[FreeNX-kNX] Re: got: "cannot create directory `/home/.nx'"
Kurt Pfeifle
k1pfeifle at gmx.net
Tue Oct 19 17:31:53 UTC 2004
On Tuesday 19 October 2004 18:59, Kurt Pfeifle wrote:
> On Tuesday 19 October 2004 17:49, Rick Stout wrote:
>
> > > - run the setup:
> > > nxsetup --setup-nomachine-key
> > >
> >
> > Just a thought. I don't think it's a good idea to use or recommend the
> > --setup-nomachine-key option.
>
> I beg to differ here.
>
> The thing is: it should be *explained* what that setting does, and it
> should be explained well and clear.
Maybe I should add this:

I have the intention to contribute with as much help and documentation
to (Free)NX/kNX as I can. Just like I did with CUPS, Samba printing,
KDEPrint... It is just that I seriously lacked time in recent months
and still do lack it.

The current state of FreeNX documentation sucks, and sucks badly.
Any help here is welcome, now and in future.

Hopefully this will turn to the better, once we have moved to a CVS
or SVN repository on FreeDesktop.org with an associated website,
which could provide much more focus to the currently scattered
various resources. The move to FD.o should be happening sometime
soon now that most of the administrativa have been looked into
and solved....

Cheers,
Kurt
> How about s.th. like this for
> a start (comments welcome):
>
> -------------- snip --------------------------------------------------
>
> * you can use "--setup-nomachine-key" to allow secure login with
> no extra configuration from all NX client programs (currently
> "kNX" from KDE and the NoMachine NX Client). Contrary to popular
> belief and some mis-information, this option will *still* use an
> SSH-encrypted login with the private username/password for each
> user. What this option does, is to create the initial connection
> to the NX server with the credentials of the "nx" special user
> (comparable to Apache's often used "wwwrun" or "nobody" users),
> which runs the very limited "nxserver" shell to open the connection
> for the real user's login. The "nomachine-key" is a key that is
> included with each NX client. It means that a connection attempt
> can be made from every NX client, but is rejected if the correct
> username and password aren't given.
>
> * if you use "nxsetup" without that option, a unique SSH key pair
> is auto-created for your FreeNX server. You need to make sure
> to transfer and correctly store your server's unique (semi-)public
> SSH key on each NX client prior to its first login attempt. This
> means, that without the correct SSH key the login fails already at
> the initial connection stage (before any chance to use the username
> + password) and from any NX Client that doesn't know the NX Server's
> key.
>
> A considerable number of people think that the "--setup-nomachine-key"
> makes their NX server a tad bit less secure. OTOH, it also makes its
> use a bit more comfortable. Security and comfort are here, as always,
> two goals that are not easy to meet at the same time. It is up to you
> to decide what you want to do. The FreeNX default is to not use the
> "--setup-nomachine-key" automatically, but only if you request it by
> explicitly typing it in.
>
> -------------- snap --------------------------------------------------
>
> > It's never a good idea to use default
> > security settings, and a dsa key that gives you access to a server is
> > definitely not a good idea.
>
> Please!! This isn't giving you access to a "server". That's how FUD
> is originating (even if you don't intend it, Rick!)-- It gives you
> access to a *login prompt* (where you still have to know the username
> and password to get in).
>
> > I realize it's not the default, but maybe we
> > should remove the nomachine key setup option,
>
> By any means: NO!! You have my veto on this one.
>
> > and leave the key in the
> > README for anyone that NEEDS to use it.
>
> Hehe.... reminds me of the "Security by Obscurity" mantra... ;-)
>
> > That will make it much more
> > difficult to use,
>
> We should make it not more difficult to use. What we should do,
> is *explain* what the various options mean, and what implications
> they have.
>
> In any case, it is a very good idea to write a README (or other
> documentation) about the key setup options as well as about "(Free)NX
> server security" which goes even more into detail than what is my
> humble attempt above.
>
> You've written some great documents about (Free)NX already, Rick.
> Maybe you could be teased to go for another one?
>
> > but not impossible for anyone who would absolutely
> > need to use it.
> >
> > Anyone have any thoughts on this?
>
> ;-)
>
> > Rick
>
> Cheers,
> Kurt