[FreeNX-kNX] getting nx to work with non-standard PAM setup

Alex Aminoff aminoff at nber.org
Thu Jan 27 16:54:33 UTC 2011


Hi folks. We are trying to get NX to work with a non-standard setup. To 
log in the user, ssh is calling PAM, which calls a module that rings the
user's phone and waits for a given key to be pressed. We would also
like to be able to use otpw as an alternative second factor for 
authentication.

The problem we are getting seems to be that the user's password is not 
sent because PAM is doing something other than expected. The following is 
from nxserver.log with loglevel 6:

HELLO NXSERVER - Version 3.2.0-74-SVN OS (GPL, using backend: 3.3.0)
NX> 105 hello NXCLIENT - Version 3.2.0
NX> 134 Accepted protocol: 3.2.0
NX> 105 SET SHELL_MODE SHELL
NX> 105 SET AUTH_MODE PASSWORD
NX> 105 login
NX> 101 User: aminoff
NX> 102 Password:
Info: Auth method: ssh This server requires two-factor authentication. Enter your unix password, then either use otpw or phone authentication. Press
Password:
Info: Closing connection to slave with pid 7902.

NX> 404 ERROR: wrong password or login
NX> 999 Bye

Uncommented lines in our node.conf:

ENABLE_SLAVE_MODE="1"
NX_LOG_LEVEL=6
NX_LOG_SECURE=0
NX_LOGFILE=/var/log/nxserver.log

We realize that OTPW will be a problem because then we would need an 
additional prompt on the client side, so for testing we are using an 
account that does not have OTPW set up: pam_otpw just silently fails.

Here is an excerpt from our pam.d/sshd:

#%PAM-1.0
auth       required     pam_sepermit.so
auth       required     pam_env.so
auth       optional     pam_echo.so This server requires two-factor authentication. Enter your unix password, then either use otpw or phone authentication. Press # on your phone when you hear the ding.
auth       requisite    pam_succeed_if.so uid >= 500 quiet
auth       requisite    pam_ldap.so try_first_pass debug
auth       sufficient   pam_otpw.so debug
auth       sufficient   pam_exec.so debug log=/var/log/pam_phone.log /etc/cvslocal/perlscript/pam_phone
auth       required     pam_deny.so

Basically, my question is, can NX be made to support any arbitrary 
communications/prompts that ssh sends? If it does not do so now, we would 
be willing to pay NoMachine a bit to have them implement it. Does that 
seem sensible?

   - Alex Aminoff
     BaseSpace.net
     National Bureau of Economic Research (nber.org)
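
How the auth stack quoted above resolves under Linux-PAM's requisite/required/sufficient/optional control flags, as an added example that is not part of the original message or of FreeNX. The names parse_stack, evaluate and the `failing` set are hypothetical, and module outcomes are simulated rather than run.

```python
# Constructed input: the auth lines from the post, e-mail line wraps rejoined.
SSHD_AUTH = """\
#%PAM-1.0
auth       required     pam_sepermit.so
auth       required     pam_env.so
auth       optional     pam_echo.so This server requires two-factor authentication. Enter your unix password, then either use otpw or phone authentication. Press # on your phone when you hear the ding.
auth       requisite    pam_succeed_if.so uid >= 500 quiet
auth       requisite    pam_ldap.so try_first_pass debug
auth       sufficient   pam_otpw.so debug
auth       sufficient   pam_exec.so debug log=/var/log/pam_phone.log /etc/cvslocal/perlscript/pam_phone
auth       required     pam_deny.so
"""

ALWAYS_FAIL = {"pam_deny.so"}  # pam_deny never succeeds


def parse_stack(text, kind="auth"):
    """Return [(control, module)] for one module type; '#' starts a comment."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == kind:
            stack.append((fields[1], fields[2]))
    return stack


def evaluate(stack, failing):
    """Simulate the stack. `failing` is the set of modules assumed to fail.
    Returns (granted, modules_run)."""
    failing = set(failing) | ALWAYS_FAIL
    required_failed = False
    ran = []
    for control, module in stack:
        ran.append(module)
        ok = module not in failing
        if control == "requisite" and not ok:
            return False, ran           # failure ends the stack immediately
        if control == "required" and not ok:
            required_failed = True      # remembered, but the stack continues
        if control == "sufficient" and ok and not required_failed:
            return True, ran            # success ends the stack immediately
        # optional (and a failed sufficient) does not decide the outcome here
    return not required_failed, ran


if __name__ == "__main__":
    stack = parse_stack(SSHD_AUTH)
    for failing in ({"pam_otpw.so"}, {"pam_otpw.so", "pam_exec.so"}, {"pam_ldap.so"}):
        print(sorted(failing), "->", evaluate(stack, failing))
```

With this stack a login is granted only when pam_ldap succeeds and one of the two sufficient modules succeeds; pam_deny.so is what turns "neither second factor succeeded" into a failure.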


