[FreeNX-kNX] preventing data transfers over SSH, yet still allow NX sessions.

Marco Passerini marco.passerini at csc.fi
Thu Aug 1 13:14:39 UTC 2013


Hi, 

Maybe I found a better way, at least for my case. I edited /etc/ssh/sshd_config with these fields:

    PermitRootLogin without-password
    PasswordAuthentication no

    Match Address 127.0.0.1
        PasswordAuthentication yes

In this way I allow password-authentication only from localhost (so from the nx shell), and key-based authentication from the outside. 

I'm providing the users with a very limited Fluxbox-based graphical interface, and I'm not going to give them access to the local shell. In this way they aren't going to be able to copy their ssh keys locally.



----- Original Message -----

From: "Chris" <chris at ccburton.com> 
To: "User Support for FreeNX Server and kNX Client" <freenx-knx at kde.org> 
Sent: Thursday, 1 August, 2013 12:41:19 PM 
Subject: Re: [FreeNX-kNX] preventing data transfers over SSH, yet still allow NX sessions. 


freenx-knx-bounces at kde.org wrote on 01/08/2013 10:12:30: 

> Hi, 
> 
> Replying to an old post.. 
> If you're using FreeNX you can set up the following:
> ENABLE_SU_AUTHENTICATION="1" 
> 
> Then you should edit /etc/ssh/sshd_config and add the following 
> string: AllowGroups sshadm 
> sshadm:x:90:root,nx 
> 
> This means that users can use the shared key to log into the server
> as the "nx" user, and then NX will "su" to their user.
> Users will however not be able to ssh into the server with their account. 
> They can still log into the server as the "nx" user via ssh, but 
> they would not get a usable shell (only the internal nx shell). 
> 
> Unfortunately I'm right now in the situation where we bought a 
> licence for the commercial Nomachine NX server, and it seems that 
> the "su authentication" feature is not enabled there, so I don't 
> know how to prevent user logins to the server via ssh. 

You can use TWO instances of sshd.

1/ external, e.g. on port 2222, users nx/admins only, key pair only;
   update the nxclient configuration
2/ internal (listen on 127.0.0.1 only), port 22 (with PasswordAuthentication)

http://www.nomachine.com/ar/view.php?ar_id=AR06E00470
(they explain it the other way round, but you are better moving your
external sshd to a different port)

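Added example (not part of the original messages, and not FreeNX or NoMachine code): a small Python model of how the sshd_config lines quoted at the top of this message resolve PasswordAuthentication per client address, useful for checking which sources can still log in with a password. It goes slightly beyond the message by also testing the IPv6 loopback address, models only "Match Address" with plain addresses or CIDR ranges (a simplification of sshd's matching), and its function names and test addresses are made up for the illustration.

```python
import ipaddress

# Constructed sample: the sshd_config lines quoted in the message above.
SAMPLE_CONFIG = """\
PermitRootLogin without-password
PasswordAuthentication no

Match Address 127.0.0.1
    PasswordAuthentication yes
"""

def _addr_matches(patterns, client_ip):
    """True if client_ip is inside any comma-separated address/CIDR pattern."""
    ip = ipaddress.ip_address(client_ip)
    for pat in patterns.split(","):
        net = ipaddress.ip_network(pat.strip(), strict=False)
        if ip.version == net.version and ip in net:
            return True
    return False

def effective_setting(config_text, keyword, client_ip, default=None):
    """Resolve one keyword for a connection from client_ip (simplified model)."""
    keyword = keyword.lower()
    global_val = match_val = None
    in_match = applies = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            crit, _, pats = value.partition(" ")
            if crit.lower() != "address":
                raise ValueError("only 'Match Address' is modelled here")
            in_match, applies = True, _addr_matches(pats, client_ip)
        elif key == keyword:
            if not in_match:
                global_val = global_val or value   # global section: first value wins
            elif applies:
                match_val = match_val or value     # matching block overrides global
    return match_val or global_val or default

def password_sources(config_text, candidates):
    """Return the candidate client addresses that may use password auth."""
    return [ip for ip in candidates if effective_setting(
        config_text, "PasswordAuthentication", ip, "yes") == "yes"]
```

In this model a local connection arriving from ::1 does not match "Match Address 127.0.0.1" and so falls back to the global "no". On a live host, "sshd -T -C user=USER,host=HOST,addr=127.0.0.1" (USER and HOST are placeholders) prints the values sshd itself resolves for that connection.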