[FreeNX-kNX] nxclient and "challengeresponseauthentication no"

* * richardvoigt at gmail.com
Sun Feb 5 22:15:07 UTC 2006


On 1/27/06, Kurt Pfeifle wrote:
> On Friday 27 January 2006 14:11, * * wrote:
>
> > The nx user must be in the wheel group, so that he can
> > change to the user account.  Of course, this permits all your clueful
> > NX users to use su... because they own the nx login key.  In fact you
> > must use an other-than-NoMachine-NX-public private key, or else
> > everyone on the 'Net will be able to use su.
>
> <sarcasm>
>   Oh my god!!!! You have just discovered a glaring security
>   hole in NX! The world can now use su to impersonate me on
>   any NX server I've an account on!! And nobody discovered this
>   vulnerability since more than 3 years! Stop shipping NX!
> </sarcasm>

Obviously you understand then, so why go on?

>
> Honest, would you please give me a step by step HOWTO (because
> I'm not such a clueful user you talked about), so that I am
> able to use su from user "nx" to acquire my boss' account
> privileges? I have succeeded to do this:
>
> 1. I type: "nxssh -nx -i /usr/NX/share/client.id_dsa.key nx@my_bosses_box"

and .ssh/authorized_keys2 contains
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/NX/bin/nxserver"

which does correctly prevent the user from running a shell prompt and
running su -- all input must go through nxserver

>
> 2. I get a response: "NX> 105"
>
> 3. I type: "su root", "su - root", "su - my_boss", "su my_boss", "su kurt"
>
> But all I get is that the stupid thing keeps echo-ing what I type.
>
> I've the feeling I must be *that* close to be a blackhat cracker.... Can
> you please help me understand what clever trick I am missing in my 3rd
> step? Puh-leeease?

Just run nxclient?  Type in your boss's userid and password and xterm
with the shell of your choice in unix custom?  I fail to see much
distinction between typing "su..." at a prompt and having nxserver run
it for me, if I control the input.

I was just trying to point out to someone with sysadmin aspirations
that having remote sessions via password (using NX) defeats the
purpose of "PasswordAuthentication no" in sshd-config.

Basically, allowing a connection to the nx user provides a "switch
user" capability.  I thought that was the whole point of nxserver and
nxnode-login.

I believe this requirement for either ssh or su password
authentication to get NX password login is categorized as:
"by design"
"won't fix"
and
"primary purpose of nxserver"

If you are willing to give up the password-login and the NoMachine
client, then you can ENABLE_USERMODE_AUTHENTICATION="1" and use keys.

If you want to have password-login but not allow the world to brute
force your box, then don't use the nomachine key.

To reiterate, if you are afraid of having your box accessed remotely,
what possessed you to run NX, which has no purpose other than
(interactive) remote access?
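
The authorized_keys2 restriction quoted in this message can be checked mechanically. The following is an added example, not part of the original post or of FreeNX: it audits key entries for the nx account, assuming the forced-command path quoted above. The function names, the sample lines and the placeholder key blobs are constructed for illustration.

```python
# Added example: audit authorized_keys entries for the "nx" login account.
REQUIRED = {"no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding"}
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # a line starting with these has no options

def split_unquoted(text, seps):
    """Split on any char in seps, except inside double-quoted option values."""
    parts, cur, quoted, prev = [], "", False, ""
    for c in text:
        if c == '"' and prev != "\\":
            quoted = not quoted
        if c in seps and not quoted:
            parts.append(cur)
            cur = ""
        else:
            cur += c
        prev = c
    return parts + [cur]

def audit_entry(line, expected_cmd="/usr/NX/bin/nxserver", public_blobs=()):
    """Return a list of findings for one authorized_keys line (empty = OK)."""
    fields = [f for f in split_unquoted(line.strip(), " \t") if f]
    opts = {}
    if fields and not fields[0].startswith(KEY_PREFIXES):
        for opt in split_unquoted(fields.pop(0), ","):
            name, _, value = opt.partition("=")
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1].replace('\\"', '"')
            opts[name.lower()] = value  # option names are case-insensitive
    blob = fields[1] if len(fields) > 1 else ""
    findings = [f"missing {o}" for o in sorted(REQUIRED - set(opts))]
    if "command" not in opts:
        findings.append("no forced command: key grants a shell")
    elif opts["command"] != expected_cmd:
        findings.append(f"unexpected forced command {opts['command']!r}")
    if blob in public_blobs:  # e.g. a key pair shipped with every client install
        findings.append("key pair is publicly distributed")
    return findings

# Constructed sample entries; the key blobs are placeholders, not real keys.
SAMPLE = [
    'no-port-forwarding,no-X11-forwarding,no-agent-forwarding,'
    'command="/usr/NX/bin/nxserver" ssh-dss AAAAPLACEHOLDERSITEKEY nx@site',
    'command="/usr/NX/bin/nxserver" ssh-dss AAAAPLACEHOLDERPUBLICKEY nx@default',
    'ssh-dss AAAAPLACEHOLDERSITEKEY nx@site',
]
PUBLIC = {"AAAAPLACEHOLDERPUBLICKEY"}

if __name__ == "__main__":
    for n, entry in enumerate(SAMPLE, 1):
        print(n, audit_entry(entry, public_blobs=PUBLIC) or "ok")
```

Populate the public-blob set with the base64 field of any key pair that ships with client packages, so an entry trusting it is flagged even when its options are correct.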


