[FreeNX-kNX] Re: got: "cannot create directory `/home/.nx'"
Kurt Pfeifle
k1pfeifle at gmx.net
Tue Oct 19 16:59:17 UTC 2004
On Tuesday 19 October 2004 17:49, Rick Stout wrote:
> > - run the setup:
> > nxsetup --setup-nomachine-key
> >
>
> Just a thought. I don't think it's a good idea to use or recommend the
> --setup-nomachine-key option.
I beg to differ here.
The thing is: it should be *explained* what that setting does, and it
should be explained well and clearly. How about something like this for
a start (comments welcome):
-------------- snip --------------------------------------------------
* you can use "--setup-nomachine-key" to allow secure login with
no extra configuration from all NX client programs (currently
"kNX" from KDE and the NoMachine NX Client). Contrary to popular
belief and some mis-information, this option will *still* use an
SSH-encrypted login with the private username/password for each
user. What this option does, is to create the initial connection
to the NX server with the credentials of the "nx" special user
(comparable to Apache's often used "wwwrun" or "nobody" users),
which runs the very limited "nxserver" shell to open the connection
for the real user's login. The "nomachine-key" is a key that is
included with each NX client. It means that a connection attempt
can be made from every NX client, but is rejected if the correct
username and password aren't given.
* if you use "nxsetup" without that option, a unique SSH key pair
is auto-created for your FreeNX server. You need to make sure
to transfer and correctly store your server's unique (semi-)public
SSH key on each NX client prior to its first login attempt. This
means, that without the correct SSH key the login fails already at
the initial connection stage (before any chance to use the username
+ password) and from any NX Client that doesn't know the NX Server's
key.
A considerable number of people think that the "--setup-nomachine-key"
makes their NX server a tad bit less secure. OTOH, it also makes its
use a bit more comfortable. Security and comfort are here, as always,
two goals that are not easy to meet at the same time. It is up to you
to decide what you want to do. The FreeNX default is to not use the
"--setup-nomachine-key" automatically, but only if you request it by
explicitly typing it in.
-------------- snap --------------------------------------------------
> It's never a good idea to use default
> security settings, and a dsa key that gives you access to a server is
> definitely not a good idea.
Please!! This isn't giving you access to a "server". That's how FUD
is originating (even if you don't intend it, Rick!)-- It gives you
access to a *login prompt* (where you still have to know the username
and password to get in).
> I realize it's not the default, but maybe we
> should remove the nomachine key setup option,
By any means: NO!! You have my veto on this one.
> and leave the key in the
> README for anyone that NEEDS to use it.
Hehe.... reminds me of the "Security by Obscurity" mantra... ;-)
> That will make it much more
> difficult to use,
We should make it not more difficult to use. What we should do,
is *explain* what the various options mean, and what implications
they have.
In any case, it is a very good idea to write a README (or other
documentation) about the key setup options as well as about "(Free)NX
server security" which goes even more into detail than what is my
humble attempt above.
You've written some great documents about (Free)NX already, Rick.
Maybe you could be teased to go for another one?
> but not impossible for anyone who would absolutely
> need to use it.
>
> Anyone have any thoughts on this?
;-)
> Rick
Cheers,
Kurt
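
The two setups described in the message above differ only in which key the "nx" user accepts for the initial connection, so an administrator can audit which mode a server is in. The following is an added example, not part of the original post and not FreeNX code: the function names are hypothetical, and both file paths are arguments because the post names neither the "nx" user's authorized_keys location nor the shipped key (the use of an authorized_keys file is itself an assumption based on standard SSH behaviour).

```shell
#!/bin/sh
# Added example (not FreeNX code). Function names are hypothetical.

# key_blobs FILE
# Print the base64 key blob of every key in an authorized_keys or .pub file.
key_blobs() {
    awk '
        /^[ \t]*(#|$)/ { next }        # skip comments and blank lines
        {
            gsub(/"[^"]*"/, "")        # drop quoted option values (may hold spaces)
            for (i = 1; i < NF; i++)
                if ($i ~ /^(ssh-(dss|rsa|ed25519)|ecdsa-sha2-[a-z0-9-]+)$/) {
                    print $(i + 1)     # the blob follows the key type
                    break
                }
        }' "$1"
}

# accepts_shipped_key AUTHORIZED_KEYS SHIPPED_PUB
# 0: a key from SHIPPED_PUB is accepted (any NX client reaches the login stage)
# 1: not accepted (clients need the server's own key first)
# 2: SHIPPED_PUB contains no key, so nothing can be concluded
accepts_shipped_key() {
    shipped=$(key_blobs "$2")
    [ -n "$shipped" ] || return 2
    key_blobs "$1" | grep -Fxq -e "$shipped"
}

# Command-line use: sh audit.sh <nx user's authorized_keys> <client's shipped .pub>
if [ "$#" -eq 2 ]; then
    accepts_shipped_key "$1" "$2"
    case $? in
        0) echo "shipped client key accepted: only username/password gate the login" ;;
        1) echo "shipped client key not accepted: clients need this server's key" ;;
        *) echo "no key found in $2" >&2 ;;
    esac
fi
```

Comparing key blobs rather than whole lines means differing options or comments on the authorized_keys line do not hide a match.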