[FreeNX-kNX] Re: moznx - NX mozilla plugin
Lawrence Roufail
lroufail at nc.rr.com
Sun Nov 28 22:59:51 UTC 2004
This is the basic idea (but see my comments below). I think it is more
secure if the web server generates the authentication information
because then the user never has to know what the NX password (or account
password) is.

Incidentally, I should mention that only the traditional NX authentication
method is supported, and not the pam-based authentication methods.

On Wed, 2004-11-24 at 17:28, Gian Filippo Pinzari wrote:
> Hi John ;-)
>
> John Nicholls wrote:
> >>Yes, if you do not have a password in the config file it will
> >>prompt for one in the console. This is a leftover from nxrun
> >>that was useful in development. I will probably remove it and
> >>print error message instead.
> >
> > I think most users would like to have a password, otherwise hackers will
> > have a field day. Is there some way of prompting for it in the browser
> > instead of in the terminal?
>
> Of course there is, but it would require changes to the
> client code. There is a simpler solution. Create the session
> file on the server and put the password in it. Then download
> the config file along with the plug-in. Be sure you only
> enable SSL connections to the HTTP server and... Voila'. You
> have application publishing the way Citrix does with
> Presentation Server.

Actually, the plugin has a url it uses to get the configuration file
from the server. In the demo, it points to a physical file, but a
better implementation would generate the file on the fly using the web
user's authentication credentials (I am working on a php-based
implementation).

> Obviously you should be able to let nxproxy
> inherit the SSL connection established in the browser. This
> way you would have removed the need for a SSH daemon on the
> NX server.
>
> A note about the password. Your Web application may create the
> NX password on the fly and void it once the user has finished
> with the session. Obviously even the user can be created on the
> fly. The user would not have any system password, so he could
> not connect outside NX. Why do you think NX is designed to not
> rely on the system passwords to do the job?
>
Exactly. If your web server and NX server can communicate, they can
negotiate passwords and accounts on the fly, and the users will never
know the passwords. These mechanisms could probably be more secure than
allowing a user to have direct SSH access.

> Next step: let NX start a UML instance (or a Bochs VM with
> Windows) when the user connects and give him the administrator
> password. You have taken virtualization to the next level :-).
>
> /Gian Filippo.
>
>
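
An added example, not part of the original message and not moznx or FreeNX code: a sketch of the on-the-fly credential scheme discussed in this thread, where the web application issues a throwaway NX account and password after the web login and voids them when the session ends or expires. The class and function names, the TTL and the key=value config layout are assumptions made for illustration; the real NX session file format is not shown on this page.

```python
import hashlib
import hmac
import secrets
import time


class EphemeralNXCredentials:
    """Per-session credentials created by the web app; the user never picks or sees them."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock
        self._records = {}  # account -> (salt, sha256 digest, expiry, web_user)

    def issue(self, web_user):
        """Call only after web_user has authenticated to the web app over HTTPS."""
        account = "nx-" + secrets.token_hex(6)   # throwaway account, no system password
        password = secrets.token_urlsafe(24)     # 192 random bits
        salt = secrets.token_bytes(16)
        # A salted SHA-256 is enough here because the secret is high-entropy and random.
        digest = hashlib.sha256(salt + password.encode()).digest()
        self._records[account] = (salt, digest, self._clock() + self._ttl, web_user)
        return account, password

    def verify(self, account, password):
        """What the NX side would ask: is this credential still live?"""
        record = self._records.get(account)
        if record is None:
            return False
        salt, digest, expiry, _ = record
        if self._clock() >= expiry:
            self.revoke(account)                 # expired: void it
            return False
        candidate = hashlib.sha256(salt + password.encode()).digest()
        return hmac.compare_digest(candidate, digest)

    def revoke(self, account):
        """Void the credential when the session ends."""
        return self._records.pop(account, None) is not None


def render_config(host, account, password):
    """Build the file the plugin downloads; serve it over HTTPS with no-store caching."""
    # Hypothetical key=value layout for illustration, not the real NX session format.
    return f"host={host}\nuser={account}\npassword={password}\n"
```

Only the digest is kept server-side, so the clear-text password exists just once, in the generated config file sent over the SSL connection.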