[FreeNX-kNX] Release: FreeNX 0.7.3 'Priscilla One Year Edition'
Durk Strooisma
durk at kern.nl
Tue Sep 2 08:22:06 UTC 2008
Thanks for your great work! This release seems awesome.
Durk
> Hi All,
>
> it is done. it is released.
>
> FreeNX 0.7.3 is released and I am proud to present lots of nice new
> features and especially I hunted the bug list down (BerliOS Project
> Page) and got them all.
>
> Including the dreaded "Resume fails with Negotiating Link Parameters
> and nxssh.exe still running.".
>
> Perhaps the two biggest new features are full shadow support and the
> overhaul of the usermode.
>
> I am grateful to Amin Shehata here for his work and motivation on the
> shadow mode and Mr. N. Bartos, who did present me with a complete
> changeset for the usermode.
>
> I also made the VNC shadowing behave the exact same as the normal
> shadow mode.
>
> SHADOWING VIA NX AND VNC Resume
> ========================
>
> Shadowing (also other users) works in three steps:
>
> 1. Saving the shadow cookie (obviously not needed for same user)
>
> First, when a session is started or resumed nxshadowacl is asked, if
> this user should be allowed to be shadowed.
>
> This way in nxshadowacl there could be a line like:
>
> # Deny admin and boss to be shadowed
> [ "$1" = "admin" -o "$1" = "boss" ] && exit 1
>
> # Allow all others to be shadowed
> exit 0
>
> I did use this approach as the nxserver is storing the shadowcookie in
> the session file if nxshadowacl allows shadowing.
>
> This is a possible security issue, so it's not enabled by default.
>
> To enable shadowing other users beside the own user copy
> nxshadowacl.sample to $PATH_BIN/nxshadowacl and add your rules here.
>
> 2. Selecting which sessions are shadowable
>
> So now shadowacl.sample gets another argument. That one of the user,
> which is trying to shadow the session.
>
> Let me give you another example:
>
> # Deny admin and boss to be shadowed
> [ "$1" = "admin" -o "$1" = "boss" ] && exit 1
>
> # Don't let boss shadow the auditors
> [ "$1" = "auditor" -a "$2" = "boss" ] && exit 1
>
> # Allow all others to be shadowed
> exit 0
>
> I think you can come up with countless possibilities yourself. Speaking
> of that, has anyone made any great nxacl scripts, yet?
>
> If so: Please share.
>
> 3. Asking the user for permission and setting the view mode
>
> This is for now controlled by the global variables that are known from
> !M NX Server.
>
> If ENABLE_SESSION_SHADOWING_AUTHORIZATION is set to "1", the user is
> asked before the cookie is transmitted, if he wants his session to be
> shared. After a timeout of 60 (AGENT_STARTUP_TIMEOUT) the dialog is
> closed again and the operation deemed a failure.
>
> The ENABLE_INTERACTIVE_SESSION_SHADOWING is directly given as -viewonly
> or -shadowmode to x11vnc / nxagent -S.
>
> However if you find this too restrictive for admin to not be able to
> help others without their confirmation and only view what is
> happening, you can use a custom admin.node.conf configuration file
> with custom shadow mode settings.
>
> Usermode and SUID Wrapper
> ==================
>
> We are now very close to login directly with users and I also heard of
> a C program, which can be seamlessly put between nxclient and nxssh.
> So with client support we now have three alternatives:
>
> 1. Login as user via ssh and connect to server with ssh command on
>    server again.
> 2. Login as user and use usermode to save all sessions locally for
>    each user.
> 3. Use a SUID nx (not root!) wrapper to startup a new "trusted"
>    session.
>
> One is error prone, two is good, but loses the central structure,
> three is best of both worlds and with being suid nx also has the most
> advantages, however not the dreaded public key problems.
>
> _Yes_, this means if you use the suid wrapper, you still need the nx
> user, but you can remove the public keys and it'll still work.
>
> The SUID wrapper is a part from the work of the redesign and thanks
> goes to Alistair Riddoch from Google here.
>
> So how do I enable it on a new installation?
>
> - sudo make install
> - nxsetup # note: No setup nomachine key here!
> - # Uncomment the suid_install line in Makefile
> - sudo make install
> - # Done.
>
> Now you just need one of the wrapper functions from SVN (nxssh) and
> nbartos also said he had a nice C program, so I hope he publishes it.
>
> The wrapper is doing the first part of the authentication, logging the
> user in via ssh, then the following command is started:
> $PATH_BIN/nxserver-suid
>
> And voila the user is logged in!
>
> The same goes for usermode, to enable the usermode with a central
> installation is now much easier:
>
> - Login
> - Run $PATH_BIN/nxserver-usermode
>
> Also each user can track his own sessions this way:
>
> - $PATH_BIN/nxserver-usermode --list
>
> So these features enable you to finally remove the dreaded public key
> setup part (using a wrapper of course) and all problems that come with
> it.
>
> Whatever way you choose ...
>
> And as that is still quite some work, I have prepared and uploaded a
> ready made tarball for you!
>
> It is available from:
>
> http://download.berlios.de/freenx/NX4U.tar.gz
>
> And I even made it so that this can be unpacked wherever you want and
> it'll automatically find all binaries.
>
> And this is not limited to user mode, but all normal FreeNX features
> are supported.
>
> So for example unpack in /opt/NX4U/, run /opt/NX4U/nxsetup --install
> --setup-nomachine-key and you are ready to go.
>
> However if you use the usermode, not even that is needed!
>
> Okay, I said you need a wrapper? You are extremely lucky, I now wrote
> one in C, which I also already cross-compiled for you for Windows!
>
> == NX Client Wrapper ==
>
> The wrapper is very very powerful and all options can be chosen in NX
> Client.
>
> How to use it?
>
> Download:
>
> http://download.berlios.de/freenx/nxssh
>
> or
>
> http://download.berlios.de/freenx/nxssh.exe
>
> Rename nxssh(.exe) from !M NX Client to mxssh(.exe).
>
> Put new nxssh(.exe) into place.
>
> Make it executable if you are on linux. (chmod a+x nxssh)
>
> Done.
>
> Now you can either wrap all connections by exporting the environment
> variable NXWRAP=1 before starting nxclient.
>
> Or you can instead of hostname use:
>
> @hostname and set "Enable SSL Encryption" to "yes".
>
> Now it's wrapped and the password put into the nxclient dialog is
> _automatically_ used for authentication of the user.
>
> So, you (on linux) want to use your public key setup instead?
>
> No problem, just use as username:
>
> @username
>
> So, I want to connect with my private key to host big-machine, I would
> then put into NX Client:
>
> Host: @big-machine
> User: @ff
>
> And your normal ssh options + ssh-askpass are used.
>
> Note: By default SSH_ASKPASS environment variable is set to
> /usr/bin/ssh-askpass. If you have something different, you need to
> export that _before_ starting nxclient.
>
> There is also nxssh-wrapper available in SVN (from which nxssh-4US was
> converted) if you prefer to edit a shell script.
>
> (http://svn.berlios.de/svnroot/repos/freenx/trunk/freenx-utils/nxpublickey/nxssh-wrapper)
>
> Sooo!
>
> But now you want to use usermode and not suid mode or you have
> installed NX4U in a non-standard location.
>
> The wrapper knows it all.
>
> It searches first for a suitable nxserver-suid program, then for
> nxserver-usermode and lastly fails.
>
> And it searches in a long PATH ...
>
>
> ~/bin:~/NX4U/:/usr/NX/bin:/opt/NX/bin:/opt/NX4U/bin/:/usr/NX4U/bin:/usr/local/NX4U/bin:/usr/lib/nx/bin
>
> If however you want to use usermode and not suid mode or vice versa
> you can use the following syntax:
>
> user@U for usermode (or @user@U)
>
> or:
>
> user@S for suid mode (or @user@S)
>
> And you can even specify a completely different binary path with a ':'
>
> So:
>
> [@]user[@<S|U>[:path-to-command]]
>
> is the full syntax!
>
> Example for installation in /tmp/NX4U/ with public key usage.
>
> @ff@U:/tmp/NX4U/bin/nxserver-usermode
>
> And it all works!
>
> So, now NX installation really is as simple as untaring, changing
> client to use wrapper and BAM! running!
>
> Okay, after this much features and me working since days on the RL
> announcement (I _had_ to make that wrapper!) let's take a small look
> at the other changes!
>
> - Failed login attempts are now logged to syslog(3).
>
> - nxagent has -nolisten tcp by default set as EXTRA_OPTIONS_X:
>
> Note in a load balancing + shadow mode case it might be wanted that
> nxagent is callable via remote.
>
> - Bash is used for all tasks as sh is dash on ubuntu.
>
> - mv was not working for failed or terminated sessions due to a typo.
> (YEAH! Finally found the bug!)
>
> - I found a very old patch (2005), which enables connection from 32 bit
> to 24 bit and vice-versa. Ooops, I forgot that one, I think ...
>
> - 3.2.0 support!
>
> - The Makefile now actually stops on errors. Thanks goes to: Hai Zaar
> <haizaar at gmail.com>
>
> - I disabled the PASSDB auth mode as always people find old tutorials
> and think it's necessary, while it's not. I also added a nice notice. If
> you had used it before and want to continue using it, be sure to
> reenable it in nxloadconfig / node.conf.
>
> - Lots of rdesktop fixes by the Community were included including that
> run application now actually works!
>
> - I added the ConsoleKit application by Ubuntu team, though I think I
> might still be missing something for full integration. This someone
> needs to explain to me ;-).
>
> - The slave mode now actually is the default as I got no reports that
> it did not work and it did work for me always since last release, so
> time to give it to a wider audience. (Also it's needed for
> nxserver-suid).
>
> If you have any problems with it, disable it in node.conf.
>
> And here is the full changelog!
>
> 18.08.2008 FreeNX 0.7.3 "Priscilla One Year Edition"
> * Opened the 0.7.3 development.
> * Added logging of failed authentication attempts
> to auth.log via syslog (3). This can be disabled by
> setting ENABLE_LOG_FAILED_LOGINS="0".
> (fabianx at bat.berlios.de)
> * Added -nolisten tcp to nxagent invocation.
> (fabianx at bat.berlios.de, idea by pappy- (Gentoo))
> * Used bash for all tasks as 'sh' might be not what we want
> on standard ubuntu.
> (fabianx at bat.berlios.de, thx to tan (IRC))
> * Finally fixed mv not working for failed or terminated
> sessions.
> (fabianx at bat.berlios.de, Terje Andersen
> <terander at guard.zapto.org>)
> * Added patch from 2005 to enable reconnect to 24-bit display via
> 32-bit or vice versa. Oops :)
> (Sunil <funtoos at yahoo.com> )
> * Added 3.2.0 as a backend version for nxloadconfig.
> (fabianx at bat.berlios.de)
> * Added configuration key ENABLE_SOURCE_BASH_PROFILE for toggling of
> sourcing ~/.bash_profile.
> (fabianx at bat.berlios.de)
> * Added /usr/bin/xauth as default key and used /usr/X11R6/bin/xauth as
> fallback.
> (fabianx at bat.berlios.de)
> * Fixed Makefile to stop on all errors.
> (Idea by Hai Zaar <haizaar at gmail.com>, fabianx at bat.berlios.de)
> * Changed the default for ENABLE_PASSDB_AUTHENTICATION. If you had
> added a user with different password via --adduser consider
> re-activating this option in node.conf.
> (fabianx at bat.berlios.de)
> * Added constraints for passdb based commands. They are only available
> when ENABLE_PASSDB_AUTHENTICATION="1" else a friendly error
> message is shown. This should help with users using old
> tutorials.
> (fabianx at bat.berlios.de)
> * Added unix-console patch. Added default handler as unix-default with
> a fallback to xterm.
> (Idea by Jens Hatlak <jh at junetz.de>, fabianx at bat.berlios.de)
> * Fixed external rdesktop keyboards: A "$" was missing.
> (Bug by Phil Stricker <stril at gmx.de>, fabianx at bat.berlios.de)
> * Added workaround for "ch" keyboard layout to nxdesktop_helper,
> which NXClient 3.2.0 means as de-ch.
> (Bug by Phil Stricker <stril at gmx.de>, fabianx at bat.berlios.de)
> * Added clean target to Makefile.
> (Based on patch by Ubuntu FreeNX-Team, fabianx at bat.berlios.de)
> * Use :0.0 if mirrorhost is 127.0.0.1 and add -localhost for
> enhanced security. Also increase sleep timeout for slow
> machines.
> (Based on Patch by Jeremy Wilkins <wjeremy at shaw.ca>,
> fabianx at bat.berlios.de)
> * Allow RDP "Run application" sessions to work correctly.
> (David Corral < davefury at gmail.com > & the Silice Telecom staff,
> fabianx at bat.berlios.de)
> * Merge Xresources on startup of session.
> (Jeremy Wilkins <wjeremy at shaw.ca>)
> * Added nx-session-launcher from Ubuntu FreeNX-Team to use FreeNX with
> ConsoleKit.
> (marceloshima at gmail.com, fabianx at bat.berlios.de)
> * Moved logging functions to a more appropriate place.
> (fabianx at bat.berlios.de)
> * Finally fixed the bug when NX Client was stopped on "Negotiating
> link parameters" and failed session after first session
> suspend.
> (fabianx at bat.berlios.de)
> * Fixed missing "fi" statement. In fact it was a missing ";;".
> (fabianx at bat.berlios.de)
> * Used source instead of "." for Makefile. (Closes: #13954)
> (fabianx at bat.berlios.de)
> * Allow passwords with '\' by changing read -s to read -r -s.
> (Closes: #10699)
> (Patch by rpfuller at bat.berlios.de, fabianx at bat.berlios.de)
> * Allow passwords with special chars by using new url_decode on
> agent_password. (Closes: #10248)
> (fabianx at bat.berlios.de)
> * Fixed start/stop exit codes.
> (Patch by Gentoo Portage, fabianx at bat.berlios.de)
> * Finally checked for all service ports. (cups, media, samba)
> and also checked it on the host where the load balancing
> actually leads to.
> (fabianx at bat.berlios.de)
> * Fixed broken fallback logic if SSH_CLIENT variables cannot be read
> correctly.
> (fabianx at bat.berlios.de)
> * Overhauled the usermode:
>   * There are now two modes of operation.
>     - One statically setting the ENABLE_USERMODE_AUTHENTICATION key
>       in node.conf. (old behavior)
>     - Or using nxserver-usermode as startup
>       binary, which directly goes into the 103 stage.
>   * Fixed using commandline parameters like --cleanup
>     for static usermode.
>   * Enabled the root commandline parameters in usermode.
>   * Fixed usage of "nx" user as normal user in usermode.
>   * Disabled slave mode and load balancing for usermode.
>   * Fixed creation of the logfile directory.
>   * Fixed nxnode usage of SSH_CLIENT using fallback
>     mechanism.
> (Patch by nbartos at bat.berlios.de, fabianx at bat.berlios.de)
> * Added disabled nxserver-suid wrapper with help from Google. To
> enable it uncomment the suid_install target in Makefile.
> (Alistair Riddoch <alriddoch at google.com>,
> fabianx at bat.berlios.de)
> * Automatically disabled slave mode, when load balancing is
> activated.
> (fabianx at bat.berlios.de)
> * Made ENABLE_SLAVE_MODE="1" the new default as it's faster
> and more reliable. If you encounter any problems with it,
> disable it in node.conf.
> (fabianx at bat.berlios.de)
> * Changed type for external agents to windows-helper or vnc-helper
> so that those sessions can be mirrored / shadowed as well.
> (fabianx at bat.berlios.de)
> (fabianx at bat.berlios.de)
> * Added nxshadowacl.sample component to be able to shadow
> foreign sessions.
> (fabianx at bat.berlios.de)
> * Prepared shadowing foreign users for VNC-shadowing.
> (fabianx at bat.berlios.de)
> * Added shadow support to --listsession command.
> (fabianx at bat.berlios.de)
> * Added shadow mode as nxagent target.
> (fabianx at bat.berlios.de)
> * Fixed shadow mode and made it usable.
> (Patch by Amin Shehata <amino7 at yahoo dot com>,
> fabianx at bat.berlios.de)
>
> It was a great time with you community, I loved and integrated all
> patches that I could find, I have now finally taken the step to do not
> only a source release, but a binary release as well!
>
> With the new wrappers I think it's possible to finally circumvent the
> whole things of public key problems and tune to what is really needed.
>
> The "nx" user is still needed for the suid case, however an
> installation not using ssh public key auth via nx user could look
> like:
>
> # cd ~
> # wget http://download.berlios.de/freenx/NX4U.tar.gz
> # cd /opt
> # tar xzf ~/NX4U.tar.gz
> # /opt/NX4U/bin/nxsetup --install
> # /opt/NX4U/bin/nxserver --stop # remove public key
> # chown nx /opt/NX4U/bin/nxserver-suid
> # chmod u+s /opt/NX4U/bin/nxserver-suid
>
> I also have started to integrate things like the suid wrapper from the
> freenx-redesign branch.
>
> Enjoy the release and grab it from:
>
> http://download.berlios.de/freenx/freenx-server-0.7.3.tar.gz
>
> Best Wishes and May the Sun shine on You,
>
> Fabian
>
> PS:
>
> Addendum for manual installation of NX Usermode:
>
> If you want to run from $HOME, you can change nxloadconfig to have:
>
> - patch -p0 < gentoo-nomachine.diff
> - # edit nxloadconfig and set NX_DIR=$HOME/NX4U/
> - perl -pi -e 's,NX_DIR=.*,NX_DIR=\$HOME/NX4U/,' nxloadconfig
> - # edit nxloadconfig and set CUPS_BACKEND="$HOME/NX4U/cups/" so Makefile does
> - # not complain
> - perl -pi -e 's,CUPS_BACKEND=.*,CUPS_BACKEND="\$HOME/NX4U/cups/backend/",' nxloadconfig
> - # in place fix Makefile
> - perl -pi -e 's,NX_VERSION,NX_VERSION NX_ETC_DIR,' Makefile
> - # install it!
> - make && make install
>
> - Now either compile and install the binaries for yourself or copy only
> nxagent and the libs from !M tarball.
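
The nxshadowacl contract described in the announcement above ($1 = user to be shadowed, $2 = user asking to shadow, exit 0 to allow) also supports a default-deny policy instead of the "allow all others" samples. The script below is an added example, not part of the original post or FreeNX's nxshadowacl.sample; the account names and the PROTECTED/ALLOW variables are constructed, and treating an empty $2 as the session start/resume call is an assumption.

```bash
#!/bin/bash
# Added example: default-deny nxshadowacl (not FreeNX's nxshadowacl.sample).
#   $1 = user whose session would be shadowed
#   $2 = user asking to shadow; empty on the session start/resume call
#        (assumption based on the three steps described above)
# Return 0 = allow, 1 = deny, as in the samples in the announcement.

# Constructed policy; replace with your own accounts.
PROTECTED="admin boss"                                # never shadowable
ALLOW="helpdesk:alice helpdesk:bob auditor:carol"     # shadower:target

# Accept only plain account names so a name can never contain the
# ':' or ' ' separators used in the policy strings.
valid_name() {
    case "$1" in
        ""|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

shadow_acl() {
    local target="${1:-}" shadower="${2:-}"

    valid_name "$target" || return 1
    case " $PROTECTED " in *" $target "*) return 1 ;; esac

    if [ -z "$shadower" ]; then
        # Session start/resume: let nxserver keep the shadow cookie only
        # if some rule names this user as a target.
        case " $ALLOW " in *":$target "*) return 0 ;; esac
        return 1
    fi

    valid_name "$shadower" || return 1
    case " $ALLOW " in *" $shadower:$target "*) return 0 ;; esac
    return 1    # no matching rule: deny
}

# Constructed demo calls. Installed as $PATH_BIN/nxshadowacl, the script
# would instead end with:  shadow_acl "$1" "$2"; exit $?
for pair in "alice helpdesk" "alice boss" "admin helpdesk" "dave"; do
    set -- $pair
    if shadow_acl "${1:-}" "${2:-}"; then
        echo "allow: $pair"
    else
        echo "deny:  $pair"
    fi
done
```

With this policy a user who appears in no ALLOW rule never has a shadow cookie stored, so a later mistake in the two-argument rules cannot expose that session.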