[FreeNX-kNX] nxsetup to support private key

cedric briner work at infomaniak.ch
Mon Jul 6 09:18:17 UTC 2009


Hello the freenx community,

I've been wanting to setup some freenx machine with my own keys. But 
each times I do so, I lost some times to resolve stupid problem as, 
owner ship of file and permission, known_hosts which doesn't reflect the 
/etc/ssh/ssh_host_rsa_key.pub and so on.

So I modified nxkeygen and nxsetup as follow to achieve this:

nxkeyen
-------
I've added a parse_cmdline() function which add option as:
--generate-from-scratch
--generate-from-scratch                generate keys from random
--generate-from-private-key <priv_key> generate keys from the
                                        private key.
--help                                 Display this help message

and check that the file given is a valid key file.

I also modified slightly the main() procedure by moving the creation of 
keys (local.id and local.id_dsa) in respectively:
generate_key_from_scratch()
generate_key_from_private()

generate_key_from_private use ssh-keygen -y -f to generate the pub key 
from the priv key

when generate_key_from_scratch take back what was previously made.


nxsetup
-------
I've modified the parsecmdline() to give the ability to use a defined 
private key to configure freenx. So now to the choice:
--setup-nomachine-key
you get a new one:
--setup-with-private-key <priv_key>

and
I changed install_nx by adding a new case to manage this new option:
    if [ "$SETUP_NOMACHINE_KEY" = "yes" ]
    then
       ...
    elif [ -n "$PRIVATE_KEY" ]   # <<<< new CASE
    then
       # generate a new key, backup the old and copy it
       # to $SSH_AUTHORIZED_KEYS
       $PATH_BIN/nxkeygen --generate-from-private-key $PRIVATE_KEY
    else
       # generate a new key, backup the old and copy it
       # to $SSH_AUTHORIZED_KEYS
       $PATH_BIN/nxkeygen
    fi


-------

I based my work on :
dpkg -l freenx
ii  freenx 0.7.3+teambzr104-0freenxteam1~hardy1   .....

Because I do not know exactly how I should provide you my work (patches, 
files or others), I simply give you the 2 files modified. If you have 
questions or specific needs to include this modifications, let me know 
and I will help with pleasure.de you my work.

Sincerly and freely

cEd

-- 

Cédric BRINER
Geneva - Switzerland
-------------- next part --------------
#!/bin/bash
#
# /usr/NX/bin/nxkeygen
#		Create a new client/server key pair
#
#		Originally written for Gentoo Linux
#
# Author	Stuart Herbert
#		(stuart at gentoo.org)
#
# Modification  Cedric BRINER     3 july 2009
#               (briner at infomaniak.ch)
#		allow to use a private key to generate :
#               authorized_keys, client.id_dsa.key, server.id_dsa.pub.key
#
# Copyright	(c) 2004 Gentoo Foundation
#		Released under v2 of the GNU GPL
#
# SVN: $Id: nxkeygen 512 2008-03-10 23:01:03Z fabianx $
#
# ========================================================================

parse_cmdline()
{
	while [ "$1" ]
	do
		case "$1" in
			--help) HELP="yes"; shift ;;
			--generate-from-scratch) GENERATE_FROM_SCRATCH="yes"; shift ;;
			--generate-from-private-key) PRIVATE_KEY=$2; shift 2 ;;
			*) echo "Invalid flag $1" ; HELP="yes"; shift ; break ;;
		esac
	done

	#Check for invalid combinations:
	[ "$GENERATE" = "yes" -a -n "$PRIVATE_KEY" ] && HELP="yes"
	
	# Default configuration:
	[ -z "$PRIVATE_KEY" ] && GENERATE_FROM_SCRATCH="yes"


	#check PRIVATE_KEY
	if [ -n "$PRIVATE_KEY" ]
	then
		if [ ! -f "$PRIVATE_KEY" ]
		then
			echo "the private key \"$PRIVATE_KEY\" given with must be a file !"
			echo "usage :"
			HELP="yes"
		else
			TEST_PRIVATE_KEY=$(mktemp -p /tmp private.key.XX)
			cp $PRIVATE_KEY $TEST_PRIVATE_KEY
			chmod 600 $TEST_PRIVATE_KEY
			PUBLIC_KEY=$($COMMAND_SSH_KEYGEN  -y -f $TEST_PRIVATE_KEY  < /dev/null 2> /dev/null)
			if [ -z "$PUBLIC_KEY" ] ; then
				echo "the private key \"$PRIVATE_KEY\" given with --generate-from-private-key must be a valid key !"
				echo "usage :"
				HELP="yes"
			fi
			rm $TEST_PRIVATE_KEY
		fi
	fi

	# Display the help
	if [ "$HELP" = "yes" ]
	then
		echo "nxkeygen - Setup the FreeNX keys."
		echo "                 (authorized_keys, client.id_dsa.key, server.id_dsa.pub.key)"
		echo "Syntax: nxkeygen                                        same as --generate-from-scratch"
		echo "        nxkeygen --generate-from-scratch                generate keys from random"
		echo "        nxkeygen --generate-from-private-key <priv_key> generate keys from the private key."
		echo "        nxkeygen --help                                 Display this help message"
		exit
	fi
}

generate_key_from_scratch()
{
	# create a new key
	umask 177
	$COMMAND_SSH_KEYGEN -q -t dsa -N '' -f ${NX_KEY_DIR}/local.id_dsa
}
generate_key_from_private()
{
	# copy the private key and generate the public one
	umask 177

	echo $PRIVATE_KEY
	cp -f $PRIVATE_KEY ${NX_KEY_DIR}/local.id_dsa
	$COMMAND_SSH_KEYGEN -y -f  ${NX_KEY_DIR}/local.id_dsa > ${NX_KEY_DIR}/local.id_dsa.pub
}
main ()
{
	# backup the existing keys
	
	if [ -f "${NX_SERVER_KEY}" ]; then
		echo "Backing up existing server key to ${NX_SERVER_KEY}.${DATE}"
		mv -f "${NX_SERVER_KEY}" "${NX_SERVER_KEY}.${DATE}"
	fi

	if [ -f "${NX_CLIENT_KEY}" ]; then
		echo "Backing up existing client key to ${NX_CLIENT_KEY}.${DATE}"
		mv -f "${NX_CLIENT_KEY}" "${NX_CLIENT_KEY}.${DATE}"
	fi

	# put the new keys in place

	mv -f "${NX_KEY_DIR}/local.id_dsa" "${NX_CLIENT_KEY}"
	mv -f "${NX_KEY_DIR}/local.id_dsa.pub" "${NX_SERVER_KEY}"

	for x in ${NX_CLIENT_KEY} ${NX_SERVER_KEY} ; do
		chmod 600 $x
		chown nx:root $x
	done
	
	# copy the key to the authorized_keys2 file
	rm -f $NX_KEY_DIR/$SSH_AUTHORIZED_KEYS
	echo -n "no-port-forwarding,no-agent-forwarding,command=\"$PATH_BIN/nxserver\" " >$NX_KEY_DIR/$SSH_AUTHORIZED_KEYS
	cat ${NX_SERVER_KEY} >> $NX_KEY_DIR/$SSH_AUTHORIZED_KEYS

	# Fix ownership of $SSH_AUTHORIZED_KEYS, just in case nxkeygen is run without nxsetup.

	chown nx:root $NX_KEY_DIR/$SSH_AUTHORIZED_KEYS

	# now tell the user what to do

	echo "Unique key generated; your users must install"
	echo
	echo "    ${NX_CLIENT_KEY}"
	echo
	echo "on their computers."
}

# Read the config file
. $(PATH=$(cd $(dirname $0) && pwd):$PATH which nxloadconfig) --

[ -z "$NX_KEY_DIR" ] && NX_KEY_DIR="$NX_HOME_DIR/.ssh"
DATE="`date '+%Y%m%d-%H%M%S'`"
NX_CLIENT_KEY="${NX_KEY_DIR}/client.id_dsa.key"
NX_SERVER_KEY="${NX_KEY_DIR}/server.id_dsa.pub.key"

parse_cmdline "$@"

if [ -f "${NX_SERVER_KEY}" -a -f "${NX_CLIENT_KEY}" -a ! -z "$NX_DONT_OVERRIDE" ]; then
	echo "Not overriding the existing key"
	exit
fi

if [ "$GENERATE_FROM_SCRATCH" = "yes" ] ; then
	generate_key_from_scratch "$@"
elif [ -n "$PRIVATE_KEY" ] ; then
	generate_key_from_private "$@"
fi

main "$@"

-------------- next part --------------
#!/bin/bash

# Coypright (c) 2004-2005 by Fabian Franz <freenx at fabian-franz.de>.
#                    2005 by Jon Severinsson <jonno at users.berlios.de>.
#
# Modification  Cedric BRINER     3 july 2009
#               (briner at infomaniak.ch)
#		allow to use a private key to generate in conjunction with nxkeygen:
#               authorized_keys, client.id_dsa.key, server.id_dsa.pub.key
#
# License: GNU GPL, version 2
#
# SVN: $Id: nxsetup 512 2008-03-10 23:01:03Z fabianx $ 
#

HELP="no"
INSTALL="no"
SETUP_NOMACHINE_KEY="no"
SETUP_UID=""
SETUP_GID=""
LOCAL_USER_OPTION=""
# luseradd / luserdel are only available on RedHat
[ -f /etc/redhat-release ] && LOCAL_USER_OPTION="yes"
SETUP_LOCAL_USER="no"
CLEAN="no"
UNINSTALL="no"
PURGE="no"
SETUP_SSH2_KEY="no"
BUILD_KNOWN_HOSTS="yes"
AUTOMATIC="no"
IGNORE_ERRORS="no"

if [ $UID -ne 0 ]
then
	echo "You need to be root to use this program." 
	exit 1
fi

parse_cmdline()
{
	while [ "$1" ]
	do
		case "$1" in
			--help) HELP="yes"; shift ;;
			--install) INSTALL="yes"; shift ;;
			--ignore-errors) IGNORE_ERRORS="yes"; shift;;
			--setup-nomachine-key) SETUP_NOMACHINE_KEY="yes"; shift ;;
			--setup-with-private-key) PRIVATE_KEY=$2; shift 2 ;;
			--ssh2) SETUP_SSH2_KEY="yes"; shift;;
			--dont-build-known-hosts) BUILD_KNOWN_HOSTS="no"; shift;;
			--uid) SETUP_UID=$2; shift 2 ;;
			--gid) SETUP_GID=$2; shift 2 ;;
			--localuser) SETUP_LOCAL_USER="yes"; shift;;
			--clean) CLEAN="yes"; shift ;;
			--uninstall) UNINSTALL="yes"; shift ;;
			--purge) PURGE="yes"; shift ;;
			--auto) AUTOMATIC="yes"; shift ;;
			--test) TEST="yes"; shift ;;
			--) shift ; break ;;
			*) echo "Invalid flag $1" ; HELP="yes"; shift ; break ;;
		esac
	done

	[ "$TEST" = "yes" ] && return         # If we just test, we can return directly

	#Check for invalid combinations:
	[ "$SETUP_LOCAL_USER" = "yes" -a -z "$LOCAL_USER_OPTION" ] && HELP="yes"
	[ "$SETUP_NOMACHINE_KEY" = "yes" -a -n "$PRIVATE_KEY" ] && HELP="yes"
	[ "$INSTALL" = "yes" -a "$UNINSTALL" = "yes" ] && HELP="yes"
	[ "$INSTALL" = "yes" -a "$CLEAN" = "no" -a "$PURGE" = "yes" ] && HELP="yes"
	[ "$UNINSTALL" = "yes" ] && [ "$SETUP_NOMACHINE_KEY" = "yes" -o -n "$SETUP_UID" -o "$CLEAN" = "yes" ] && HELP="yes"
	[ "$UNINSTALL" = "yes" -a "$CLEAN" = "yes" ] && HELP="yes"
	[ "$SETUP_SSH2_KEY" = "yes" -a "$SETUP_NOMACHINE_KEY" = "no" ] && HELP="yes"
	

	if [ "$INSTALL" = "no" -a "$UNINSTALL" = "no" -a "$AUTOMATIC" = "no" -a "$HELP" = "no" ]
	then
		echo "------> You did select no action."
		echo "        FreeNX guesses that you want to _install_ the server."
		echo "        Type \"y\" to abort the installation at this point in time."
		echo "        \"N\" is the default and continues installation."
		echo "        Use \"${0} --help\" to get more detailed help hints."
		echo ""
		echo -n " Do you want to abort now? [y/N] "
		read -n 1 CHOICE
		echo
		[ "$CHOICE" = "y" ] || INSTALL="yes"
	fi

	[ "$INSTALL" = "no" -a "$UNINSTALL" = "no" ] && HELP="yes"

	if [ "$HELP" = "yes" ]
	then
		echo "nxsetup - Setup the FreeNX server."
		echo "Syntax: nxsetup --help"
		echo "        nxsetup --test [--ignore-errors]"
		echo "        nxsetup --install [--setup-nomachine-key] [--uid <nummber>] [--clean [--purge]]"
		echo "        nxsetup --uninstall [--purge]"
		echo
		echo "  --help                Display this help message."
		echo "  --test                Test the configuration and connection to localhost NX Server."
		echo "  --install             Install necessary files and add the special user \"nx\"."
		echo "  --ignore-errors       Check for false configuration, but don't complain."
		echo "  --setup-nomachine-key Allow login with the key shipped with the NoMachine"
		echo "                        client. This is fairly secure, and it simplifies the "
		echo "                        configuration of clients. (Using a custom key pair."
		echo "                        increases security even more, but complicates the"
		echo "                        configuration of clients.)"
		echo "                        Use this option at your own risk."
		echo "  --setup-with-private-key <priv_key>"
                echo "                        Allow login with the private key that you specify"
		echo "                        This is the way to not use the nomachine key and "
		echo "                        to configure your server more easily"
		echo "  --ssh2                Create additionally commercial pubkey-support; beware:"
		echo "                        own _commercial_ ssh2-key is not supported!"
		echo "  --uid <number>        Give the uid <number> to the user \"nx\"."
		echo "  --gid <number>        Give the gid <number> to the user \"nx\"."
		[ -n "$LOCAL_USER_OPTION" ] && \
		echo "  --localuser           The special user \"nx\" will be created locally using"\
		echo "                        \"luseradd\", for use in NIS and NISplus environments."
		echo "  --clean               Perform an uninstallation prior to installation."
		echo "  --uninstall           Remove log and session files, as well as the special"
		echo "                        user \"nx\"."
		echo "  --purge               Remove extra configuration files and ssh keys when"
		echo "                        performing a \"--uninstall\"."
		echo "                        Note that node.conf will always be saved."
		echo "  --auto                Perform automatic installation without testing or asking."
		exit 0
	fi
	#Undocumented
	#
	#    --dont-build-known-hosts		For system without /etc/ssh/ssh_host_key.rsa.pub and anyway
	#					expect should handle nx-users known-hosts keys so why borther
	#					in nxsetup?

	if [ "$INSTALL" = "yes" -a "$AUTOMATIC" = "no" -a "$SETUP_NOMACHINE_KEY" = "no" ]
	then
		echo "------> It is recommended that you use the NoMachine key for"
		echo "        easier setup. If you answer \"y\", FreeNX creates a custom"
		echo "        KeyPair and expects you to setup your clients manually. "
		echo "        \"N\" is default and uses the NoMachine key for installation."
		echo ""
		echo -n " Do you want to use your own custom KeyPair? [y/N] "
		read -n 1 CHOICE
		[ "$CHOICE" = "y" ] || SETUP_NOMACHINE_KEY="yes"
	fi
}

parse_cmdline "$@"

# Read the config file
. $(PATH=$(cd $(dirname $0) && pwd):$PATH which nxloadconfig) --

run_nscd()
{
	if [ -f /var/run/nscd/nscd.pid ]
	then
		nscd "$@" 2>/dev/null || true
	fi
}

nx_user_exists()
{
	if [ "$SETUP_LOCAL_USER" = "yes" ]
	then
		egrep "^nx:" /etc/passwd >/dev/null
	else
		getent passwd nx >/dev/null
	fi
}	
nx_group_exists()
{
	# useradd/adduser need a valid group to add the user to
	if [ "$SETUP_LOCAL_USER" = "yes" ]
	then
		egrep "^nx:" /etc/group >/dev/null
	else
		getent group nx >/dev/null
	fi
}	

# Tries to add a system user
useradd_nx()
{
	# In any case create the basedir of the HOME directory before, 
	# because useradd will fail to make more than one directory
	mkdir -p $(dirname "$NX_HOME_DIR")

	# Is it a debian?
	if [ -f /etc/debian_version -a -z "$SETUP_UID" ]
	then
		USERADD_OPTIONS="--ingroup nx --system --home $NX_HOME_DIR --shell $PATH_BIN/nxserver"
		[ -n "$SETUP_GID" ] && GROUPADD_OPTIONS="--gid $SETUP_GID"

		# adduser needs a valid group to add the user to
		! nx_group_exists && addgroup --system --quiet $GROUPADD_OPTIONS nx
		[ -f /etc/nscd.conf ] && { run_nscd --invalidate group; }

		adduser $USERADD_OPTIONS nx
		[ -f /etc/nscd.conf ] && { run_nscd --invalidate passwd; }
		
	# no, its a "normal" useradd
	else
		USERADD_OPTIONS="-g nx -d $NX_HOME_DIR -s $PATH_BIN/nxserver"
		[ -n "$SETUP_GID" ] && GROUPADD_OPTIONS="-g $SETUP_GID"

		# uid specified?
		if [ -n "$SETUP_UID" ]
		then
			USERADD_OPTIONS="-u $SETUP_UID $USERADD_OPTIONS"
		
		# Is it a SuSE?
		elif [ -f /etc/SuSE-release ]
		then
			USERADD_OPTIONS="-r $USERADD_OPTIONS"
		fi
		
		if [ "$SETUP_LOCAL_USER" = "yes" ]
		then
			! nx_group_exists && lgroupadd $GROUPADD_OPTIONS nx 
			[ -f /etc/nscd.conf ] && { run_nscd --invalidate group; }

			luseradd $USERADD_OPTIONS nx
			[ -f /etc/nscd.conf ] && { run_nscd --invalidate passwd; }
		else
			! nx_group_exists && groupadd $GROUPADD_OPTIONS nx
			[ -f /etc/nscd.conf ] && { run_nscd --invalidate group; }

			useradd $USERADD_OPTIONS nx
			[ -f /etc/nscd.conf ] && { run_nscd --invalidate passwd; }
		fi

		
	fi

	# the nx user account might be locked, so unlock it.
	passwd -u nx
}

install_nx()
{
	set -e
	
	if [ "$(pidof sshd 2>/dev/null)" = "" ]
	then 
		echo -n "Starting ssh service ..."
		# Generate Host keys if they are not available, yet
		[ -e /etc/ssh/ssh_host_rsa_key ] || $COMMAND_SSH_KEYGEN -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N ''
		[ -e /etc/ssh/ssh_host_dsa_key ] || $COMMAND_SSH_KEYGEN -q -t dsa -f /etc/ssh/ssh_host_dsa_key -C '' -N ''
		[ -x /etc/init.d/sshd ] && /etc/init.d/sshd start
		[ -x /etc/init.d/ssh ] && /etc/init.d/ssh start
		echo "done"
	fi
	
	echo -n "Setting up $NX_ETC_DIR ..."
	mkdir -p $NX_ETC_DIR
	touch $NX_ETC_DIR/passwords $NX_ETC_DIR/passwords.orig
	chmod 600 $NX_ETC_DIR/passwords $NX_ETC_DIR/passwords.orig
	echo "done"
	
	if [ ! -f $NX_ETC_DIR/users.id_dsa ]
	then
		$COMMAND_SSH_KEYGEN -f $NX_ETC_DIR/users.id_dsa -t dsa -N ""
	fi
	
	echo -n "Setting up $NX_SESS_DIR ..."
	mkdir -p $NX_SESS_DIR/closed $NX_SESS_DIR/running $NX_SESS_DIR/failed
	chmod 700 $NX_SESS_DIR/*
	echo "done"
	
	echo -n "Setting up $NX_LOGFILE ..."
	mkdir -p $(dirname "$NX_LOGFILE")
	touch "$NX_LOGFILE"
	chmod 600 "$NX_LOGFILE"
	echo "done"
	
	if ! nx_user_exists
	then
		echo -n "Setting up special user \"nx\" ..."
		useradd_nx
		echo "done"
	fi
	
	if [ "$ENABLE_USESSION" = "1" ]
	then
		echo -n "Adding user \"nx\" to group \"utmp\" ..."
		usermod -G utmp nx
		echo "done"
	fi
	
	if [ "$ENABLE_NOMACHINE_FORWARD_PORT" = "1" -a -x "$NOMACHINE_SERVER" ]
	then
		echo -n "Setting up NoMachine forwarding ..."
		usermod -s "$PATH_BIN/nxserver" -d "$NOMACHINE_NX_HOME_DIR" nx
		echo "done"
	fi
	
	echo -n "Setting up known_hosts and $SSH_AUTHORIZED_KEYS ..."
	
	SETUP_NX_KEY="no"
	
	mkdir -p $NX_HOME_DIR/.ssh
	chmod 700 $NX_HOME_DIR/ $NX_HOME_DIR/.ssh
	
	if [ ! -f $NX_HOME_DIR/.ssh/$SSH_AUTHORIZED_KEYS -o "$SETUP_NOMACHINE_KEY" = "yes" -o -n "$PRIVATE_KEY" ]
	then
		SETUP_NX_KEY="yes"
		if [ "$SETUP_NOMACHINE_KEY" = "yes" ]
		then
			cat << EOF >$NX_HOME_DIR/.ssh/$SSH_AUTHORIZED_KEYS
no-port-forwarding,no-agent-forwarding,command="$PATH_BIN/nxserver" ssh-dss AAAAB3NzaC1kc3MAAACBAJe/0DNBePG9dYLWq7cJ0SqyRf1iiZN/IbzrmBvgPTZnBa5FT/0Lcj39sRYt1paAlhchwUmwwIiSZaON5JnJOZ6jKkjWIuJ9MdTGfdvtY1aLwDMpxUVoGwEaKWOyin02IPWYSkDQb6cceuG9NfPulS9iuytdx0zIzqvGqfvudtufAAAAFQCwosRXR2QA8OSgFWSO6+kGrRJKiwAAAIEAjgvVNAYWSrnFD+cghyJbyx60AAjKtxZ0r/Pn9k94Qt2rvQoMnGgt/zU0v/y4hzg+g3JNEmO1PdHh/wDPVOxlZ6Hb5F4IQnENaAZ9uTZiFGqhBO1c8Wwjiq/MFZy3jZaidarLJvVs8EeT4mZcWxwm7nIVD4lRU2wQ2lj4aTPcepMAAACANlgcCuA4wrC+3Cic9CFkqiwO/Rn1vk8dvGuEQqFJ6f6LVfPfRTfaQU7TGVLk2CzY4dasrwxJ1f6FsT8DHTNGnxELPKRuLstGrFY/PR7KeafeFZDf+fJ3mbX5nxrld3wi5titTnX+8s4IKv29HJguPvOK/SI7cjzA+SqNfD7qEo8= root at nettuno
EOF
			chmod 600 $NX_HOME_DIR/.ssh/$SSH_AUTHORIZED_KEYS
			cat << EOF >$NX_HOME_DIR/.ssh/client.id_dsa.key
-----BEGIN DSA PRIVATE KEY-----
MIIBuwIBAAKBgQCXv9AzQXjxvXWC1qu3CdEqskX9YomTfyG865gb4D02ZwWuRU/9
C3I9/bEWLdaWgJYXIcFJsMCIkmWjjeSZyTmeoypI1iLifTHUxn3b7WNWi8AzKcVF
aBsBGiljsop9NiD1mEpA0G+nHHrhvTXz7pUvYrsrXcdMyM6rxqn77nbbnwIVALCi
xFdHZADw5KAVZI7r6QatEkqLAoGBAI4L1TQGFkq5xQ/nIIciW8setAAIyrcWdK/z
5/ZPeELdq70KDJxoLf81NL/8uIc4PoNyTRJjtT3R4f8Az1TsZWeh2+ReCEJxDWgG
fbk2YhRqoQTtXPFsI4qvzBWct42WonWqyyb1bPBHk+JmXFscJu5yFQ+JUVNsENpY
+Gkz3HqTAoGANlgcCuA4wrC+3Cic9CFkqiwO/Rn1vk8dvGuEQqFJ6f6LVfPfRTfa
QU7TGVLk2CzY4dasrwxJ1f6FsT8DHTNGnxELPKRuLstGrFY/PR7KeafeFZDf+fJ3
mbX5nxrld3wi5titTnX+8s4IKv29HJguPvOK/SI7cjzA+SqNfD7qEo8CFDIm1xRf
8xAPsSKs6yZ6j1FNklfu
-----END DSA PRIVATE KEY-----
EOF
			chmod 600 $NX_HOME_DIR/.ssh/client.id_dsa.key
		elif [ -n "$PRIVATE_KEY" ]
		then
			# generate a new key, backup the old and copy it to $SSH_AUTHORIZED_KEYS
			$PATH_BIN/nxkeygen --generate-from-private-key $PRIVATE_KEY
		else

			# generate a new key, backup the old and copy it to $SSH_AUTHORIZED_KEYS
			$PATH_BIN/nxkeygen
		fi
	fi



	# commercial ssh2-server uses other authentification-files
	# as they are more or less static, I don't integrated these variable
	# in node.conf, you have to change them here, if you like
	SSH2_AUTHORIZATION="authorization"
	SSH2_PUBKEY="nx_user.id.pub"
	SSH2_HOME_DIR="$NX_HOME_DIR/.ssh2"
	if [ ! -f "${SSH2_HOME_DIR}/$SSH2_PUBKEY" -a "$SETUP_SSH2_KEY" = "yes" -a "$SETUP_NOMACHINE_KEY" = "yes" ]
	then
		mkdir -p $SSH2_HOME_DIR
		chmod 700 $SSH2_HOME_DIR
		
		cat >  ${SSH2_HOME_DIR}/$SSH2_PUBKEY <<EOF
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "1024-bit DSA, converted from OpenSSH by root at localhost"
AAAAB3NzaC1kc3MAAACBAJe/0DNBePG9dYLWq7cJ0SqyRf1iiZN/IbzrmBvgPTZnBa5FT/
0Lcj39sRYt1paAlhchwUmwwIiSZaON5JnJOZ6jKkjWIuJ9MdTGfdvtY1aLwDMpxUVoGwEa
KWOyin02IPWYSkDQb6cceuG9NfPulS9iuytdx0zIzqvGqfvudtufAAAAFQCwosRXR2QA8O
SgFWSO6+kGrRJKiwAAAIEAjgvVNAYWSrnFD+cghyJbyx60AAjKtxZ0r/Pn9k94Qt2rvQoM
nGgt/zU0v/y4hzg+g3JNEmO1PdHh/wDPVOxlZ6Hb5F4IQnENaAZ9uTZiFGqhBO1c8Wwjiq
/MFZy3jZaidarLJvVs8EeT4mZcWxwm7nIVD4lRU2wQ2lj4aTPcepMAAACANlgcCuA4wrC+
3Cic9CFkqiwO/Rn1vk8dvGuEQqFJ6f6LVfPfRTfaQU7TGVLk2CzY4dasrwxJ1f6FsT8DHT
NGnxELPKRuLstGrFY/PR7KeafeFZDf+fJ3mbX5nxrld3wi5titTnX+8s4IKv29HJguPvOK
/SI7cjzA+SqNfD7qEo8=
---- END SSH2 PUBLIC KEY ----
EOF
		echo "Key $SSH2_PUBKEY" >> ${SSH2_HOME_DIR}/$SSH2_AUTHORIZATION
		echo "Options no-port-forwarding,no-agent-forwarding,command=\"$PATH_BIN/nxserver\"" >> ${SSH2_HOME_DIR}/$SSH2_AUTHORIZATION
		chmod 600 ${SSH2_HOME_DIR}/$SSH2_AUTHORIZATION ${SSH2_HOME_DIR}/$SSH2_PUBKEY
	fi
	
	if [ ! -f $NX_HOME_DIR/.ssh/known_hosts -a "$BUILD_KNOWN_HOSTS" = "yes" ]
	then
		echo -n "127.0.0.1 " > $NX_HOME_DIR/.ssh/known_hosts
		cat /etc/ssh/ssh_host_rsa_key.pub >> $NX_HOME_DIR/.ssh/known_hosts
	fi
	
	echo "done"
	
	echo -n "Setting up permissions ..."
	chown -R nx:root $NX_SESS_DIR
	chown -R nx:root $NX_ETC_DIR
	chown -R nx:root $NX_HOME_DIR
	chown nx:root "$NX_LOGFILE"

	echo "done"

	if [ -d "$CUPS_BACKEND" ]
	then
		echo -n "Setting up cups nxipp backend ..."
		cp -af "$CUPS_BACKEND/ipp" "$CUPS_IPP_BACKEND"
		chmod 755 "$CUPS_IPP_BACKEND"
		echo "done"
	fi
}

test_nx()
{
	echo ""
	echo "----> Testing your nxserver configuration ..."
	[ "$IGNORE_ERRORS" = "yes" ] && NO_ERRORS="--ignore-errors"
	. $(PATH=$(cd $(dirname $0) && pwd):$PATH which nxloadconfig) --check $NO_ERRORS
	echo "<---- done"
	echo ""
	echo "----> Testing your nxserver connection ..."
	
	CONNECTION=""
	while read -t 3 line
	do
		echo $line
		
		case "$line" in
			*"HELLO NXSERVER - Version $NX_VERSION"*)
				CONNECTION="yes"
			;;
			*"HELLO NXSERVER - Version"*)
				echo "Warning: Version mismatch. Expected $NX_VERSION got: $line."
				CONNECTION="yes"
			;;
			*"NX> 999 Bye"*)
				break;
			;;
		esac

	done < <(NODE_PUBLICKEY="$NX_HOME_DIR/.ssh/client.id_dsa.key" $PATH_BIN/nxnode-login test-nx nx "$SSHD_PORT" nxserver --check)

	if [ -z "$CONNECTION" ]
	then
		echo "Fatal error: Could not connect to NX Server."
		echo 
		echo "Please check your ssh setup:"
		echo ""
		echo "The following are _examples_ of what you might need to check."
		echo ""
		echo "	- Make sure \"nx\" is one of the AllowUsers in sshd_config."
		echo "    (or that the line is outcommented/not there)"
		echo "	- Make sure \"nx\" is one of the AllowGroups in sshd_config."
		echo "    (or that the line is outcommented/not there)"
		echo "	- Make sure your sshd allows public key authentication."
		echo "	- Make sure your sshd is really running on port $SSHD_PORT."
		echo "	- Make sure your sshd_config AuthorizedKeysFile in sshd_config is set to $SSH_AUTHORIZED_KEYS."
		echo "    (this should be a filename not a pathname+filename)"
		echo "  - Make sure you allow ssh on localhost, this could come from some"
		echo "    restriction of:"
		echo "      -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost"
		echo "      -the iptables. add to it:"
		echo "         $ iptables -A INPUT  -i lo -j ACCEPT"
		echo "         $ iptables -A OUTPUT -o lo -j ACCEPT"
		exit 1
	fi
	echo "<--- done"
	echo ""
}

uninstall_nx() 
{
	if nx_user_exists
	then
		echo -n "Removing special user \"nx\" ..."
		
		if [ "$SETUP_LOCAL_USER" = "yes" ]
		then
			luserdel nx
		else
			userdel nx
		fi
			
		echo "done"
	fi
	
	if [ -e "$NX_SESS_DIR" ]
	then
		echo -n "Removing session database ..."
		rm -f -r $NX_SESS_DIR/closed $NX_SESS_DIR/running $NX_SESS_DIR/failed 2>/dev/null
		rmdir -p $NX_SESS_DIR 2>/dev/null
		echo "done"
	fi
	
	if [ -e "$NX_LOGFILE" ] 
	then
		echo -n "Removing logfile ..."
		rm -f "$NX_LOGFILE" 2>/dev/null
		rmdir -p $(dirname "$NX_LOGFILE") 2>/dev/null
		echo "done"
	fi
	
	if [ "$PURGE" = "yes" -a -e "$NX_HOME_DIR" ]
	then
		echo -n "Removing home directory of special user \"nx\" ..."
		rm -f -r "$NX_HOME_DIR" 2>/dev/null
		rmdir -p $(dirname "$NX_HOME_DIR") 2>/dev/null
		echo "done"
	fi
	
	if [ "$PURGE" = "yes" -a -e "$NX_ETC_DIR" ]
	then
		echo -n "Removing configuration files ..."
		rm -f "$NX_ETC_DIR/passwords" "$NX_ETC_DIR/passwords.orig" "$NX_ETC_DIR/users.id_dsa" "$NX_ETC_DIR/users.id_dsa.pub" 2>/dev/null
		for i in `ls $NX_ETC_DIR/*.node.conf 2>/dev/null` ;
		do
			rm -f "$i" 2>/dev/null;
		done
		echo "done"
	fi
}

if [ "$TEST" = "yes" ]
then
	test_nx
	exit 0
fi

if [ "$INSTALL" = "yes" ]
then
	#Perform cleanup?
	[ "$CLEAN" = "yes" ] && uninstall_nx
	
	[ -f /etc/nscd.conf ] && { run_nscd --invalidate passwd; run_nscd --invalidate group; }
	install_nx

	[ "$AUTOMATIC" = "no" ] && test_nx
	
	echo "Ok, nxserver is ready."
	echo 
	if [ "$ENABLE_SSH_AUTHENTICATION" = "1" -o "$ENABLE_SU_AUTHENTICATION" = "1" ]
	then
		echo "PAM authentication enabled:"
		if [ "$ENABLE_USER_DB" = "1" ]
		then
			echo "  Users will be able to login with their normal passwords,"
			echo "  but they have to be registered in the NX database to do so."
			echo "  To add new users to the NX user database do:"
			echo "    nxserver --adduser <username>"
		else
			echo "  All users will be able to login with their normal passwords."
		fi
		echo
		if [ "$ENABLE_SSH_AUTHENTICATION" = "1" -a "$ENABLE_SU_AUTHENTICATION" = "1" ]
		then
			echo "  Both SSH and SU authentication is enabled."
			echo "  This does work, but is redundant."
			echo "  Please check if this is really what you intended."
		elif [ "$ENABLE_SSH_AUTHENTICATION" = "1" ]
		then
			echo "  PAM authentication will be done through SSH."
			echo "  Please ensure that SSHD on localhost accepts password authentication."
		else
			echo "  PAM authentication will be done through SU."
			echo "  Please ensure that the user "nx" is a member of the wheel group."
		fi
	else
		echo "PAM authentication disabled."
		echo "  Only users in the NX user database will be able to log in."
		echo
		echo "  To add new users to the NX user database do:"
		echo "    nxserver --adduser <username>"
		echo "  Afterwards change the password with:"
		echo "    nxserver --passwd <username>"
	fi
	echo
	echo "  You can change this behaviour in the $NX_ETC_DIR/node.conf file."
	
	if [ "$SETUP_NOMACHINE_KEY" = "no" -a "$SETUP_NX_KEY" = "yes" ]
	then
		echo
		echo "Warning: Clients will not be able to login to this server with the standard key."
		echo "         Please replace /usr/NX/share/client.id_dsa.key on all clients you want"
		echo "         to use with $NX_HOME_DIR/.ssh/client.id_dsa.key"
		echo "         and protect it accordingly."
		echo ""
		echo "         Since 1.5.0 you need to import the correct key via the GUI."
		echo
		echo "         If you really want to use the NoMachine key please remove"
		echo "         '$NX_HOME_DIR/.ssh/$SSH_AUTHORIZED_KEYS'"
		echo "         and then run this script with the --setup-nomachine-key parameter."
	fi
	
	echo "Have Fun!"
elif [ "$UNINSTALL" = "yes" ]
then
	uninstall_nx
	
	echo "Ok, nxserver is uninstalled"
	echo 
	if [ "$PURGE" = "yes" ]
	then
		echo "To complete the uninstallation process, remove the FreeNX scripts in $PATH_BIN"
		echo "and the $NX_ETC_DIR/node.conf configuration file."
	else
		echo "To complete the uninstallation process, remove the FreeNX scripts in $PATH_BIN"
		echo
		echo "Configuration files and ssh keys are saved in case you would like to reinstall"
		echo "freenx at a later time. To remove them, please run 'nxsetup --uninstall --purge'"
	fi
fi


More information about the FreeNX-kNX mailing list