[FreeNX-kNX] Alioth projekt for FreeNX debian packages

Wed Jun 15 01:46:09 UTC 2005

On Wednesday 15 June 2005 00:03, Paul van der Vlis wrote:

> apt-get install nxserver nxagent
> nxsetup --setup-nomachine-key
> 
> This is not really secure, 

To be honest, this is a sentence of ... shall I say "pure rubbish"? 

A sentence created once by someone who understood little about the NX 
login concept, and repeated ever since by many, many people.

To set the record straight: this key (or the custom one you can create
yourself) doesnt let you or any user log in to the NX server, and it
doesnt give any normal shell access to anybody.

This key is used to establish an initial secure tunnel, over which in
the next stage the real login of the user, with his real (and hopefully
kept secret by him!) credentials happens. 

The "nomachine-key" (or any custom key you might use in its place) is 
only useful for the special "nx" user who builds the tunnel from the NX 
client to the NX server.

This user has for his "login shell" a something called "nxserver". All
"nx" can do with that shell, is conduct a sort of handshake, pass the
real user's credentials in a save way and start the executables needed
to establish the NX session. No more. And it is restricted to exactly
the commands the NX session initiation needs. And it is explicitely
prohibiting f.e. port forwarding.

So it is a gross missrepresentation to paint the "--setup-nomachine-key"
option as a "not really secure" one. It *IS* secure. 

Yes, it can slightly improve security to create a separate custom key 
for each NX server. I concede that..  But that "improvement" comes for 
a price: 

 * it will also greatly increase the inconvenience to your users and to 
   the NX server administrators, who will have to distribute the keys to 
   their users, and teach them how to switch keys when they switch servers.

Using the standard key for the nx user will allow anybody to get to the
login prompt for the real NX session. Big deal. I can get to the login
prompt of nearly every server or machine on the planet anyway, if it is 
connected at all to the Net.

Yes, it is a risk to have a machine on the Net that allows remote logins.
This is true for NX as well as non-NX services. If you want to avoid
that risk, disconnect the machine. 

Please stop repeating this mantra "'nxsetup --setup-nomachine-key' is not
really secure". Please start explaining what the the real deal is 
(improving good security to whatever degree of even better security for
the price of whatever increased work and inconvenience). Then it is a
fair deal.

If "security expert" people really cared about security of GUI programs, 
they would start an audit of the old, old, old, never-touched-again X 
code (originating from old age XFree86 times), and make sure that f.e.
it does not happen that every single X server known to mankind and 
derived from that common root, with the excepting of the NoMachine-modified
one, will fall back to a "xhost +localhost" behaviour when it cannot read
its Xauthority file.

> because it uses the default nomachine SSH key 
> without password, but it's really easy. All users can login with the
> normal password. 

Not true. You *can* set it up so that all users can login with their
normal password. You can also set it up that *some* users can login
(via NX), and others can not. And you can set it up for users to use
a different NX password from their normal password.

> Take a look at /home/.nx and in /etc/passwd at the user 
> "nx".

Yes, do it! What does it tell you?

Cheers,
Kurt