[FreeNX-kNX] Re: got: "cannot create directory `/home/.nx'"

Kurt Pfeifle k1pfeifle at gmx.net
Tue Oct 19 16:59:17 UTC 2004


On Tuesday 19 October 2004 17:49, Rick Stout wrote:

> > - run the setup:
> >     nxsetup --setup-nomachine-key
> > 
> 
> Just a thought. I don't think it's a good idea to use or recommend the 
> --setup-nomachine-key option.

I beg to differ here.

The thing is: it should be *explained* what that setting does, and it
should be explained well and clearly. How about something like this for
a start (comments welcome):

-------------- snip --------------------------------------------------

 * you can use "--setup-nomachine-key" to allow secure login with
   no extra configuration from all NX client programs (currently
   "kNX" from KDE and the NoMachine NX Client). Contrary to popular
   belief and some mis-information, this option will *still* use an 
   SSH-encrypted login with the private username/password for each
   user. What this option does is to create the initial connection
   to the NX server with the credentials of the "nx" special user
   (comparable to Apache's often used "wwwrun" or "nobody" users),
   which runs the very limited "nxserver" shell to open the connection
   for the real user's login. The "nomachine-key" is a key that is
   included with each NX client. It means that a connection attempt
   can be made from every NX client, but is rejected if the correct
   username and password aren't given.

 * if you use "nxsetup" without that option, a unique SSH key pair
   is auto-created for your FreeNX server. You need to make sure
   to transfer and correctly store your server's unique (semi-)public 
   SSH key on each NX client prior to its first login attempt. This 
   means that without the correct SSH key the login fails already at 
   the initial connection stage (before any chance to use the username
   + password) and from any NX Client that doesn't know the NX Server's
   key.

A considerable number of people think that the "--setup-nomachine-key"
makes their NX server a tad bit less secure. OTOH, it also makes its
use a bit more comfortable. Security and comfort are here, as always,
two goals that are not easy to meet at the same time. It is up to you
to decide what you want to do. The FreeNX default is to not use the 
"--setup-nomachine-key" automatically, but only if you request it by
explicitly typing it in.

-------------- snap --------------------------------------------------

> It's never a good idea to use default  
> security settings, and a dsa key that gives you access to a server is 
> definitely not a good idea.

Please!! This isn't giving you access to a "server". That's how FUD 
is originating (even if you don't intend it, Rick!)-- It gives you 
access to a *login prompt* (where you still have to know the username
and password to get in).

> I realize it's not the default, but maybe we  
> should remove the nomachine key setup option,

By any means: NO!! You have my veto on this one.

> and leave the key in the  
> README for anyone that NEEDS to use it. 

Hehe.... reminds me of the "Security by Obscurity" mantra...  ;-)

> That will make it much more  
> difficult to use,

We should make it not more difficult to use. What we should do,
is *explain* what the various options mean, and what implications
they have.

In any case, it is a very good idea to write a README (or other 
documentation) about the key setup options as well as about "(Free)NX
server security" which goes even more into detail than what is my 
humble attempt above.

You've written some great documents about (Free)NX already, Rick.
Maybe you could be teased to go for another one?

> but not impossible for anyone who would absolutely  
> need to use it.
> 
> Anyone have any thoughts on this?

;-)

> Rick

Cheers,
Kurt
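
Added example, not part of the original message and not FreeNX code: a check an administrator could run to see which of the two setups described above a server is in, by fingerprinting the keys accepted for the "nx" user and comparing them with the fingerprint of the key shipped in the NX clients. The function names, the sample lines and the key blobs are constructed for illustration; the real shared-key fingerprint and the location of the "nx" user's authorized_keys file must be supplied by the reader.

```python
import base64
import hashlib
import struct


def parse_keys(authorized_keys_text):
    """Return the raw key blob of every valid entry; options and comments are skipped."""
    blobs = []
    for line in authorized_keys_text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        for keytype, b64 in zip(fields, fields[1:]):
            try:
                raw = base64.b64decode(b64, validate=True)
            except ValueError:
                continue
            # A public-key blob begins with a length-prefixed copy of its type name.
            n = int.from_bytes(raw[:4], "big")
            if raw[4:4 + n] == keytype.encode():
                blobs.append(raw)
                break
    return blobs


def fingerprint(raw_blob):
    """SHA256 fingerprint in the form printed by `ssh-keygen -l`."""
    digest = hashlib.sha256(raw_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def login_mode(authorized_keys_text, shared_fingerprints):
    """Classify which of the two setups the "nx" user's key file reflects."""
    found = {fingerprint(raw) for raw in parse_keys(authorized_keys_text)}
    if not found:
        return "no-key"
    return "shared-client-key" if found & set(shared_fingerprints) else "site-unique-key"


def _constructed_blob(keytype, payload):
    # Constructed stand-in for a real key: correct framing, meaningless key material.
    head = struct.pack(">I", len(keytype)) + keytype.encode()
    return base64.b64encode(head + payload).decode()


SHARED = _constructed_blob("ssh-dss", b"constructed shared client key")
UNIQUE = _constructed_blob("ssh-dss", b"constructed per-server key")
SHARED_FPS = {fingerprint(base64.b64decode(SHARED))}
SAMPLE_SHARED = 'from="192.0.2.0/24",no-port-forwarding ssh-dss %s nx@example\n' % SHARED
SAMPLE_UNIQUE = "# constructed sample\nssh-dss %s nx@example\n" % UNIQUE
```

A result of "shared-client-key" means any NX client can reach the username/password stage; "site-unique-key" means only clients holding the server's own key get that far.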


