[FreeNX-kNX] Re: got: "cannot create directory `/home/.nx'"

Rick Stout zipsonic at gmail.com
Tue Oct 19 17:18:04 UTC 2004


Kurt Pfeifle wrote:
> On Tuesday 19 October 2004 17:49, Rick Stout wrote:
> 
> 
>>>- run the setup:
>>>    nxsetup --setup-nomachine-key
>>>
>>
>>Just a thought. I don't think it's a good idea to use or recommend the 
>>--setup-nomachine-key option.
> 
> 
> I beg to differ here.
> 
> The thing is: it should be *explained* what that setting does, and it
> should be explained well and clearly. How about something like this for
> a start (comments welcome):
> 
> -------------- snip --------------------------------------------------
> 
>  * you can use "--setup-nomachine-key" to allow secure login with
>    no extra configuration from all NX client programs (currently
>    "kNX" from KDE and the NoMachine NX Client). Contrary to popular
>    belief and some mis-information, this option will *still* use an 
>    SSH-encrypted login with the private username/password for each
>    user. What this option does, is to create the initial connection
>    to the NX server with the credentials of the "nx" special user
>    (comparable to Apache's often used "wwwrun" or "nobody" users),
>    which runs the very limited "nxserver" shell to open the connection
>    for the real user's login. The "nomachine-key" is a key that is
>    included with each NX client. It means that a connection attempt
>    can be made from every NX client, but is rejected if the correct
>    username and password aren't given.
> 
>  * if you use "nxsetup" without that option, a unique SSH key pair
>    is auto-created for your FreeNX server. You need to make sure
>    to transfer and correctly store your server's unique (semi-)public 
>    SSH key on each NX client prior to its first login attempt. This 
>    means that without the correct SSH key the login fails already at 
>    the initial connection stage (before any chance to use the username
>    + password) and from any NX Client that doesn't know the NX Server's
>    key.
> 
> A considerable number of people think that the "--setup-nomachine-key"
> makes their NX server a tad bit less secure. OTOH, it also makes its
> use a bit more comfortable. Security and comfort are here, as always,
> two goals that are not easy to meet at the same time. It is up to you
> to decide what you want to do. The FreeNX default is to not use the 
> "--setup-nomachine-key" automatically, but only if you request it by
> explicitly typing it in.
> 
> -------------- snap --------------------------------------------------
> 
> 
>>It's never a good idea to use default  
>>security settings, and a dsa key that gives you access to a server is 
>>definitely not a good idea.
> 
> 
> Please!! This isn't giving you access to a "server". That's how FUD 
> is originating (even if you don't intend it, Rick!)-- It gives you 
> access to a *login prompt* (where you still have to know the username
> and password to get in).
> 
> 
My thinking is this: (No FUD intended, Darl isn't around...)

Exploit found (whether it be in (free)NX or SSH). Allows anyone to 
connect to a machine running (free)NX as long as they have the key. That 
would basically mean any computer with the nomachine key is compromised. 
Forcing users to create a key would help with that.

Not likely, but definitely not far from a possibility...

>>I realize it's not the default, but maybe we  
>>should remove the nomachine key setup option,
> 
> 
> By any means: NO!! You have my veto on this one.
> 
> 
>>and leave the key in the  
>>README for anyone that NEEDS to use it. 
> 
> 
> Hehe.... reminds me of the "Security by Obscurity" mantra...  ;-)
> 
> 
>>That will make it much more  
>>difficult to use,
> 
> 
> We should make it not more difficult to use. What we should do,
> is *explain* what the various options mean, and what implications
> they have.
> 
> In any case, it is a very good idea to write a README (or other 
> documentation) about the key setup options as well as about "(Free)NX
> server security" which goes even more into detail than what is my 
> humble attempt above.
> 
> You've written some great documents about (Free)NX already, Rick.
> Maybe you could be teased to go for another one?
> 

Let me see what I can come up with. "Rick's Master guide to NX, SSH and 
the keys that bind them"... hehehehe

> 
>>but not impossible for anyone who would absolutely  
>>need to use it.
>>
>>Anyone have any thoughts on this?
> 
> 
> ;-)
> 
> 
>>Rick
> 
> 
> Cheers,
> Kurt
> 
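
The thread distinguishes a key shipped with every NX client from a key pair unique to one server. As an added example (not from the thread and not FreeNX code), this Python audit reads an authorized_keys file for the "nx" user and flags entries whose fingerprint matches a list of widely distributed keys. The key blobs, the fingerprint list and the nxserver path are constructed placeholders.

```python
import base64
import hashlib

KEY_TYPES = {"ssh-dss", "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}

def fingerprint(blob_b64):
    """SHA256 fingerprint in the form OpenSSH prints: SHA256:<base64, no padding>."""
    raw = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (lineno, keytype, blob); options placed before the key type are skipped."""
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, tok in enumerate(fields[:-1]):
            if tok in KEY_TYPES:
                yield lineno, tok, fields[i + 1]
                break

def audit(text, shared_fingerprints):
    """Classify each key as shared-default, site-specific or unparseable."""
    findings = []
    for lineno, _ktype, blob in parse_authorized_keys(text):
        try:
            fp = fingerprint(blob)
        except ValueError:  # binascii.Error (bad base64) is a ValueError
            findings.append((lineno, "unparseable", None))
            continue
        status = "shared-default" if fp in shared_fingerprints else "site-specific"
        findings.append((lineno, status, fp))
    return findings

def _blob(label):
    # Constructed stand-in for key material; not a real key.
    return base64.b64encode(b"\x00\x00\x00\x07ssh-dss" + label).decode()

SHARED, UNIQUE = _blob(b"constructed-shared-key"), _blob(b"constructed-server-key")
SHARED_FINGERPRINTS = {fingerprint(SHARED)}  # assumption: list kept by the admin
SAMPLE = f"""# constructed authorized_keys for the nx user
no-port-forwarding,command="/usr/bin/nxserver" ssh-dss {SHARED} client-default
ssh-dss {UNIQUE} generated-by-nxsetup
ssh-dss not*base64 broken-entry
"""

if __name__ == "__main__":
    for lineno, status, fp in audit(SAMPLE, SHARED_FINGERPRINTS):
        print(f"line {lineno}: {status} {fp or ''}")
```
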


