[FreeNX-kNX] [TUTORIAL] FreeNX and public key authentication
Fabian Franz
FabianFranz at gmx.de
Tue Jul 5 00:47:19 UTC 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi,
I just got FreeNX and public key authentication working.
Perfect world:
----------------------
Basically it always just worked, but I knew too little about SSH to use this
feature efficiently.
Three steps are needed to use an already set-up key management with NX:
- NXServer: Remove no-agent-forwarding from $NXHOME/.ssh/authorized_keys2
- Start ssh-agent (if it is not running already) and run
  ssh-add <secret-key-file-for-remote-host>
- Add the following to your .ssh/config:
  Host <remote nx server>
      ForwardAgent yes
Start nxclient, use "a" or something else inherently insecure as the
password, and save it in the confirmation dialog (the password is never used
for authentication, the forwarded agent is).
Just connect and the connection will be authenticated through the ssh-agent.
BUT: nxssh neither honours our ~/.ssh/config nor can it forward ssh-agent
connections when run with SSL encryption, so you'll need a work-around
(see below).
-------------------------------------------------------------------------------------------------------------------------
WARNING:
Of course the usual security measures regarding agent forwarding should be
taken into consideration.
This means that if you use ssh-agent for your normal work, you should start
a separate instance of ssh-agent for the NX server, to avoid handing your
access credentials to a malicious person who has compromised the NX server.
While a forwarded session is open, whoever controls the server side can sign
with every key loaded in that agent (the key material itself is not exposed,
but its use is).
Unfortunately ssh-agent cannot be restricted in _what_ is forwarded.
------------------------------------------------------------------------------------------------------------------------
One solution for this problem (UNIX only for now, sorry Windows users) is to
replace the nxssh of the commercial client with a wrapper script around the
original nxssh.orig, and to have keys ready that are named after the hosts
(possibly via symlinks).
$ cd /usr/NX/bin
$ mv nxssh nxssh.orig
$ wget 'http://svn.berlios.de/viewcvs/*checkout*/freenx/nx-utils/nxpublickey/nxssh?rev=72' -O nxssh
$ chmod a+x nxssh
$ cd ~/.ssh
$ mkdir nx
$ cd nx
$ ln -s <secret_key_for_host_Bluemoon> Bluemoon
With this solution one could also solve the "several keys needed for one
host" problem, where two keys have to be forwarded to the server.
Easily solved: turn the host entry into a directory holding one key per name.
$ rm -f Bluemoon
$ mkdir Bluemoon
$ ln -s <secret_key_for_host_Bluemoon> Bluemoon/user1
$ ln -s <secret_key_for_host_Bluemoon_for_nx_user> Bluemoon/nx
You should get the idea ... (the script handles this nice and transparently)
Another advantage is that you get "levels of trust". You can keep your keys
for important machines separated from the ones for untrusted machines. This
of course is just a hack; this functionality should be added directly to
ssh-agent. (I wonder why no-one else has requested this yet. It's so
obvious ...)
The neat thing about agent forwarding is that you should be able to extend
the script quite easily, e.g. for smartcard support handled through agent
forwarding ...
Now you might say:
- Well, I do not want to type in my passphrase a hundred times when I
  connect to my sessions.
The script handles this as well: the agent is started only once and listens
on ~/.ssh/nx/Bluemoon.sock (or whatever your hostname is).
Once the agent dies this file is removed automatically, and if it is not
(e.g. after a power outage), it doesn't hurt, because the script checks
whether a functioning agent is behind the socket before starting a new one.
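As an added illustration of the wrapper scheme described above (this is not the nxssh script from the FreeNX repository linked earlier, nor NoMachine's code), here is a minimal POSIX sh wrapper that implements the same ideas: the target host is taken from the argument list, the key (or directory of keys) for that host is looked up under ~/.ssh/nx, a dedicated per-host agent is started on ~/.ssh/nx/<host>.sock only if no working agent already answers there (a stale socket is removed), and the real client is then run with agent forwarding. The option list in nx_target_host, the -A flag being honoured by nxssh.orig, and the NX_KEYDIR / NX_ORIG names are assumptions.

```shell
#!/bin/sh
# Added example wrapper, not the FreeNX nxssh script. Assumed layout:
# keys for host H live in $NX_KEYDIR/H (a single secret key, or a directory
# of keys such as Bluemoon/user1 and Bluemoon/nx), the per-host agent listens
# on $NX_KEYDIR/H.sock, and the original client binary is $NX_ORIG.
NX_KEYDIR="${NX_KEYDIR:-$HOME/.ssh/nx}"
NX_ORIG="${NX_ORIG:-/usr/NX/bin/nxssh.orig}"

# Pick the target host out of an ssh-style argument list: the first word that
# is neither an option nor the value of a value-taking option. Which options
# take a value is an assumption about what nxclient passes to nxssh.
nx_target_host() {
    while [ $# -gt 0 ]; do
        case "$1" in
            -l|-p|-i|-o|-c|-F|-L|-R|-D|-e)
                [ $# -ge 2 ] || return 1
                shift 2 ;;
            -*) shift ;;
            *)  printf '%s\n' "$1"; return 0 ;;
        esac
    done
    return 1
}

# Print the secret key files to load for a host: the file itself, or every
# non-.pub regular file inside a per-host directory (symlinks are followed).
nx_keys_for_host() {
    entry="$NX_KEYDIR/$1"
    if [ -f "$entry" ]; then
        printf '%s\n' "$entry"
    elif [ -d "$entry" ]; then
        for k in "$entry"/*; do
            case "$k" in *.pub) continue ;; esac
            if [ -f "$k" ]; then printf '%s\n' "$k"; fi
        done
    else
        echo "nxssh wrapper: no key for host $1 under $NX_KEYDIR" >&2
        return 1
    fi
}

# Succeed only if a live agent answers on the socket. ssh-add -l exits 2 when
# it cannot reach an agent (e.g. a socket left behind by a crash), and 0 or 1
# when an agent is there; a dead socket is cleaned up.
nx_agent_alive() {
    sock="$1"
    [ -S "$sock" ] || return 1
    status=0
    SSH_AUTH_SOCK="$sock" ssh-add -l >/dev/null 2>&1 || status=$?
    if [ "$status" -eq 2 ]; then
        rm -f "$sock"
        return 1
    fi
    return 0
}

nx_main() {
    host=$(nx_target_host "$@") || { echo "nxssh wrapper: no host given" >&2; exit 1; }
    sock="$NX_KEYDIR/$host.sock"
    if ! nx_agent_alive "$sock"; then
        # One dedicated agent per host, separate from the agent used for normal
        # work, so a compromised NX server only ever sees the keys chosen here.
        ssh-agent -a "$sock" >/dev/null || exit 1
        nx_keys_for_host "$host" | while read -r key; do
            SSH_AUTH_SOCK="$sock" ssh-add "$key"   # passphrase asked once per key
        done
    fi
    SSH_AUTH_SOCK="$sock"; export SSH_AUTH_SOCK
    # -A requests agent forwarding; assumed to be honoured by nxssh.orig.
    exec "$NX_ORIG" -A "$@"
}

# Only act when invoked with arguments, as nxclient does; sourcing the file
# for its functions stays side-effect free.
if [ $# -gt 0 ]; then nx_main "$@"; fi
```

Because ssh-add is only run right after a fresh agent has been started, the passphrase is requested once per key and later connections reuse the running agent; the agent's lifetime is bounded by the socket check, not by the wrapper process.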
I also provide a two-line patch against the 1.4.0 nxssh, which is needed for
this wrapper to work with nxssh and SSL encryption.
NoMachine also checked the AGENT input channel for a switch command and kept
some bytes in the buffer, which led to a complete "freeze":
- ---------------------------------------
- --- channels.c.old 2005-07-05 02:22:18.000000000 +0200
+++ channels.c 2005-07-05 02:14:06.000000000 +0200
@@ -3098,6 +3098,10 @@
int nx_check_channel_input(Channel *channel, char *data, int *length, int
limit)
{
+ if (strcmp(channel->ctype,"authentication agent connection")==0)
+ return 0;
+
+
debug("NX> 285 Going to check input for descriptor: %d",
channel->rfd);
/*
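Review bot: the hunk as pasted will not apply verbatim: the file headers carry the PGP clear-sign dash escape ("- --- channels.c.old"), and the mailer has wrapped the context line `int nx_check_channel_input(Channel *channel, char *data, int *length, int` onto a second line `limit)`, so both need to be restored before running patch. Inside the hunk, the two consecutive empty `+` lines after `return 0;` leave a double blank line where one suffices. The early return itself does what the surrounding text describes: channels of type "authentication agent connection" are no longer scanned for the NX switch command, so nothing is held back in the buffer for them.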
- ---------------------------
Well, it should be fairly obvious what needs to be fixed ...
I hope you enjoyed my little tutorial. It took some time to write (especially
finding the nxssh bug was nerve-racking), but was quite fun.
Ah, btw. I just today bought the O'Reilly book about SSH to get an idea of
how to get public keys working. Well, the 13 EUR I spent on it were worth it
:-)).
@Oliver: Could you add this article somewhere on the website, as it was one
of the most "voted" features in the past.
cu
Fabian
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFCydiaI0lSH7CXz7MRAtisAJwJn37OQPFPiZAUwjqfbAgblteR2wCfUpQc
d5++b+2xNMsaXtPk7Hd7g20=
=tubb
-----END PGP SIGNATURE-----