[FreeNX-kNX] PAM authentication doesn't work

Martin Honermeyer maze at strahlungsfrei.de
Thu Jul 14 09:40:55 UTC 2005


Thanks for your help, guys! I figured out I had to add the nx user to the
tty group. There were problems accessing ptys otherwise (from the FreeNX
0.4.0 log):

The system has no more ptys.  Ask your system administrator to create more.

Works, even with FreeNX CVS & NoMachine source snapshot 3!

I think I should have mentioned that this is a VServer, again. As you can
see from my previous posts, adding users to the tty group seems to be a
magic solution for all my NX problems .. Should have tried that first.
Stupid me ;-)


Martin


Martin Honermeyer wrote:

> Jon Severinsson wrote:
> 
>> 
>> Martin Honermeyer wrote:
>>> Jon Severinsson wrote:
>>>> Martin Honermeyer wrote:
>>>>> Hello,
>>>>>
>>>>> I've been trying different configurations and settings, but I've been
>>>>> unable to get people to authenticate with PAM (/etc/passwd) so far.
>>>>> They have to be added to the passdb with
>>>>>
>>>>> nxserver --adduser user
>>>>> nxserver --password user
>>>>>
>>>>> in order to be able to log in.
>>>>>
>>>>> I've tried the following (in node.conf):
>>>>>
>>>>> ENABLE_PASSDB_AUTHENTICATION="0"
>>>>> ENABLE_SSH_AUTHENTICATION="1" (alternatively
>>>>> ENABLE_SU_AUTHENTICATION="1")
>>>>> ENABLE_USER_DB="0"
>>>>>
>>>>> I also enabled PasswordAuthentication in /etc/ssh/sshd_config and
>>>>> added the nx user to the wheel group. Same problem every time
>>>>> (from /var/log/nxserver.log, with log level set to 7):
>>>>>
>>>>> -- NX SERVER START:
>>>>> HELLO NXSERVER - Version 1.4.0-04-CVS OS (GPL)
>>>>> NX> 105 hello NXCLIENT - Version 1.4.0
>>>>> NX> 134 Accepted protocol: 1.4.0
>>>>> NX> 105 SET SHELL_MODE SHELL
>>>>> NX> 105 SET AUTH_MODE PASSWORD
>>>>> NX> 105 login
>>>>> NX> 101 User: martin
>>>>> NX> 102 Password:
>>>>> Info: Auth method: ssh su
>>>>> NX> 404 ERROR: wrong password or login
>>>>> NX> 999 Bye
>>>>>
>>>>> I am using FreeNX from _CVS_ and the third 1.5.0 NoMachine source
>>>>> snapshot, I think.
>>>>>
>>>>> So what's the right way to get this going?
>>>>>
>>>>>
>>>>> Greetz,
>>>>> Martin
>>>>>
>>>>
>>>> Hi Martin
>>>>
>>>> Your nice log tells me you have configured freeNX correctly. The
>>>> telling line is "Info: Auth method: ssh su " which tells me it tried
>>>> ssh, failed, and tried su. The next line tells me that all tried logins
>>>> failed. That is, freenx successfully called the login process (both ssh
>>>> and su) and both told nx the login was invalid. It does not have to be
>>>> wrong password, but for some reason pam failed to log in the user. Can
>>>> you do a manual ssh login with the "martin" user, replace the variables
>>>> ($...) below with their values on your system (SSHD_PORT should be 22,
>>>> and $PATH_BIN should be either /usr/bin or /usr/NX/bin):
>>>>
>>>> > ssh -2 -x -l "martin" "127.0.0.1" -o "NumberOfPasswordPrompts 1" -p
>>>> "$SSHD_PORT" "$PATH_BIN/nxnode --check"
>>> 
>>> 
>>> $ ssh -2 -x -l "martin" "127.0.0.1" -o "NumberOfPasswordPrompts 1" -p
>>> "22" "/usr/NX/bin/nxnode --check"
>>> Password:
>>> NX> 1000 NXNODE - Version 1.4.0-04-CVS OS (GPL)
>>> NX> 716 finished
>>> NX> 1001 Bye.
>> 
>> This seems quite OK. It is in fact exactly the same as I get on my 1.4.0
>> & 0.4.1 system (using "jon" instead of "martin").
>> 
>>>> If that doesn't work, you have a problem either in ssh or in pam.
>>>> If a manual login does work, the problem might be in nxnode. A printout
>>>> of the manual login process would help. I would also like to see the
>>>> printout if you revert to the 1.4.0 OSS components, to make sure there
>>>> is no vital difference.
>>> 
>>> This is difficult, as this machine is already used by some people.. I'll
>>> try it later.
>> 
>> You really shouldn't use snapshots and CVS versions for production use,
>> but as the 1.5 printout looks identical with my 1.4 printout, that should
>> not be the problem in this case.
>> 
>>> Greetz,
>>> Martin
>> 
>> To check that the problem is not in nxnode-login, please run it manually,
>> replacing all the variables accordingly:
>> $ echo "$PASS" | $PATH_BIN/nxnode-login -- ssh "$USER" "$SSHD_PORT"
>> "$PATH_BIN/nxnode" --check 2>&1 >/dev/null
>> and
>> $ echo "$PASS" | $PATH_BIN/nxnode-login -- su "$USER" "$SSHD_PORT"
>> "$PATH_BIN/nxnode" --check 2>&1 >/dev/null
> 
> Tried it, everything okay.
> 
> 
>> 
>> Each line should give a return code of 0 if login succeeds (check by
>> doing "echo $?" immediately after each line above). If this works, I could
>> only guess that you are having some odd pam restrictions applying to a
>> live connection, but not a manual check. Do some digging in
>> /etc/pam.d/sshd and /etc/pam.d/su and see if commenting out all odd lines
>> (basically everyone but "unix.so" lines, or whatever user database you
>> use). If this works, please re-enable the lines one by one to see what
>> causes the problem. If that won't do, I'm out of ideas. Please check with
>> stable versions of the !M nx OSS components and freenx. And, just to rule
>> out some other misconfiguration, please run "nxloadconfig - --check" to
>> see if it produces any errors.
> 
> Thanks for your help. My PAM configuration is a standard Gentoo one.
> Commenting out modules didn't help. Config is okay. I am going to
> downgrade the NoMachine sources now..
> 
> 
> Greetz,
> Martin
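
A check for the fix reported at the top of this message (the nx account needing membership in the tty group), added here as an example that is not part of the original thread or of FreeNX. It reports whether an account holds a group and lists every account that does, so the accounts granted tty on a shared host can be reviewed; the function names and the sample passwd/group entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit membership of the "tty" group named in the post.
# Reads passwd(5)/group(5) files directly, so accounts served by LDAP/NIS
# are not seen. File arguments default to the local system files.

# field NAME N FILE -> Nth colon-separated field of the entry called NAME
field() { awk -F: -v k="$1" -v n="$2" '$1 == k { print $n; exit }' "$3"; }

# user_in_group USER GROUP [PASSWD_FILE] [GROUP_FILE]
# returns 0 = member, 1 = not a member, 2 = no such group, 3 = no such user
user_in_group() {
    passwd=${3:-/etc/passwd}; groupf=${4:-/etc/group}
    gid=$(field "$2" 3 "$groupf");  [ -n "$gid" ]  || return 2
    pgid=$(field "$1" 4 "$passwd"); [ -n "$pgid" ] || return 3
    [ "$pgid" = "$gid" ] && return 0          # primary group matches
    case ",$(field "$2" 4 "$groupf")," in     # supplementary member list
        *",$1,"*) return 0 ;;
    esac
    return 1
}

# group_accounts GROUP [PASSWD_FILE] [GROUP_FILE]
# prints every account holding GROUP (supplementary or primary), sorted
group_accounts() {
    passwd=${2:-/etc/passwd}; groupf=${3:-/etc/group}
    gid=$(field "$1" 3 "$groupf"); [ -n "$gid" ] || return 2
    {
        field "$1" 4 "$groupf" | tr ',' '\n'
        awk -F: -v g="$gid" '$4 == g { print $1 }' "$passwd"
    } | sed '/^$/d' | sort -u
}

# Constructed sample files (not from the post): group file before and
# after accounts are added to tty. Prints the temp directory path.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'nx:x:105:105::/home/nx:/bin/sh' \
        'martin:x:1000:100::/home/martin:/bin/sh' > "$d/passwd"
    printf '%s\n' 'tty:x:5:' 'users:x:100:' 'nx:x:105:' > "$d/before"
    printf '%s\n' 'tty:x:5:martin,nx' 'users:x:100:' 'nx:x:105:' > "$d/after"
    echo "$d"
}

s=$(make_sample) || exit 1
for f in before after; do
    rc=0; user_in_group nx tty "$s/passwd" "$s/$f" || rc=$?
    echo "$f: nx in tty: exit $rc; tty accounts:" $(group_accounts tty "$s/passwd" "$s/$f")
done
rm -rf "$s"
```

On a live host, `user_in_group nx tty` and `group_accounts tty` with no file arguments read /etc/passwd and /etc/group.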




