<html><body><div style="font-family: times new roman, new york, times, serif; font-size: 10pt; color: #000000"><div>Hi,</div><div><br></div><div>Maybe I found a better way, at least for my case. I edited /etc/ssh/sshd_config with these fields:</div><div><br></div><div><p style="margin: 0px;" data-mce-style="margin: 0px;">PermitRootLogin without-password</p><p style="margin: 0px;" data-mce-style="margin: 0px;">PasswordAuthentication no</p><p style="margin: 0px;" data-mce-style="margin: 0px;">Match Address 127.0.0.1<br>     PasswordAuthentication yes</p><p style="margin: 0px;" data-mce-style="margin: 0px;"><br></p><p style="margin: 0px;" data-mce-style="margin: 0px;">In this way I allow password-authentication only from localhost (so from the nx shell), and key-based authentication from the outside.</p><p style="margin: 0px;" data-mce-style="margin: 0px;">I'm providing to the users a very limited Fluxbox-based graphical interface and I'm not going to give them access to the local shell. In this way they aren't going to be able to copy their ssh keys locally.</p><p style="margin: 0px;" data-mce-style="margin: 0px;"><br></p></div><div><br></div><hr id="zwchr"><div style="color:#000;font-weight:normal;font-style:normal;text-decoration:none;font-family:Helvetica,Arial,sans-serif;font-size:12pt;" data-mce-style="color: #000; font-weight: normal; font-style: normal; text-decoration: none; font-family: Helvetica,Arial,sans-serif; font-size: 12pt;"><b>From: </b>"Chris" &lt;chris@ccburton.com&gt;<br><b>To: </b>"User Support for FreeNX Server and kNX Client" &lt;freenx-knx@kde.org&gt;<br><b>Sent: </b>Thursday, 1 August, 2013 12:41:19 PM<br><b>Subject: </b>Re: [FreeNX-kNX] preventing data transfers over SSH, yet still allow NX sessions.<br><div><br></div><br><tt><span size="2" data-mce-style="font-size: small;" style="font-size: small;">freenx-knx-bounces@kde.org wrote on 01/08/2013 10:12:30:<br> <br> > Hi,</span></tt> <br><tt><span size="2" data-mce-style="font-size: small;" 
style="font-size: small;">> <br> > Replying to an old post..</span></tt> <br><tt><span size="2" data-mce-style="font-size: small;" style="font-size: small;">> If you're using FreeNX you can set up the following:</span></tt> <br><tt><span size="2" data-mce-style="font-size: small;" style="font-size: small;">> ENABLE_SU_AUTHENTICATION="1"</span></tt> <br><tt><span size="2" data-mce-style="font-size: small;" style="font-size: small;">> <br> > Then you should edit /etc/ssh/sshd_config and add the following <br> > string: AllowGroups sshadm</span></tt> <br><tt><span size="2" data-mce-style="font-size: small;" style="font-size: small;">> sshadm:x:90:root,nx</span></tt> <br><tt><span size="2" data-mce-style="font-size: small;" style="font-size: small;">> <br> > This means that users can use the shared key to log into the server <br> > as the "nx" user, and then NX will "su" to their user.</span></tt> <br><tt><span size="2" data-mce-style="font-size: small;" style="font-size: small;">> Users will however not be able to ssh into the server with their account.</span></tt> <br><tt><span size="2" data-mce-style="font-size: small;" style="font-size: small;">> They can still log into the server as the "nx" user via ssh, but <br> > they would not get a usable shell (only the internal nx shell).</span></tt> <br><tt><span size="2" data-mce-style="font-size: small;" style="font-size: small;">> <br> > Unfortunately I'm right now in the situation where we bought a <br> > licence for the commercial NoMachine NX server, and it seems that <br> > the "su authentication" feature is not enabled there, so I don't <br> > know how to prevent user logins to the server via ssh.</span></tt> <br> <br><tt><span size="2" data-mce-style="font-size: small;" style="font-size: small;">You can use TWO instances of sshd.</span></tt> <br> <br><tt><span size="2" data-mce-style="font-size: small;" style="font-size: small;">1/ external, e.g. on port 2222, users nx/admins only, key pair only</span></tt> 
<br><tt><span size="2" data-mce-style="font-size: small;" style="font-size: small;">        update the nxclient configuration</span></tt> <br><tt><span size="2" data-mce-style="font-size: small;" style="font-size: small;">2/ internal,(listen on 127.0.0.1 only) port 22 (with passwordauthentication)</span></tt> <br> <br><a href="http://www.nomachine.com/ar/view.php?ar_id=AR06E00470" target="_blank" data-mce-href="http://www.nomachine.com/ar/view.php?ar_id=AR06E00470"><tt><span size="2" data-mce-style="font-size: small;" style="font-size: small;">http://www.nomachine.com/ar/view.php?ar_id=AR06E00470</span></tt></a> <br><tt><span size="2" data-mce-style="font-size: small;" style="font-size: small;">( they explain it the other way round, but you are better moving your</span></tt> <br><tt><span size="2" data-mce-style="font-size: small;" style="font-size: small;">external sshd to a different port )</span></tt> <br><div><br></div>________________________________________________________________<br>     Were you helped on this list with your FreeNX problem?<br>    Then please write up the solution in the FreeNX Wiki/FAQ:<br><div><br></div>http://openfacts2.berlios.de/wikien/index.php/BerliosProject:FreeNX_-_FAQ<br><div><br></div>         Don't forget to check the NX Knowledge Base:<br>                 http://www.nomachine.com/kb/<br><div><br></div>________________________________________________________________<br>       FreeNX-kNX mailing list --- FreeNX-kNX@kde.org<br>      https://mail.kde.org/mailman/listinfo/freenx-knx<br>________________________________________________________________</div><div><br></div></div></body></html>