[FreeNX-kNX] Public-Key Authentication
YoJoe
yojoe at schneebrett.com
Thu Sep 21 20:02:30 UTC 2006
Hi,
I just played a bit with FreeNX-knx on SUSE 10.1. Now I have some questions I
couldn't find answers to:
1. Is SSH just used for authentication? Or is all communication between the
client and the server secured over SSH?
1.1. The user 'nx' has an SSH Public/Private-Key pair. Is this just used to
authenticate the client? What data is sent over this SSH connection?
1.2. I only allow PubkeyAuthentication on my SSH-Server (and I don't want to
change that), therefore I disabled PAM-Authentication and SSH-Authentication
in the FreeNX-Server config file (/etc/nxserver/node.conf). Now I have to add
all users who are allowed to log in via NX by
calling 'nxserver --adduser' and 'nxserver --passwd', which automatically
adds a Public-Key to {$userhome}/.ssh/authorized_keys2. What is this
Public-Key used for? And where is the corresponding Private-Key?
2. It seems like all NX-clients use the same Public/Private-Key pair for
simplicity by default, right? If I have a look at /etc/nxserver/users.id_dsa
it is the same as the default NoMachine-Client key. I get many
brute-force SSH attacks on my machine, that's why I only allow
PubkeyAuthentication. I think it's just a matter of time until these
SSH brute-force scripts will also try user 'nx' and the default NoMachine
Private-Key to gain access to systems. Well, if user 'nx' and its
~/.ssh/authorized_keys2 file are correctly configured, they'll only get
access to the '/usr/bin/nxserver'-Shell. But who knows whether it has any
security issues which can be exploited? The only solution is to generate your
own key pair for user 'nx' and carry the private key with you or distribute
it to the client machines!
2.1. If SSH is already used for Authentication, why not support
SSH PubkeyAuthentication for User-Authentication, too? The kNX-Client just
needs an option to choose PubkeyAuthentication instead of
PasswordAuthentication. If the user doesn't explicitly supply a Private-Key
file then ~/.ssh/id_dsa is used by default.
2.2. If it were possible to authenticate users via PubkeyAuthentication, you
would have to carry two keys with you: one for user 'nx' and one for your account.
Wouldn't it be sufficient to have just one key (your SSH key) and disable
user 'nx'? This way the Administrator would only have to tell the
FreeNX-Server which accounts are allowed to use NX and doesn't have to set an
additional password for every user. The kNX client could use the username and
Private-Key supplied by the user to connect to the FreeNX-Server, instead of
using username 'nx' and /usr/share/knx/client.id_dsa.key. (By the
way: /usr/share/knx/client.id_dsa.key is a very strange location for a KDE
program... why not use ~/.kde/share/apps/knx/client.id_dsa.key?)
Regards,
Jörg
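Added example, not code from the FreeNX, kNX or NoMachine projects: a small Python audit of an OpenSSH authorized_keys file that reports the two things the post worries about, a shared default client key being accepted for user 'nx' and key entries that carry no restriction options. All key blobs and the sample file are constructed placeholders; the blob named DEFAULT_CLIENT_BLOB does not reproduce the real NoMachine key, and an admin would substitute the blob from their own copy of the stock client key. The `restrict` and `no-*-forwarding` options checked for are standard OpenSSH authorized_keys options; whether FreeNX needs any of the features they disable is not something this example asserts, it only reports their absence.

```python
"""Audit an OpenSSH authorized_keys(2) file for a shared default client key
and for key entries that lack restriction options.
Added example; not FreeNX, kNX or NoMachine code."""
import base64
import hashlib

KEY_TYPE_PREFIXES = ("ssh-dss", "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-")
RESTRICTIONS = ("no-port-forwarding", "no-agent-forwarding", "no-X11-forwarding")

# Constructed stand-ins for key material. DEFAULT_CLIENT_BLOB plays the role
# of the public half of the key every stock client ships with; it is NOT the
# real NoMachine key, only a labelled placeholder to be replaced locally.
DEFAULT_CLIENT_BLOB = base64.b64encode(b"constructed-default-client-key").decode()
SITE_BLOB = base64.b64encode(b"constructed-site-specific-key").decode()
OTHER_BLOB = base64.b64encode(b"constructed-second-site-key").decode()

# Constructed sample file: one stock-key entry, one restricted site key,
# one unrestricted site key.
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample of ~nx/.ssh/authorized_keys2
ssh-dss {DEFAULT_CLIENT_BLOB} nx@stock-client
restrict,command="/usr/bin/nxserver" ssh-dss {SITE_BLOB} nx@site-key
ssh-rsa {OTHER_BLOB} nx@laptop
"""


def split_outside_quotes(text, separators):
    """Split on any separator char that is not inside double quotes, so an
    option like command="/usr/bin/nxserver --foo,bar" stays one field."""
    fields, current, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
            current += ch
        elif ch in separators and not quoted:
            if current:
                fields.append(current)
            current = ""
        else:
            current += ch
    if current:
        fields.append(current)
    return fields


def parse_entry(line):
    """Return (options, key_type, blob) for a key line, or None for
    comments and blank lines. Options are everything before the key type."""
    fields = split_outside_quotes(line.strip(), " \t")
    if not fields or fields[0].startswith("#"):
        return None
    for i, field in enumerate(fields):
        if field.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(fields):
            options = split_outside_quotes(fields[0], ",") if i == 1 else []
            return options, field, fields[i + 1]
    return None


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def audit(text, default_blob=DEFAULT_CLIENT_BLOB):
    """Return one finding per problem: the shared default key being accepted,
    and entries that carry neither 'restrict' nor the no-*-forwarding set."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        parsed = parse_entry(line)
        if parsed is None:
            continue
        options, key_type, blob = parsed
        fp = fingerprint(blob)
        if blob == default_blob:
            findings.append({"line": number, "issue": "default-client-key",
                             "key_type": key_type, "fingerprint": fp})
        names = [opt.split("=", 1)[0] for opt in options]
        if "restrict" not in names:
            missing = [r for r in RESTRICTIONS if r not in names]
            if missing:
                findings.append({"line": number, "issue": "unrestricted",
                                 "missing": missing, "fingerprint": fp})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_AUTHORIZED_KEYS):
        print(finding)
```

Run against a real file, `audit(open("/home/nx/.ssh/authorized_keys2").read(), default_blob=...)` with the blob taken from the stock client key reports line 2 of the sample as both the default key and unrestricted, leaves the `restrict,command=` entry alone, and flags the plain ssh-rsa entry as unrestricted; rotating to a site-generated key pair, as the post suggests, is what makes the first finding disappear.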