[FreeNX-kNX] [TUTORIAL] FreeNX and public key authentication

Fabian Franz FabianFranz at gmx.de
Tue Jul 5 00:47:19 UTC 2005



Hi,

I just got FreeNX and public key authentication working.

Perfect world:
----------------------

Basically it always just worked, but I knew too little about SSH to use this 
feature efficiently.

Three steps are needed to use an already set-up key management with NX:

- NXServer: Remove no-agent-forwarding from $NXHOME/.ssh/authorized_keys2
- Start ssh-agent (if it's not running already) and ssh-add 
<secret-key-file-for-remote-host>
- Add the following to your .ssh/config:

Host <remote nx server>
	ForwardAgent yes

Start nxclient, use "a" or something similarly insecure as the password, and 
save it in the confirmation dialog.

Just connect and connection will be done through the ssh-agent.

BUT: nxssh neither accepts our config nor can it forward ssh-agent 
connections when run with SSL encryption, so you'll need to use a work-around 
(see below).

-------------------------------------------------------------------------------------------------------------------------
WARNING:

Of course the normal security measures regarding agent-forwarding should be 
taken into consideration.

This means that if you are using ssh-agent for your normal work, you should 
start a separate instance of ssh-agent for the nxserver to avoid giving away 
access credentials to a malicious person who has compromised the NX server.

Unfortunately ssh-agent cannot be restricted in _what_ is forwarded.
------------------------------------------------------------------------------------------------------------------------

One solution for this problem (UNIX only for now, sorry Windows users) is to 
replace nxssh of the commercial client with a wrapper script for the original 
nxssh.orig and have keys ready named by hosts (possibly via symlinks).

$ cd /usr/NX/bin
$ mv nxssh nxssh.orig

$ wget http://svn.berlios.de/viewcvs/*checkout*/freenx/nx-utils/nxpublickey/nxssh?rev=72 -O nxssh

$ chmod a+x nxssh

$ cd ~/.ssh
$ mkdir nx
$ cd nx
$ ln -s <secret_key_for_host_Bluemoon> Bluemoon

With this solution one could also solve the "keys needed for several hosts" 
problem, but you'd need two keys that are forwarded to the server.

Easily solved:

$ rm -f Bluemoon
$ mkdir Bluemoon
$ ln -s <secret_key_for_host_Bluemoon> Bluemoon/user1
$ ln -s <secret_key_for_host_Bluemoon_for_nx_user> Bluemoon/nx

You should get the idea ... (the script handles this nice and transparently)

Another advantage is that you have "levels of trust". You could have your keys 
for important machines separated from the untrusted ones. This of course is 
just a hack; this functionality should be added directly to ssh-agent. (I 
wonder why no-one else has requested this yet. It's so obvious ...)

The neat thing about agent forwarding is that you should be able to quite 
easily enhance the script for say smartcard support handled through 
agent-forwarding ...

Now you might say:

- Well, I do not want to type in my pass-phrase the hundred times I connect 
to my sessions.

The script also handles this: the agent is started just once and connected to 
~/.ssh/nx/Bluemoon.sock (or whatever your hostname is).

Once the agent dies this file is automatically removed, and if it isn't (e.g. 
after a power outage), it doesn't hurt, as the script checks whether there is a 
functioning agent behind the socket before starting one.
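The two mechanisms the post attributes to the wrapper script, key lookup by host name (with the per-user subdirectory layout shown earlier) and a per-host agent socket that is reused only while a working agent still answers on it, written out as an added shell example. This is not the nxssh wrapper linked above; NX_KEYDIR, NXSSH_ORIG, the host names Bluemoon and Redmoon, and the assumed `nxssh <host> ...` calling convention are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the nxssh wrapper from the post. NX_KEYDIR, NXSSH_ORIG, the
# host names and the "nxssh <host> ..." argument convention are assumptions.

# Map a host (and optionally a user) to its key file under NX_KEYDIR:
#   <dir>/<host>          one key for the host
#   <dir>/<host>/<user>   one key per user on that host ("nx" by default)
# Prints the path and returns 0, or returns 1 when no readable key exists.
nx_key_for() {
    dir=${NX_KEYDIR:-$HOME/.ssh/nx}
    host=$1
    user=${2:-nx}
    if [ -d "$dir/$host" ]; then
        if [ -r "$dir/$host/$user" ]; then
            printf '%s\n' "$dir/$host/$user"
            return 0
        fi
        return 1
    elif [ -r "$dir/$host" ]; then
        printf '%s\n' "$dir/$host"
        return 0
    fi
    return 1
}

# An agent is alive when its socket exists and ssh-add can talk to it:
# ssh-add -l exits 0 (keys listed) or 1 (agent up, no keys); 2 means the
# socket is dead, e.g. left behind by a power outage.
agent_alive() {
    sock=$1
    [ -S "$sock" ] || return 1
    SSH_AUTH_SOCK=$sock ssh-add -l >/dev/null 2>&1
    rc=$?
    [ "$rc" -eq 0 ] || [ "$rc" -eq 1 ]
}

# Reuse the agent behind <dir>/<host>.sock, or start a fresh one bound to that
# path (ssh-agent -a) and load the host's key into it once. The agent is
# separate from any agent used for normal work, as the warning above asks.
nx_agent_for() {
    host=$1
    dir=${NX_KEYDIR:-$HOME/.ssh/nx}
    sock=$dir/$host.sock
    if ! agent_alive "$sock"; then
        rm -f "$sock"                       # stale socket from a dead agent
        ssh-agent -a "$sock" >/dev/null || return 1
        key=$(nx_key_for "$host") || return 1
        SSH_AUTH_SOCK=$sock ssh-add "$key" || return 1
    fi
    SSH_AUTH_SOCK=$sock
    export SSH_AUTH_SOCK
}

# Wrapper entry point (assumed invocation: nxssh <host> [options...]).
# In the installed wrapper the last line would be:  nx_wrap_main "$@"
nx_wrap_main() {
    nx_agent_for "$1" || exit 1
    exec "${NXSSH_ORIG:-/usr/NX/bin/nxssh.orig}" "$@"
}
```

Checking the socket with ssh-add rather than with a bare existence test is what makes the stale-socket case harmless: a socket file that nothing listens on fails the check and is replaced.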

I also provide a two-liner patch against 1.4.0 nxssh, which is needed for this 
wrapper to work with nxssh and SSL encryption.

NoMachine also checked the AGENT input channel for a switch command and kept 
some bytes in the buffer, which led to a complete "freeze":

---------------------------------------
- --- channels.c.old	2005-07-05 02:22:18.000000000 +0200
+++ channels.c	2005-07-05 02:14:06.000000000 +0200
@@ -3098,6 +3098,10 @@
 
 int nx_check_channel_input(Channel *channel, char *data, int *length, int 
limit)
 {
+	if (strcmp(channel->ctype,"authentication agent connection")==0)
+		return 0;
+		
+	
         debug("NX> 285 Going to check input for descriptor: %d", 
channel->rfd);
 
         /*
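Review bot: the two whitespace-only additions right after the early return (the `+` lines that hold nothing but tabs) should be dropped before this goes in; the fix itself needs only the `strcmp` and the `return 0`. The early return also skips the existing `debug("NX> 285 Going to check input for descriptor: %d", ...)` trace for agent channels, so a run with debugging enabled gives no hint why input checking was bypassed for that descriptor; a one-line debug() in the same style before the return would make the behaviour visible. Separately, the file header timestamps put channels.c.old (02:22:18) after channels.c (02:14:06), which suggests the diff was taken against a copy touched after the edit; regenerating it would make the direction unambiguous.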
---------------------------

Well, it should be fairly obvious what needs to be fixed ...

I hope you enjoyed my little tutorial. It took some time to write (especially 
finding the nxssh bug was nerve-wracking), but was quite fun.

Ah, btw. I just today bought the O'Reilly book about SSH to get an idea of how 
to get public keys working. Well, the 13 EUR I spent on it were worth it :-)).

@Oliver: Could you add this article somewhere on the website, as it was one of 
the most "voted" features in the past?

cu

Fabian