[FreeNX-kNX] Re: Disable SCP for users that connect through NX
chris at ccburton.com
Mon Apr 18 08:37:06 UTC 2011
Adrian Coman <adi.coman at gmail.com> wrote on 16/04/2011 20:10:03:
> Hi,
>
> I would like to setup a NX server that users can connect to, but
> they can not copy files from the server via SCP. Since NX functions
> through SSH, I have to leave the SSHD port open, so all the SSH
> functionality is there, including SCP.
>
> Do you have any suggestion?

You can run two sshd daemons.

1/ listening on

    Port 22
    ListenAddress 127.0.0.1 (only)
    PasswordAuthentication yes

2/ listening on another port

    Port 600 (choose your own)
    ListenAddress your.external.interface.ip
    PasswordAuthentication no
    AllowUsers nx admin

** change the Port in ALL your nxclients
<Configure (button)><General Tab><Server> **

This arrangement is safer anyway, especially if you have NX
on an Internet IP.

If you don't then you could have 22 as the external P/Pkey
only, and run PasswordAuthentication on 127.0.0.1:600,
in which case you don't need to change the nxclient but
you do need to update to 600 (or whatever)

    SSHD_PORT=

in /etc/nxserver/node.conf

Note

This won't stop logged in NX users nc-ing or ssh-ing back
to their home machines unless you packet-inspect egress,
remove the ssh client and nc from the server and don't
allow exec from any mount that users can write to
(a good idea anyway imho)

It's still possible for users to copy the nx user key from
the nxclient and manually connect as user nx

eg.

    ssh -i copy-of-nx-key -l nx -p ext.sshd.port yourhost

but the nx user's shell is set to /usr/bin/nxserver.
>
> Thanks.
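
An added example, not part of the original message: a small audit of the two-daemon layout described in the reply, checking that the password-accepting sshd is bound to loopback only and that the externally reachable one is key-only with an AllowUsers list. The sample configs and the address 192.0.2.10 are constructed, and Match blocks are deliberately ignored.

```python
import ipaddress

# Constructed sample configs following the layout in the message above.
INTERNAL = "Port 22\nListenAddress 127.0.0.1\nPasswordAuthentication yes\n"
EXTERNAL = ("Port 600\nListenAddress 192.0.2.10\n"
            "passwordauthentication no\nAllowUsers nx admin\n")

def parse(text):
    """Return {keyword: [values]} for the global section of an sshd_config."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()          # sshd keywords are case-insensitive
        if key == "match":              # conditional blocks are out of scope
            break
        opts.setdefault(key, []).append(parts[1].strip() if len(parts) > 1 else "")
    return opts

def first(opts, key, default):
    # For single-valued keywords sshd uses the first value it reads.
    return opts.get(key, [default])[0].lower()

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        # Hostnames, wildcards and host:port forms are flagged conservatively.
        return False

def audit(internal_text, external_text):
    """Return a list of deviations from the split-daemon layout."""
    inner, outer = parse(internal_text), parse(external_text)
    problems = []
    listen = inner.get("listenaddress", [])
    # No ListenAddress at all means sshd binds every local address.
    if not listen or not all(is_loopback(a) for a in listen):
        problems.append("internal daemon is not restricted to loopback")
    # PasswordAuthentication defaults to yes when the directive is absent.
    if first(outer, "passwordauthentication", "yes") != "no":
        problems.append("external daemon accepts passwords")
    if "allowusers" not in outer:
        problems.append("external daemon has no AllowUsers list")
    return problems

if __name__ == "__main__":
    print(audit(INTERNAL, EXTERNAL) or "layout matches")
```

The check reads the files as text only; `sshd -t -f <file>` still has to be run to confirm that each file parses as a valid configuration.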