[FreeNX-kNX] Re: Disable SCP for users that connect through NX

chris at ccburton.com chris at ccburton.com
Mon Apr 18 08:37:06 UTC 2011


Adrian Coman <adi.coman at gmail.com> wrote on 16/04/2011 20:10:03:

> Hi,
> 
> I would like to setup a NX server that users can connect to, but 
> they can not copy files from the server via SCP. Since NX functions 
> through SSH, I have to leave the SSHD port open, so all the SSH 
> functionality is there, including SCP.
> 
> Do you have any suggestion?

You can run two sshd daemons.
1/ listening on
        Port 22 
        ListenAddress 127.0.0.1  (only)
        PasswordAuthentication yes
2/ listening on another port
        Port 600 (choose your own)
        ListenAddress your.external.interface.ip
        PasswordAuthentication no
        AllowUsers nx admin

** change the Port in ALL your nxclients
<Configure (button)><General Tab><Server> **

This arrangement is safer anyway, especially if you have NX
on an Internet IP.

If you don't then you could have 22 as the external P/Pkey 
only, and run PasswordAuthentication on 127.0.0.1:600,
in which case you don't need to change the nxclient but
you do need to update to 600 (or whatever)
        SSHD_PORT=
in /etc/nxserver/node.conf


Note
This won't stop logged in NX users nc-ing or ssh-ing back
to their home machines unless you packet-inspect egress,
remove the ssh client and nc from the server and don't
allow exec from any mount that users can write to
(a good idea anyway imho)


It's still possible for users to copy the nx user key from
the nxclient and manually connect as user nx
eg.
ssh -i copy-of-nx-key -l nx -p ext.sshd.port yourhost

but the nx user's shell is set to /usr/bin/nxserver.
> 
> Thanks.
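
A check for the two-daemon split described in the reply above, as an added example that is not part of the original message: it parses each instance's sshd_config and flags password authentication reachable on a non-loopback address, or an externally listening instance with no AllowUsers line. The sample configs, the address 192.0.2.10 and the function names are constructed for illustration; Match blocks are not evaluated.

```python
import ipaddress

MULTI = {"port", "listenaddress", "allowusers"}  # keywords that may repeat

def parse_sshd_config(text):
    """Return {keyword: [values]} for the global section (stops at Match)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()  # sshd keywords are case-insensitive
        if key == "match":
            break  # simplification: conditional blocks are not evaluated
        # sshd uses the first value it reads for a non-repeatable keyword
        if key in MULTI or key not in cfg:
            cfg.setdefault(key, []).append(parts[1].strip() if len(parts) > 1 else "")
    return cfg

def is_loopback(host):
    """True only for a literal loopback IP, with or without :port."""
    if host.startswith("["):
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:
        host = host.split(":", 1)[0]
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # hostnames are treated as external (fail closed)

def audit(text):
    """List problems with one sshd instance under the loopback/external split."""
    cfg = parse_sshd_config(text)
    listens = cfg.get("listenaddress", [])  # no ListenAddress means all interfaces
    external = not listens or not all(is_loopback(a) for a in listens)
    password = cfg.get("passwordauthentication", ["yes"])[0].lower() == "yes"  # default yes
    problems = []
    if external and password:
        problems.append("password authentication reachable on a non-loopback address")
    if external and "allowusers" not in cfg:
        problems.append("external instance has no AllowUsers restriction")
    return problems

# Constructed sample configs mirroring the two daemons in the reply
INTERNAL = "Port 22\nListenAddress 127.0.0.1\nPasswordAuthentication yes\n"
EXTERNAL = "Port 600\nListenAddress 192.0.2.10\nPasswordAuthentication no\nAllowUsers nx admin\n"
MISSING_LINE = "Port 600\nListenAddress 192.0.2.10\nAllowUsers nx admin\n"
```

Run `audit()` on the text of each daemon's config file; an empty list means the instance matches the split, and `MISSING_LINE` shows the case where an omitted PasswordAuthentication line falls back to the default.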