[FreeNX-kNX] preventing data transfers over SSH, yet still allow NX sessions.

Julie Ashworth ashworth at berkeley.edu
Mon Feb 4 19:25:41 UTC 2013


Hi Mark,
You can do this with an NX load-balancer and chrooted home 
directories, where the chroot environment doesn't include the 
scp/rsync binaries.

So, on the NX load-balancer, configure something like...

sshd_config:
Match Group *,!devel,!root,!nx
    ChrootDirectory /srv/chroot
    X11Forwarding no
    AllowTcpForwarding no

auto.master:
+auto.master
/srv/chroot/home /etc/auto.home --timeout=180

nxserver/node.conf:
LOAD_BALANCE_ALGORITHM="round-robin"
...

(my node.conf is complicated, because I define the list of 
available servers with another script).

If you want more details, please ask.
best,
Julie




On 01-02-2013 09.41 -0800, Mark Christian wrote:
> I was wondering if it is possible to configure sshd_config, possibly using the ForceCommand keyword, to prevent arbitrary command execution/data transfers on the same host which is providing the NX sessions.  For example I can configure sshd_config with:
> 
> ForceCommand /bin/bash
> 
> ...which subsequently prevents scp, rsync over ssh, and even something like "ssh remoteHost 'cat /etc/passwd'", but still allows interactive ssh sessions with a bash shell.
> 
> Does anyone have any ideas on how I can provide NX sessions to a remoteHost, yet prevent any data transfers to/from that sameHost over ssh?  Using the example above can I ForceCommand the NX tunneling bits, and if so what are they?  Or can NX be configured not to use ssh?
> 
> Thank you for your time.
> 
> Mark Christian
---end quoted text---
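
Added example, not part of the original messages: the reply's approach depends on the chroot tree (/srv/chroot in its sshd_config) containing no scp or rsync binaries, and this shell function audits a tree for them. The function name and exit codes are assumptions made for this sketch; the default names are the two the reply mentions.

```shell
#!/bin/sh
# find_transfer_tools CHROOT [NAME...]
#   Lists files under CHROOT named like a transfer tool that a confined
#   user could run. Default names: scp and rsync (the two in the post).
#   Exit status: 0 = none found, 1 = at least one found, 2 = bad input.
find_transfer_tools() {
    root=$1
    if [ -z "$root" ] || [ ! -d "$root" ]; then
        echo "usage: find_transfer_tools CHROOT [NAME...]" >&2
        return 2
    fi
    shift
    [ $# -gt 0 ] || set -- scp rsync

    hits=$(
        for name in "$@"; do
            # -xdev stays on the chroot's own filesystem, so home
            # directories automounted below it are not walked.
            # Regular files count only if some execute bit is set;
            # symlinks are always listed so the target gets reviewed.
            find "$root" -xdev -name "$name" \
                \( -type l -o \
                   \( -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \) \
                \) 2>/dev/null
        done | sort -u
    )

    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Stand-alone use: sh audit.sh /srv/chroot [extra names...]
if [ $# -gt 0 ]; then
    find_transfer_tools "$@"
fi
```

Because of -xdev the automounted home directories are not covered; run the function on a mounted home separately if that matters.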


