[FreeNX-kNX] Fwd: Re: NXClient fails to connect with authentication failed for user.

ChrisB chris at ccburton.com
Sat Sep 26 19:18:07 UTC 2009 

Jeremy Wilkins <wjeremy at shaw.ca> wrote on 26/09/2009 17:56:23:

> 
> I don't know if this is relevant, but I am curious if there may be a
> difference from using the ip:
> ssh -v -p 443 dion at 127.0.0.1
> or the host name:
> ssh -v -p 443 dion at localhost
> on your machine?  Sometimes the ip and host names are treated 
differently. 
> I have run into this on more than one occasion.  Sometimes it can be
> firewall rules related.
> 

In this instance the destination, "localhost" would be resolved to an IP 
address before connection is attempted, though the name of the originating 
machine will be included in the connection.

"Normally" this would involve looking first in /etc/hosts then whatever 
you have configured next, typically DNS.

The connection would be made to the resolved IP address which should be 
127.0.0.1 for localhost.

If you are using other methods of connectivity, the name might be passed 
over too and if you have allowed conectivity from localhost not 127.0.0.1, 
authentication might fail.

MySQL uses some such system for example.

Any firewall will see a connection from one IP address and numerical 
source port to another IP address and numerical destination port, though 
you may be able to configure them using names not numbers.

Open sshd can be told only to listen on 127.0.0.1 not any external IP 
adresses.

It can also be configured to check that the name given by the connecting 
host ( in this case itself ) maches the reverse lookup of the originating 
IP address.

You can run into difficulties if you do not stick to the rules regarding 
/etc/hosts or have all your ptr records covered in your DNS and have 
reverse lookups configured.

> 
> Bugzilla from dion at thinkmoult.com wrote:
> > 
> > It asks for my passphrase. So I rename id_dsa to something else and 
try
> > again 
> > and you are right it asks for my password. I can log in fine.
> > 
> > Trying again with NXClient with the moved id_dsa still fails with the 
same 
> > error as before.
> > 
> > On Saturday 26 September 2009 17:44:20 ChrisB wrote:
> >> Dion Moult <dion at thinkmoult.com> wrote on 26/09/2009 03:01:22:
> >> > Tried changing that, restarting sshd and nxserver, but it still
> >> > gives the same
> >> > error:
> >> >
> >> > sshd[23560]: Connection from 127.0.0.1 port 38026
> >> > sshd[23560]: Failed none for nx from 127.0.0.1 port 38026 ssh2
> >> > sshd[23560]: Found matching DSA key: blahblahblahetcetc
> >> > sshd[23560]: Accepted publickey for nx from 127.0.0.1 port 38026 
ssh2
> >> > sshd[23560]: pam_unix(sshd:session): session opened for user nx by
> >> 
> >> (uid=0)
> >> 
> >> > sshd[23560]: User child is on pid 23562
> >> > nxserver[23692]: (nx) Failed login for user=dion from IP=127.0.0.1
> >> > sshd[23562]: Connection closed by 127.0.0.1
> >> > sshd[23562]: Transferred: sent 2848, received 1968 bytes
> >> > sshd[23562]: Closing connection to 127.0.0.1 port 38026
> >> > sshd[23560]: pam_unix(sshd:session): session closed for user nx
> >> 
> >> Sounds like password or account issues with user dion
> >> 
> >> On the server, try
> >> 
> >>                 ssh -v -p 443 -l dion localhost
> >> 
> >> The -v will tell you what it is trying and what fails.
> >> 
> >> It should ask for a password. If user dion has an id_dsa or id_rsa 
key in
> >> $HOME/.ssh then you need to temporarily rename it id_dsa.000 or some
> >> such.
> >> 
> >> If you can't log in as user dion locally using a password then it 
won't
> >> work over nx, so you need to prove this works/fix it next . . . .
> >> 
> >> > On Saturday 26 September 2009 09:55:03 you wrote:
> >> > > ----------  Forwarded Message  ----------
> >> > >
> >> > > Subject: Re: [FreeNX-kNX] NXClient fails to connect with
> >> 
> >> authentication
> >> 
> >> > >  failed for user.
> >> > > Date: Friday 25 September 2009
> >> > > From: "ChrisB" <chris at ccburton.com>
> >> > > To: User Support for FreeNX Server and kNX Client
> >> <freenx-knx at kde.org>
> >> > >
> >> > > Dion Moult <dion at thinkmoult.com> wrote on 25/09/2009 18:09:17:
> >> > >
> >> > >
> >> > > SNIP
> >> > >
> >> > > > sshd[13479]: Connection from 127.0.0.1 port 40791
> >> > > > sshd[13479]: Found matching DSA key: blahblahblahblah
> >> > > > sshd[13479]: Accepted publickey for nx from 127.0.0.1 port 
40791
> >> 
> >> ssh2
> >> 
> >> > > > sshd[13479]: pam_unix(sshd:session): session opened for user nx 
by
> >> > >
> >> > > (uid=0)
> >> > >
> >> > > > sshd[13479]: User child is on pid 13481
> >> > > > nxserver[13611]: (nx) Failed login for user=dion from 
IP=127.0.0.1
> >> > >
> >> > > Yup
> >> > >
> >> > > > I have checked that the public key is in /home/dion/.
> >> > > > ssh/authorized_keys. If I
> >> > > > do ssh -p 443 localhost on the computer with the account dion 
it
> >> 
> >> asks
> >> 
> >> > > for my
> >> > >
> >> > > > passphrase of my private keypair (not the NX one) and I can log 
in
> >> 
> >> and
> >> 
> >> > > SSH in
> >> > >
> >> > > You need to use password authentication for the local user after
> >> > > connecting via ssh as user nx.
> >> > >
> >> > > Some distros disable this by default because it allows brute 
force
> >> 
> >> attacks
> >> 
> >> > > . . . .
> >> > >
> >> > > > remotely fine without problems. I'm not sure whether it helps 
but
> >> 
> >> when I
> >> 
> >> > > try
> >> > >
> >> > > > ssh -p 443 nx at localhost it asks for a Password, of which 
nothing I
> >> > > > try can log
> >> > > > it in.
> >> > > >
> >> > > > This is my sshd_config:
> >> > > > Port 443
> >> > > > Protocol 2
> >> > > > SyslogFacility AUTH
> >> > > > PermitRootLogin no
> >> > > > RSAAuthentication yes
> >> > > > PubkeyAuthentication yes
> >> > > > PasswordAuthentication no
> >> > >
> >> > > Here
> >> > >
> >> > > Just change to PasswordAuthentication  yes
> >> > >
> >> > > > PermitEmptyPasswords no
> >> > > > UsePAM yes
> >> > > > Compression yes
> >> > > > KeepAlive yes
> >> > > > ClientAliveInterval 30
> >> > > > ClientAliveCountMax 4
> >> > > > AuthorizedKeysFile      .ssh/authorized_keys
> >> > > > LogLevel VERBOSE
> >> > > >
> >> > > > (Note: I run SSH on port 443 on purpose, not by accident)
> >> > > >
> >> > > > Summary: When trying to connect using username and password for 
the
> >> > >
> >> > > account
> >> > >
> >> > > > "dion" which exists on the box running freenx it says
> >> Authentication
> >> > >
> >> > > failed
> >> > >
> >> > > > for user dion.
> >> > > >
> >> > > > Any ideas? Much appreciated.
> >> > >
> >> > > 
> > ________________________________________________________________
> >> > >
> >> > > >      Were you helped on this list with your FreeNX problem?
> >> > > >     Then please write up the solution in the FreeNX Wiki/FAQ:
> >> 
> >> 
http://openfacts2.berlios.de/wikien/index.php/BerliosProject:FreeNX_-_FAQ
> >> 
> >> > > >          Don't forget to check the NX Knowledge Base:
> >> > > >                  http://www.nomachine.com/kb/
> >> > > >
> >> > > > 
> > ________________________________________________________________
> >> > > >        FreeNX-kNX mailing list --- FreeNX-kNX at kde.org
> >> > > >       https://mail.kde.org/mailman/listinfo/freenx-knx
> >> > > > 
> > ________________________________________________________________
> >> > >
> >> > > -------------------------------------------------------
> >> 
> >> ________________________________________________________________
> >> 
> >> >      Were you helped on this list with your FreeNX problem?
> >> >     Then please write up the solution in the FreeNX Wiki/FAQ:
> >> 
> >> 
http://openfacts2.berlios.de/wikien/index.php/BerliosProject:FreeNX_-_FAQ
> >> 
> >> >          Don't forget to check the NX Knowledge Base:
> >> >                  http://www.nomachine.com/kb/
> >> >
> >> > ________________________________________________________________
> >> >        FreeNX-kNX mailing list --- FreeNX-kNX at kde.org
> >> >       https://mail.kde.org/mailman/listinfo/freenx-knx
> >> > ________________________________________________________________
> >> 
> > -- 
> > Dion Moult :-)
> > 
> > 
> > ________________________________________________________________
> >      Were you helped on this list with your FreeNX problem?
> >     Then please write up the solution in the FreeNX Wiki/FAQ:
> > 
> > 
http://openfacts2.berlios.de/wikien/index.php/BerliosProject:FreeNX_-_FAQ
> > 
> >          Don't forget to check the NX Knowledge Base:
> >                  http://www.nomachine.com/kb/ 
> > 
> > ________________________________________________________________
> >        FreeNX-kNX mailing list --- FreeNX-kNX at kde.org
> >       https://mail.kde.org/mailman/listinfo/freenx-knx
> > ________________________________________________________________
> > 
> 
> -- 
> View this message in context: http://www.nabble.com/Re%3A-Fwd%3A-Re%
> 3A--NXClient-fails-to-connect-with-authentication-failed%09for-user.
> -tp25621598p25626974.html
> Sent from the freenx-knx mailing list archive at Nabble.com.
> 
> ________________________________________________________________
>      Were you helped on this list with your FreeNX problem?
>     Then please write up the solution in the FreeNX Wiki/FAQ:
> 
> 
http://openfacts2.berlios.de/wikien/index.php/BerliosProject:FreeNX_-_FAQ
> 
>          Don't forget to check the NX Knowledge Base:
>                  http://www.nomachine.com/kb/ 
> 
> ________________________________________________________________
>        FreeNX-kNX mailing list --- FreeNX-kNX at kde.org
>       https://mail.kde.org/mailman/listinfo/freenx-knx
> ________________________________________________________________
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/freenx-knx/attachments/20090926/25ddd503/attachment.html>

More information about the FreeNX-kNX mailing list