[FreeNX-kNX] Alioth projekt for FreeNX debian packages
Paul van der Vlis
paul at vandervlis.nl
Wed Jun 15 09:08:32 UTC 2005
Kurt Pfeifle wrote:
> On Wednesday 15 June 2005 00:03, Paul van der Vlis wrote:
>
>
>>apt-get install nxserver nxagent
>>nxsetup --setup-nomachine-key
>>
>>This is not really secure,
>
> To be honest, this is a sentence of ... shall I say "pure rubbish"?
It is not pure rubbish: SSH is used in a "strange way"; it lets
everybody into the NX script. I am not sure this is good enough for the
Debian developers.
> A sentence created once by someone who understood little about the NX
> login concept, and repeated ever since by many, many people.
>
> To set the record straight: this key (or the custom one you can create
> yourself) doesn't let you or any user log in to the NX server, and it
> doesn't give any normal shell access to anybody.
>
> This key is used to establish an initial secure tunnel, over which in
> the next stage the real login of the user, with his real (and hopefully
> kept secret by him!) credentials happens.
By FreeNX, not by SSH. As a "stupid user", you maybe think you have SSH
security because only port 22 is open.
> The "nomachine-key" (or any custom key you might use in its place) is
> only useful for the special "nx" user who builds the tunnel from the NX
> client to the NX server.
>
> This user has as his "login shell" something called "nxserver". All
> "nx" can do with that shell is conduct a sort of handshake, pass the
> real user's credentials in a safe way and start the executables needed
> to establish the NX session. No more. And it is restricted to exactly
> the commands the NX session initiation needs. And it is explicitly
> prohibiting e.g. port forwarding.
>
> So it is a gross misrepresentation to paint the "--setup-nomachine-key"
> option as a "not really secure" one. It *IS* secure.
It opens a door with a very secure lock (SSH) to a door with a less
tested lock (FreeNX).
> Yes, it can slightly improve security to create a separate custom key
> for each NX server. I concede that. But that "improvement" comes at
> a price:
>
> * it will also greatly increase the inconvenience to your users and to
> the NX server administrators, who will have to distribute the keys to
> their users, and teach them how to switch keys when they switch servers.
I know.
> Using the standard key for the nx user will allow anybody to get to the
> login prompt for the real NX session. Big deal. I can get to the login
> prompt of nearly every server or machine on the planet anyway, if it is
> connected at all to the Net.
>
> Yes, it is a risk to have a machine on the Net that allows remote logins.
> This is true for NX as well as non-NX services. If you want to avoid
> that risk, disconnect the machine.
>
> Please stop repeating this mantra "'nxsetup --setup-nomachine-key' is not
> really secure". Please start explaining what the real deal is
> (improving good security to whatever degree of even better security for
> the price of whatever increased work and inconvenience). Then it is a
> fair deal.
>
> If "security expert" people really cared about security of GUI programs,
> they would start an audit of the old, old, old, never-touched-again X
> code (originating from old XFree86 times), and make sure that e.g.
> it does not happen that every single X server known to mankind and
> derived from that common root, with the exception of the NoMachine-modified
> one, will fall back to an "xhost +localhost" behaviour when it cannot read
> its Xauthority file.
>
>>because it uses the default nomachine SSH key
>>without password, but it's really easy. All users can login with the
>>normal password.
>
> Not true. You *can* set it up so that all users can login with their
> normal password.
It's the default.
> You can also set it up so that *some* users can login
> (via NX), and others cannot. And you can set it up for users to use
> a different NX password from their normal password.
>
>>Take a look at /home/.nx and in /etc/passwd at the user
>>"nx".
>
> Yes, do it! What does it tell you?
The naked truth ;-)
With regards,
Paul van der Vlis.
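The two things the thread argues about, the "nx" account's restricted login shell and the restrictions carried by its tunnel key, can be checked from /etc/passwd and the nx user's authorized_keys. The audit script below is an added example, not code from the original message or from FreeNX; the shell path /usr/bin/nxserver, the expected ssh option names, and the key blobs in the sample input are assumptions and placeholders.

```python
import re

# Assumed values (not from the thread): restricted-shell path, required ssh options.
NX_SHELL = "/usr/bin/nxserver"
REQUIRED_OPTS = {"no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding"}
KEY_RE = re.compile(r"(?:^|\s)(ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp\d{3})\s+(\S+)")

def nx_shell_findings(passwd_text, shell=NX_SHELL):
    """Check that the 'nx' account in passwd-format text has the restricted login shell."""
    entry = next((ln.split(":") for ln in passwd_text.splitlines() if ln.startswith("nx:")), None)
    if entry is None or len(entry) < 7:
        return ["no 'nx' user in passwd"]
    return [] if entry[6] == shell else [f"nx login shell is {entry[6]}, expected {shell}"]

def parse_authorized_key(line):
    """Return ({option: value}, key type, key blob) for one authorized_keys line."""
    m = KEY_RE.search(line)
    if not m:
        raise ValueError("not an authorized_keys entry")
    opts = {}
    # Options are comma separated; a quoted command="..." value is kept as one token.
    for tok in re.findall(r'[^,"]+(?:"[^"]*")?', line[: m.start()].strip()):
        name, _, value = tok.partition("=")
        opts[name.strip().lower()] = value.strip('"')
    return opts, m.group(1), m.group(2)

def authorized_keys_findings(keys_text, default_key_blob=None):
    """Flag entries missing the tunnel restrictions or still using the shared default key."""
    findings = []
    for n, line in enumerate(keys_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        opts, _, blob = parse_authorized_key(line)
        missing = sorted(REQUIRED_OPTS - set(opts))
        if missing:
            findings.append(f"line {n}: missing options {', '.join(missing)}")
        if "command" not in opts:
            findings.append(f"line {n}: no forced command, only the login shell limits it")
        if default_key_blob and blob == default_key_blob:
            findings.append(f"line {n}: shared default key still installed")
    return findings

# Constructed sample input; the key blobs are placeholders, not real keys.
DEFAULT_BLOB = "AAAAB3NzaC1yc2EAAAADAQABAAAAgQDEFAULTKEYPLACEHOLDER"
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\nnx:x:1001:1001:NX:/home/.nx:/usr/bin/nxserver\n"
SAMPLE_KEYS = (
    'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/bin/nxserver"'
    f" ssh-rsa {DEFAULT_BLOB} nx@nxserver\n"
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDCUSTOMKEYPLACEHOLDER admin@example\n"
)
```

Run `nx_shell_findings` and `authorized_keys_findings` on the real files with the blob of the key `nxsetup --setup-nomachine-key` installs to see whether the shared key is still in place.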