[FreeNX-kNX] One-time password authentication question
Fabian Franz
FabianFranz at gmx.de
Wed Mar 8 20:04:55 UTC 2006
On Wednesday, 8 March 2006 15:45, Nick Owen wrote:
> Interesting suggestions. I'm not familiar with the -M option. Have to
> google it up ;). I got FreeNX working with one-time passcodes thanks to
> a script from Felix Shumacher. Here's his post:
>
> http://lists.kde.org/?l=freenx-knx&m=113766147904995&w=2
Yeah, thank you.
>
> and here is a how-to on our open source site:
>
> http://www.wikidsystems.net/howtos/2_factor_vnc
Yes, I've read it.
>
> This script would be a great addition to the code, IMHO.
I need to disagree:
The patch unfortunately has some problems:
It means that any user can log in as any user and at least see which sessions
are running. This is a privacy problem.
I.e. I could check if my colleague is really connected during his work time or
not...
While I cannot suspend or resume any sessions of course, I could do the
commands and have the entries deleted from the session database
(there is a FIXME to check for successful execution in the code, but it was
never needed, so not yet fixed.
Easy fix: put the two lines onto one line combined with &&.)
Also, everything in the client like "terminating a session one does not want to
resume" of course leads to the usage of the one-time password and thus to
the unsuccessful start of the session afterwards.
Google for "ControlMaster" to find a great blog post about the ssh -M
functionality.
Though having such a UNIX-Domain socket of course would give other nx
processes the possibility to use the ControlMaster too if there was a
security leak in that part of the code.
Making nxserver control nxnode is possible and not that difficult either,
_but_ in each case (ControlMaster or nxnode-persistent-connection) you have a
problem _ever_ implementing load balancing.
( The same applies to directly logging a user in. )
cu
Fabian
--
*** Consulting - Training - Workshops - Troubleshooting ***
@@@ LiveCDs (Knoppix), Debian, Remote Desktop Access (FreeNX) @@@
--- Fabian Franz --- www.fabian-franz.de --- consulting at fabian-franz.de