[FreeNX-kNX] Release: FreeNX 0.7.3 "Priscilla One Year Edition"
Joe Baker
joebaker at dcresearch.com
Mon Aug 25 07:05:11 UTC 2008
Thanks Fabian!
These new features sound like great additions to FreeNX!
I am running for the US Congress. Hopefully I can convince more use of
open source software and less use of proprietary software in US Government.
Remember when you asked someone to beg you to move forward with FreeNX!
~ I'm the guy who begged you.
I'm not presently employed as a Systems Admin (been out of work since
November), but I'm looking forward to dabbling with the new version of
FreeNX-server soon!
I'm running in the 1st Congressional District of Wisconsin in the USA.
Sept 9th is the primary election.
Joe Baker
Candidate for US House of Representatives - WI #1
http://www.JosephWilliamBaker.org
Fabian Franz wrote:
| Hi All,
|
| it is done. it is released.
|
| FreeNX 0.7.3 is released and I am proud to present lots of nice new features and especially I
| hunted the bug list down (BerliOS Project Page) and got them all.
|
| Including the dreaded "Resume fails with Negotiating Link Parameters and nxssh.exe still
| running.".
|
| Perhaps the two biggest new features are full shadow support and the overhaul of the usermode.
|
| I am grateful to Amin Shehata here for his work and motivation on the shadow mode and Mr. N.
| Bartos, who did present me with a complete changeset for the usermode.
|
| I also made the VNC shadowing behave the exact same as the normal shadow mode.
|
| SHADOWING VIA NX AND VNC Resume
| ========================
|
| Shadowing (also other users) works in three steps:
|
| 1. Saving the shadow cookie (obviously not needed for same user)
|
| First, when a session is started or resumed nxshadowacl is asked, if this user should be allowed to
| be shadowed.
|
| This way in nxshadowacl there could be a line like:
|
| # Deny admin and boss to be shadowed
| [ "$1" = "admin" -o "$1" = "boss" ] && exit 1
|
| # Allow all others to be shadowed
| exit 0
|
| I did use this approach as the nxserver is storing the shadowcookie in the session file if
| nxshadowacl allows shadowing.
|
| This is a possible security issue, so it's not enabled by default.
|
| To enable shadowing other users beside the own user copy nxshadowacl.sample to
| $PATH_BIN/nxshadowacl and add your rules here.
|
| 2. Selecting which sessions are shadowable
|
| So now shadowacl.sample gets another argument. That one of the user, which is trying to shadow
| the session.
|
| Let me give you another example:
|
| # Deny admin and boss to be shadowed
| [ "$1" = "admin" -o "$1" = "boss" ] && exit 1
|
| # Don't let boss shadow the auditors
| [ "$1" = "auditor" -a "$2" = "boss" ] && exit 1
|
| # Allow all others to be shadowed
| exit 0
|
| I think you can come up with countless possibilities yourself. Speaking of that, has anyone made
| any great nxacl scripts, yet?
|
| If so: Please share.
|
| 3. Asking the user for permission and setting the view mode
|
| This is for now controlled by the global variables that are known from !M NX Server.
|
| If ENABLE_SESSION_SHADOWING_AUTHORIZATION is set to "1", the user is asked before the
| cookie is transmitted, if he wants his session to be shared. After a timeout of 60
| (AGENT_STARTUP_TIMEOUT) the dialog is closed again and the operation deemed a failure.
|
| The ENABLE_INTERACTIVE_SESSION_SHADOWING is directly given as -viewonly or -shadowmode
| to x11vnc / nxagent -S.
|
| However if you find this too restrictive for admin to not be able to help others without their
| confirmation and only view what is happening, you can use a custom admin.node.conf
| configuration file with custom shadow mode settings.
|
| Usermode and SUID Wrapper
| ==================
|
| We are now very close to login directly with users and I also heard of a C program, which can be
| seamlessly put between nxclient and nxssh. So with client support we now have three
| alternatives:
|
| 1. Login as user via ssh and connect to server with ssh command on server again.
| 2. Login as user and use usermode to save all sessions locally for each user.
| 3. Use a SUID nx (not root!) wrapper to startup a new "trusted" session.
|
| One is error prone, two is good, but loses the central structure, three is best of both worlds and
| with being suid nx also has the most advantages, however not the dreaded public key problems.
|
| _Yes_, this means if you use the suid wrapper, you still need the nx user, but you can remove the
| public keys and it'll still work.
|
| The SUID wrapper is a part from the work of the redesign and thanks goes to Alistair Riddoch from
| Google here.
|
| So how do I enable it on a new installation?
|
| - sudo make install
| - nxsetup # note: No setup nomachine key here!
| - # Uncomment the suid_install line in Makefile
| - sudo make install
| - # Done.
|
| Now you just need one of the wrapper functions from SVN (nxssh) and nbartos also said he had a
| nice C program, so I hope he publishes it.
|
| The wrapper is doing the first part of the authentication, logging the user in via ssh, then the
| following command is started: $PATH_BIN/nxserver-suid
|
| And voila the user is logged in!
|
| The same goes for usermode, to enable the usermode with a central installation is now much
| easier:
|
| - Login
| - Run $PATH_BIN/nxserver-usermode
|
| Also each user can track his own sessions this way:
|
| - $PATH_BIN/nxserver-usermode --list
|
| So these features enable you to finally remove the dreaded public key setup part (using a wrapper of
| course) and all problems that come with it.
|
| Whatever way you choose ...
|
| And as that is still quite some work, I have prepared and uploaded a ready made tarball for you!
|
| It is available from:
|
| http://download.berlios.de/freenx/NX4U.tar.gz
|
| And I even made it so that this can be unpacked wherever you want and it'll automatically find all
| binaries.
|
| And this is not limited to user mode, but all normal FreeNX features are supported.
|
| So for example unpack in /opt/NX4U/, run /opt/NX4U/nxsetup --install --setup-nomachine-key
| and you are ready to go.
|
| However if you use the usermode, not even that is needed!
|
| Okay, I said you need a wrapper? You are extremely lucky, I now wrote one in C, which I also
| already cross-compiled for you for Windows!
|
| == NX Client Wrapper ==
|
| The wrapper is very very powerful and all options can be chosen in NX Client.
|
| How to use it?
|
| Download:
|
| http://download.berlios.de/freenx/nxssh
|
| or
|
| http://download.berlios.de/freenx/nxssh.exe
|
| Rename nxssh(.exe) from !M NX Client to mxssh(.exe).
|
| Put new nxssh(.exe) into place.
|
| Make it executable if you are on linux. (chmod a+x nxssh)
|
| Done.
|
| Now you can either wrap all connections by exporting the environment variable NXWRAP=1 before
| starting nxclient.
|
| Or you can instead of hostname use:
|
| @hostname and set "Enable SSL Encryption" to "yes".
|
| Now it's wrapped and the password put into the nxclient dialog is _automatically_ used for
| authentication of the user.
|
| So, you (on linux) want to use your public key setup instead?
|
| No problem, just use as username:
|
| @username
|
| So, I want to connect with my private key to host big-machine, I would then put into NX Client:
|
| Host: @big-machine
| User: @ff
|
| And your normal ssh options + ssh-askpass are used.
|
| Note: By default SSH_ASKPASS environment variable is set to /usr/bin/ssh-askpass. If you have
| something different, you need to export that _before_ starting nxclient.
|
| There is also nxssh-wrapper available in SVN (from which nxssh-4US was converted) if you prefer
| to edit a shell script.
|
| (http://svn.berlios.de/svnroot/repos/freenx/trunk/freenx-utils/nxpublickey/nxssh-wrapper)
|
| Sooo!
|
| But now you want to use usermode and not suid mode or you have installed NX4U in a
| non-standard location.
|
| The wrapper knows it all.
|
| It searches first for a suitable nxserver-suid program, then for nxserver-usermode and lastly fails.
|
| And it searches in a long PATH ...
|
| ~/bin:~/NX4U/:/usr/NX/bin:/opt/NX/bin:/opt/NX4U/bin/:/usr/NX4U/bin:/usr/local/NX4U/bin:/usr/lib/nx/bin
|
| If however you want to use usermode and not suid mode or vice versa you can use the following
| syntax:
|
| user@U for usermode (or @user@U)
|
| or:
|
| user@S for suid mode (or @user@S)
|
| And you can even specify a completely different binary path with a ':'
|
| So:
|
| [@]user[@<S|U>[:path-to-command]]
|
| is the full syntax!
|
| Example for installation in /tmp/NX4U/ with public key usage.
|
| @ff@U:/tmp/NX4U/bin/nxserver-usermode
|
| And it all works!
|
| So, now NX installation really is as simple as untarring, changing client to use wrapper and BAM!
| running!
|
| Okay, after this much features and me working since days on the RL announcement ( I _had_ to
| make that wrapper!) let's take a small look at the other changes!
|
| - Failed login attempts are now logged to syslog(3).
|
| - nxagent has -nolisten tcp by default set as EXTRA_OPTIONS_X:
|
| Note in a load balancing + shadow mode case it might be wanted that nxagent is callable via
| remote.
|
| - Bash is used for all tasks as sh is dash on ubuntu.
|
| - mv was not working for failed or terminated sessions due to a typo. (YEAH! Finally found the
| bug!)
|
| - I found a very old patch (2005), which enables connection from 32 bit to 24 bit and vice-versa.
| Ooops, I forgot that one, I think ...
|
| - 3.2.0 support!
|
| - The Makefile now actually stops on errors. Thanks goes to: Hai Zaar <haizaar at gmail.com>
|
| - I disabled the PASSDB auth mode as always people find old tutorials and think it's necessary,
| while it's not. I also added a nice notice. If you had used it before and want to continue using it, be
| sure to reenable it in nxloadconfig / node.conf.
|
| - Lots of rdesktop fixes by the Community were included including that run application now
| actually works!
|
| - I added the ConsoleKit application by Ubuntu team, though I think I might still be missing
| something for full integration. This someone needs to explain to me ;-).
|
| - The slave mode now actually is the default as I got no reports that it did not work and it did work
| for me always since last release, so time to give it to a wider audience. (Also it's needed for
| nxserver-suid).
|
| If you have any problems with it, disable it in node.conf.
|
| And here is the full changelog!
|
| 18.08.2008 FreeNX 0.7.3 "Priscilla One Year Edition"
| * Opened the 0.7.3 development.
| * Added logging of failed authentication attempts
| to auth.log via syslog (3). This can be disabled by
| setting ENABLE_LOG_FAILED_LOGINS="0".
| (fabianx at bat.berlios.de)
| * Added -nolisten tcp to nxagent invocation.
| (fabianx at bat.berlios.de, idea by pappy- (Gentoo))
| * Used bash for all tasks as 'sh' might be not what we want
| on standard ubuntu.
| (fabianx at bat.berlios.de, thx to tan (IRC))
| * Finally fixed mv not working for failed or terminated
| sessions.
| (fabianx at bat.berlios.de, Terje Andersen <terander at guard.zapto.org>)
| * Added patch from 2005 to enable reconnect to 24-bit display via
| 32-bit or vice versa. Oops :)
| (Sunil <funtoos at yahoo.com> )
| * Added 3.2.0 as a backend version for nxloadconfig.
| (fabianx at bat.berlios.de)
| * Added configuration key ENABLE_SOURCE_BASH_PROFILE for toggling of
| sourcing ~/.bash_profile.
| (fabianx at bat.berlios.de)
| * Added /usr/bin/xauth as default key and used /usr/X11R6/bin/xauth as
| fallback.
| (fabianx at bat.berlios.de)
| * Fixed Makefile to stop on all errors.
| (Idea by Hai Zaar <haizaar at gmail.com>, fabianx at bat.berlios.de)
| * Changed the default for ENABLE_PASSDB_AUTHENTICATION. If you had
| added a user with different password via --adduser consider
| re-activating this option in node.conf.
| (fabianx at bat.berlios.de)
| * Added constraints for passdb based commands. They are only available
| when ENABLE_PASSDB_AUTHENTICATION="1" else a friendly error message
| is shown. This should help with users using old tutorials.
| (fabianx at bat.berlios.de)
| * Added unix-console patch. Added default handler as unix-default with
| a fallback to xterm,
| (Idea by Jens Hatlak <jh at junetz.de>, fabianx at bat.berlios.de)
| * Fixed external rdesktop keyboards: A "$" was missing.
| (Bug by Phil Stricker <stril at gmx.de>, fabianx at bat.berlios.de)
| * Added workaround for "ch" keyboard layout to nxdesktop_helper,
| which NXClient 3.2.0 means as de-ch.
| (Bug by Phil Stricker <stril at gmx.de>, fabianx at bat.berlios.de)
| * Added clean target to Makefile.
| (Based on patch by Ubuntu FreeNX-Team, fabianx at bat.berlios.de)
| * Use :0.0 if mirrorhost is 127.0.0.1 and add -localhost for
| enhanced security. Also increase sleep timeout for slow machines.
| (Based on Patch by Jeremy Wilkins <wjeremy at shaw.ca>, fabianx at bat.berlios.de)
| * Allow RDP "Run application" sessions to work correctly.
| (David Corral < davefury at gmail.com > & the Silice Telecom staff,
| fabianx at bat.berlios.de)
| * Merge Xresources on startup of session.
| (Jeremy Wilkins <wjeremy at shaw.ca>)
| * Added nx-session-launcher from Ubuntu FreeNX-Team to use FreeNX with
| ConsoleKit.
| (marceloshima at gmail.com, fabianx at bat.berlios.de)
| * Moved logging functions to a more appropriate place.
| (fabianx at bat.berlios.de)
| * Finally fixed the bug when NX Client was stopped on "Negotiating
| link parameters" and failed session after first session suspend.
| (fabianx at bat.berlios.de)
| * Fixed missing "fi" statement. In fact it was a missing ";;".
| (fabianx at bat.berlios.de)
| * Used source instead of "." for Makefile. (Closes: #13954)
| (fabianx at bat.berlios.de)
| * Allow passwords with '\' by changing read -s to read -r -s.
| (Closes: #10699)
| (Patch by rpfuller at bat.berlios.de, fabianx at bat.berlios.de)
| * Allow passwords with special chars by using new url_decode on
| agent_password. (Closes: #10248)
| (fabianx at bat.berlios.de)
| * Fixed start/stop exit codes.
| (Patch by Gentoo Portage, fabianx at bat.berlios.de)
| * Finally checked for all service ports. (cups, media, samba)
| and also checked it on the host where the load balancing actually
| leads to.
| (fabianx at bat.berlios.de)
| * Fixed broken fallback logic if SSH_CLIENT variables cannot be read
| correctly.
| (fabianx at bat.berlios.de)
| * Overhauled the usermode:
| * There are now two modes of operation.
| - One statically setting the
| ENABLE_USERMODE_AUTHENTICATION key
| in node.conf. (old behavior)
| - Or using nxserver-usermode as startup
| binary, which directly goes into the 103 stage.
| * Fixed using commandline parameters like --cleanup
| for static usermode.
| * Enabled the root commandline parameters in usermode.
| * Fixed usage of "nx" user as normal user in usermode.
| * Disabled slave mode and load balancing for usermode.
| * Fixed creation of the logfile directory.
| * Fixed nxnode usage of SSH_CLIENT using fallback mechanism.
| (Patch by nbartos at bat.berlios.de, fabianx at bat.berlios.de)
| * Added disabled nxserver-suid wrapper with help from Google. To
| enable it uncomment the suid_install target in Makefile.
| ( Alistair Riddoch <alriddoch at google.com>, fabianx at bat.berlios.de)
| * Automatically disabled slave mode, when load balancing is activated.
| (fabianx at bat.berlios.de)
| * Made ENABLE_SLAVE_MODE="1" the new default as it's faster
| and more reliable. If you encounter any problems with it,
| disable it in node.conf.
| (fabianx at bat.berlios.de)
| * Changed type for external agents to windows-helper or vnc-helper
| so that those sessions can be mirrored / shadowed as well.
| (fabianx at bat.berlios.de)
| * Added nxshadowacl.sample component to be able to shadow
| foreign sessions.
| (fabianx at bat.berlios.de)
| * Prepared shadowing foreign users for VNC-shadowing.
| (fabianx at bat.berlios.de)
| * Added shadow support to --listsession command.
| (fabianx at bat.berlios.de)
| * Added shadow mode as nxagent target.
| (fabianx at bat.berlios.de)
| * Fixed shadow mode and made it usable.
| (Patch by Amin Shehata <amino7 at yahoo dot com>, fabianx at bat.berlios.de)
|
| It was a great time with you community, I loved and integrated all patches that I could find, I have
| now finally taken the step to do not only a source release, but a binary release as well!
|
| With the new wrappers I think it's possible to finally circumvent the whole things of public key
| problems and tune to what is really needed.
|
| The "nx" user is still needed for the suid case, however an installation not using ssh public key
| auth via nx user could look like:
|
| # cd ~
| # wget http://download.berlios.de/freenx/NX4U.tar.gz
| # cd /opt
| # tar xzf ~/NX4U.tar.gz
| # /opt/NX4U/bin/nxsetup --install
| # /opt/NX4U/bin/nxserver --stop # remove public key
| # chown nx /opt/NX4U/bin/nxserver-suid
| # chmod u+s /opt/NX4U/bin/nxserver-suid
|
| I also have started to integrate things like the suid wrapper from the freenx-redesign branch.
|
| Enjoy the release and grab it from:
|
| http://download.berlios.de/freenx/freenx-server-0.7.3.tar.gz
|
| Best Wishes and May the Sun shine on You,
|
| Fabian
|
| PS:
|
| Addendum for manual installation of NX Usermode:
|
| If you want to run from $HOME, you can change nxloadconfig to have:
|
| - patch -p0 < gentoo-nomachine.diff
| - # edit nxloadconfig and set NX_DIR=$HOME/NX4U/
| - perl -pi -e 's,NX_DIR=.*,NX_DIR=\$HOME/NX4U/,' nxloadconfig
| - # edit nxloadconfig and set CUPS_BACKEND="$HOME/NX4U/cups/" so Makefile does
| - # not complain
| - perl -pi -e 's,CUPS_BACKEND=.*,CUPS_BACKEND="\$HOME/NX4U/cups/backend/",' nxloadconfig
| - # in place fix Makefile
| - perl -pi -e 's,NX_VERSION,NX_VERSION NX_ETC_DIR,' Makefile
| - # install it!
| - make && make install
|
| - Now either compile and install the binaries for yourself or copy only nxagent and the libs from !M
| tarball.
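
An added example, not part of the original post or of FreeNX's nxshadowacl.sample: a default-deny variant of the nxshadowacl rules described in the announcement, written as a POSIX shell function. The user names and the owner:viewer pair list are constructed, and the one-argument call (step 1) versus two-argument call (step 2) follows the post's description.

```shell
#!/bin/sh
# Default-deny shadow ACL (added example, hypothetical policy data).
# $1 = user whose session would be shadowed
# $2 = user asking to shadow (absent when the server only asks whether
#      $1 may be shadowed at all, i.e. whether to store the shadow cookie)

NEVER_SHADOWED="admin boss"                                 # constructed
ALLOWED_PAIRS="alice:helpdesk bob:helpdesk auditor:admin"   # constructed

shadow_allowed() {
    _owner="$1"
    _viewer="${2-}"

    # Refuse empty or unusual names instead of letting them reach a rule.
    case "$_owner" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    case "$_viewer" in *[!A-Za-z0-9._-]*) return 1 ;; esac

    for _name in $NEVER_SHADOWED; do
        [ "$_owner" = "$_name" ] && return 1
    done

    if [ -z "$_viewer" ]; then
        # Step 1: keep a cookie only if at least one viewer could ever use it.
        for _pair in $ALLOWED_PAIRS; do
            [ "${_pair%%:*}" = "$_owner" ] && return 0
        done
        return 1
    fi

    # Step 2: only explicitly listed owner:viewer pairs pass.
    for _pair in $ALLOWED_PAIRS; do
        [ "$_pair" = "$_owner:$_viewer" ] && return 0
    done
    return 1
}

# Called with arguments, behave like nxshadowacl: the exit status is the decision.
if [ $# -gt 0 ]; then
    shadow_allowed "$@"
    exit $?
fi
```

Unlike the quoted samples, which end in `exit 0`, a user who is not named in the pair list is refused, so a forgotten rule fails closed.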
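
An added example, not the nxssh wrapper's own code: a shell parser for the `[@]user[@<S|U>[:path-to-command]]` user field syntax given in the announcement. The `NX_*` variable names and the character checks on the user name and command path are assumptions of this example.

```shell
#!/bin/sh
# Parse the NX Client "User" field: [@]user[@<S|U>[:path-to-command]]
# On success sets:
#   NX_KEYAUTH  1 if a leading "@" asked for the user's own ssh key setup
#   NX_USER     login name
#   NX_MODE     S (suid), U (usermode) or empty (let the wrapper search)
#   NX_CMD      explicit server-side binary path, or empty
# Returns 1 for anything that does not fit the syntax.
parse_nx_user() {
    _spec="$1"
    NX_KEYAUTH=0; NX_USER=; NX_MODE=; NX_CMD=

    case "$_spec" in
        @*) NX_KEYAUTH=1; _spec="${_spec#@}" ;;
    esac

    NX_USER="${_spec%%@*}"
    case "$NX_USER" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac

    case "$_spec" in
        *@*) _rest="${_spec#*@}" ;;
        *)   return 0 ;;              # plain "user" or "@user"
    esac

    NX_MODE="${_rest%%:*}"
    case "$NX_MODE" in S|U) ;; *) return 1 ;; esac

    case "$_rest" in
        *:*) NX_CMD="${_rest#*:}" ;;
        *)   return 0 ;;              # mode given, no path
    esac

    # The path names a program started on the server after login, so accept
    # only an absolute path made of ordinary file name characters.
    case "$NX_CMD" in /*) ;; *) return 1 ;; esac
    case "$NX_CMD" in *[!A-Za-z0-9._/-]*) return 1 ;; esac
    return 0
}

# The announcement's own example value.
if parse_nx_user '@ff@U:/tmp/NX4U/bin/nxserver-usermode'; then
    echo "keyauth=$NX_KEYAUTH user=$NX_USER mode=$NX_MODE cmd=$NX_CMD"
fi
```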