[FreeNX-kNX] freenx ssh key question

chris at ccburton.com chris at ccburton.com
Tue May 8 15:26:52 UTC 2012


freenx-knx-bounces at kde.org wrote on 08/05/2012 14:32:09:

> 
> Hello all.
> 
> This may be a dumb question, but does freenx generate a new ssh key 
> at install time

Depends what you mean by "Install Time" . . . .

You have to run nxkeygen to generate the key pair but this
is usually run from

         nxsetup --install

which you need to run after installing the rpm, deb etc.
to set up the directories, log file, service etc.
Note Ubuntu may be different, but you don't tell us your distro.


The ssh keys which are used to allow the nxclient to connect
with the nx user and set up the ssh "tunnel" are located
under the nx user's home directory, i.e.

        /var/lib/nxserver/home/.ssh/client.id_dsa.key
        /var/lib/nxserver/home/.ssh/server.id_dsa.pub.key

This key you mention :-

> (/etc/nxserver/client.id_dsa.key) or is this a 

is a mix up between old and new.


/etc/nxserver will contain a key pair:-

        /etc/nxserver/users.id_dsa.pub
        /etc/nxserver/users.id_dsa


 . . . still generated by nxsetup tho no longer used
and
used to be the (unique) one you used for NX sessions
(after running nxnode --setkey to copy the users_id.pub.key to

        /var/lib/nxserver/home/.ssh/server.id_dsa.pub.key

)

but
now you run


         nxsetup --install


which defaults to generating a UNIQUE ssh key pair for
your use, you then have to manually COPY

        /var/lib/nxserver/home/.ssh/client.id_dsa.key

to
all your nxclients

or it also allows you if you run



        nxsetup --install --setup-nomachine-key



which doesn't generate a NEW key pair but instead allows you
to have a copy of the

        /var/lib/nxserver/home/.ssh/server.id_dsa.pub.key

corresponding to the dsa.key ALREADY SUPPLIED within
the Nomachine client, meaning that you are slightly less secure
but
don't have to manually copy the

        /var/lib/nxserver/home/.ssh/client.id_dsa.key

to
all your nxclients.


> default key that needs to be replaced right away because it is the 
> same everywhere?

It doesn't NEED to be replaced, but it does stop people connecting
and trying user/password combinations in an attempt to break in.

> 
> Thanks,
> Dave
> 
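
An added example, not part of the original message or of FreeNX: a Python audit for the trade-off described in the reply, reporting whether any key the nx user trusts is the key shared by every NoMachine client. It assumes server.id_dsa.pub.key holds OpenSSH-format public key lines (optionally with authorized_keys-style options) and that you supply the shared key's public half yourself; the key material and the `command=` path below are constructed sample data.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-dss", "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}

def parse_key_line(line):
    """Return (type, blob) for an OpenSSH public-key line, or None.
    Tolerates an option prefix such as command="..." before the key type."""
    fields = line.split()
    for i, tok in enumerate(fields[:-1]):
        if tok not in KEY_TYPES:
            continue
        try:
            blob = base64.b64decode(fields[i + 1], validate=True)
        except ValueError:
            continue
        # A genuine blob starts with a length-prefixed copy of the key type.
        if len(blob) > 4:
            (n,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + n] == tok.encode():
                return tok, blob
    return None

def fingerprint(blob):
    """SHA256 fingerprint in the same form ssh-keygen -l prints."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit(server_key_text, shared_pub_line):
    """Return (line_no, fingerprint, is_shared) for each trusted key."""
    shared = parse_key_line(shared_pub_line)
    if shared is None:
        raise ValueError("reference public key line is not parseable")
    results = []
    for no, line in enumerate(server_key_text.splitlines(), 1):
        parsed = None if line.lstrip().startswith("#") else parse_key_line(line)
        if parsed:
            results.append((no, fingerprint(parsed[1]), parsed[1] == shared[1]))
    return results

def _constructed_line(seed, prefix=""):
    # Constructed sample data: correct framing, but not a real DSA key.
    blob = struct.pack(">I", 7) + b"ssh-dss" + seed
    return prefix + "ssh-dss " + base64.b64encode(blob).decode() + " nx@example"

OPTS = 'no-port-forwarding,command="/usr/bin/nxserver" '  # constructed
SHARED = _constructed_line(b"shared-by-every-client")
SAMPLE = "\n".join(["# constructed file contents",
                    _constructed_line(b"unique-to-this-host", OPTS), SHARED])

if __name__ == "__main__":
    for no, fp, is_shared in audit(SAMPLE, SHARED):
        print(no, fp, "SHARED KEY" if is_shared else "unique")
```

Any line flagged as shared means the nx login is reachable by every stock client, which is the "slightly less secure" case the reply describes.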