[FreeNX-kNX] PAM authentication doesn't work

Jon Severinsson jon at severinsson.net
Wed Jul 13 20:23:07 UTC 2005 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Martin Honermeyer skrev:
> Jon Severinsson wrote:
>> Martin Honermeyer skrev:
>>> Hello,
>>>
>>> I've been trying different configurations and settings, but i've been
>>> unable to get people to authenticate with PAM (/etc/passwd) so far. They
>>> have to be added to the passdb with
>>>
>>> nxserver --adduser user
>>> nxserver --password user
>>>
>>> in order to be able to login.
>>>
>>> I've tried the following (in node.conf):
>>>
>>> ENABLE_PASSDB_AUTHENTICATION="0"
>>> ENABLE_SSH_AUTHENTICATION="1" (alternatively
>>> ENABLE_SU_AUTHENTICATION="1")
>>> ENABLE_USER_DB="0"
>>>
>>> I also enabled PasswordAuthentication in /etc/ssh/sshd_config and added
>>> the nx user to the wheel group. Same problem every time
>>> (from /var/log/nxserver.log, with log level set to 7):
>>>
>>> -- NX SERVER START:
>>> HELLO NXSERVER - Version 1.4.0-04-CVS OS (GPL)
>>> NX> 105 hello NXCLIENT - Version 1.4.0
>>> NX> 134 Accepted protocol: 1.4.0
>>> NX> 105 SET SHELL_MODE SHELL
>>> NX> 105 SET AUTH_MODE PASSWORD
>>> NX> 105 login
>>> NX> 101 User: martin
>>> NX> 102 Password:
>>> Info: Auth method: ssh su
>>> NX> 404 ERROR: wrong password or login
>>> NX> 999 Bye
>>>
>>> I am using FreeNX from _CVS_ and the third 1.5.0 NoMachine source
>>> snapshot, I think.
>>>
>>> So what's the right way to get this going?
>>>
>>>
>>> Greetz,
>>> Martin
>>>
>>
>> Hi Martin
>>
>> Your nice log tells me you have configured freeNX correctly. The telling
>> line is "Info: Auth method: ssh su " which tells me it tried ssh, failed,
>> and tried su. The next line tells me that all tried logins failed. That
>> is, freenx successfully caled the login process (both ssh and su) and both
>> told nx the login was invalid. It does not have to be wrong password, but
>> by some reason pam failed to log in the user. Can you do a manual ssh login
>> with the "martin" user, replace the variables ($...) below with their
>> values on your system (SSHD_PORT should be 22, and $PATH_BIN should be either
>> /usr/bin or /usr/NX/bin):
>>
>> > ssh -2 -x -l "martin" "127.0.0.1" -o "NumberOfPasswordPrompts 1" -p
>> "$SSHD_PORT" "$PATH_BIN/nxnode" --check"
> 
> 
> $ ssh -2 -x -l "martin" "127.0.0.1" -o "NumberOfPasswordPrompts 1" -p "22"
> "/usr/NX/bin/nxnode --check"
> Password:
> NX> 1000 NXNODE - Version 1.4.0-04-CVS OS (GPL)
> NX> 716 finished
> NX> 1001 Bye.

This seems quite OK. It is in fact exactly the same as I get on my 1.4.0 & 0.4.1
system (using "jon" instead of "martin").

>> If that doesn't work, you have a problem either in ssh or in pam.
>> If a manual login does work, the problem migh be in nxnode. A printout of
>> the manual login process would help. I would also like to see the printout
>> if you revert to the 1.4.0 OSS components, to make sure there is no vital
>> difrence.
> 
> This is difficult, as this machine is already used by some people.. I'll try
> it later.

You realy shouldn't use snapshots and CVS versions for production use, but as
the 1.5 printout looks identical with my 1.4 printout, that should not be the
problem in this case.

> Greetz,
> Martin

To check that the problem is not in nxnode-login, please run it manually,
replacing all the variables acordingly:
$ echo "$PASS" | $PATH_BIN/nxnode-login -- ssh "$USER" "$SSHD_PORT"
"$PATH_BIN/nxnode" --check 2>&1 >/dev/null
and
$ echo "$PASS" | $PATH_BIN/nxnode-login -- su "$USER" "$SSHD_PORT"
"$PATH_BIN/nxnode" --check 2>&1 >/dev/null

Each line should give a return code of 0 if login succedes (check by doing "echo
$?" immediatly after each line above). If this works, I could only gues that you
are having some odd pam restrictions applying to a live connection, but not a
manual check. Do some digging in /etc/pam.d/sshd and /etc/pam.d/su and see if
commenting out all odd lines (basicly everyone but "unix.so" lines, or whatever
user database you use). If this works, please re-enables the lines one-by one to
se what causes the problem. If that wont do, I'm out of ideas. Please check with
stable versions of the !M nx OSS components and freenx.
And, just to rule out some other misconfiguration, please run "nxloadconfig
- --check" to see if it produces any errors.

Best Regards
- - Jonno
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC1XgqOOpxqcksWu4RAu5VAKCcal3rNMXwKUa43jOF2n1GVLwlpACbBjBV
u9ydq+M9ZCd6HuJZ2VnJsGs=
=nbL6
-----END PGP SIGNATURE-----

More information about the FreeNX-kNX mailing list