[FreeNX-kNX] Public-Key Authentication

YoJoe yojoe at schneebrett.com
Thu Sep 21 20:02:30 UTC 2006


Hi,
I just played a bit with FreeNX-knx on SUSE 10.1. Now I have some questions I 
couldn't find answers to:

1. SSH is just used for authentication? Or is all communication between the 
client and the server secured over SSH?
1.1. The user 'nx' has a SSH Public/Private-Key pair. Is this just used to 
authenticate the client? What data is sent over this SSH connection?
1.2. I only allow PubkeyAuthentication on my SSH-Server (and I don't want to 
change that), therefore I disabled PAM-Authentication and SSH-Authentication 
in the FreeNX-Server config file (/etc/nxserver/node.conf). Now I have to add 
all users who are allowed to log in via NX by 
calling 'nxserver --adduser' and 'nxserver --passwd', which automatically 
adds a Public-Key to {$userhome}/.ssh/authorized_keys2. What is this 
Public-Key used for? And where is the corresponding Private-Key?

2. It seems like all NX-clients use the same Public/Private-Key pair for 
simplicity by default, right? If I have a look at /etc/nxserver/users.id_dsa 
it is the same as the default NoMachine-Client key. I get many 
brute-force-SSH attacks on my machine, that's why I only allow 
PubkeyAuthentication. I think it's just a matter of time until these 
ssh-brute-force-scripts will also try user 'nx' and the default NoMachine 
Private-Key to gain access to systems. Well, if user 'nx' and its 
~/.ssh/authorized_keys2 file are correctly configured, they'll only get 
access to the '/usr/bin/nxserver'-Shell. But who knows if it hasn't any 
security issues which can be exploited? The only solution is to generate your 
own key pair for user 'nx' and carry the private key with you or distribute 
it to the client machines!
2.1. If SSH is already used for Authentication, why not support 
SSH-PubkeyAuthentication for User-Authentication, too? The kNX-Client just 
needs an option to choose PubkeyAuthentication instead of 
PasswordAuthentication. If the user doesn't explicitly supply a Private-Key 
file then ~/.ssh/id_dsa is used by default.
2.2. If it was possible to authenticate users via PubkeyAuthentication, you 
would have to carry two keys with you: one for user 'nx' and one for your account. 
Wouldn't it be sufficient to have just one key (your SSH key) and disable 
user 'nx'? This way the Administrator would only have to tell the 
FreeNX-Server which accounts are allowed to use NX and doesn't have to set an 
additional password for every user. The kNX client could use the username and 
Private-Key supplied by the user to connect to the FreeNX-Server, instead of 
using username 'nx' and /usr/share/knx/client.id_dsa.key. (By the 
way: /usr/share/knx/client.id_dsa.key is a very strange location for a KDE 
program... why not use ~/.kde/share/apps/knx/client.id_dsa.key?)

Regards,
Jörg
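
An added example, not part of the original post and not FreeNX code: a small audit of the 'nx' user's authorized_keys2 that flags entries still using a publicly known default key or lacking the forced command '/usr/bin/nxserver' and the usual OpenSSH forwarding restrictions. The function names, the sample file and the key blobs are constructed placeholders; the set of restrictions checked is an assumption about what "correctly configured" should mean here.

```python
KEY_TYPES = ("ssh-dss", "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-")
RESTRICTIONS = ("no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding")

def split_unquoted(text, seps):
    """Split on separator characters that are not inside double quotes."""
    parts, cur, quoted, prev = [], "", False, ""
    for ch in text:
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch in seps and not quoted:
            if cur:
                parts.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    return parts + [cur] if cur else parts

def audit_line(line, forced_command, default_blobs):
    """Return a list of findings for one authorized_keys entry."""
    fields = split_unquoted(line.strip(), " \t")
    opts = {}
    if fields and not fields[0].startswith(KEY_TYPES):
        # First field is the option list; option names are case-insensitive.
        for opt in split_unquoted(fields.pop(0), ","):
            name, _, value = opt.partition("=")
            opts[name.lower()] = value.strip('"')
    if len(fields) < 2:
        return ["unparseable entry"]
    findings = []
    if fields[1] in default_blobs:
        findings.append("publicly known default key")
    if opts.get("command") != forced_command:
        findings.append("missing forced command " + forced_command)
    findings += ["missing " + r for r in RESTRICTIONS if r not in opts]
    return findings

def audit(text, forced_command="/usr/bin/nxserver", default_blobs=frozenset()):
    """Map line number -> findings for every key entry that has any."""
    report = {}
    for no, line in enumerate(text.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#"):
            found = audit_line(line, forced_command, default_blobs)
            if found:
                report[no] = found
    return report

# Constructed sample: the key blobs are placeholders, not real keys.
SAMPLE = '''# ~nx/.ssh/authorized_keys2
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/usr/bin/nxserver" ssh-dss AAAAPLACEHOLDERDEFAULT nx@default
ssh-dss AAAAPLACEHOLDEROWNKEY nx@myhost
no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="/usr/bin/nxserver" ssh-dss AAAAPLACEHOLDEROWNKEY2 nx@myhost
'''
DEFAULT_BLOBS = {"AAAAPLACEHOLDERDEFAULT"}  # fill with the shipped key's public blob

if __name__ == "__main__":
    for no, found in audit(SAMPLE, default_blobs=DEFAULT_BLOBS).items():
        print(f"line {no}: {', '.join(found)}")
```

The public blob to put in DEFAULT_BLOBS can be derived from a shipped private key file with `ssh-keygen -y -f <keyfile>`.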