[FreeNX-kNX] Re: got: "cannot create directory `/home/.nx'"

Jean-Eric Cuendet jec at rptec.ch
Tue Oct 19 17:15:38 UTC 2004


Thanks Kurt,
I share your thoughts entirely.
-jec

Kurt Pfeifle wrote:
> On Tuesday 19 October 2004 17:49, Rick Stout wrote:
> 
> 
>>>- run the setup:
>>>    nxsetup --setup-nomachine-key
>>>
>>
>>Just a thought. I don't think it's a good idea to use or recommend the 
>>--setup-nomachine-key option.
> 
> 
> I beg to differ here.
> 
> The thing is: it should be *explained* what that setting does, and it
> should be explained well and clearly. How about s.th. like this for
> a start (comments welcome):
> 
> -------------- snip --------------------------------------------------
> 
>  * you can use "--setup-nomachine-key" to allow secure login with
>    no extra configuration from all NX client programs (currently
>    "kNX" from KDE and the NoMachine NX Client). Contrary to popular
>    belief and some mis-information, this option will *still* use an 
>    SSH-encrypted login with the private username/password for each
>    user. What this option does, is to create the initial connection
>    to the NX server with the credentials of the "nx" special user
>    (comparable to Apache's often used "wwwrun" or "nobody" users),
>    which runs the very limited "nxserver" shell to open the connection
>    for the real user's login. The "nomachine-key" is a key that is
>    included with each NX client. It means that a connection attempt
>    can be made from every NX client, but is rejected if the correct
>    username and password aren't given.
> 
>  * if you use "nxsetup" without that option, a unique SSH key pair
>    is auto-created for your FreeNX server. You need to make sure
>    to transfer and correctly store your server's unique (semi-)public 
>    SSH key on each NX client prior to its first login attempt. This 
>    means that without the correct SSH key the login fails already at 
>    the initial connection stage (before any chance to use the username
>    + password) and from any NX Client that doesn't know the NX Server's
>    key.
> 
> A considerable number of people think that the "--setup-nomachine-key"
> makes their NX server a tad bit less secure. OTOH, it also makes its
> use a bit more comfortable. Security and comfort are here, as always,
> two goals that are not easy to meet at the same time. It is up to you
> to decide what you want to do. The FreeNX default is to not use the 
> "--setup-nomachine-key" automatically, but only if you request it by
> explicitly typing it in.
> 
> -------------- snap --------------------------------------------------
> 
> 
>>It's never a good idea to use default  
>>security settings, and a dsa key that gives you access to a server is 
>>definitely not a good idea.
> 
> 
> Please!! This isn't giving you access to a "server". That's how FUD 
> is originating (even if you don't intend it, Rick!)-- It gives you 
> access to a *login prompt* (where you still have to know the username
> and password to get in).
> 
> 
>>I realize it's not the default, but maybe we  
>>should remove the nomachine key setup option,
> 
> 
> By any means: NO!! You have my veto on this one.
> 
> 
>>and leave the key in the  
>>README for anyone that NEEDS to use it. 
> 
> 
> Hehe.... reminds me of the "Security by Obscurity" mantra...  ;-)
> 
> 
>>That will make it much more  
>>difficult to use,
> 
> 
> We should make it not more difficult to use. What we should do,
> is *explain* what the various options mean, and what implications
> they have.
> 
> In any case, it is a very good idea to write a README (or other 
> documentation) about the key setup options as well as about "(Free)NX
> server security" which goes even more into detail than what is my 
> humble attempt above.
> 
> You've written some great documents about (Free)NX already, Rick.
> Maybe you could be teased to go for another one?
> 
> 
>>but not impossible for anyone who would absolutely  
>>need to use it.
>>
>>Anyone have any thoughts on this?
> 
> 
> ;-)
> 
> 
>>Rick
> 
> 
> Cheers,
> Kurt

-- 
Jean-Eric Cuendet
Riskpro Technologies SA
Av du 14 avril 1b, 1020 Renens Switzerland
Principal: +41 21 637 0110  Fax: +41 21 637 01 11
Direct: +41 21 637 0123
E-mail: jean-eric.cuendet at rptec.ch
http://www.rptec.ch
--------------------------------------------------------


