[FreeNX-kNX] Problems With FreeNX and PAM-SecurID/RSA Authentication

Paul E. Virgo Paul.E.Virgo at nasa.gov
Fri Apr 6 13:32:24 UTC 2012



On 04/06/2012 07:20 AM, chris at ccburton.com wrote:
>
> "Paul E. Virgo" <Paul.E.Virgo at nasa.gov> wrote on 05/04/2012 16:07:18:
>
> > Chris,
> >
> > That suggestion worked. I also added in a longer 'sleep' because of
> > the time it takes a user to type in their PIN, then look at the
> > SecurID RSA token.
>
> Isn't the Token entered before you click connect on
> the nxclient ??
>
Yes, it is...but for testing purposes with nxnode-login, I set it for 
longer, because it takes time to a.) type in the PIN then b.) grab the 
RSA token generator and read the numbers, ensuring the countdown timer 
isn't near the end before the next generated number appears.
>
> FYI ICIH
>
> The sleep 0.3 is to tell expect to wait a quarter
> second, before sending the password TO SSH
I've reset it back to a quarter. I'd taken it to a half a second for my 
command line testing purposes.
>
>
> Often, password "reads" clear their buffers after
> out-putting the prompt, so as not to try logging-in
> with "stray" keypresses, so a delay to allow this
> to complete is helpful.
>
>
> If you want to test nxnode-login as it is deployed
> from nxserver, you need to try : -
>
>
>         sudo su -l -s /bin/bash nx
>
> # then at the (nx user) prompt ( and all on one line if it wrapped )
>
>         echo my-password|/usr/bin/nxnode-login ssh my-username 22 /usr/bin/nxnode --check
Yeah, I can try that next time.
>
>
> You can see that the password is already there, before
> the launch of nxlogin-helper by nxserver
>
> and the
>
>         expect_user -re "(.*)\n"
>         set password $expect_out(1,string)
>
> which reads from stdin,
> where
> you got that error first time
> is
> the script reading the password
> not
> ssh which isn't spawned till later.
That's what I thought. I knew the SSH connection had already properly 
completed, and when I saw the expect output, I began to wonder if there 
was some sort of special string that needed to be added for expect to 
look for. Your reply yesterday pretty much confirmed it.
>
>
> > Thanks, again, for the suggestion.
> >
> > PEV
>
> I don't know how long it takes a user to work one of
> those ID things (2 mins?? (pin? pin? oh!what was it??))
> but
> if you set that sleep to too long
> thinking to
> "allow" one of your slow-coach seniors to work it out,
> you may well
> start getting timeouts "further down the line",
> so
> if I was you I'd leave it as 0.3
Yeah, I've set it back to 0.3 since the successful test.
>
>
> > Paul E Virgo
> > Sr. System Administrator
> > Code 610
> > SESDA II - DAAC/DISC
> > Goddard Space Flight Ctr
>
> Nice place to work.
It is. Seems everybody gets excited about me working there but me. I 
enjoy the atmosphere. Maybe I don't truly appreciate the things we do 
around here.
>
> Who's heard of Goddard these days ??
> but I notice von Braun knew all
> about him.
>
> Shame he died and missed out on doing
> Saturn 5 etc.
>
> > Greenbelt, MD 20771
> > (301) 614-5751

-- 
Paul E Virgo
Sr. System Administrator
Code 610
SESDA II - DAAC/DISC
Goddard Space Flight Ctr
Greenbelt, MD 20771
(301) 614-5751
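
An added illustration of the prompt-flush behaviour discussed in this thread (not code from FreeNX or from either poster): a Python model in which the password reader prints its prompt and then discards pending input, so a secret sent the instant the prompt appears is lost, while one sent after a 0.3 s pause arrives. The 0.1 s flush window, the function names and the passcode are constructed assumptions.

```python
import os, pty, select, termios, threading, time

PROMPT = b"Password: "

def password_reader(slave_fd, settle=0.1, timeout=1.0):
    """Model of a password read: print the prompt, discard pending
    input ("stray" keypresses), then read one line from the terminal."""
    os.write(slave_fd, PROMPT)
    time.sleep(settle)                           # constructed gap between prompt and flush
    termios.tcflush(slave_fd, termios.TCIFLUSH)  # anything typed so far is thrown away
    ready, _, _ = select.select([slave_fd], [], [], timeout)
    if not ready:
        return None                              # the secret was flushed; login would stall
    return os.read(slave_fd, 1024).rstrip(b"\r\n").decode()

def automated_sender(master_fd, secret, delay):
    """Expect-like side: wait for the prompt, pause `delay` seconds, send the secret."""
    seen = b""
    while PROMPT not in seen:
        seen += os.read(master_fd, 1024)
    time.sleep(delay)
    os.write(master_fd, secret.encode() + b"\n")

def attempt(delay, secret="constructed-passcode"):
    """Run one login attempt over a fresh pty; return what the reader received."""
    master_fd, slave_fd = pty.openpty()
    try:
        sender = threading.Thread(target=automated_sender,
                                  args=(master_fd, secret, delay))
        sender.start()
        received = password_reader(slave_fd)
        sender.join()
        return received
    finally:
        os.close(master_fd)
        os.close(slave_fd)

if __name__ == "__main__":
    for delay in (0.0, 0.3):
        print(f"delay={delay}: reader got {attempt(delay)!r}")
```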
