[FreeNX-kNX] freenx ssh key question on CENTOS 5.8
chris at ccburton.com
Wed May 9 13:53:17 UTC 2012
freenx-knx-bounces at kde.org wrote on 09/05/2012 13:24:18:
Still not got all of it.
> To replace just the PASSDB "ssh to localhost key"
> if it gets compromised :-
>
> as user nx
> export $(grep ^NX_ETC_DIR /usr/bin/nxloadconfig)
>
> /usr/bin/ssh-keygen -f $NX_ETC_DIR/users.id_dsa -t dsa -N ""
> chown nx:root $NX_ETC_DIR/users.id_dsa $NX_ETC_DIR/local.id_dsa.pub
>
> This will save you having to update all your nxclients.
OK, that replaces the PASSDB keys, but to actually change the PASSDB keys in use
you then have to run

nxserver --adduser

again on ALL your PASSDB users, because adduser ADDS the local.id_dsa.pub key
to all the user's ~/.ssh/authorized_keys2 files.
passdb_add_user()
{
    [SNIP]
    su - $PASSDB_CHUSER -c "$PATH_BIN/nxnode --setkey"

    --setkey)
    [SNIP]
        cat $NX_ETC_DIR/users.id_dsa.pub >> $HOME/.ssh/$SSH_AUTHORIZED_KEYS
HOME being the user's home directory.
BUT there is no automated way of removing them, so if you think you have a
compromised

$NX_ETC_DIR/users.id_dsa

file, which will allow an intruder to "ssh -i keyfile" in to your server as
any user set up for PASSDB with local.id_dsa.pub in their ~/.ssh/authorized_keys2,
you then have to remove the old key manually from all their authorized_keys2 files.
None of this messy stuff appears in the documentation.
I don't like the sound of PASSDB at all
and
the fact that centos (no nxsetup) won't overwrite the
user nx key files without them being deleted sounds
a bit of an issue too . . .
I wonder how many people have re-installed thinking
that they then have a nice new setup . . .
nxsetup --install just overwrites the nx user key files
but
even that won't replace users.id_dsa without a --purge
I think I'll stick with ssh + ssh password
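The manual clean-up the mail describes (the old users.id_dsa.pub line stays in every PASSDB user's authorized_keys2 because nxserver --adduser only ever appends) can be scripted. The POSIX sh below is an added example, not code from FreeNX or from the original poster: given the retired public key and the freshly generated one, it strips every line carrying the old key material from an authorized_keys2 file and appends the new key exactly once. It also handles a line where an admin has put an options prefix (e.g. no-pty) in front of the key, which a plain field-2 comparison would miss. All paths, user names and key blobs in demo_rotate are constructed for the demo; on a real server you would point it at $NX_ETC_DIR/users.id_dsa.pub and the real home directories.

```shell
#!/bin/sh
# Added example: rotate a PASSDB public key inside users' authorized_keys2 files.
# Not part of FreeNX; file names and key material below are constructed.

# rotate_key OLD_PUB_FILE NEW_PUB_FILE AUTH_KEYS_FILE
#   removes every authorized_keys line whose key material matches OLD_PUB_FILE,
#   then appends the line from NEW_PUB_FILE if that key is not already present.
#   Rewrites the file in place so ownership and mode are preserved.
rotate_key() {
    old_pub=$1 new_pub=$2 auth=$3
    old_key=$(awk '{print $2}' "$old_pub")   # base64 blob of the retired key
    new_key=$(awk '{print $2}' "$new_pub")   # base64 blob of the replacement
    new_line=$(cat "$new_pub")
    [ -n "$old_key" ] && [ -n "$new_key" ] || return 1
    [ -f "$auth" ] || return 1
    tmp=$(mktemp) || return 1
    # keep a line only if none of its fields equals the old key material;
    # looping over all fields also catches lines with an options prefix
    awk -v k="$old_key" \
        '{ keep = 1; for (i = 1; i <= NF; i++) if ($i == k) keep = 0 } keep' \
        "$auth" > "$tmp"
    if ! grep -qF -- "$new_key" "$tmp"; then
        printf '%s\n' "$new_line" >> "$tmp"
    fi
    cat "$tmp" > "$auth" && rm -f "$tmp"
}

# demo_rotate: builds three constructed users under a temp dir, rotates the key
# for each, and prints the number of files NOT in the expected end state
# (old key gone, new key present exactly once, other lines untouched). 0 = all good.
demo_rotate() {
    base=$(mktemp -d) || return 1
    printf 'ssh-dss AAAAB3OLDKEY== nx@old\n' > "$base/old.pub"
    printf 'ssh-dss AAAAB3NEWKEY== nx@new\n' > "$base/new.pub"
    for u in alice bob; do
        mkdir -p "$base/home/$u/.ssh"
        # the user's own key plus the line nxserver --adduser appended
        printf 'ssh-rsa AAAAB3%sKEY== %s@laptop\nssh-dss AAAAB3OLDKEY== nx@old\n' \
            "$u" "$u" > "$base/home/$u/.ssh/authorized_keys2"
    done
    # carol's copy of the old key carries a hand-added options prefix
    mkdir -p "$base/home/carol/.ssh"
    printf 'no-pty ssh-dss AAAAB3OLDKEY== nx@old\n' \
        > "$base/home/carol/.ssh/authorized_keys2"

    bad=0
    for u in alice bob carol; do
        f="$base/home/$u/.ssh/authorized_keys2"
        rotate_key "$base/old.pub" "$base/new.pub" "$f" || bad=$((bad + 1))
        want=2
        [ "$u" = carol ] && want=1
        if grep -qF 'AAAAB3OLDKEY==' "$f" \
           || [ "$(grep -cF 'AAAAB3NEWKEY==' "$f")" != 1 ] \
           || [ "$(grep -c . "$f")" != "$want" ]; then
            bad=$((bad + 1))
        fi
    done
    rm -rf "$base"
    echo "$bad"
}

printf 'files in unexpected state after rotation: %s\n' "$(demo_rotate)"
```

Running rotate_key over every PASSDB user's authorized_keys2 after the ssh-keygen step replaces the manual edit; a final nxserver --adduser pass is then harmless, since the new key is already present and the script never appends a duplicate.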