[FreeNX-kNX] Re: getting nx to work with non-standard PAM setup
chris at ccburton.com
Thu Jan 27 20:01:16 UTC 2011
Alex Aminoff <aminoff at nber.org> wrote on 27/01/2011 16:54:33:
> Hi folks. We are trying to get NX to work with a non-standard setup. To
'lo
> log in the user, ssh is calling PAM, which calls a module that rings the
> user's phone and waits for a given key to be pressed. We would also
> like to be able to use otpw as an alternative second factor for
> authentication.
>
> The problem we are getting seems to be that the user's password is not
> sent because PAM is doing something other than expected. The following is
> from nxserver.log with loglevel 6:
>
> HELLO NXSERVER - Version 3.2.0-74-SVN OS (GPL, using backend: 3.3.0)
> NX> 105 hello NXCLIENT - Version 3.2.0
> NX> 134 Accepted protocol: 3.2.0
> NX> 105 SET SHELL_MODE SHELL
> NX> 105 SET AUTH_MODE PASSWORD
> NX> 105 login
> NX> 101 User: aminoff
> NX> 102 Password:
> Info: Auth method: ssh This server requires two-factor authentication.
> Enter your unix password, then either use otpw or phone authentication.
> Press
It stops here on "Press" because you have a # in pam.d/ssh which
comments out the rest of the line.
Change it to \#
> Password:
> Info: Closing connection to slave with pid 7902.
>
> NX> 404 ERROR: wrong password or login
Have you checked if the account and password are OK ???
> NX> 999 Bye
>
> Uncommented lines in our node.conf:
>
> ENABLE_SLAVE_MODE="1"
> NX_LOG_LEVEL=6
> NX_LOG_SECURE=0
> NX_LOGFILE=/var/log/nxserver.log
>
> We realize that OTPW will be a problem because then we would need an
> additional prompt on the client side, so for testing we are using an
> account that does not have OTPW set up: pam_otpw just silently fails.
>
> Here is an excerpt from our pam.d/sshd:
>
> #%PAM-1.0
> auth required pam_sepermit.so
> auth required pam_env.so
> auth optional pam_echo.so This server requires two-factor
> authentication. Enter your unix password, then either use otpw or phone
> authentication. Press # on your phone when you hear the ding.
Here's the bit you need to \# with. The users still won't see it in the
NX client though.
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth requisite pam_ldap.so try_first_pass debug
> auth sufficient pam_otpw.so debug
> auth sufficient pam_exec.so debug log=/var/log/pam_phone.log
> /etc/cvslocal/perlscript/pam_phone
> auth required pam_deny.so
>
> Basically, my question is, can NX be made to support any arbitrary
> communications/prompts that ssh sends? If it does not do so now, we
> would
The logging in of the user to FreeNX is done with an "expect" script which
you can test yourself,
eg run:-
/usr/bin/nxnode-login ssh aminoff 22 /usr/bin/nxnode --check
The script waits with NO prompt for you to enter your password.
The expect script "while {1}s" around a loop until it sees a string
which matches for a fail or a success, so your string shouldn't
cause it any problems.
My guess is something else is wrong, maybe the password,
maybe something else in pam.d.
If you try that we'll see.
> be willing to pay NoMachine a bit to have them implement it. Does that
> seem sensible?
Not really. Nomachine don't have anything to do with FreeNX.
In fact nomachine seem to be a bit annoyed with the proliferation of
Open Source nxagent launchers, which seem to be getting associated
with them, so much so that the next version of the nx libraries and
Xserver (nxagent) won't be Open Source.
I suspect X is on its way out now anyway though.
> - Alex Aminoff