[FreeNX-kNX] Restricting login access to an NX-server
Ragnar Wisløff
ragnar.wisloff at linuxlabs.no
Wed Oct 12 09:01:04 UTC 2005
The NX system works very well, actually impressive :) But we have seen it as a
slight problem that it would be possible to log in to a server running NX by
using any SSH client. It turned out be relatively easy to prevent this using
sshd_config settings. In the process we looked at a few other options that
did not work. One of them was using various types of restricted shells.
Authentication always failed in the NX client when using things
like /bin/rbash as user shells, even if it was possible to log in using
console-based SSH clients.
Apparently there are commands being executed before any GUI is started, but
which? I guess the answer to which commands these are is in the code, but I
am asking here anyway. It would be nice to have a restricted shell, possibly
with a chroot environment as an extra safety net. Any thoughts on this issue?
What are sysadmins doing to harden their (publicly available) NX servers?
I've done the testing on Debian Sarge with the NoMachine client 1.5.0-113 for
LInux, freenx server 0.4.4+0.4.5.3 (src debs from kanotix) and NoMachine nx*
1.4.92+1.5.0-4 (again src debs from kanotix).
--
Med vennlig hilsen
Ragnar Wisløff
LinuxLabs AS
Tlf 90 89 41 52
More information about the FreeNX-kNX
mailing list