[FreeNX-kNX] Fwd: Re: NXClient fails to connect with authentication failed for user.

ChrisB chris at ccburton.com
Sat Sep 26 19:35:53 UTC 2009


Dion Moult <dion at thinkmoult.com> wrote on 26/09/2009 18:12:42:

> After some tweaking I find that I need passwordauthentication to be set to yes
> in sshd_config. I wonder if it's possible to use NX with both NX's key and my
> own encrypted-with-passphrase key for my user account (as opposed to system
> user+pass)?
> 
> (and correct me if I'm wrong, but this applies only to NX - as long as I have
> an id_dsa in my .ssh/ folder whenever I try to ssh in directly to my user it
> would ask for my passphrase?)


The connection made by the user, after the ssh tunnel is set up by the nx 
username, doesn't have access to your $HOME directory on your ( remote from 
the FreeNX server ) workstation, nor does it have access to your $HOME 
directory on the FreeNX server, because you are looking down a text 
session tunnel and are not logged in to the FreeNX server ( yet ).

This means in other words that the ssh client on the server, being used to 
log in the user has no access to your id_rsa ( or id_dsa ) key files, so 
it has to log you in using passwords.

The checking of your authorized_keys file, if you connect normally using 
ssh, is done by the sshd running as root, looking up your $HOME directory 
based on your supplied username. It can hardly use both files for you.

If you don't like the idea of having password authentication set to yes on 
an sshd visible from "outside " ( neither do I ), please start another 
thread ( so the thread title matches the issue ) and I'll explain a way 
round it.


> 
> On Saturday 26 September 2009 18:14:38 ChrisB wrote:
> > Dion Moult <dion at thinkmoult.com> wrote on 26/09/2009 10:56:10:
> > > It asks for my passphrase. So I rename id_dsa to something else and try
> > > again and you are right it asks for my password. I can log in fine.
> > >
> > > Trying again with NXClient with the moved id_dsa still fails with the
> > > same error as before.
> > 
> > If it is still giving failed login with user dion after you have got user
> > dion logging in and working then in the absence of any other information,
> > I would suspect that you haven't changed the entry in
> > /etc/nxxserver/node.conf to tell FreeNX that the sshd is listening on 443
> > instead of 22.
> > 
> > Do you have any other users which can log in OK ??  If so it is an issue
> > with account dion. If not then check the above next.
> > 
> > > On Saturday 26 September 2009 17:44:20 ChrisB wrote:
> > > > Dion Moult <dion at thinkmoult.com> wrote on 26/09/2009 03:01:22:
> > > > > Tried changing that, restarting sshd and nxserver, but it still
> > > > > gives the same error:
> > > > >
> > > > > sshd[23560]: Connection from 127.0.0.1 port 38026
> > > > > sshd[23560]: Failed none for nx from 127.0.0.1 port 38026 ssh2
> > > > > sshd[23560]: Found matching DSA key: blahblahblahetcetc
> > > > > sshd[23560]: Accepted publickey for nx from 127.0.0.1 port 38026 ssh2
> > > > > sshd[23560]: pam_unix(sshd:session): session opened for user nx by (uid=0)
> > > > > sshd[23560]: User child is on pid 23562
> > > > > nxserver[23692]: (nx) Failed login for user=dion from IP=127.0.0.1
> > > > > sshd[23562]: Connection closed by 127.0.0.1
> > > > > sshd[23562]: Transferred: sent 2848, received 1968 bytes
> > > > > sshd[23562]: Closing connection to 127.0.0.1 port 38026
> > > > > sshd[23560]: pam_unix(sshd:session): session closed for user nx
> > > >
> > > > Sounds like password or account issues with user dion
> > > >
> > > > On the server, try
> > > >
> > > >                 ssh -v -p 443 -l dion localhost
> > > >
> > > > The -v will tell you what it is trying and what fails.
> > > >
> > > > It should ask for a password. If user dion has an id_dsa or id_rsa key
> > > > in $HOME/.ssh then you need to temporarily rename it id_dsa.000 or some
> > > > such.
> > > >
> > > > If you can't log in as user dion locally using a password then it won't
> > > > work over nx, so you need to prove this works/fix it next . . . .
> > > >
> > > > > On Saturday 26 September 2009 09:55:03 you wrote:
> > > > > > ----------  Forwarded Message  ----------
> > > > > >
> > > > > > Subject: Re: [FreeNX-kNX] NXClient fails to connect with authentication failed for user.
> > > > > > Date: Friday 25 September 2009
> > > > > > From: "ChrisB" <chris at ccburton.com>
> > > > > > To: User Support for FreeNX Server and kNX Client <freenx-knx at kde.org>
> > > > > >
> > > > > > Dion Moult <dion at thinkmoult.com> wrote on 25/09/2009 18:09:17:
> > > > > >
> > > > > >
> > > > > > SNIP
> > > > > >
> > > > > > > sshd[13479]: Connection from 127.0.0.1 port 40791
> > > > > > > sshd[13479]: Found matching DSA key: blahblahblahblah
> > > > > > > sshd[13479]: Accepted publickey for nx from 127.0.0.1 port 40791 ssh2
> > > > > > > sshd[13479]: pam_unix(sshd:session): session opened for user nx by (uid=0)
> > > > > > > sshd[13479]: User child is on pid 13481
> > > > > > > nxserver[13611]: (nx) Failed login for user=dion from IP=127.0.0.1
> > > > > >
> > > > > > Yup
> > > > > >
> > > > > > > I have checked that the public key is in /home/dion/.ssh/authorized_keys. If I
> > > > > > > do ssh -p 443 localhost on the computer with the account dion it asks for my
> > > > > > > passphrase of my private keypair (not the NX one) and I can log in and SSH in
> > > > > >
> > > > > > You need to use password authentication for the local user after
> > > > > > connecting via ssh as user nx.
> > > > > >
> > > > > > Some distros disable this by default because it allows brute force attacks
> > > > > > . . . .
> > > > > >
> > > > > > > remotely fine without problems. I'm not sure whether it helps but when I try
> > > > > > > ssh -p 443 nx at localhost it asks for a Password, of which nothing I
> > > > > > > try can log it in.
> > > > > > >
> > > > > > > This is my sshd_config:
> > > > > > > Port 443
> > > > > > > Protocol 2
> > > > > > > SyslogFacility AUTH
> > > > > > > PermitRootLogin no
> > > > > > > RSAAuthentication yes
> > > > > > > PubkeyAuthentication yes
> > > > > > > PasswordAuthentication no
> > > > > >
> > > > > > Here
> > > > > >
> > > > > > Just change to PasswordAuthentication  yes
> > > > > >
> > > > > > > PermitEmptyPasswords no
> > > > > > > UsePAM yes
> > > > > > > Compression yes
> > > > > > > KeepAlive yes
> > > > > > > ClientAliveInterval 30
> > > > > > > ClientAliveCountMax 4
> > > > > > > AuthorizedKeysFile      .ssh/authorized_keys
> > > > > > > LogLevel VERBOSE
> > > > > > >
> > > > > > > (Note: I run SSH on port 443 on purpose, not by accident)
> > > > > > >
> > > > > > > Summary: When trying to connect using username and password for the account
> > > > > > > "dion" which exists on the box running freenx it says Authentication failed
> > > > > > > for user dion.
> > > > > > >
> > > > > > > Any ideas? Much appreciated.
> > > > > > > ________________________________________________________________
> > > > > > >      Were you helped on this list with your FreeNX problem?
> > > > > > >     Then please write up the solution in the FreeNX Wiki/FAQ:
> > > > > > > http://openfacts2.berlios.de/wikien/index.php/BerliosProject:FreeNX_-_FAQ
> > > > > > >          Don't forget to check the NX Knowledge Base:
> > > > > > >                  http://www.nomachine.com/kb/
> > > > > > > ________________________________________________________________
> > > > > > >        FreeNX-kNX mailing list --- FreeNX-kNX at kde.org
> > > > > > >       https://mail.kde.org/mailman/listinfo/freenx-knx
> > > > > > > ________________________________________________________________
> > > > > > -------------------------------------------------------
> -- 
> Dion Moult :-)
> [attachment "signature.asc" deleted by chris burton/solar-system/local]
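Added example, not part of the original thread and not FreeNX code: a small Python triage of the log pattern quoted above, separating the nx-key tunnel stage from the per-user password stage and checking the global PasswordAuthentication value. The log lines and config fragment are constructed samples modelled on those in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the sshd/nxserver excerpt quoted in the thread.
SAMPLE_LOG = """\
sshd[23560]: Accepted publickey for nx from 127.0.0.1 port 38026 ssh2
sshd[23560]: User child is on pid 23562
nxserver[23692]: (nx) Failed login for user=dion from IP=127.0.0.1
sshd[23560]: pam_unix(sshd:session): session closed for user nx
""".splitlines()

# Constructed fragment in the style of the sshd_config posted in the thread.
SAMPLE_SSHD_CONFIG = "Port 443\nPubkeyAuthentication yes\nPasswordAuthentication no\n"

def global_setting(config_text, keyword, default):
    """Global value of an sshd_config keyword (hypothetical helper).

    sshd keeps the first value it reads for a keyword, and settings after a
    Match line are conditional, so scanning stops at the first Match.
    """
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == keyword.lower() and len(parts) == 2:
            return parts[1].strip().lower()
    return default

def triage(log_lines, config_text):
    """Return (user, likely_cause) for each user login that failed inside
    an nx tunnel that had already authenticated with the NX key."""
    password_auth = global_setting(config_text, "PasswordAuthentication", "yes")
    tunnel_up, findings = False, []
    for line in log_lines:
        if re.search(r"sshd\[\d+\]: Accepted publickey for nx ", line):
            tunnel_up = True            # stage 1 succeeded
        elif re.search(r"session closed for user nx\b", line):
            tunnel_up = False
        failed = re.search(r"nxserver\[\d+\]: \(nx\) Failed login for user=(\S+)", line)
        if failed and tunnel_up:        # stage 2 failed
            cause = ("PasswordAuthentication is off globally"
                     if password_auth == "no"
                     else "check the account, its password and the sshd port")
            findings.append((failed.group(1), cause))
    return findings

if __name__ == "__main__":
    for user, cause in triage(SAMPLE_LOG, SAMPLE_SSHD_CONFIG):
        print(f"{user}: nx tunnel OK, user login failed -> {cause}")
```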