[FreeNX-kNX] Re: Client restart capability

Andreas Stanescu andreas at rrohio.com
Thu Mar 31 21:21:13 UTC 2005 

I wonder if other developers can weigh in regarding a possible solution. Here 
wis what I am thinking.

Consider this: it would be great if the user stays authenticated throughout a 
period of time, say a day's work, regardless of what physical client they 
use. The first part is already securely implemented by Kerberos; the second 
part is implemented by storing the kerberos cache on a usb dongle. With that 
in mind, here is the solution...

Instead of authenticating the NX user & the real user to ssh, use the kerberos 
server and kerberized telnet. If we set each user's default shell to 
nxserver, upon connecting to telnet, the startup sequence, minus the 
time-consuming authentication, can proceed. To make it more secure, I would 
also prevent direct authentication to telnet: only the kerberos ST can start 
a telnet NX session.

The client then needs to 1) use kinit to authenticate to kerberos, and 2) 
telnet to the NX machine. Since the default shell is nxserver, the server 
automatically does its startup procedure. The client can now pick up from 
there. 

So, what's left to change?
Only the client. The client must be able to authenticate to kerberos and send 
the proper nx command to nxserver to start the server, bypassing 
userid/password authentication. Since telnet will automatically reject any 
client not authenticated, the nxserver will never see them, so it can 
securely assume that it has a valid user.

I think this is *much* faster to build and to execute. Furthermore, since the 
client now holds the kerberos TGT and the telnet ST in the USB dongle cache, 
reconnection should be trivial, right?

Andreas

On Wednesday 30 March 2005 18:44, Andreas wrote:
> I was wondering how difficult it would be to implement a faster method to
> reconnect to the server. Consider a kiosk application such as a student
> center: students login in the morning on one machine, and then, throughout
> the day, the simply stop at some other kiosk, look up their next class, and
> move on.
>
> The requirements for this type of application are a little different than
> the original NX client. Consider this:
> 1. the users authenticate once in the morning, with the expectation of not
> having to do the same until the following day
> 2. the actual usage of the session is very short - establish connections,
> lookup something, suspend connection
> 3. establishing the reconnect should be as fast as turning on a TV monitor
> 4. the network is closed, in that the kiosk machines are not open to the
> outside world, and so the connection is within a (more or less) trusted
> network
> 5. users change their kiosk location with each session reconnect
> 6. users share the kiosk in a serialized fashion (earlier user caches and
> personal info must therefore be removed or stored elsewhere, ie: USB
> dongle).
>
> Essentially, I would like to hold some form of a session ticket, either
> kerberos, X MIT cookie, whatever, on a USB device and bypass the RSA
> exchange and the userid/password authentication on session reconnects. The
> only thing left to do is instantiate the X server on the client and
> establish the network connection to the NXAgent.
>
> My question is: where do I look to start changing this code. Of course, if
> someone more familiar with the code already has such knowledge, I'd use
> their implementation instead. :)
>
> Andreas

More information about the FreeNX-kNX mailing list