.0.0 
#ListenAddress :: 

# The default requires explicit activation of protocol 1 
#Protocol 2 

# HostKey for protocol version 1 
#HostKey /etc/ssh/ssh_host_key 
# HostKeys for protocol version 2 
#HostKey /etc/ssh/ssh_host_rsa_key 
#HostKey /etc/ssh/ssh_host_dsa_key 
#HostKey /etc/ssh/ssh_host_ecdsa_key 

# Lifetime and size of ephemeral version 1 server key 
#KeyRegenerationInterval 1h 
#ServerKeyBits 1024 

# Logging 
# obsoletes QuietMode and FascistLogging 
#SyslogFacility AUTH 
SyslogFacility AUTHPRIV 
#LogLevel INFO 

# Authentication: 

#LoginGraceTime 2m 
PermitRootLogin yes 
#StrictModes yes 
#MaxAuthTries 6 
#MaxSessions 10 

#RSAAuthentication yes 
#PubkeyAuthentication yes 

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 
# but this is overridden so installations will only check .ssh/authorized_keys 
#AuthorizedKeysFile .ssh/authorized_keys 

#AuthorizedKeysCommand none 
#AuthorizedKeysCommandRunAs nobody 

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts 
#RhostsRSAAuthentication no 
# similar for protocol version 2 
#HostbasedAuthentication no 
# Change to yes if you don't trust ~/.ssh/known_hosts for 
# RhostsRSAAuthentication and HostbasedAuthentication 
#IgnoreUserKnownHosts no 
# Don't read the user's ~/.rhosts and ~/.shosts files 
#IgnoreRhosts yes 

# To disable tunneled clear text passwords, change to no here! 
#PasswordAuthentication yes 
#PermitEmptyPasswords no 
PasswordAuthentication yes 

# Change to no to disable s/key passwords 
#ChallengeResponseAuthentication yes 
ChallengeResponseAuthentication no 

# Kerberos options 
#KerberosAuthentication no 
#KerberosOrLocalPasswd yes 
#KerberosTicketCleanup yes 
#KerberosGetAFSToken no 
#KerberosUseKuserok yes 

# GSSAPI options 
#GSSAPIAuthentication no 
GSSAPIAuthentication yes 
#GSSAPICleanupCredentials yes 
GSSAPICleanupCredentials yes 
#GSSAPIStrictAcceptorCheck yes 
#GSSAPIKeyExchange no 

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and 
# PasswordAuthentication.  Depending on your PAM configuration, 
# PAM authentication via ChallengeResponseAuthentication may bypass 
# the setting of "PermitRootLogin without-password". 
# If you just want the PAM account and session checks to run without 
# PAM authentication, then enable this but set PasswordAuthentication 
# and ChallengeResponseAuthentication to 'no'. 
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several 
# problems. 
#UsePAM no 
UsePAM yes 

#AllowAgentForwarding yes 
#AllowTcpForwarding yes 
#GatewayPorts no 
#X11Forwarding no 
X11Forwarding yes 
#X11DisplayOffset 10 
#X11UseLocalhost yes 
#PrintMotd yes 
#PrintLastLog yes 
#TCPKeepAlive yes 
#UseLogin no 
#UsePrivilegeSeparation yes 
#PermitUserEnvironment no 
#Compression delayed 
#ClientAliveInterval 0 
#ClientAliveCountMax 3 
#ShowPatchLevel no 
#UseDNS yes 
#PidFile /var/run/sshd.pid 
#MaxStartups 10 
#PermitTunnel no 
#ChrootDirectory none 

# no default banner path 
#Banner none 

# Accept locale-related environment variables 
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE 
AcceptEnv XMODIFIERS 

# override default of no subsystems 
Subsystem   sftp    /usr/libexec/openssh/sftp-server 

# Uncomment this if you want to use .local domain 
#Host *.local 
#   CheckHostIP no 

# Example of overriding settings on a per-user basis 
#Match User anoncvs 
#   X11Forwarding no 
#   AllowTcpForwarding no 
#   ForceCommand cvs server 

#http://www.gossamer-threads.com/lists/gentoo/user/308350?page=last 
PubkeyAcceptedKeyTypes=+ssh-dss 
PermitRootLogin without-password



Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-26 Thread Neil Bothwick
On Thu, 26 Nov 2015 21:39:57 + (UTC), Bill Damage wrote:

> PermitRootLogin yes 
[snip]
> PermitRootLogin without-password

You have specified this option twice, with different values. Pick the one
you want and remove or comment out the other.


-- 
Neil Bothwick

Top Oxymorons Number 39: Almost exactly
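
Added example, not part of the original thread: sshd uses the first value it obtains for a keyword, so in the posted file the early `PermitRootLogin yes` takes effect and the `without-password` line appended at the end is ignored. The sketch below reports such repeats and also flags watched options that are only commented out and therefore follow the compiled-in default; the function names, the `MULTI_VALUED` and `WATCHED` lists and the sample strings are assumptions made for this illustration.

```python
import re

# Keywords that sshd accepts several times (the values accumulate), so a
# repeat is not a conflict. Deliberately short list (assumption), extend as needed.
MULTI_VALUED = {"acceptenv", "allowgroups", "allowusers", "denygroups",
                "denyusers", "hostkey", "listenaddress", "port", "subsystem"}

# Options tied to the OpenSSH 7.0 default changes discussed in the thread.
WATCHED = ("PermitRootLogin", "PubkeyAcceptedKeyTypes")

# Keyword and arguments are separated by whitespace and/or a single "=",
# which covers the "PubkeyAcceptedKeyTypes=+ssh-dss" form used in the posted file.
DIRECTIVE = re.compile(r"([A-Za-z0-9]+)\s*(?:=\s*|\s+)(.*)$")


def parse_global(text):
    """Return [(lineno, keyword, value)] for active lines before the first Match."""
    directives = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out option
        m = DIRECTIVE.match(line)
        if not m:
            continue
        keyword, value = m.group(1), m.group(2).strip()
        if keyword.lower() == "match":
            break  # conditional blocks are out of scope for this check
        directives.append((lineno, keyword, value))
    return directives


def audit(text):
    """Report repeated single-valued keywords and watched keywords left unset."""
    first_seen = {}  # lowercased keyword -> (lineno, value) that sshd will use
    findings = []
    for lineno, keyword, value in parse_global(text):
        key = keyword.lower()
        if key in MULTI_VALUED:
            continue
        if key in first_seen:
            eff_line, eff_value = first_seen[key]
            same = value.lower() == eff_value.lower()
            findings.append({
                "kind": "repeat" if same else "conflict",
                "keyword": keyword,
                "line": lineno,              # this later line is ignored
                "ignored_value": value,
                "effective_line": eff_line,  # the first occurrence wins
                "effective_value": eff_value,
            })
        else:
            first_seen[key] = (lineno, value)
    for keyword in WATCHED:
        if keyword.lower() not in first_seen:
            findings.append({"kind": "default", "keyword": keyword})
    return findings


# Constructed sample: a reduced set of the active lines from the sshd_config
# posted in the thread, kept in the same relative order.
POSTED = """\
SyslogFacility AUTHPRIV
PermitRootLogin yes
#PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes
AcceptEnv LANG LC_CTYPE
AcceptEnv XMODIFIERS
PubkeyAcceptedKeyTypes=+ssh-dss
PermitRootLogin without-password
"""

# Constructed sample: the option is only present as a comment, so the
# running sshd falls back to whatever default its version ships with.
COMMENTED = """\
#PermitRootLogin yes
PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("commented", COMMENTED)):
        for finding in audit(cfg):
            print(name, finding)
```

On a live host, `sshd -T` prints the effective configuration after these rules have been applied.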




Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-26 Thread Bill Damage
Thanks, but either way I'm still getting nowhere:
NX> 203 NXSSH running with pid: 9904
NX> 285 Enabling check on switch command
NX> 285 Enabling skip of SSH config files
NX> 285 Setting the preferred NX options
NX> 200 Connected to address: 192.168.62.4 on port: 22
NX> 202 Authenticating user: nx
NX> 208 Using auth method: publickey
NX> 204 Authentication failed.
I take it to try this you edit /etc/sshd_config then restart the sshd service?
 


On Wednesday, 25 November 2015, 20:04, Neil Bothwick  
wrote:
 

 On Wed, 25 Nov 2015 12:55:43 -0700, the...@sys-concept.com wrote:

> > Which you would expect if that was not the problem. From memory, I
> > think your problem was caused by password logins as root being
> > disabled. That was another change for 7.0 and my only comment on that
> > is "why the hell did they wait until version 7.0 before getting rid
> > of such an insecure default?".
> > 
> >  
> in sshd_config
> 
> #PermitRootLogin yes
> or
> #PermitRootLogin no
> 
> I can connect using openssh-6 but not 7-xx

Because the setting is commented out so it falls back to the default,
which is yes in 6 and no in 7. Set it to what you need instead of relying
on defaults which can change.


-- 
Neil Bothwick

The people who are wrapped up in themselves are overdressed.

  

Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-26 Thread Bill Damage
Somehow the details of my message weren't posted:
NX> 203 NXSSH running with pid: 10200
NX> 285 Enabling check on switch command
NX> 285 Enabling skip of SSH config files
NX> 285 Setting the preferred NX options
NX> 200 Connected to address: 192.168.62.4 on port: 22
NX> 202 Authenticating user: nx
NX> 208 Using auth method: publickey
NX> 204 Authentication failed.




   

Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-26 Thread Neil Bothwick
On Thu, 26 Nov 2015 09:07:07 + (UTC), Bill Damage wrote:

> NX> 203 NXSSH running with pid: 10200
> NX> 285 Enabling check on switch command
> NX> 285 Enabling skip of SSH config files
> NX> 285 Setting the preferred NX options
> NX> 200 Connected to address: 192.168.62.4 on port: 22
> NX> 202 Authenticating user: nx
> NX> 208 Using auth method: publickey
> NX> 204 Authentication failed.

What does the log on the server say?


-- 
Neil Bothwick

Accordion: a bagpipe with pleats.




Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-26 Thread Peter Humphrey
I would need a magnifying glass to read this. Please don't use HTML on this 
list.

On Wednesday 25 November 2015 18:50:14 Bill Damage wrote:
> I have exactly the same problem mentioned in this thread. I think
> something changed and broke the authentication during an update. I found
> this message by Googling and just joined the mail list to ask for help. I
> have done everything mentioned in the thread, and here's where I'm at:
> (it worked fine before some regular update broke it) Thanks!
> [root@tiger ssh]# nxsetup --test
> > Testing your nxserver configuration ...
> Warning: Invalid value "APPLICATION_LIBRARY_PRELOAD=/usr/lib64/nx/libX11.so.6:/usr/lib64/nx/libXext.so.6:/usr/lib64/nx/libXcomp.so.3:/usr/lib64/nx/libXcompext.so.3:/usr/lib64/nx/libXrender.so.1". /usr/lib64/nx/libX11.so.6 could not be found. Users will not be able to run a single application in non-rootless mode.
> Warning: Invalid value "COMMAND_START_CDE=cdwm"
>          Users will not be able to request a CDE session.
> Warning: Invalid value "COMMAND_SMBMOUNT=smbmount". You'll not be able to use SAMBA.
> Warning: Invalid value "COMMAND_SMBUMOUNT=smbumount". You'll not be able to use SAMBA.
> Warning: Invalid cupsd version of "/usr/sbin/cupsd". Need version 1.2.
>          Users will not be able to enable printing. Ignore if you use cups > 1.2
> Error: Could not find 1.5.0 or 2.[01].0 or 3.[012345].0 version string in nxagent. NX 1.5.0 or 2.[01].0 or 3.[012345].0 backend is needed for this version of FreeNX.
>   Warnings occured during config check.
>   To enable these features please correct the configuration file.
> < done
> > Testing your nxserver connection ...
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
> Fatal error: Could not connect to NX Server.
> Please check your ssh setup:
> The following are _examples_ of what you might need to check.
>   - Make sure "nx" is one of the AllowUsers in sshd_config.
>     (or that the line is outcommented/not there)
>   - Make sure "nx" is one of the AllowGroups in sshd_config.
>     (or that the line is outcommented/not there)
>   - Make sure your sshd allows public key authentication.
>   - Make sure your sshd is really running on port 22.
>   - Make sure your sshd_config AuthorizedKeysFile in sshd_config is set to authorized_keys.
>     (this should be a filename not a pathname+filename)
>   - Make sure you allow ssh on localhost, this could come from some
>     restriction of:
>       -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
>       -the iptables. add to it:
>          $ iptables -A INPUT  -i lo -j ACCEPT
>          $ iptables -A OUTPUT -o lo -j ACCEPT
> [root@tiger ssh]#

-- 
Rgds
Peter




Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-26 Thread Bill Damage
On Thursday, 26 November 2015, 9:51, Peter Humphrey  
wrote:

I would need a magnifying glass to read this. Please don't use HTML on this 
list.



It's damn Yahoo's webmail, I switched to plain text maybe it's better now?

Anyway the log at /var/log/nx/nxserver.log is always 0 bytes.



Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-25 Thread Neil Bothwick
On Wed, 25 Nov 2015 11:58:47 -0700, the...@sys-concept.com wrote:

> I had the same problem.
> openssh-7.xxx (screwed up) by disabling ssh-dss key (that is what
> nxserver is using).

That's not what the error message you posted said.

> Trying to enable the "ssh-dss" via sshd_config does not work!

Which you would expect if that was not the problem. From memory, I think
your problem was caused by password logins as root being disabled. That
was another change for 7.0 and my only comment on that is "why the hell
did they wait until version 7.0 before getting rid of such an insecure
default?".


-- 
Neil Bothwick

Age and treachery will always overcome youth and skill.




Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-25 Thread thelma
On 11/25/2015 12:31 PM, Neil Bothwick wrote:
> On Wed, 25 Nov 2015 11:58:47 -0700, the...@sys-concept.com wrote:
> 
>> I had the same problem.
>> openssh-7.xxx (screwed up) by disabling ssh-dss key (that is what
>> nxserver is using).
> 
> That's not what the error message you posted said.
> 
>> Trying to enable the "ssh-dss" via sshd_config does not work!
> 
> Which you would expect if that was not the problem. From memory, I think
> your problem was caused by password logins as root being disabled. That
> was another change for 7.0 and my only comment on that is "why the hell
> did they wait until version 7.0 before getting rid of such an insecure
> default?".
> 
> 
in sshd_config

#PermitRootLogin yes
or
#PermitRootLogin no

I can connect using openssh-6 but not 7-xx

Thelma



[gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-25 Thread Bill Damage
I have exactly the same problem mentioned in this thread. I think something 
changed and broke the authentication during an update. I found this message by 
Googling and just joined the mail list to ask for help. I have done everything 
mentioned in the thread, and here's where I'm at: (it worked fine before some 
regular update broke it)
Thanks!
[root@tiger ssh]# nxsetup --test
> Testing your nxserver configuration ...
Warning: Invalid value "APPLICATION_LIBRARY_PRELOAD=/usr/lib64/nx/libX11.so.6:/usr/lib64/nx/libXext.so.6:/usr/lib64/nx/libXcomp.so.3:/usr/lib64/nx/libXcompext.so.3:/usr/lib64/nx/libXrender.so.1". /usr/lib64/nx/libX11.so.6 could not be found. Users will not be able to run a single application in non-rootless mode.
Warning: Invalid value "COMMAND_START_CDE=cdwm"
         Users will not be able to request a CDE session.
Warning: Invalid value "COMMAND_SMBMOUNT=smbmount". You'll not be able to use SAMBA.
Warning: Invalid value "COMMAND_SMBUMOUNT=smbumount". You'll not be able to use SAMBA.
Warning: Invalid cupsd version of "/usr/sbin/cupsd". Need version 1.2.
         Users will not be able to enable printing. Ignore if you use cups > 1.2
Error: Could not find 1.5.0 or 2.[01].0 or 3.[012345].0 version string in nxagent. NX 1.5.0 or 2.[01].0 or 3.[012345].0 backend is needed for this version of FreeNX.
  Warnings occured during config check.
  To enable these features please correct the configuration file.
< done
> Testing your nxserver connection ...
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
Fatal error: Could not connect to NX Server.
Please check your ssh setup:
The following are _examples_ of what you might need to check.
        - Make sure "nx" is one of the AllowUsers in sshd_config.
    (or that the line is outcommented/not there)
        - Make sure "nx" is one of the AllowGroups in sshd_config.
    (or that the line is outcommented/not there)
        - Make sure your sshd allows public key authentication.
        - Make sure your sshd is really running on port 22.
        - Make sure your sshd_config AuthorizedKeysFile in sshd_config is set to authorized_keys.
    (this should be a filename not a pathname+filename)
  - Make sure you allow ssh on localhost, this could come from some
    restriction of:
      -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
      -the iptables. add to it:
         $ iptables -A INPUT  -i lo -j ACCEPT
         $ iptables -A OUTPUT -o lo -j ACCEPT
[root@tiger ssh]#


Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-25 Thread Mick
On Wednesday 25 Nov 2015 20:04:14 Neil Bothwick wrote:
> On Wed, 25 Nov 2015 12:55:43 -0700, the...@sys-concept.com wrote:
> > > Which you would expect if that was not the problem. From memory, I
> > > think your problem was caused by password logins as root being
> > > disabled. That was another change for 7.0 and my only comment on that
> > > is "why the hell did they wait until version 7.0 before getting rid
> > > of such an insecure default?".
> > 
> > in sshd_config
> > 
> > #PermitRootLogin yes
> > or
> > #PermitRootLogin no
> > 
> > I can connect using openssh-6 but not 7-xx
> 
> Because the setting is commented out so it falls back to the default,
> which is yes in 6 and no in 7. Set it to what you need instead of relying
> on defaults which can change.

Also, check your *uncommented* setting for PermitEmptyPasswords, if for some 
reason you have not set up a password for your NX account.  The default is no.

-- 
Regards,
Mick




Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-25 Thread thelma
On 11/25/2015 01:04 PM, Neil Bothwick wrote:
> On Wed, 25 Nov 2015 12:55:43 -0700, the...@sys-concept.com wrote:
> 
>>> Which you would expect if that was not the problem. From memory, I
>>> think your problem was caused by password logins as root being
>>> disabled. That was another change for 7.0 and my only comment on that
>>> is "why the hell did they wait until version 7.0 before getting rid
>>> of such an insecure default?".
>>>
>>>   
>> in sshd_config
>>
>> #PermitRootLogin yes
>> or
>> #PermitRootLogin no
>>
>> I can connect using openssh-6 but not 7-xx
> 
> Because the setting is commented out so it falls back to the default,
> which is yes in 6 and no in 7. Set it to what you need instead of relying
> on defaults which can change.

Yes, nxserver works with openssh-7; I don't know why I couldn't make it
to work during the upgrade a few weeks ago :-/




Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-25 Thread Neil Bothwick
On Wed, 25 Nov 2015 12:55:43 -0700, the...@sys-concept.com wrote:

> > Which you would expect if that was not the problem. From memory, I
> > think your problem was caused by password logins as root being
> > disabled. That was another change for 7.0 and my only comment on that
> > is "why the hell did they wait until version 7.0 before getting rid
> > of such an insecure default?".
> > 
> >   
> in sshd_config
> 
> #PermitRootLogin yes
> or
> #PermitRootLogin no
> 
> I can connect using openssh-6 but not 7-xx

Because the setting is commented out so it falls back to the default,
which is yes in 6 and no in 7. Set it to what you need instead of relying
on defaults which can change.


-- 
Neil Bothwick

The people who are wrapped up in themselves are overdressed.




Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-25 Thread thelma
On 11/25/2015 11:50 AM, Bill Damage wrote:
> I have exactly the same problem mentioned in this thread. I think something 
> changed and broke the authentication during an update. I found this message 
> by Googling and just joined the mail list to ask for help. I have done 
> everything mentioned in the thread, and here's where I'm at: (it worked fine 
> before some regular update broke it)
> Thanks!
> [root@tiger ssh]# nxsetup --test
> > Testing your nxserver configuration ...
> Warning: Invalid value "APPLICATION_LIBRARY_PRELOAD=/usr/lib64/nx/libX11.so.6:/usr/lib64/nx/libXext.so.6:/usr/lib64/nx/libXcomp.so.3:/usr/lib64/nx/libXcompext.so.3:/usr/lib64/nx/libXrender.so.1". /usr/lib64/nx/libX11.so.6 could not be found. Users will not be able to run a single application in non-rootless mode.
> Warning: Invalid value "COMMAND_START_CDE=cdwm"
>          Users will not be able to request a CDE session.
> Warning: Invalid value "COMMAND_SMBMOUNT=smbmount". You'll not be able to use SAMBA.
> Warning: Invalid value "COMMAND_SMBUMOUNT=smbumount". You'll not be able to use SAMBA.
> Warning: Invalid cupsd version of "/usr/sbin/cupsd". Need version 1.2.
>          Users will not be able to enable printing. Ignore if you use cups > 1.2
> Error: Could not find 1.5.0 or 2.[01].0 or 3.[012345].0 version string in nxagent. NX 1.5.0 or 2.[01].0 or 3.[012345].0 backend is needed for this version of FreeNX.
>   Warnings occured during config check.
>   To enable these features please correct the configuration file.
> < done
> > Testing your nxserver connection ...
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
> Fatal error: Could not connect to NX Server.
> Please check your ssh setup:
> The following are _examples_ of what you might need to check.
>   - Make sure "nx" is one of the AllowUsers in sshd_config.
>     (or that the line is outcommented/not there)
>   - Make sure "nx" is one of the AllowGroups in sshd_config.
>     (or that the line is outcommented/not there)
>   - Make sure your sshd allows public key authentication.
>   - Make sure your sshd is really running on port 22.
>   - Make sure your sshd_config AuthorizedKeysFile in sshd_config is set to authorized_keys.
>     (this should be a filename not a pathname+filename)
>   - Make sure you allow ssh on localhost, this could come from some
>     restriction of:
>       -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
>       -the iptables. add to it:
>          $ iptables -A INPUT  -i lo -j ACCEPT
>          $ iptables -A OUTPUT -o lo -j ACCEPT
> [root@tiger ssh]#
> 

I had the same problem.
openssh-7.xxx (screwed up) by disabling ssh-dss key (that is what
nxserver is using).
Trying to enable the "ssh-dss" via sshd_config does not work!

So the only way to go about it is to downgrade to openssh-6.xxx

--
Thelma