[FreeNX-kNX] connection to freeNX server with dsa keys ?

Gian Filippo Pinzari pinzari at nomachine.com
Tue Mar 15 15:36:27 UTC 2005


Fabian Franz wrote:
> You still need a password for "su - username". It's just that you no longer use
> SSH to log in the user with a password, but su.

I thought it was something more elaborate, like for example by
using a PAM module. Using su - + the password provided by the user
was experimented with by NoMachine in the past, but we went for
using a DSA key for accessing the node because:

- The DSA key allows both local and remote nodes with exactly
   the same mechanism.

- The DSA key forces the user to execute nxnode, instead of
   arbitrary commands.

- As you are using the password provided by the user, the server
   can't log in to the node without a user requesting some sort of
   operation. This prevents nxserver from performing maintenance
   tasks (unless nxserver stores the password, which I don't think
   is the case).

- Some OSes don't allow 'su -' when not from a TTY.

- It may require that the system administrator puts the nx user
   in groups that are a bit dangerous from the security point of
   view.

That said, I agree that offering this as an option can be a good
idea. Just su-ing to a different user is surely straightforward.
Anyway, using the system passwords is inherently insecure as it
makes it very, very difficult to implement a layer of separation
between system accounts and NX accounts, something you need if you
are going to "rent" your server.

The way NX should work is by completely separating the virtual
NX environment from the host system, including authentication. A
better way to handle this would be a PAM module that integrates
with NX and allows the nx user to become users that are in an NX
DB, a possibility that we'll have to investigate in future. This
is not simple to implement, as the nx user (or the user managing
access to the node) should have restricted access to such a DB.
The DSA key is our friend again, as it not only allows nxserver
to log in without the real password having to travel between the
components, but also simply marks "an NX user" as a user having
enabled access to the private part of the node keypair.

/Gian Filippo.
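As an added illustration of the "key forces the user to execute nxnode, instead of arbitrary commands" point above (this is not code from the post, from FreeNX or from NoMachine), the snippet below assumes the node-side OpenSSH authorized_keys forced-command option is the pinning mechanism and uses /usr/bin/nxnode as a placeholder path; it builds such an entry and audits a file for keys that are not pinned.

```shell
#!/bin/sh
# Added example, not part of the original post or of FreeNX.
# Assumption: the nx user's key on the node is restricted with OpenSSH's
# command="..." option so that it can only ever run nxnode.

# Build one authorized_keys line that pins a public key to nxnode.
#   $1: public key line, e.g. "ssh-dss AAAA... comment"
#   $2: path of the nxnode binary (placeholder: /usr/bin/nxnode)
nx_authorized_line() {
    printf 'command="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' "$2" "$1"
}

# Audit an authorized_keys file for the node user: report every key line
# that is NOT pinned to nxnode. Returns 0 if all keys are pinned, else 1.
nx_audit_authorized_keys() {
    file="$1"
    bad=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;                 # blank line or comment
            *'command="'*nxnode*'"'*) ;;         # pinned to nxnode: fine
            *) echo "UNRESTRICTED: $line"; bad=1 ;;
        esac
    done < "$file"
    return $bad
}

# Demo on a constructed file: one pinned key, one unrestricted key.
demo_file=$(mktemp)
nx_authorized_line "ssh-dss AAAAB3constructedKey nx@node" /usr/bin/nxnode > "$demo_file"
echo "ssh-dss AAAAB3constructedOther admin@node" >> "$demo_file"
nx_audit_authorized_keys "$demo_file" || echo "audit: unrestricted key(s) found"
rm -f "$demo_file"
```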
