[FreeNX-kNX] Release: FreeNX 0.7.3 "Priscilla One Year Edition"
Fabian Franz
FabianFranz at gmx.de
Mon Aug 25 01:57:11 UTC 2008
Hi All,
It is done. It is released.
FreeNX 0.7.3 is released and I am proud to present lots of nice new features; in particular, I
hunted down the bug list (BerliOS project page) and got them all,
including the dreaded "Resume fails with Negotiating Link Parameters and nxssh.exe still
running.".
Perhaps the two biggest new features are full shadow support and the overhaul of the usermode.
I am grateful to Amin Shehata for his work and motivation on the shadow mode, and to Mr. N.
Bartos, who presented me with a complete changeset for the usermode.
I also made the VNC shadowing behave exactly the same as the normal shadow mode.
SHADOWING VIA NX AND VNC Resume
========================
Shadowing (also of other users' sessions) works in three steps:
1. Saving the shadow cookie (obviously not needed for the same user)
First, when a session is started or resumed, nxshadowacl is asked whether this user may be
shadowed.
This way, nxshadowacl could contain lines like:
#!/bin/sh
# $1 is the user whose session is about to be shadowed.
# Exit status 1 denies shadowing, exit status 0 allows it.
# Deny admin and boss to be shadowed
[ "$1" = "admin" -o "$1" = "boss" ] && exit 1
# Allow all others to be shadowed
exit 0
I used this approach because nxserver stores the shadow cookie in the session file if
nxshadowacl allows shadowing.
This is a possible security issue, so it's not enabled by default.
To enable shadowing of other users besides your own user, copy nxshadowacl.sample to
$PATH_BIN/nxshadowacl and add your rules there.
2. Selecting which sessions are shadowable
So now nxshadowacl gets another argument: the name of the user who is trying to shadow
the session.
Let me give you another example:
#!/bin/sh
# $1 is the user whose session is about to be shadowed,
# $2 is the user who is trying to shadow it.
# Deny admin and boss to be shadowed
[ "$1" = "admin" -o "$1" = "boss" ] && exit 1
# Don't let boss shadow the auditors
[ "$1" = "auditor" -a "$2" = "boss" ] && exit 1
# Allow all others to be shadowed
exit 0
I think you can come up with countless possibilities yourself. Speaking of that, has anyone made
any great nxacl scripts yet?
If so: please share.
3. Asking the user for permission and setting the view mode
For now this is controlled by the global variables known from the !M NX Server.
If ENABLE_SESSION_SHADOWING_AUTHORIZATION is set to "1", the user is asked, before the
cookie is transmitted, whether he wants his session to be shared. After a timeout of 60
(AGENT_STARTUP_TIMEOUT) the dialog is closed again and the operation is deemed a failure.
ENABLE_INTERACTIVE_SESSION_SHADOWING is passed directly as -viewonly or -shadowmode
to x11vnc / nxagent -S.
However, if you find it too restrictive that an admin cannot help others without their
confirmation, or cannot just view what is happening, you can use a custom admin.node.conf
configuration file with custom shadow mode settings.
Usermode and SUID Wrapper
==================
We are now very close to logging in directly as users, and I also heard of a C program which can be
put seamlessly between nxclient and nxssh. So with client support we now have three
alternatives:
1. Login as user via ssh and connect to server with ssh command on server again.
2. Login as user and use usermode to save all sessions locally for each user.
3. Use a SUID nx (not root!) wrapper to startup a new "trusted" session.
One is error-prone; two is good, but loses the central structure; three is the best of both worlds
and, being suid nx, also has the most advantages, without the dreaded public key problems.
_Yes_, this means that if you use the suid wrapper you still need the nx user, but you can remove
the public keys and it'll still work.
The SUID wrapper is part of the redesign work, and thanks go to Alistair Riddoch from
Google here.
So how do I enable it on a new installation?
- sudo make install
- nxsetup # note: No setup nomachine key here!
- # Uncomment the suid_install line in Makefile
- sudo make install
- # Done.
Now you just need one of the wrapper functions from SVN (nxssh); nbartos also said he had a
nice C program, so I hope he publishes it.
The wrapper does the first part of the authentication, logging the user in via ssh; then the
following command is started: $PATH_BIN/nxserver-suid
And voilà, the user is logged in!
The same goes for usermode; enabling usermode with a central installation is now much
easier:
- Login
- Run $PATH_BIN/nxserver-usermode
Each user can also track his own sessions this way:
- $PATH_BIN/nxserver-usermode --list
So these features finally enable you to remove the dreaded public key setup part (using a wrapper,
of course) and all the problems that come with it.
Whatever way you choose ...
And as that is still quite some work, I have prepared and uploaded a ready-made tarball for you!
It is available from:
http://download.berlios.de/freenx/NX4U.tar.gz
And I even made it so that this can be unpacked wherever you want and it'll automatically find all
binaries.
And this is not limited to usermode: all normal FreeNX features are supported.
So, for example, unpack it in /opt/NX4U/, run /opt/NX4U/nxsetup --install --setup-nomachine-key
and you are ready to go.
However, if you use usermode, not even that is needed!
Okay, I said you need a wrapper? You are extremely lucky: I have now written one in C, which I have also already cross-compiled for Windows for you!
== NX Client Wrapper ==
The wrapper is very, very powerful, and all options can be chosen in NX Client.
How to use it?
Download:
http://download.berlios.de/freenx/nxssh
or
http://download.berlios.de/freenx/nxssh.exe
Rename nxssh(.exe) from !M NX Client to mxssh(.exe).
Put new nxssh(.exe) into place.
Make it executable if you are on linux. (chmod a+x nxssh)
Done.
Now you can either wrap all connections by exporting the environment variable NXWRAP=1 before
starting nxclient,
or, instead of the hostname, you can use:
@hostname and set "Enable SSL Encryption" to "yes".
Now it's wrapped, and the password entered into the nxclient dialog is _automatically_ used for
authentication of the user.
So, you (on linux) want to use your public key setup instead?
No problem, just use as username:
@username
So, if I want to connect with my private key to host big-machine, I would put into NX Client:
Host: @big-machine
User: @ff
And your normal ssh options + ssh-askpass are used.
Note: By default SSH_ASKPASS environment variable is set to /usr/bin/ssh-askpass. If you have
something different, you need to export that _before_ starting nxclient.
There is also nxssh-wrapper available in SVN (from which nxssh-4US was converted) if you prefer
to edit a shell script.
(http://svn.berlios.de/svnroot/repos/freenx/trunk/freenx-utils/nxpublickey/nxssh-wrapper)
Sooo!
But now you want to use usermode and not suid mode, or you have installed NX4U in a
non-standard location.
The wrapper knows it all.
It searches first for a suitable nxserver-suid program, then for nxserver-usermode, and lastly fails.
And it searches in a long PATH ...
~/bin:~/NX4U/:/usr/NX/bin:/opt/NX/bin:/opt/NX4U/bin/:/usr/NX4U/bin:/usr/local/NX4U/bin:/usr/lib/nx/bin
If, however, you want to use usermode and not suid mode (or vice versa), you can use the following
syntax:
user@U for usermode (or @user@U)
or:
user@S for suid mode (or @user@S)
And you can even specify a completely different binary path with a ':'
So:
[@]user[@<S|U>[:path-to-command]]
is the full syntax!
Example for an installation in /tmp/NX4U/ with public key usage:
@ff@U:/tmp/NX4U/bin/nxserver-usermode
And it all works!
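As an added example (not the nxssh wrapper's own code, which is a C program), the following POSIX shell functions implement the [@]user[@<S|U>[:path-to-command]] parsing and the search order described above: an explicit path wins, otherwise nxserver-suid is looked for first, then nxserver-usermode, and then the lookup fails. The search path is reproduced from this mail as a constant; the function names and the "PUBKEY USER MODE PATH" output layout are this example's own choices.

```sh
#!/bin/sh
# Added example, not the FreeNX nxssh wrapper itself: parse the
# [@]user[@<S|U>[:path-to-command]] login syntax and resolve which server
# binary would be started. Function names and output layout are this
# example's own choices.

# Search path quoted in the announcement (trailing slashes kept as written).
NX_SEARCH_PATH="$HOME/bin:$HOME/NX4U/:/usr/NX/bin:/opt/NX/bin:/opt/NX4U/bin/:/usr/NX4U/bin:/usr/local/NX4U/bin:/usr/lib/nx/bin"

# parse_nx_user SPEC -> prints "PUBKEY USER MODE PATH" on one line:
#   PUBKEY  1 if SPEC began with '@' (ssh public key + ssh-askpass), else 0
#   USER    the unix user name
#   MODE    S (suid), U (usermode) or auto (suid first, then usermode)
#   PATH    explicit path given after ':', or '-' when none was given
parse_nx_user() {
    spec=$1
    pubkey=0
    case $spec in
        @*) pubkey=1; spec=${spec#@} ;;
    esac
    user=${spec%%@*}              # everything before the first remaining '@'
    rest=
    case $spec in
        *@*) rest=${spec#*@} ;;
    esac
    mode=${rest%%:*}              # mode letter before ':' (may be empty)
    path=
    case $rest in
        *:*) path=${rest#*:} ;;
    esac
    [ -n "$user" ] || { echo "parse_nx_user: missing user name" >&2; return 1; }
    case $mode in
        ''|S|U) ;;
        *) echo "parse_nx_user: unknown mode '$mode' (expected S or U)" >&2; return 1 ;;
    esac
    printf '%s %s %s %s\n' "$pubkey" "$user" "${mode:-auto}" "${path:--}"
}

# resolve_server MODE PATH SEARCHPATH -> prints the executable that would run,
# or returns 1 when nothing suitable exists (the wrapper's "lastly fails").
resolve_server() {
    mode=$1; path=$2; search=$3
    if [ -n "$path" ] && [ "$path" != - ]; then
        [ -x "$path" ] && { echo "$path"; return 0; }
        return 1
    fi
    case $mode in
        S) names=nxserver-suid ;;
        U) names=nxserver-usermode ;;
        *) names="nxserver-suid nxserver-usermode" ;;
    esac
    oldifs=$IFS; IFS=:; set -- $search; IFS=$oldifs
    for name in $names; do
        for dir; do
            [ -x "$dir/$name" ] && { echo "$dir/$name"; return 0; }
        done
    done
    return 1
}

# Demo: the public-key usermode example from this mail.
parse_nx_user '@ff@U:/tmp/NX4U/bin/nxserver-usermode'
```

Feed the USER/MODE/PATH fields from parse_nx_user into resolve_server together with NX_SEARCH_PATH to see which binary a given login string would pick on your installation.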
So, now NX installation really is as simple as untarring, changing the client to use the wrapper and BAM!
running!
Okay, after this many features, and after days of work on the RL announcement (I _had_ to
make that wrapper!), let's take a small look at the other changes!
- Failed login attempts are now logged to syslog(3).
- nxagent now has -nolisten tcp set by default via EXTRA_OPTIONS_X.
Note: in a load balancing + shadow mode setup it might be desirable for nxagent to be reachable
remotely.
- Bash is used for all tasks, as sh is dash on Ubuntu.
- mv was not working for failed or terminated sessions due to a typo. (YEAH! Finally found the
bug!)
- I found a very old patch (2005), which enables connection from 32 bit to 24 bit and vice-versa.
Ooops, I forgot that one, I think ...
- 3.2.0 support!
- The Makefile now actually stops on errors. Thanks goes to: Hai Zaar <haizaar at gmail.com>
- I disabled the PASSDB auth mode, as people keep finding old tutorials and thinking it's necessary,
while it's not. I also added a nice notice. If you used it before and want to continue using it, be
sure to re-enable it in nxloadconfig / node.conf.
- Lots of rdesktop fixes by the community were included, including that "run application" now
actually works!
- I added the ConsoleKit application by the Ubuntu team, though I think I might still be missing
something for full integration. Someone needs to explain this to me ;-).
- The slave mode is now actually the default, as I got no reports that it did not work and it has always
worked for me since the last release, so it's time to give it to a wider audience. (Also it's needed for
nxserver-suid.)
If you have any problems with it, disable it in node.conf.
And here is the full changelog!
18.08.2008 FreeNX 0.7.3 "Priscilla One Year Edition"
* Opened the 0.7.3 development.
* Added logging of failed authentication attempts
to auth.log via syslog (3). This can be disabled by
setting ENABLE_LOG_FAILED_LOGINS="0".
(fabianx at bat.berlios.de)
* Added -nolisten tcp to nxagent invocation.
(fabianx at bat.berlios.de, idea by pappy- (Gentoo))
* Used bash for all tasks as 'sh' might be not what we want
on standard ubuntu.
(fabianx at bat.berlios.de, thx to tan (IRC))
* Finally fixed mv not working for failed or terminated
sessions.
(fabianx at bat.berlios.de, Terje Andersen <terander at guard.zapto.org>)
* Added patch from 2005 to enable reconnect to 24-bit display via
32-bit or vice versa. Oops :)
(Sunil <funtoos at yahoo.com> )
* Added 3.2.0 as a backend version for nxloadconfig.
(fabianx at bat.berlios.de)
* Added configuration key ENABLE_SOURCE_BASH_PROFILE for toggling of
sourcing ~/.bash_profile.
(fabianx at bat.berlios.de)
* Added /usr/bin/xauth as default key and used /usr/X11R6/bin/xauth as
fallback.
(fabianx at bat.berlios.de)
* Fixed Makefile to stop on all errors.
(Idea by Hai Zaar <haizaar at gmail.com>, fabianx at bat.berlios.de)
* Changed the default for ENABLE_PASSDB_AUTHENTICATION. If you had
added a user with different password via --adduser consider
re-activating this option in node.conf.
(fabianx at bat.berlios.de)
* Added constraints for passdb based commands. They are only available
when ENABLE_PASSDB_AUTHENTICATION="1" else a friendly error message
is shown. This should help with users using old tutorials.
(fabianx at bat.berlios.de)
* Added unix-console patch. Added default handler as unix-default with
a fallback to xterm.
(Idea by Jens Hatlak <jh at junetz.de>, fabianx at bat.berlios.de)
* Fixed external rdesktop keyboards: A "$" was missing.
(Bug by Phil Stricker <stril at gmx.de>, fabianx at bat.berlios.de)
* Added workaround for "ch" keyboard layout to nxdesktop_helper,
which NXClient 3.2.0 means as de-ch.
(Bug by Phil Stricker <stril at gmx.de>, fabianx at bat.berlios.de)
* Added clean target to Makefile.
(Based on patch by Ubuntu FreeNX-Team, fabianx at bat.berlios.de)
* Use :0.0 if mirrorhost is 127.0.0.1 and add -localhost for
enhanced security. Also increase sleep timeout for slow machines.
(Based on Patch by Jeremy Wilkins <wjeremy at shaw.ca>, fabianx at bat.berlios.de)
* Allow RDP "Run application" sessions to work correctly.
(David Corral < davefury at gmail.com > & the Silice Telecom staff,
fabianx at bat.berlios.de)
* Merge Xresources on startup of session.
(Jeremy Wilkins <wjeremy at shaw.ca>)
* Added nx-session-launcher from Ubuntu FreeNX-Team to use FreeNX with
ConsoleKit.
(marceloshima at gmail.com, fabianx at bat.berlios.de)
* Moved logging functions to a more appropriate place.
(fabianx at bat.berlios.de)
* Finally fixed the bug when NX Client was stopped on "Negotiating
link parameters" and failed session after first session suspend.
(fabianx at bat.berlios.de)
* Fixed missing "fi" statement. In fact it was a missing ";;".
(fabianx at bat.berlios.de)
* Used source instead of "." for Makefile. (Closes: #13954)
(fabianx at bat.berlios.de)
* Allow passwords with '\' by changing read -s to read -r -s.
(Closes: #10699)
(Patch by rpfuller at bat.berlios.de, fabianx at bat.berlios.de)
* Allow passwords with special chars by using new url_decode on
agent_password. (Closes: #10248)
(fabianx at bat.berlios.de)
* Fixed start/stop exit codes.
(Patch by Gentoo Portage, fabianx at bat.berlios.de)
* Finally checked for all service ports. (cups, media, samba)
and also checked it on the host where the load balancing actually
leads to.
(fabianx at bat.berlios.de)
* Fixed broken fallback logic if SSH_CLIENT variables cannot be read
correctly.
(fabianx at bat.berlios.de)
* Overhauled the usermode:
* There are now two modes of operation.
- One statically setting the
ENABLE_USERMODE_AUTHENTICATION key
in node.conf. (old behavior)
- Or using nxserver-usermode as startup
binary, which directly goes into the 103 stage.
* Fixed using commandline parameters like --cleanup
for static usermode.
* Enabled the root commandline parameters in usermode.
* Fixed usage of "nx" user as normal user in usermode.
* Disabled slave mode and load balancing for usermode.
* Fixed creation of the logfile directory.
* Fixed nxnode usage of SSH_CLIENT using fallback mechanism.
(Patch by nbartos at bat.berlios.de, fabianx at bat.berlios.de)
* Added disabled nxserver-suid wrapper with help from Google. To
enable it uncomment the suid_install target in Makefile.
( Alistair Riddoch <alriddoch at google.com>, fabianx at bat.berlios.de)
* Automatically disabled slave mode, when load balancing is activated.
(fabianx at bat.berlios.de)
* Made ENABLE_SLAVE_MODE="1" the new default as its faster
and more reliable. If you encounter any problems with it,
disable it in node.conf.
(fabianx at bat.berlios.de)
* Changed type for external agents to windows-helper or vnc-helper
so that those sessions can be mirrored / shadowed as well.
(fabianx at bat.berlios.de)
* Added nxshadowacl.sample component to be able to shadow
foreign sessions.
(fabianx at bat.berlios.de)
* Prepared shadowing foreign users for VNC-shadowing.
(fabianx at bat.berlios.de)
* Added shadow support to --listsession command.
(fabianx at bat.berlios.de)
* Added shadow mode as nxagent target.
(fabianx at bat.berlios.de)
* Fixed shadow mode and made it usable.
(Patch by Amin Shehata <amino7 at yahoo dot com>, fabianx at bat.berlios.de)
It was a great time with you, community. I loved and integrated all the patches I could find, and I have
now finally taken the step to do not only a source release, but a binary release as well!
With the new wrappers I think it's possible to finally circumvent the whole set of public key
problems and tune things to what is really needed.
The "nx" user is still needed for the suid case; however, an installation not using ssh public key
auth via the nx user could look like:
# cd ~
# wget http://download.berlios.de/freenx/NX4U.tar.gz
# cd /opt
# tar xzf ~/NX4U.tar.gz
# /opt/NX4U/bin/nxsetup --install
# /opt/NX4U/bin/nxserver --stop # remove public key
# chown nx /opt/NX4U/bin/nxserver-suid
# chmod u+s /opt/NX4U/bin/nxserver-suid
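After the chown/chmod steps above it is worth verifying that the wrapper really ended up setuid to the "nx" user (not root) and not writable by group or world. As an added example, not part of FreeNX, here is a small POSIX shell check that parses ls -l output for the installed file; the function names and the verdict strings are this example's own.

```sh
#!/bin/sh
# Added example, not part of FreeNX: sanity-check the installed
# nxserver-suid wrapper after "chown nx" and "chmod u+s". The wrapper must
# be setuid to the "nx" user (not root) and must not be group/world
# writable. Function names and verdict strings are this example's own.

# check_wrapper_attrs OWNER PERMS
#   OWNER  owner name as shown by ls -l (e.g. nx)
#   PERMS  mode string as shown by ls -l (e.g. -rwsr-xr-x)
# Prints a verdict; returns 0 only when the wrapper looks as intended.
check_wrapper_attrs() {
    owner=$1; perms=$2
    case $owner in
        nx)   ;;
        root) echo "REJECT: owned by root; the wrapper must be suid nx, not root"; return 1 ;;
        *)    echo "REJECT: owner is '$owner', expected nx"; return 1 ;;
    esac
    case $perms in
        -r?s*) ;;                          # regular file, owner exec + setuid
        -r?S*) echo "REJECT: setuid bit set but owner execute bit missing"; return 1 ;;
        -*)    echo "REJECT: setuid bit not set (run chmod u+s)"; return 1 ;;
        *)     echo "REJECT: not a regular file"; return 1 ;;
    esac
    case $perms in
        ?????w*|????????w*)                # group write (pos 6) or world write (pos 9)
            echo "REJECT: group/world writable setuid binary"; return 1 ;;
    esac
    echo "OK: $owner $perms"
}

# check_suid_wrapper FILE -> reads owner and mode with ls -ld, then checks them.
check_suid_wrapper() {
    out=$(ls -ld "$1") || return 2
    set -- $out                            # $1 = perms, $3 = owner name
    check_wrapper_attrs "$3" "$1"
}

# Demo against the path used in the install steps of this mail, if present.
if [ -e /opt/NX4U/bin/nxserver-suid ]; then
    check_suid_wrapper /opt/NX4U/bin/nxserver-suid
fi
```

Run check_suid_wrapper against the installed wrapper; anything other than an "OK:" line means the chown/chmod steps did not produce the intended suid-nx binary.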
I also have started to integrate things like the suid wrapper from the freenx-redesign branch.
Enjoy the release and grab it from:
http://download.berlios.de/freenx/freenx-server-0.7.3.tar.gz
Best Wishes and May the Sun shine on You,
Fabian
PS:
Addendum for manual installation of NX Usermode:
If you want to run from $HOME, you can change nxloadconfig to have:
- patch -p0 < gentoo-nomachine.diff
- # edit nxloadconfig and set NX_DIR=$HOME/NX4U/
- perl -pi -e 's,NX_DIR=.*,NX_DIR=\$HOME/NX4U/,' nxloadconfig
- # edit nxloadconfig and set CUPS_BACKEND="$HOME/NX4U/cups/" so Makefile does
- # not complain
- perl -pi -e 's,CUPS_BACKEND=.*,CUPS_BACKEND="\$HOME/NX4U/cups/backend/",' nxloadconfig
- # in place fix Makefile
- perl -pi -e 's,NX_VERSION,NX_VERSION NX_ETC_DIR,' Makefile
- # install it!
- make && make install
- Now either compile and install the binaries for yourself or copy only nxagent and the libs from !M
tarball.