<br>
<br><tt><font size=2>Jeremy Wilkins &lt;wjeremy@shaw.ca&gt; wrote on 26/09/2009 17:56:23:<br>
<br>
> <br>
> I don't know if this is relevant, but I am curious if there may be
a<br>
> difference from using the ip:<br>
> ssh -v -p 443 dion@127.0.0.1<br>
> or the host name:<br>
> ssh -v -p 443 dion@localhost<br>
> on your machine? Sometimes the ip and host names are treated
differently. <br>
> I have run into this on more than one occasion. Sometimes it
can be<br>
> firewall rules related.<br>
> </font></tt>
<br>
<br><tt><font size=2>In this instance the destination, "localhost"
would be resolved to an IP address before connection is attempted, though
the name of the originating machine will be included in the connection.</font></tt>
<br>
<br><tt><font size=2>"Normally" this would involve looking first
in /etc/hosts then whatever you have configured next, typically DNS.</font></tt>
<br>
<br><tt><font size=2>The connection would be made to the resolved IP address
which should be 127.0.0.1 for localhost.</font></tt>
<br>
<br><tt><font size=2>If you are using other methods of connectivity, the
name might be passed over too and if you have allowed connectivity from
localhost not 127.0.0.1, authentication might fail.</font></tt>
<br>
<br><tt><font size=2>MySQL uses some such system for example.</font></tt>
<br>
<br><tt><font size=2>Any firewall will see a connection from one IP address
and numerical source port to another IP address and numerical destination
port, though you may be able to configure them using names not numbers.</font></tt>
<br>
<br><tt><font size=2>Open sshd can be told only to listen on 127.0.0.1
not any external IP addresses.</font></tt>
<br>
<br><tt><font size=2>It can also be configured to check that the name given
by the connecting host (in this case itself) matches the reverse lookup
of the originating IP address.</font></tt>
<br>
<br><tt><font size=2>You can run into difficulties if you do not stick
to the rules regarding /etc/hosts or have all your ptr records covered
in your DNS and have reverse lookups configured.</font></tt>
<br><tt><font size=2><br>
> <br>
> Bugzilla from dion@thinkmoult.com wrote:<br>
> > <br>
> > It asks for my passphrase. So I rename id_dsa to something else
and try<br>
> > again <br>
> > and you are right it asks for my password. I can log in fine.<br>
> > <br>
> > Trying again with NXClient with the moved id_dsa still fails
with the same <br>
> > error as before.<br>
> > <br>
> > On Saturday 26 September 2009 17:44:20 ChrisB wrote:<br>
> >> Dion Moult &lt;dion@thinkmoult.com&gt; wrote on 26/09/2009 03:01:22:<br>
> >> > Tried changing that, restarting sshd and nxserver, but
it still<br>
> >> > gives the same<br>
> >> > error:<br>
> >> ><br>
> >> > sshd[23560]: Connection from 127.0.0.1 port 38026<br>
> >> > sshd[23560]: Failed none for nx from 127.0.0.1 port
38026 ssh2<br>
> >> > sshd[23560]: Found matching DSA key: blahblahblahetcetc<br>
> >> > sshd[23560]: Accepted publickey for nx from 127.0.0.1
port 38026 ssh2<br>
> >> > sshd[23560]: pam_unix(sshd:session): session opened
for user nx by<br>
> >> <br>
> >> (uid=0)<br>
> >> <br>
> >> > sshd[23560]: User child is on pid 23562<br>
> >> > nxserver[23692]: (nx) Failed login for user=dion from
IP=127.0.0.1<br>
> >> > sshd[23562]: Connection closed by 127.0.0.1<br>
> >> > sshd[23562]: Transferred: sent 2848, received 1968 bytes<br>
> >> > sshd[23562]: Closing connection to 127.0.0.1 port 38026<br>
> >> > sshd[23560]: pam_unix(sshd:session): session closed
for user nx<br>
> >> <br>
> >> Sounds like password or account issues with user dion<br>
> >> <br>
> >> On the server, try<br>
> >> <br>
> >> ssh
-v -p 443 -l dion localhost<br>
> >> <br>
> >> The -v will tell you what it is trying and what fails.<br>
> >> <br>
> >> It should ask for a password. If user dion has an id_dsa
or id_rsa key in<br>
> >> $HOME/.ssh then you need to temporarily rename it id_dsa.000
or some<br>
> >> such.<br>
> >> <br>
> >> If you can't log in as user dion locally using a password
then it won't<br>
> >> work over nx, so you need to prove this works/fix it next
. . . .<br>
> >> <br>
> >> > On Saturday 26 September 2009 09:55:03 you wrote:<br>
> >> > > ---------- Forwarded Message ----------<br>
> >> > ><br>
> >> > > Subject: Re: [FreeNX-kNX] NXClient fails to connect
with<br>
> >> <br>
> >> authentication<br>
> >> <br>
> >> > > failed for user.<br>
> >> > > Date: Friday 25 September 2009<br>
> >> > > From: "ChrisB" &lt;chris@ccburton.com&gt;<br>
> >> > > To: User Support for FreeNX Server and kNX Client<br>
> >> &lt;freenx-knx@kde.org&gt;<br>
> >> > ><br>
> >> > > Dion Moult &lt;dion@thinkmoult.com&gt; wrote on 25/09/2009 18:09:17:<br>
> >> > ><br>
> >> > ><br>
> >> > > SNIP<br>
> >> > ><br>
> >> > > > sshd[13479]: Connection from 127.0.0.1 port
40791<br>
> >> > > > sshd[13479]: Found matching DSA key: blahblahblahblah<br>
> >> > > > sshd[13479]: Accepted publickey for nx from
127.0.0.1 port 40791<br>
> >> <br>
> >> ssh2<br>
> >> <br>
> >> > > > sshd[13479]: pam_unix(sshd:session): session
opened for user nx by<br>
> >> > ><br>
> >> > > (uid=0)<br>
> >> > ><br>
> >> > > > sshd[13479]: User child is on pid 13481<br>
> >> > > > nxserver[13611]: (nx) Failed login for user=dion
from IP=127.0.0.1<br>
> >> > ><br>
> >> > > Yup<br>
> >> > ><br>
> >> > > > I have checked that the public key is in /home/dion/.<br>
> >> > > > ssh/authorized_keys. If I<br>
> >> > > > do ssh -p 443 localhost on the computer with
the account dion it<br>
> >> <br>
> >> asks<br>
> >> <br>
> >> > > for my<br>
> >> > ><br>
> >> > > > passphrase of my private keypair (not the
NX one) and I can log in<br>
> >> <br>
> >> and<br>
> >> <br>
> >> > > SSH in<br>
> >> > ><br>
> >> > > You need to use password authentication for the
local user after<br>
> >> > > connecting via ssh as user nx.<br>
> >> > ><br>
> >> > > Some distros disable this by default because it
allows brute force<br>
> >> <br>
> >> attacks<br>
> >> <br>
> >> > > . . . .<br>
> >> > ><br>
> >> > > > remotely fine without problems. I'm not sure
whether it helps but<br>
> >> <br>
> >> when I<br>
> >> <br>
> >> > > try<br>
> >> > ><br>
> >> > > > ssh -p 443 nx@localhost it asks for a Password,
of which nothing I<br>
> >> > > > try can log<br>
> >> > > > it in.<br>
> >> > > ><br>
> >> > > > This is my sshd_config:<br>
> >> > > > Port 443<br>
> >> > > > Protocol 2<br>
> >> > > > SyslogFacility AUTH<br>
> >> > > > PermitRootLogin no<br>
> >> > > > RSAAuthentication yes<br>
> >> > > > PubkeyAuthentication yes<br>
> >> > > > PasswordAuthentication no<br>
> >> > ><br>
> >> > > Here<br>
> >> > ><br>
> >> > > Just change to PasswordAuthentication yes<br>
> >> > ><br>
> >> > > > PermitEmptyPasswords no<br>
> >> > > > UsePAM yes<br>
> >> > > > Compression yes<br>
> >> > > > KeepAlive yes<br>
> >> > > > ClientAliveInterval 30<br>
> >> > > > ClientAliveCountMax 4<br>
> >> > > > AuthorizedKeysFile .ssh/authorized_keys<br>
> >> > > > LogLevel VERBOSE<br>
> >> > > ><br>
> >> > > > (Note: I run SSH on port 443 on purpose, not
by accident)<br>
> >> > > ><br>
> >> > > > Summary: When trying to connect using username
and password for the<br>
> >> > ><br>
> >> > > account<br>
> >> > ><br>
> >> > > > "dion" which exists on the box running
freenx it says<br>
> >> Authentication<br>
> >> > ><br>
> >> > > failed<br>
> >> > ><br>
> >> > > > for user dion.<br>
> >> > > ><br>
> >> > > > Any ideas? Much appreciated.<br>
> >> > ><br>
> >> > > <br>
> > ________________________________________________________________<br>
> >> > ><br>
> >> > > > Were you helped on this
list with your FreeNX problem?<br>
> >> > > > Then please write up the solution
in the FreeNX Wiki/FAQ:<br>
> >> <br>
> >> </font></tt><a href="http://openfacts2.berlios.de/wikien/index.php/BerliosProject:FreeNX_-_FAQ"><tt><font size=2>http://openfacts2.berlios.de/wikien/index.php/BerliosProject:FreeNX_-_FAQ</font></tt></a><tt><font size=2><br>
> >> <br>
> >> > > > Don't forget
to check the NX Knowledge Base:<br>
> >> > > >
</font></tt><a href=http://www.nomachine.com/kb/><tt><font size=2>http://www.nomachine.com/kb/</font></tt></a><tt><font size=2><br>
> >> > > ><br>
> >> > > > <br>
> > ________________________________________________________________<br>
> >> > > > FreeNX-kNX mailing
list --- FreeNX-kNX@kde.org<br>
> >> > > > </font></tt><a href="https://mail.kde.org/mailman/listinfo/freenx-knx"><tt><font size=2>https://mail.kde.org/mailman/listinfo/freenx-knx</font></tt></a><tt><font size=2><br>
> >> > > > <br>
> > ________________________________________________________________<br>
> >> > ><br>
> >> > > -------------------------------------------------------<br>
> > -- <br>
> > Dion Moult :-)<br>
> > <br>
> <br>
> -- <br>
> View this message in context: </font></tt><a href="http://www.nabble.com/Re%3A-Fwd%3A-Re%"><tt><font size=2>http://www.nabble.com/Re%3A-Fwd%3A-Re%</font></tt></a><tt><font size=2><br>
> 3A--NXClient-fails-to-connect-with-authentication-failed%09for-user.<br>
> -tp25621598p25626974.html<br>
> Sent from the freenx-knx mailing list archive at Nabble.com.<br>
</font></tt>
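<br>
<br><tt><font size=2>The sshd settings this reply and the quoted thread turn on, as an added example that is not part of the original message: a script that reads the global section of an sshd_config and reports whether a password login to the IPv4 loopback address can succeed. The function names and the sample file are constructed here, and treating UseDNS as the reverse-lookup option mentioned above is an assumption.</font></tt>

```shell
#!/bin/sh
# Added example, not from the thread: audit the global section of an
# sshd_config for the settings discussed above.

# Print each value of keyword $1 found before the first Match block in file $2.
# Keywords are case-insensitive; "Key value" and "Key=value" both parse.
sshd_values() {
    awk -v want="$1" '
        { sub(/^[ \t]+/, "") }                 # drop leading whitespace
        /^#/ || /^$/ { next }                  # skip comments and blank lines
        { split($0, f, /[ \t=]+/) }
        tolower(f[1]) == "match" { exit }      # global section ends here
        tolower(f[1]) == tolower(want) { print f[2] }
    ' "$2"
}

# For a single-valued keyword sshd keeps the first value it reads.
sshd_first() { sshd_values "$1" "$2" | head -n 1; }

# Return 0 if password login over IPv4 loopback is possible, 1 otherwise.
audit_freenx() {
    cfg=$1; rc=0
    pw=$(sshd_first PasswordAuthentication "$cfg" | tr 'A-Z' 'a-z')
    if [ "${pw:-yes}" != yes ]; then           # unset means the default, yes
        echo "FAIL PasswordAuthentication $pw: password login is refused"
        rc=1
    fi
    listen=$(sshd_values ListenAddress "$cfg")
    if [ -n "$listen" ]; then                  # unset means all addresses
        covered=no
        for a in $listen; do
            case $a in
                0.0.0.0|0.0.0.0:*|127.0.0.1|127.0.0.1:*|localhost|localhost:*)
                    covered=yes ;;
            esac
        done
        [ "$covered" = yes ] || { echo "FAIL ListenAddress omits 127.0.0.1"; rc=1; }
    fi
    dns=$(sshd_first UseDNS "$cfg")            # assumed reverse-lookup option
    echo "INFO UseDNS ${dns:-unset}"
    return $rc
}

# Constructed sample based on the sshd_config quoted in the thread.
sample=$(mktemp)
printf '%s\n' 'Port 443' 'Protocol 2' 'PubkeyAuthentication yes' \
    'PasswordAuthentication no' 'UsePAM yes' > "$sample"
audit_freenx "$sample" || true
```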