[FreeNX-kNX] getting nx to work with non-standard PAM setup
Alex Aminoff
aminoff at nber.org
Thu Jan 27 16:54:33 UTC 2011
Hi folks. We are trying to get NX to work with a non-standard setup. To
log in the user, ssh is calling PAM, which calls a module that rings the
user's phone and waits for a given key to be pressed. We would also
like to be able to use otpw as an alternative second factor for
authentication.
The problem we are getting seems to be that the user's password is not
sent because PAM is doing something other than expected. The following is
from nxserver.log with loglevel 6:
HELLO NXSERVER - Version 3.2.0-74-SVN OS (GPL, using backend: 3.3.0)
NX> 105 hello NXCLIENT - Version 3.2.0
NX> 134 Accepted protocol: 3.2.0
NX> 105 SET SHELL_MODE SHELL
NX> 105 SET AUTH_MODE PASSWORD
NX> 105 login
NX> 101 User: aminoff
NX> 102 Password:
Info: Auth method: ssh This server requires two-factor authentication.
Enter your unix password, then either use otpw or phone authentication.
Press
Password:
Info: Closing connection to slave with pid 7902.
NX> 404 ERROR: wrong password or login
NX> 999 Bye
Uncommented lines in our node.conf:
ENABLE_SLAVE_MODE="1"
NX_LOG_LEVEL=6
NX_LOG_SECURE=0
NX_LOGFILE=/var/log/nxserver.log
We realize that OTPW will be a problem because then we would need an
additional prompt on the client side, so for testing we are using an
account that does not have OTPW set up: pam_otpw just silently fails.
Here is an excerpt from our pam.d/sshd:
#%PAM-1.0
auth required pam_sepermit.so
auth required pam_env.so
auth optional pam_echo.so This server requires two-factor authentication. Enter your unix password, then either use otpw or phone authentication. Press # on your phone when you hear the ding.
auth requisite pam_succeed_if.so uid >= 500 quiet
auth requisite pam_ldap.so try_first_pass debug
auth sufficient pam_otpw.so debug
auth sufficient pam_exec.so debug log=/var/log/pam_phone.log /etc/cvslocal/perlscript/pam_phone
auth required pam_deny.so
Basically, my question is, can NX be made to support any arbitrary
communications/prompts that ssh sends? If it does not do so now, we would
be willing to pay NoMachine a bit to have them implement it. Does that
seem sensible?
- Alex Aminoff
BaseSpace.net
National Bureau of Economic Research (nber.org)
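
Added example, not part of the original post and not FreeNX or NoMachine code: a simplified Python model of how Linux-PAM's required/requisite/sufficient/optional control flags resolve the auth stack quoted above. The function names, the shortened pam_echo message and the per-module outcomes passed in are assumptions made for illustration; bracketed controls and include lines are not modelled.

```python
# Simplified model of Linux-PAM's four classic control flags (added example).
# Module outcomes are supplied by the caller; nothing here calls real PAM.

# Constructed copy of the auth stack from the post, with the e-mail line
# wraps rejoined and the pam_echo message shortened.
STACK = """\
auth required   pam_sepermit.so
auth required   pam_env.so
auth optional   pam_echo.so This server requires two-factor authentication.
auth requisite  pam_succeed_if.so uid >= 500 quiet
auth requisite  pam_ldap.so try_first_pass debug
auth sufficient pam_otpw.so debug
auth sufficient pam_exec.so debug log=/var/log/pam_phone.log /etc/cvslocal/perlscript/pam_phone
auth required   pam_deny.so
"""

def parse(text):
    """Return (control, module) pairs for the auth lines of a pam.d file."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "auth":
            entries.append((fields[1], fields[2]))
    return entries

def evaluate(entries, outcome):
    """outcome maps module name -> True (success) or False (failure).

    Modules not listed are assumed to succeed (an assumption of this model).
    Returns (authenticated, trace of modules that actually ran).
    """
    failed = False                 # a 'required' module has already failed
    trace = []
    for control, module in entries:
        ok = outcome.get(module, True)
        trace.append((module, ok))
        if control == "requisite" and not ok:
            return False, trace    # fail at once, later modules never run
        if control == "required" and not ok:
            failed = True          # fail at the end, keep running the stack
        if control == "sufficient" and ok and not failed:
            return True, trace     # succeed at once, skip the rest
        # 'optional' and a failed 'sufficient' leave the result unchanged
    return not failed, trace
```

With a correct password, pam_otpw failing and the phone script succeeding, the model returns success at pam_exec.so; a wrong LDAP password stops at pam_ldap.so before the phone script runs.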