<br>
<br><tt><font size=2>Dion Moult <dion@thinkmoult.com> wrote on 26/09/2009 18:12:42:<br>
<br>
> After some tweaking I find that I need passwordauthentication to be set to yes<br>
> in sshd_config. I wonder if it's possible to use NX with both NX's key and my<br>
> own encrypted-with-passphrase key for my user account (as opposed to system<br>
> user+pass)?<br>
> <br>
> (and correct me if I'm wrong, but this applies only to NX - as long as I have<br>
> an id_dsa in my .ssh/ folder whenever I try to ssh in directly to my user it<br>
> would ask for my passphrase?)</font></tt>
<br>
<br>
<br><tt><font size=2>The connection made by the user, after the ssh tunnel
is set up by the nx username, doesn't have access to your $HOME directory
on your ( remote from the FreeNX server ) workstation, nor does it have
access to your $HOME directory on the FreeNX server, because you are looking
down a text session tunnel and are not logged in to the FreeNX server (
yet ).</font></tt>
<br>
<br><tt><font size=2>This means in other words that the ssh client on the
server, being used to log in the user has no access to your id_rsa ( or
id_dsa ) key files, so it has to log you in using passwords.</font></tt>
<br>
<br><tt><font size=2>The checking of your authorized_keys file, if you
connect normally using ssh, is done by the sshd running as root, looking
up your $HOME directory based on your supplied username. It can hardly
use both files for you.</font></tt>
<br>
<br><tt><font size=2>If you don't like the idea of having password authentication
set to yes on an sshd visible from "outside" ( neither do I
), please start another thread ( so the thread title matches the issue
) and I'll explain a way round it.</font></tt>
<br>
<br><tt><font size=2><br>
> <br>
> On Saturday 26 September 2009 18:14:38 ChrisB wrote:<br>
> > Dion Moult <dion@thinkmoult.com> wrote on 26/09/2009 10:56:10:<br>
> > > It asks for my passphrase. So I rename id_dsa to something else and try again<br>
> > > and you are right it asks for my password. I can log in fine.<br>
> > ><br>
> > > Trying again with NXClient with the moved id_dsa still fails with the same<br>
> > > error as before.<br>
> > <br>
> > If it is still giving failed login with user dion after you have got user<br>
> > dion logging in and working then in the absence of any other information,<br>
> > I would suspect that you haven't changed the entry in<br>
> > /etc/nxxserver/node.conf to tell FreeNX that the sshd is listening on 443<br>
> > instead of 22.<br>
> > <br>
> > Do you have any other users which can log in OK ?? If so it is an issue<br>
> > with account dion. If not then check the above next.<br>
> > <br>
> > > On Saturday 26 September 2009 17:44:20 ChrisB wrote:<br>
> > > > Dion Moult <dion@thinkmoult.com> wrote on 26/09/2009 03:01:22:<br>
> > > > > Tried changing that, restarting sshd and nxserver, but it still<br>
> > > > > gives the same<br>
> > > > > error:<br>
> > > > ><br>
> > > > > sshd[23560]: Connection from 127.0.0.1 port 38026<br>
> > > > > sshd[23560]: Failed none for nx from 127.0.0.1 port 38026 ssh2<br>
> > > > > sshd[23560]: Found matching DSA key: blahblahblahetcetc<br>
> > > > > sshd[23560]: Accepted publickey for nx from 127.0.0.1 port 38026 ssh2<br>
> > > > > sshd[23560]: pam_unix(sshd:session): session opened for user nx by (uid=0)<br>
> > > > > sshd[23560]: User child is on pid 23562<br>
> > > > > nxserver[23692]: (nx) Failed login for user=dion from IP=127.0.0.1<br>
> > > > > sshd[23562]: Connection closed by 127.0.0.1<br>
> > > > > sshd[23562]: Transferred: sent 2848, received 1968 bytes<br>
> > > > > sshd[23562]: Closing connection to 127.0.0.1 port 38026<br>
> > > > > sshd[23560]: pam_unix(sshd:session): session closed for user nx<br>
> > > ><br>
> > > > Sounds like password or account issues with user dion<br>
> > > ><br>
> > > > On the server, try<br>
> > > ><br>
> > > > ssh -v -p 443 -l dion localhost<br>
> > > ><br>
> > > > The -v will tell you what it is trying and what fails.<br>
> > > ><br>
> > > > It should ask for a password. If user dion has an id_dsa or id_rsa key in<br>
> > > > $HOME/.ssh then you need to temporarily rename it id_dsa.000 or some such.<br>
> > > ><br>
> > > > If you can't log in as user dion locally using a password then it won't<br>
> > > > work over nx, so you need to prove this works/fix it next . . . .<br>
> > > ><br>
> > > > > On Saturday 26 September 2009 09:55:03 you wrote:<br>
> > > > > > ---------- Forwarded Message ----------<br>
> > > > > ><br>
> > > > > > Subject: Re: [FreeNX-kNX] NXClient fails to connect with authentication<br>
> > > > > > failed for user.<br>
> > > > > > Date: Friday 25 September 2009<br>
> > > > > > From: "ChrisB" <chris@ccburton.com><br>
> > > > > > To: User Support for FreeNX Server and kNX Client <freenx-knx@kde.org><br>
> > > > > ><br>
> > > > > > Dion Moult <dion@thinkmoult.com> wrote on 25/09/2009 18:09:17:<br>
> > > > > ><br>
> > > > > > SNIP<br>
> > > > > ><br>
> > > > > > > sshd[13479]: Connection from 127.0.0.1 port 40791<br>
> > > > > > > sshd[13479]: Found matching DSA key: blahblahblahblah<br>
> > > > > > > sshd[13479]: Accepted publickey for nx from 127.0.0.1 port 40791 ssh2<br>
> > > > > > > sshd[13479]: pam_unix(sshd:session): session opened for user nx by (uid=0)<br>
> > > > > > > sshd[13479]: User child is on pid 13481<br>
> > > > > > > nxserver[13611]: (nx) Failed login for user=dion from IP=127.0.0.1<br>
> > > > > ><br>
> > > > > > Yup<br>
> > > > > ><br>
> > > > > > > I have checked that the public key is in /home/dion/.ssh/authorized_keys. If I<br>
> > > > > > > do ssh -p 443 localhost on the computer with the account dion it asks for my<br>
> > > > > > > passphrase of my private keypair (not the NX one) and I can log in and SSH in<br>
> > > > > ><br>
> > > > > > You need to use password authentication for the local user after<br>
> > > > > > connecting via ssh as user nx.<br>
> > > > > ><br>
> > > > > > Some distros disable this by default because it allows brute force attacks<br>
> > > > > > . . . .<br>
> > > > > ><br>
> > > > > > > remotely fine without problems. I'm not sure whether it helps but when I try<br>
> > > > > > > ssh -p 443 nx@localhost it asks for a Password, of which nothing I<br>
> > > > > > > try can log<br>
> > > > > > > it in.<br>
> > > > > > ><br>
> > > > > > > This is my sshd_config:<br>
> > > > > > > Port 443<br>
> > > > > > > Protocol 2<br>
> > > > > > > SyslogFacility AUTH<br>
> > > > > > > PermitRootLogin no<br>
> > > > > > > RSAAuthentication yes<br>
> > > > > > > PubkeyAuthentication yes<br>
> > > > > > > PasswordAuthentication no<br>
> > > > > ><br>
> > > > > > Here<br>
> > > > > ><br>
> > > > > > Just change to PasswordAuthentication yes<br>
> > > > > ><br>
> > > > > > > PermitEmptyPasswords no<br>
> > > > > > > UsePAM yes<br>
> > > > > > > Compression yes<br>
> > > > > > > KeepAlive yes<br>
> > > > > > > ClientAliveInterval 30<br>
> > > > > > > ClientAliveCountMax 4<br>
> > > > > > > AuthorizedKeysFile .ssh/authorized_keys<br>
> > > > > > > LogLevel VERBOSE<br>
> > > > > > ><br>
> > > > > > > (Note: I run SSH on port 443 on purpose, not by accident)<br>
> > > > > > ><br>
> > > > > > > Summary: When trying to connect using username and password for the account<br>
> > > > > > > "dion" which exists on the box running freenx it says Authentication failed<br>
> > > > > > > for user dion.<br>
> > > > > > ><br>
> > > > > > > Any ideas? Much appreciated.<br>
> > > > > > ><br>
> > > > > > > ________________________________________________________________<br>
> > > > > > > Were you helped on this list with your FreeNX problem?<br>
> > > > > > > Then please write up the solution in the FreeNX Wiki/FAQ:<br>
> > > > > > > </font></tt><a href="http://openfacts2.berlios.de/wikien/index.php/BerliosProject:FreeNX_-_FAQ"><tt><font size=2>http://openfacts2.berlios.de/wikien/index.php/BerliosProject:FreeNX_-_FAQ</font></tt></a><tt><font size=2><br>
> > > > > > > Don't forget to check the NX Knowledge Base:<br>
> > > > > > > </font></tt><a href=http://www.nomachine.com/kb/><tt><font size=2>http://www.nomachine.com/kb/</font></tt></a><tt><font size=2><br>
> > > > > > > ________________________________________________________________<br>
> > > > > > > FreeNX-kNX mailing list --- FreeNX-kNX@kde.org<br>
> > > > > > > </font></tt><a href="https://mail.kde.org/mailman/listinfo/freenx-knx"><tt><font size=2>https://mail.kde.org/mailman/listinfo/freenx-knx</font></tt></a><tt><font size=2><br>
> > > > > > > ________________________________________________________________<br>
> > > > > ><br>
> > > > > > -------------------------------------------------------<br>
> -- <br>
> Dion Moult :-)<br>
> [attachment "signature.asc" deleted by chris burton/solar-system/local]</font></tt>
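<br>
<br><tt><font size=2>Added example (not part of the original messages and not FreeNX code): a Python check that correlates the two login stages visible in the logs above, the key-based login of the nx tunnel account and the nxserver user login that follows it, and reads the global PasswordAuthentication value from sshd_config. The function names and sample data are constructed for illustration; it assumes log lines shaped like those quoted in the thread and OpenSSH's default of yes when the keyword is absent.</font></tt>

```python
import re

# Constructed sample, modelled on the sshd/nxserver lines quoted in the thread.
SAMPLE_LOG = """\
sshd[23560]: Connection from 127.0.0.1 port 38026
sshd[23560]: Accepted publickey for nx from 127.0.0.1 port 38026 ssh2
sshd[23560]: pam_unix(sshd:session): session opened for user nx by (uid=0)
nxserver[23692]: (nx) Failed login for user=dion from IP=127.0.0.1
sshd[23560]: pam_unix(sshd:session): session closed for user nx
"""
# A few lines of the sshd_config posted in the thread.
SAMPLE_CONFIG = "Port 443\nPubkeyAuthentication yes\nPasswordAuthentication no\nUsePAM yes\n"

STAGE1 = re.compile(r"sshd\[\d+\]: Accepted publickey for nx from (\S+) port \d+")
STAGE2 = re.compile(r"nxserver\[\d+\]: \(nx\) Failed login for user=(\S+) from IP=(\S+)")


def global_setting(config_text, keyword, default):
    """Effective global value: sshd uses the first value it reads for a keyword,
    keywords are case-insensitive, and parsing here stops at the first Match block."""
    for raw in config_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break
        if parts[0].lower() == keyword.lower() and len(parts) > 1:
            return parts[1].lower()
    return default


def diagnose(log_text, config_text):
    """One finding per failed user login that follows a successful key login
    of the nx tunnel account from the same address."""
    password_auth = global_setting(config_text, "PasswordAuthentication", "yes")
    tunnel_ok, findings = set(), []
    for line in log_text.splitlines():
        if m := STAGE1.search(line):
            tunnel_ok.add(m.group(1))
        elif (m := STAGE2.search(line)) and m.group(2) in tunnel_ok:
            cause = ("PasswordAuthentication is off" if password_auth == "no"
                     else "check the user's password and the sshd port in node.conf")
            findings.append((m.group(1), m.group(2), cause))
    return findings


if __name__ == "__main__":
    for user, ip, cause in diagnose(SAMPLE_LOG, SAMPLE_CONFIG):
        print(f"nx key accepted from {ip}, login for {user} failed: {cause}")
```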