Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-12-01 Thread Bill Damage


>On Monday, 30 November 2015, 8:17, Bill Damage  wrote:


Sorry to be a pain here but this is still broken. Any more ideas for info I can 
supply please?



Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-30 Thread Bill Damage
I also read the link you sent which prompted me to run the query: 

~]# ssh -G nx 
user root 
hostname nx 
port 22 
addressfamily any 
batchmode no 
canonicalizefallbacklocal yes 
canonicalizehostname false 
challengeresponseauthentication yes 
checkhostip yes 
compression no 
controlmaster false 
enablesshkeysign no 
exitonforwardfailure no 
forwardagent no 
forwardx11 no 
forwardx11trusted yes 
gatewayports no 
gssapiauthentication yes 
gssapidelegatecredentials no 
hashknownhosts no 
hostbasedauthentication no 
identitiesonly no 
kbdinteractiveauthentication yes 
nohostauthenticationforlocalhost no 
passwordauthentication yes 
permitlocalcommand no 
protocol 2 
proxyusefdpass no 
pubkeyauthentication yes 
requesttty auto 
rhostsrsaauthentication no 
rsaauthentication yes 
streamlocalbindunlink no 
stricthostkeychecking ask 
tcpkeepalive yes 
tunnel false 
useprivilegedport no 
verifyhostkeydns false 
visualhostkey no 
updatehostkeys false 
canonicalizemaxdots 1 
compressionlevel 6 
connectionattempts 1 
forwardx11timeout 1200 
numberofpasswordprompts 3 
serveralivecountmax 3 
serveraliveinterval 0 
ciphers 
chacha20-poly1...@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-...@openssh.com,aes256-...@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se
 
hostkeyalgorithms 
ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa
 
hostbasedkeytypes 
ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa
 
kexalgorithms 
curve25519-sha...@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
 
loglevel INFO 
macs 
umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-sha1-...@openssh.com,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96
 
xauthlocation /usr/bin/xauth 
identityfile ~/.ssh/id_rsa 
identityfile ~/.ssh/id_dsa 
identityfile ~/.ssh/id_ecdsa 
identityfile ~/.ssh/id_ed25519 
canonicaldomains 
globalknownhostsfile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2 
userknownhostsfile ~/.ssh/known_hosts ~/.ssh/known_hosts2 
sendenv LANG 
sendenv LC_CTYPE 
sendenv LC_NUMERIC 
sendenv LC_TIME 
sendenv LC_COLLATE 
sendenv LC_MONETARY 
sendenv LC_MESSAGES 
sendenv LC_PAPER 
sendenv LC_NAME 
sendenv LC_ADDRESS 
sendenv LC_TELEPHONE 
sendenv LC_MEASUREMENT 
sendenv LC_IDENTIFICATION 
sendenv LC_ALL 
sendenv LANGUAGE 
sendenv XMODIFIERS 
fingerprinthash SHA256 MD5 
connecttimeout none 
tunneldevice any:any 
controlpersist no 
escapechar ~ 
ipqos lowdelay throughput 
rekeylimit 0 0 
streamlocalbindmask 0177



Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-29 Thread Bill Damage
I meant the log for the SSH server, on the machine you are trying to
connect to, not the nx log. On the SSH server, run

grep sshd /var/log/messages


Here it is:

Nov 29 11:07:18 tiger kernel: audit: type=1109 audit(1448795238.479:95): 
pid=12140 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:bad_ident grantors=? 
acct="?" exe="/usr/sbin/sshd" hostname=192.168.62.40 addr=192.168.62.40 
terminal=ssh res=failed' 
Nov 29 11:07:18 tiger audit: CRYPTO_KEY_USER pid=12140 uid=0 auid=4294967295 
ses=4294967295 msg='op=destroy kind=server 
fp=SHA256:c8:65:0c:ad:44:4d:7e:a3:b7:1b:2a:34:5f:a6:a9:61:16:26:21:8d:20:de:80:27:ce:50:dc:6c:ed:8d:c9:f8
 direction=? spid=12140 suid=0  exe="/usr/sbin/sshd" hostname=? 
addr=192.168.62.40 terminal=? res=success' 
Nov 29 11:07:18 tiger audit: CRYPTO_KEY_USER pid=12140 uid=0 auid=4294967295 
ses=4294967295 msg='op=destroy kind=server 
fp=SHA256:59:9f:43:66:77:9e:77:a7:66:77:71:0c:8c:0c:aa:28:61:b4:69:be:ec:77:ed:46:7f:eb:3f:eb:e7:b0:de:7e
 direction=? spid=12140 suid=0  exe="/usr/sbin/sshd" hostname=? 
addr=192.168.62.40 terminal=? res=success' 
Nov 29 11:07:18 tiger audit: CRYPTO_KEY_USER pid=12140 uid=0 auid=4294967295 
ses=4294967295 msg='op=destroy kind=server 
fp=SHA256:b9:48:9f:4f:b7:bd:63:39:b5:49:e9:41:89:0b:64:b2:6a:6a:6d:03:2e:b1:ae:49:9d:9f:89:18:02:28:b3:8c
 direction=? spid=12140 suid=0  exe="/usr/sbin/sshd" hostname=? 
addr=192.168.62.40 terminal=? res=success' 
Nov 29 11:07:18 tiger audit: CRYPTO_KEY_USER pid=12140 uid=0 auid=4294967295 
ses=4294967295 msg='op=destroy kind=server 
fp=SHA256:3a:ae:49:b7:b1:94:f6:b3:a4:88:62:45:b3:36:5d:1f:46:9d:c9:9d:e2:a7:1b:23:94:c2:f9:1b:a4:0e:46:99
 direction=? spid=12140 suid=0  exe="/usr/sbin/sshd" hostname=? 
addr=192.168.62.40 terminal=? res=success' 
Nov 29 11:07:18 tiger audit: USER_LOGIN pid=12140 uid=0 auid=4294967295 
ses=4294967295 msg='op=login acct="nx" exe="/usr/sbin/sshd" hostname=? 
addr=192.168.62.40 terminal=ssh res=failed' 
[root@tiger ~]# 


-- 
Neil Bothwick

Why is the word abbreviation so long? 



Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-28 Thread Neil Bothwick
On Sat, 28 Nov 2015 10:24:32 + (UTC), Bill Damage wrote:

> The log I see says it's not using the password but the key. I have
> regenerated the key but it didn't help. This setup has been fine for
> years. Could there be key *types* which became invalid, or now need
> special configuration, which was caused by the OpenSSL update?

Yes, DSS keys are now disabled by default, but can be re-enabled if
really needed. See http://www.openssh.com/legacy.html

> NX> 203 NXSSH running with pid: 3708 
> NX> 285 Enabling check on switch command 
> NX> 285 Enabling skip of SSH config files 

However, if nx is ignoring your SSH config, I'm not sure how you can tell
it to use 
> NX> 285 Setting the preferred NX options 
> NX> 200 Connected to address: 192.168.62.4 on port: 22 
> NX> 202 Authenticating user: nx 
> NX> 208 Using auth method: publickey 
> NX> 204 Authentication failed.  
 
Where is the information from the *server* log.


-- 
Neil Bothwick

Earlier, I didn't have time to finish anything. This time I w




Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-28 Thread Bill Damage
The log I see says it's not using the password but the key. I have regenerated 
the key but it didn't help. This setup has been fine for years. Could there be 
key *types* which became invalid, or now need special configuration, which was 
caused by the OpenSSL update?

NX> 203 NXSSH running with pid: 3708 
NX> 285 Enabling check on switch command 
NX> 285 Enabling skip of SSH config files 
NX> 285 Setting the preferred NX options 
NX> 200 Connected to address: 192.168.62.4 on port: 22 
NX> 202 Authenticating user: nx 
NX> 208 Using auth method: publickey 
NX> 204 Authentication failed.




On Friday, 27 November 2015, 9:10, Peter Humphrey  wrote:
On Thursday 26 November 2015 21:39:57 Bill Damage wrote:

> Is this better? Damn Yahoo webmail...

Yes, it's fine.

-- 
Rgds
Peter



Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-28 Thread Bill Damage
Thanks for your help and patience!
I want to report the full log.
I see the log file at /var/log/nx/nxserver.log is always 0 bytes. 
To try to enable it I changed the entry in /etc/nxserver/node.conf 
NX_LOG_LEVEL=0 to NX_LOG_LEVEL=6 but it still creates the 0 length log file.



On Saturday, 28 November 2015, 12:33, Neil Bothwick  wrote:
On Sat, 28 Nov 2015 10:24:32 + (UTC), Bill Damage wrote:

> The log I see says it's not using the password but the key. I have
> regenerated the key but it didn't help. This setup has been fine for
> years. Could there be key *types* which became invalid, or now need
> special configuration, which was caused by the OpenSSL update?

Yes, DSS keys are now disabled by default, but can be re-enabled if
really needed. See http://www.openssh.com/legacy.html

> NX> 203 NXSSH running with pid: 3708 
> NX> 285 Enabling check on switch command 
> NX> 285 Enabling skip of SSH config files 

However, if nx is ignoring your SSH config, I'm not sure how you can tell
it to use 

> NX> 285 Setting the preferred NX options 
> NX> 200 Connected to address: 192.168.62.4 on port: 22 
> NX> 202 Authenticating user: nx 
> NX> 208 Using auth method: publickey 
> NX> 204 Authentication failed.  

Where is the information from the *server* log.


-- 
Neil Bothwick

Earlier, I didn't have time to finish anything. This time I w 



Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-28 Thread Neil Bothwick
On Sat, 28 Nov 2015 20:31:43 + (UTC), Bill Damage wrote:

Please don't top post.

> Thanks for your help and patience!
> I want to report the full log.
> I see the log file at /var/log/nx/nxserver.log is always 0 bytes. 
> To try to enable it I changed the entry in /etc/nxserver/node.conf
> NX_LOG_LEVEL=0 to NX_LOG_LEVEL=6 but it still creates the 0 length log
> file.

I meant the log for the SSH server, on the machine you are trying to
connect to, not the nx log. On the SSH server, run

grep sshd /var/log/messages


-- 
Neil Bothwick

Why is the word abbreviation so long?




Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-27 Thread Bill Damage


Thanks.
I want root to be able to SSH in, so I commented out the "without-password" 
one, but it made no difference.



On Thursday, 26 November 2015, 23:59, Neil Bothwick  wrote:
On Thu, 26 Nov 2015 21:39:57 + (UTC), Bill Damage wrote:

> PermitRootLogin yes 
[snip]

> PermitRootLogin without-password

You have specified this option twice, with different values. Pick the one
you want and remove or comment out the other.


-- 
Neil Bothwick

Top Oxymorons Number 39: Almost exactly 
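
The duplicate PermitRootLogin lines discussed above can be checked mechanically. The script below is an added example, not part of the thread: it applies the sshd_config(5) rule that the first value obtained for a keyword is the one used, and reports later occurrences that disagree with it. The function names, the list of repeatable keywords and the sample file (a constructed excerpt of the active lines in the posted config) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. sshd_config(5): for each keyword the
# first obtained value is used, so a later conflicting duplicate is ignored.

# Keywords that may legitimately appear several times (assumed, not exhaustive).
MULTI="acceptenv allowgroups allowusers denygroups denyusers hostkey listenaddress port subsystem"

# parse_config FILE -> "lineno<TAB>keyword<TAB>value" for each active global
# directive. Parsing stops at the first Match block, whose contents only apply
# conditionally. Keyword and value may be separated by whitespace or "=".
parse_config() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            n = match(line, /[ \t=]/)
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            if (key == "match") exit
            printf "%d\t%s\t%s\n", NR, key, val
        }' "$1"
}

# effective_value FILE KEYWORD -> the value sshd uses (first occurrence).
effective_value() {
    want=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    parse_config "$1" | awk -F '\t' -v k="$want" '$2 == k { print $3; exit }'
}

# shadowed_directives FILE -> one line per later occurrence that is ignored
# because it disagrees with the first one.
shadowed_directives() {
    parse_config "$1" | awk -F '\t' -v multi="$MULTI" '
        BEGIN { n = split(multi, m, " "); for (i = 1; i <= n; i++) ok[m[i]] = 1 }
        ok[$2] { next }
        !($2 in first) { first[$2] = $3; at[$2] = $1; next }
        $3 != first[$2] {
            printf "%s: line %d \"%s\" is ignored, line %d \"%s\" wins\n", $2, $1, $3, at[$2], first[$2]
        }'
}

# Constructed excerpt mirroring the active lines of the config posted in the thread.
sample_config() {
    cat <<'EOF'
SyslogFacility AUTHPRIV
PermitRootLogin yes
#PasswordAuthentication yes
PasswordAuthentication yes
AcceptEnv LANG LC_CTYPE
AcceptEnv XMODIFIERS
PubkeyAcceptedKeyTypes=+ssh-dss
PermitRootLogin without-password
EOF
}

demo() {
    tmp=$(mktemp) || return 1
    sample_config > "$tmp"
    echo "effective PermitRootLogin: $(effective_value "$tmp" PermitRootLogin)"
    shadowed_directives "$tmp"
    rm -f "$tmp"
}
demo
```

On a live server, sshd -T prints the effective values after the configuration has been parsed.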



Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-27 Thread Peter Humphrey
On Thursday 26 November 2015 21:39:57 Bill Damage wrote:
> Is this better? Damn Yahoo webmail...

Yes, it's fine.

-- 
Rgds
Peter




Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-26 Thread Bill Damage
Is this better? Damn Yahoo webmail...
My /var/log/nx/nxserver.log remains at 0 bytes even though in node.conf I set 
NX_LOG_LEVEL to 6 from 0. 

Anyway, I will dump my sshd_config for completeness:

[root@example~]# cat /etc/ssh/sshd_config 
#   $OpenBSD: sshd_config,v 1.84 2011/05/23 03:30:07 djm Exp $ 

# This is the sshd server system-wide configuration file.  See 
# sshd_config(5) for more information. 

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin 

# The strategy used for options in the default sshd_config shipped with 
# OpenSSH is to specify options with their default value where 
# possible, but leave them commented.  Uncommented options override the 
# default value. 

#Port 22 
#AddressFamily any 
#ListenAddress 0.0.0.0 
#ListenAddress :: 

# The default requires explicit activation of protocol 1 
#Protocol 2 

# HostKey for protocol version 1 
#HostKey /etc/ssh/ssh_host_key 
# HostKeys for protocol version 2 
#HostKey /etc/ssh/ssh_host_rsa_key 
#HostKey /etc/ssh/ssh_host_dsa_key 
#HostKey /etc/ssh/ssh_host_ecdsa_key 

# Lifetime and size of ephemeral version 1 server key 
#KeyRegenerationInterval 1h 
#ServerKeyBits 1024 

# Logging 
# obsoletes QuietMode and FascistLogging 
#SyslogFacility AUTH 
SyslogFacility AUTHPRIV 
#LogLevel INFO 

# Authentication: 

#LoginGraceTime 2m 
PermitRootLogin yes 
#StrictModes yes 
#MaxAuthTries 6 
#MaxSessions 10 

#RSAAuthentication yes 
#PubkeyAuthentication yes 

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 
# but this is overridden so installations will only check .ssh/authorized_keys 
#AuthorizedKeysFile .ssh/authorized_keys 

#AuthorizedKeysCommand none 
#AuthorizedKeysCommandRunAs nobody 

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts 
#RhostsRSAAuthentication no 
# similar for protocol version 2 
#HostbasedAuthentication no 
# Change to yes if you don't trust ~/.ssh/known_hosts for 
# RhostsRSAAuthentication and HostbasedAuthentication 
#IgnoreUserKnownHosts no 
# Don't read the user's ~/.rhosts and ~/.shosts files 
#IgnoreRhosts yes 

# To disable tunneled clear text passwords, change to no here! 
#PasswordAuthentication yes 
#PermitEmptyPasswords no 
PasswordAuthentication yes 

# Change to no to disable s/key passwords 
#ChallengeResponseAuthentication yes 
ChallengeResponseAuthentication no 

# Kerberos options 
#KerberosAuthentication no 
#KerberosOrLocalPasswd yes 
#KerberosTicketCleanup yes 
#KerberosGetAFSToken no 
#KerberosUseKuserok yes 

# GSSAPI options 
#GSSAPIAuthentication no 
GSSAPIAuthentication yes 
#GSSAPICleanupCredentials yes 
GSSAPICleanupCredentials yes 
#GSSAPIStrictAcceptorCheck yes 
#GSSAPIKeyExchange no 

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and 
# PasswordAuthentication.  Depending on your PAM configuration, 
# PAM authentication via ChallengeResponseAuthentication may bypass 
# the setting of "PermitRootLogin without-password". 
# If you just want the PAM account and session checks to run without 
# PAM authentication, then enable this but set PasswordAuthentication 
# and ChallengeResponseAuthentication to 'no'. 
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several 
# problems. 
#UsePAM no 
UsePAM yes 

#AllowAgentForwarding yes 
#AllowTcpForwarding yes 
#GatewayPorts no 
#X11Forwarding no 
X11Forwarding yes 
#X11DisplayOffset 10 
#X11UseLocalhost yes 
#PrintMotd yes 
#PrintLastLog yes 
#TCPKeepAlive yes 
#UseLogin no 
#UsePrivilegeSeparation yes 
#PermitUserEnvironment no 
#Compression delayed 
#ClientAliveInterval 0 
#ClientAliveCountMax 3 
#ShowPatchLevel no 
#UseDNS yes 
#PidFile /var/run/sshd.pid 
#MaxStartups 10 
#PermitTunnel no 
#ChrootDirectory none 

# no default banner path 
#Banner none 

# Accept locale-related environment variables 
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES 
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE 
AcceptEnv XMODIFIERS 

# override default of no subsystems 
Subsystem   sftp    /usr/libexec/openssh/sftp-server 

# Uncomment this if you want to use .local domain 
#Host *.local 
#   CheckHostIP no 

# Example of overriding settings on a per-user basis 
#Match User anoncvs 
#   X11Forwarding no 
#   AllowTcpForwarding no 
#   ForceCommand cvs server 

#http://www.gossamer-threads.com/lists/gentoo/user/308350?page=last 
PubkeyAcceptedKeyTypes=+ssh-dss 
PermitRootLogin without-password



Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-26 Thread Neil Bothwick
On Thu, 26 Nov 2015 21:39:57 + (UTC), Bill Damage wrote:

> PermitRootLogin yes 
[snip]
> PermitRootLogin without-password

You have specified this option twice, with different values. Pick the one
you want and remove or comment out the other.


-- 
Neil Bothwick

Top Oxymorons Number 39: Almost exactly




Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-26 Thread Bill Damage
Thanks, but either way I'm still getting nowhere:
NX> 203 NXSSH running with pid: 9904
NX> 285 Enabling check on switch command
NX> 285 Enabling skip of SSH config files
NX> 285 Setting the preferred NX options
NX> 200 Connected to address: 192.168.62.4 on port: 22
NX> 202 Authenticating user: nx
NX> 208 Using auth method: publickey
NX> 204 Authentication failed.
I take it to try this you edit /etc/sshd_config then restart the sshd service?
 


On Wednesday, 25 November 2015, 20:04, Neil Bothwick wrote:

On Wed, 25 Nov 2015 12:55:43 -0700, the...@sys-concept.com wrote:

> > Which you would expect if that was not the problem. From memory, I
> > think your problem was caused by password logins as root being
> > disabled. That was another change for 7.0 and my only comment on that
> > is "why the hell did they wait until version 7.0 before getting rid
> > of such an insecure default?".
> > 
> >  
> in sshd_config
> 
> #PermitRootLogin yes
> or
> #PermitRootLogin no
> 
> I can connect using openssh-6 but not 7-xx

Because the setting is commented out so it falls back to the default,
which is yes in 6 and no in 7. Set it to what you need instead of relying
on defaults which can change.


-- 
Neil Bothwick

The people who are wrapped up in themselves are overdressed.

  

Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-26 Thread Bill Damage
Somehow the details of my message weren't posted:
NX> 203 NXSSH running with pid: 10200
NX> 285 Enabling check on switch command
NX> 285 Enabling skip of SSH config files
NX> 285 Setting the preferred NX options
NX> 200 Connected to address: 192.168.62.4 on port: 22
NX> 202 Authenticating user: nx
NX> 208 Using auth method: publickey
NX> 204 Authentication failed.




   

Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-26 Thread Neil Bothwick
On Thu, 26 Nov 2015 09:07:07 + (UTC), Bill Damage wrote:

> NX> 203 NXSSH running with pid: 10200
> NX> 285 Enabling check on switch command
> NX> 285 Enabling skip of SSH config files
> NX> 285 Setting the preferred NX options
> NX> 200 Connected to address: 192.168.62.4 on port: 22
> NX> 202 Authenticating user: nx
> NX> 208 Using auth method: publickey
> NX> 204 Authentication failed.

What does the log on the server say?


-- 
Neil Bothwick

Accordion: a bagpipe with pleats.




Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-26 Thread Peter Humphrey
I would need a magnifying glass to read this. Please don't use HTML on this 
list.

On Wednesday 25 November 2015 18:50:14 Bill Damage wrote:
> I have exactly the same problem mentioned in this thread. I think
> something changed and broke the authentication during an update. I found
> this message by Googling and just joined the mail list to ask for help. I
> have done everything mentioned in the thread, and here's where I'm at:
> (it worked fine before some regular update broke it) Thanks!
> [root@tiger ssh]# nxsetup --test
> > Testing your nxserver configuration ...
> Warning: Invalid value "APPLICATION_LIBRARY_PRELOAD=/usr/lib64/nx/libX11.so.6:/usr/lib64/nx/libXext.so.6:/usr/lib64/nx/libXcomp.so.3:/usr/lib64/nx/libXcompext.so.3:/usr/lib64/nx/libXrender.so.1". /usr/lib64/nx/libX11.so.6 could not be found. Users will not be able to run a single application in non-rootless mode.
> Warning: Invalid value "COMMAND_START_CDE=cdwm" Users will not be able to request a CDE session.
> Warning: Invalid value "COMMAND_SMBMOUNT=smbmount". You'll not be able to use SAMBA.
> Warning: Invalid value "COMMAND_SMBUMOUNT=smbumount". You'll not be able to use SAMBA.
> Warning: Invalid cupsd version of "/usr/sbin/cupsd". Need version 1.2. Users will not be able to enable printing. Ignore if you use cups > 1.2
> Error: Could not find 1.5.0 or 2.[01].0 or 3.[012345].0 version string in nxagent. NX 1.5.0 or 2.[01].0 or 3.[012345].0 backend is needed for this version of FreeNX.
> Warnings occured during config check.  To enable these features please correct the configuration file.
> < done
> > Testing your nxserver connection ...
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
> Fatal error: Could not connect to NX Server.
> Please check your ssh setup:
> The following are _examples_ of what you might need to check.
> - Make sure "nx" is one of the AllowUsers in sshd_config.
>   (or that the line is outcommented/not there)
> - Make sure "nx" is one of the AllowGroups in sshd_config.
>   (or that the line is outcommented/not there)
> - Make sure your sshd allows public key authentication.
> - Make sure your sshd is really running on port 22.
> - Make sure your sshd_config AuthorizedKeysFile in sshd_config is set to authorized_keys.
>   (this should be a filename not a pathname+filename)
> - Make sure you allow ssh on localhost, this could come from some restriction of:
>   -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
>   -the iptables. add to it:
>      $ iptables -A INPUT  -i lo -j ACCEPT
>      $ iptables -A OUTPUT -o lo -j ACCEPT
> [root@tiger ssh]#

-- 
Rgds
Peter




Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-26 Thread Bill Damage
On Thursday, 26 November 2015, 9:51, Peter Humphrey wrote:

I would need a magnifying glass to read this. Please don't use HTML on this 
list.



It's damn Yahoo's webmail, I switched to plain text maybe it's better now?

Anyway the log at /var/log/nx/nxserver.log is always 0 bytes.



Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-25 Thread Neil Bothwick
On Wed, 25 Nov 2015 11:58:47 -0700, the...@sys-concept.com wrote:

> I had the same problem.
> openssh-7.xxx (screwed up) by disabling ssh-dss key (that is what
> nxserver is using).

That's not what the error message you posted said.

> Trying to enable the "ssh-dss" via sshd_config does not work!

Which you would expect if that was not the problem. From memory, I think
your problem was caused by password logins as root being disabled. That
was another change for 7.0 and my only comment on that is "why the hell
did they wait until version 7.0 before getting rid of such an insecure
default?".


-- 
Neil Bothwick

Age and treachery will always overcome youth and skill.




Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-25 Thread thelma
On 11/25/2015 12:31 PM, Neil Bothwick wrote:
> On Wed, 25 Nov 2015 11:58:47 -0700, the...@sys-concept.com wrote:
> 
>> I had the same problem.
>> openssh-7.xxx (screwed up) by disabling ssh-dss key (that is what
>> nxserver is using).
> 
> That's not what the error message you posted said.
> 
>> Trying to enable the "ssh-dss" via sshd_config does not work!
> 
> Which you would expect if that was not the problem. From memory, I think
> your problem was caused by password logins as root being disabled. That
> was another change for 7.0 and my only comment on that is "why the hell
> did they wait until version 7.0 before getting rid of such an insecure
> default?".
> 
> 
in sshd_config

#PermitRootLogin yes
or
#PermitRootLogin no

I can connect using openssh-6 but not 7-xx

Thelma



Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-25 Thread Mick
On Wednesday 25 Nov 2015 20:04:14 Neil Bothwick wrote:
> On Wed, 25 Nov 2015 12:55:43 -0700, the...@sys-concept.com wrote:
> > > Which you would expect if that was not the problem. From memory, I
> > > think your problem was caused by password logins as root being
> > > disabled. That was another change for 7.0 and my only comment on that
> > > is "why the hell did they wait until version 7.0 before getting rid
> > > of such an insecure default?".
> > 
> > in sshd_config
> > 
> > #PermitRootLogin yes
> > or
> > #PermitRootLogin no
> > 
> > I can connect using openssh-6 but not 7-xx
> 
> Because the setting is commented out so it falls back to the default,
> which is yes in 6 and no in 7. Set it to what you need instead of relying
> on defaults which can change.

Also, check your *uncommented* setting for PermitEmptyPasswords, if for some 
reason you have not set up a password for your NX account.  The default is no.

-- 
Regards,
Mick




Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-25 Thread thelma
On 11/25/2015 01:04 PM, Neil Bothwick wrote:
> On Wed, 25 Nov 2015 12:55:43 -0700, the...@sys-concept.com wrote:
> 
>>> Which you would expect if that was not the problem. From memory, I
>>> think your problem was caused by password logins as root being
>>> disabled. That was another change for 7.0 and my only comment on that
>>> is "why the hell did they wait until version 7.0 before getting rid
>>> of such an insecure default?".
>>>
>>>   
>> in sshd_config
>>
>> #PermitRootLogin yes
>> or
>> #PermitRootLogin no
>>
>> I can connect using openssh-6 but not 7-xx
> 
> Because the setting is commented out so it falls back to the default,
> which is yes in 6 and no in 7. Set it to what you need instead of relying
> on defaults which can change.

Yes, nxserver works with openssh-7; I don't know why I couldn't make it
to work during the upgrade a few weeks ago :-/




Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-25 Thread Neil Bothwick
On Wed, 25 Nov 2015 12:55:43 -0700, the...@sys-concept.com wrote:

> > Which you would expect if that was not the problem. From memory, I
> > think your problem was caused by password logins as root being
> > disabled. That was another change for 7.0 and my only comment on that
> > is "why the hell did they wait until version 7.0 before getting rid
> > of such an insecure default?".
> > 
> >   
> in sshd_config
> 
> #PermitRootLogin yes
> or
> #PermitRootLogin no
> 
> I can connect using openssh-6 but not 7-xx

Because the setting is commented out so it falls back to the default,
which is yes in 6 and no in 7. Set it to what you need instead of relying
on defaults which can change.


-- 
Neil Bothwick

The people who are wrapped up in themselves are overdressed.




Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]

2015-11-25 Thread thelma
On 11/25/2015 11:50 AM, Bill Damage wrote:
> I have exactly the same problem mentioned in this thread. I think something 
> changed and broke the authentication during an update. I found this message 
> by Googling and just joined the mail list to ask for help. I have done 
> everything mentioned in the thread, and here's where I'm at: (it worked fine 
> before some regular update broke it)
> Thanks!
> [root@tiger ssh]# nxsetup --test
> > Testing your nxserver configuration ...
> Warning: Invalid value "APPLICATION_LIBRARY_PRELOAD=/usr/lib64/nx/libX11.so.6:/usr/lib64/nx/libXext.so.6:/usr/lib64/nx/libXcomp.so.3:/usr/lib64/nx/libXcompext.so.3:/usr/lib64/nx/libXrender.so.1". /usr/lib64/nx/libX11.so.6 could not be found. Users will not be able to run a single application in non-rootless mode.
> Warning: Invalid value "COMMAND_START_CDE=cdwm" Users will not be able to request a CDE session.
> Warning: Invalid value "COMMAND_SMBMOUNT=smbmount". You'll not be able to use SAMBA.
> Warning: Invalid value "COMMAND_SMBUMOUNT=smbumount". You'll not be able to use SAMBA.
> Warning: Invalid cupsd version of "/usr/sbin/cupsd". Need version 1.2. Users will not be able to enable printing. Ignore if you use cups > 1.2
> Error: Could not find 1.5.0 or 2.[01].0 or 3.[012345].0 version string in nxagent. NX 1.5.0 or 2.[01].0 or 3.[012345].0 backend is needed for this version of FreeNX.
> Warnings occured during config check.  To enable these features please correct the configuration file.
> < done
> > Testing your nxserver connection ...
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
> Fatal error: Could not connect to NX Server.
> Please check your ssh setup:
> The following are _examples_ of what you might need to check.
> - Make sure "nx" is one of the AllowUsers in sshd_config.
>   (or that the line is outcommented/not there)
> - Make sure "nx" is one of the AllowGroups in sshd_config.
>   (or that the line is outcommented/not there)
> - Make sure your sshd allows public key authentication.
> - Make sure your sshd is really running on port 22.
> - Make sure your sshd_config AuthorizedKeysFile in sshd_config is set to authorized_keys.
>   (this should be a filename not a pathname+filename)
> - Make sure you allow ssh on localhost, this could come from some restriction of:
>   -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
>   -the iptables. add to it:
>      $ iptables -A INPUT  -i lo -j ACCEPT
>      $ iptables -A OUTPUT -o lo -j ACCEPT
> [root@tiger ssh]#
> 

I had the same problem.
openssh-7.xxx (screwed up) by disabling ssh-dss key (that is what
nxserver is using).
Trying to enable the "ssh-dss" via sshd_config does not work!

So the only way to go about it is to downgrade to openssh-6.xxx

--
Thelma
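
To see whether an account such as nx still authenticates with a DSS key, the key type of every entry in its authorized keys file can be listed. The script below is an added example, not part of the thread; the function names and the sample entries (constructed, with truncated placeholder key blobs) are assumptions, and the file to inspect is passed as an argument.

```shell
#!/bin/sh
# Added example, not from the thread: list the key type of each entry in an
# authorized_keys-style file and flag ssh-dss entries, the type OpenSSH 7.0
# and later reject unless PubkeyAcceptedKeyTypes re-enables it.

# key_types FILE -> "lineno<TAB>keytype<TAB>comment" per key entry.
# An entry is: [options] keytype base64-blob [comment]. Options may contain
# quoted spaces, so fields cannot be counted from the left. The base64 blob of
# an SSH public key always starts with "AAAA" (a 4-byte length whose top bytes
# are zero), so the key type is the field directly before that blob.
key_types() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            for (i = 2; i <= NF; i++)
                if ($i ~ "^AAAA[A-Za-z0-9+/=]+$") {
                    comment = (i < NF) ? $(i + 1) : "-"
                    printf "%d\t%s\t%s\n", NR, $(i - 1), comment
                    next
                }
            # No blob found: report the line instead of silently skipping it.
            printf "%d\tUNPARSED\t-\n", NR
        }' "$1"
}

# weak_keys FILE -> only the entries whose type is ssh-dss (plain or certificate).
weak_keys() {
    key_types "$1" | awk -F '\t' '$2 ~ /^ssh-dss/'
}

# Constructed sample entries; the blobs are truncated placeholders, not real keys.
sample_keys() {
    cat <<'EOF'
# constructed entries for the example
no-pty,command="echo forced command" ssh-dss AAAAB3NzaC1kc3MAAACBAEXAMPLE nx@constructed
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABEXAMPLE admin@constructed
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE ops@constructed
EOF
}

demo() {
    tmp=$(mktemp) || return 1
    sample_keys > "$tmp"
    echo "all entries:"
    key_types "$tmp"
    echo "entries needing replacement with rsa or ed25519 keys:"
    weak_keys "$tmp"
    rm -f "$tmp"
}
demo
```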



Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect

2015-11-15 Thread Neil Bothwick
On Sat, 14 Nov 2015 16:27:27 -0700, the...@sys-concept.com wrote:

> >> > Testing your nxserver connection ...
> >> Permission denied (publickey,password,keyboard-interactive).
> >> Fatal error: Could not connect to NX Server.  
> > 
> > That doesn't look like the error you get from an unsupported key,
> > which is something like
> > 
> > Unable to negotiate with x.x.x.x: no matching host key type found.
> > Their offer: ssh-dss
> > 
> > Is nxserver trying to connect as root? It looks more like the
> > disabling of passworded root logins in OpenSSH.  
> 
> Here is my sshd_config: (nxserver works with openssh-6.9_p1-r2)
> As soon as I upgrade to openssh-7, enable:
> PubkeyAcceptedKeyTypes=+ssh-dss
> 
> restart: sshd
> and nxserver gives me an error message (like above).

Which has nothing to do with keys
 
> Yes, I'm running "nxsetup --test" as root.

and everything to do with this. While the use of DSS keys may cause a
problem, you haven't reached that point yet because the default config
now blocks root logins. Add "PermitRootLogin without-password" to your
config.


-- 
Neil Bothwick

The computer revolution is over. The computers won.




Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect

2015-11-14 Thread Mick
On Saturday 14 Nov 2015 06:49:22 the...@sys-concept.com wrote:
> Thelma
> 
> On 11/13/2015 11:08 PM, the...@sys-concept.com wrote:
> > I'm running: nxserver-freenx-0.7.3_p104-r7
> > After recent upgrade, system installed new stable openssh-7.1_p1-r2
> > 
> > The problem is the new openssh-7.1_p1-r2 will not allow my "nxserver"
> > to connect, I get an error: Permission denied
> > (publickey,keyboard-interactive) see below:
> > 
> > nxsetup --test
> > ...
> > < done
> > 
> > > Testing your nxserver connection ...
> > Permission denied (publickey,keyboard-interactive).
> > Fatal error: Could not connect to NX Server.
> > 
> > Please check your ssh setup:
> > 
> > The following are _examples_ of what you might need to check.
> > 
> > - Make sure "nx" is one of the AllowUsers in sshd_config.
> > 
> > (or that the line is outcommented/not there)
> > 
> > - Make sure "nx" is one of the AllowGroups in sshd_config.
> > 
> > (or that the line is outcommented/not there)
> > 
> > - Make sure your sshd allows public key authentication.
> > - Make sure your sshd is really running on port 22.
> > > - Make sure your sshd_config AuthorizedKeysFile in sshd_config is set to
> > > authorized_keys2.
> > 
> > (this should be a filename not a pathname+filename)
> >   
> >   - Make sure you allow ssh on localhost, this could come from some
> >   
> > restriction of:
> >   -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
> >   
> >   -the iptables. add to it:
> >  $ iptables -A INPUT  -i lo -j ACCEPT
> >  $ iptables -A OUTPUT -o lo -j ACCEPT
> > 
> > What I should be getting is this:
> > > Testing your nxserver connection ...
> > HELLO NXSERVER - Version 3.2.0-74-TEAMBZR104 OS (GPL, using backend:
> > 3.5.0) NX> 105 quit
> > Quit
> > NX> 999 Bye
> > <--- done
> > 
> > I did not change anything in sshd_config.
> > But I downgraded to: openssh-6.9_p1-r2 and nxserver connects OK.
> > 
> > What could be the problem with new: openssh-7.1_p1-r2
> 
> I think the reason is that OpenSSH 7.0 disables ssh-dss keys by default
> https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html
> 
> And nxserver is using ssh-dss keys by default.
> 
> I have to find a way to replace the ssh-dss key in: /etc/nxserver/
> with RSA one.
> 
> Do I just run: ssh-keygen -t rsa
> and copy the key pair to /etc/nxserver/ directory?
> 
> --
> Thelma

Since openssh-7.0 DSS keys are disabled and about time too!

==
if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388
elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
elog "adding to your sshd_config:"
elog "  PubkeyAcceptedKeyTypes=+ssh-dss"
elog "You should however generate new keys using rsa or ed25519."
fi
==


Also SHA1 hashes are disabled and you will get errors like these when you try 
to login to a server which is still using deprecated ciphers:

Unable to negotiate with XXX.XX.XXX.X: no matching host key type found. Their 
offer: ssh-dss

Unable to negotiate with XXX.XX.XXX.X: no matching key exchange method found. 
Their offer: diffie-hellman-group1-sha1

If this is within your LAN and therefore relatively protected, you could 
specify deprecated ciphers and hashes like so:

ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-dss my_u...@xxx.xx.xxx.X


Alternatively, after you create a strong prime:

ssh-keygen -t rsa -b 4096


or probably better to use ed25519:

ssh-keygen -t ed25519

HTH.
-- 
Regards,
Mick




Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect

2015-11-14 Thread thelma

On 11/14/2015 04:11 AM, Mick wrote:
[snip]
> 
> Since openssh-7.0 DSS keys are disabled and about time too!
> 
> ==
> if has_version "<${CATEGORY}/${PN}-7.1_p1" ; then #557388
> elog "Starting with openssh-7.0, support for ssh-dss keys were disabled due to their"
> elog "weak sizes.  If you rely on these key types, you can re-enable the key types by"
> elog "adding to your sshd_config:"
> elog "  PubkeyAcceptedKeyTypes=+ssh-dss"
> elog "You should however generate new keys using rsa or ed25519."
> fi
> ==
> 
> 
> Also SHA1 hashes are disabled and you will get errors like these when you try 
> to login to a server which is still using deprecated ciphers:
> 
> Unable to negotiate with XXX.XX.XXX.X: no matching host key type found. Their 
> offer: ssh-dss
> 
> Unable to negotiate with XXX.XX.XXX.X: no matching key exchange method found. 
> Their offer: diffie-hellman-group1-sha1
> 
> If this is within your LAN and therefore relatively protected, you could 
> specify deprecated ciphers and hashes like so:
> 
> ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 -o HostKeyAlgorithms=+ssh-dss my_u...@xxx.xx.xxx.X
> 
> 
> Alternatively, after you create a strong prime:
> 
> ssh-keygen -t rsa -b 4096
> 
> 
> or probably better to use ed25519:
> 
> ssh-keygen -t ed25519
> 
> HTH.

The only software that uses ssh-dss key and I need is nxserver.

I just added a line to my: sshd_config
PubkeyAcceptedKeyTypes=+ssh-dss

restarted "sshd and nxserver" but nxserver still doesn't work,
running:  nxsetup --test (I get):

> Testing your nxserver connection ...
Permission denied (publickey,password,keyboard-interactive).
Fatal error: Could not connect to NX Server.

--
Thelma



Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect

2015-11-14 Thread Neil Bothwick
On Sat, 14 Nov 2015 08:54:38 -0700, the...@sys-concept.com wrote:

> The only software that uses ssh-dss key and I need is nxserver.
> 
> I just added a line to my: sshd_config
> PubkeyAcceptedKeyTypes=+ssh-dss

You should add this to a Host section, so it only enables the weak
encryption for that host.

> restarted "sshd and nxserver" but nxserver still doesn't work,
> running:  nxsetup --test (I get):
> 
> > Testing your nxserver connection ...  
> Permission denied (publickey,password,keyboard-interactive).
> Fatal error: Could not connect to NX Server.

That doesn't look like the error you get from an unsupported key, which
is something like

Unable to negotiate with x.x.x.x: no matching host key type found. Their offer: 
ssh-dss

Is nxserver trying to connect as root? It looks more like the disabling
of passworded root logins in OpenSSH.


-- 
Neil Bothwick

What do you get if you cross an agnostic, an insomniac and a dyslexic?
Someone who lies awake at night wondering if there really is a dog.




Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect

2015-11-14 Thread thelma
On 11/14/2015 02:22 PM, Neil Bothwick wrote:
> On Sat, 14 Nov 2015 08:54:38 -0700, the...@sys-concept.com wrote:
> 
>> The only software that uses ssh-dss key and I need is nxserver.
>>
>> I just added a line to my: sshd_config
>> PubkeyAcceptedKeyTypes=+ssh-dss
> 
> You should add this to a Host section, so it only enables the weak
> encryption for that host.
> 
>> restarted "sshd and nxserver" but nxserver still doesn't work,
>> running:  nxsetup --test (I get):
>>
>> > Testing your nxserver connection ...  
>> Permission denied (publickey,password,keyboard-interactive).
>> Fatal error: Could not connect to NX Server.
> 
> That doesn't look like the error you get from an unsupported key, which
> is something like
> 
> Unable to negotiate with x.x.x.x: no matching host key type found. Their 
> offer: ssh-dss
> 
> Is nxserver trying to connect as root? It looks more like the disabling
> of passworded root logins in OpenSSH.



Here is my sshd_config: (nxserver works with openssh-6.9_p1-r2)
As soon as I upgrade to openssh-7, enable:
PubkeyAcceptedKeyTypes=+ssh-dss

restart: sshd
and nxserver gives me an error message (like above).

Yes, I'm running "nxsetup --test" as root.

#   $OpenBSD: sshd_config,v 1.95 2015/04/27 21:42:48 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
#AuthorizedKeysFile .ssh/authorized_keys

# Added Nov 14/15, needed for nxserver to work
# PubkeyAcceptedKeyTypes=+ssh-dss

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
PrintLastLog no
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox  # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# here are the new patched ldap related tokens
# entries in your LDAP must have posixAccount & ldapPublicKey objectclass
#UseLPK yes
#LpkLdapConf /etc/ldap.conf
#LpkServers  ldap://10.1.7.1/ ldap://10.1.7.2/
#LpkUserDN   ou=users,dc=phear,dc=org
#LpkGroupDN  ou=groups,dc=phear,dc=org
#LpkBindDN 
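
Added example, not part of any poster's message: a shell sketch of the two checks this thread turns on, namely which sshd_config directives are actually active (a line starting with "#" sets nothing) and whether an ssh error came from algorithm negotiation or from authentication. The function names and the sample excerpt are constructed for illustration; the excerpt is modelled on the config lines quoted above.

```shell
# Added example, not from the thread; function names are hypothetical.
# active_directive FILE KEY: print the first active global value of KEY.
# sshd takes the first value it reads; a line starting with "#" sets nothing.
active_directive() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next     # comment or blank
            n = match(line, /[ \t=]/)               # keyword ends at space or "="
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))   # keywords are case-insensitive
            val = substr(line, n)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (key == "match") exit                # Match blocks are conditional
            if (key == want) { print val; found = 1; exit }
        }
        END { exit !found }
    ' "$1"
}
# ssh_failure_stage LINE: which stage of the connection produced this error?
ssh_failure_stage() {
    case "$1" in
        "Unable to negotiate"*"no matching host key type"*) echo negotiation:hostkey ;;
        "Unable to negotiate"*"no matching key exchange method"*) echo negotiation:kex ;;
        "Permission denied ("*) echo authentication ;;
        *) echo unknown ;;
    esac
}
# Constructed excerpt modelled on the sshd_config lines quoted in the thread.
sample_config() {
    cat <<'EOF'
#PermitRootLogin no
# Added Nov 14/15, needed for nxserver to work
# PubkeyAcceptedKeyTypes=+ssh-dss
PasswordAuthentication yes
UsePAM yes
EOF
}

tmp=$(mktemp) && sample_config > "$tmp"
for key in PermitRootLogin PubkeyAcceptedKeyTypes PasswordAuthentication; do
    val=$(active_directive "$tmp" "$key") || val="(not set, built-in default applies)"
    echo "$key: $val"
done
rm -f "$tmp"
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; the function above only reads the file text.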

Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect

2015-11-13 Thread thelma


Thelma

On 11/13/2015 11:08 PM, the...@sys-concept.com wrote:
> I'm running: nxserver-freenx-0.7.3_p104-r7
> After recent upgrade, system installed new stable openssh-7.1_p1-r2
> 
> The problem is the new openssh-7.1_p1-r2 will not allow my "nxserver" to 
> connect, I get an error:
> Permission denied (publickey,keyboard-interactive) see below:
>  
> nxsetup --test
> ...
> < done
> 
> > Testing your nxserver connection ...
> Permission denied (publickey,keyboard-interactive).
> Fatal error: Could not connect to NX Server.
> 
> Please check your ssh setup:
> 
> The following are _examples_ of what you might need to check.
> 
>   - Make sure "nx" is one of the AllowUsers in sshd_config.
> (or that the line is outcommented/not there)
>   - Make sure "nx" is one of the AllowGroups in sshd_config.
> (or that the line is outcommented/not there)
>   - Make sure your sshd allows public key authentication.
>   - Make sure your sshd is really running on port 22.
>   - Make sure your sshd_config AuthorizedKeysFile in sshd_config is set 
> to authorized_keys2.
> (this should be a filename not a pathname+filename)
>   - Make sure you allow ssh on localhost, this could come from some
> restriction of:
>   -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
>   -the iptables. add to it:
>  $ iptables -A INPUT  -i lo -j ACCEPT
>  $ iptables -A OUTPUT -o lo -j ACCEPT
> 
> What I should be getting is this:
> > Testing your nxserver connection ...
> HELLO NXSERVER - Version 3.2.0-74-TEAMBZR104 OS (GPL, using backend: 3.5.0)
> NX> 105 quit
> Quit
> NX> 999 Bye
> <--- done
> 
> I did not change anything in sshd_config.
> But I downgraded to: openssh-6.9_p1-r2 and nxserver connects OK.
> 
> What could be the problem with new: openssh-7.1_p1-r2

I think the reason is that OpenSSH 7.0 disables ssh-dss keys by default
https://www.gentoo.org/support/news-items/2015-08-13-openssh-weak-keys.html

And nxserver is using ssh-dss keys by default.

I have to find a way to replace the ssh-dss key in: /etc/nxserver/ with 
RSA one.

Do I just run: ssh-keygen -t rsa
and copy the key pair to /etc/nxserver/ directory? 

--
Thelma