[FreeNX-kNX] Re: getting nx to work with non-standard PAM setup

Chris Fanning christopher.fanning at gmail.com
Fri Jan 28 08:09:44 UTC 2011


Hi,

Here are some old notes I made when I set up PAM with freenx
http://gatopelao.org/cmsimple/?desktop_image:pam_script

There's an example of the stack in /etc/pam.d/ssh but you'll probably have
to play around with it to get it going.

In the example it mounts samba shares in pam_script_ses_open, but once
you've got the stack working, you can put anything in there.

Hope this helps,
Chris.


On Thu, Jan 27, 2011 at 9:01 PM, <chris at ccburton.com> wrote:

>
> Alex Aminoff <aminoff at nber.org> wrote on 27/01/2011 16:54:33:
>
> > Hi folks. We are trying to get NX to work with a non-standard setup. To
>
> 'lo
>
> > log in the user, ssh is calling PAM, which calls a module that rings the
> > user's phone and waits for a given key to be pressed. We would also
> > like to be able to use otpw as an alternative second factor for
> > authentication.
> >
> > The problem we are getting seems to be that the user's password is not
> > sent because PAM is doing something other than expected. The following is
> > from nxserver.log with loglevel 6:
> >
> > HELLO NXSERVER - Version 3.2.0-74-SVN OS (GPL, using backend: 3.3.0)
> > NX> 105 hello NXCLIENT - Version 3.2.0
> > NX> 134 Accepted protocol: 3.2.0
> > NX> 105 SET SHELL_MODE SHELL
> > NX> 105 SET AUTH_MODE PASSWORD
> > NX> 105 login
> > NX> 101 User: aminoff
> > NX> 102 Password:
> > Info: Auth method: ssh This server requires two-factor authentication.
> > Enter your unix password, then either use otpw or phone authentication.
> > Press
>
> It stops here on "Press" because you have a # in pam.d/ssh which
> comments out the rest of the line.
>
> Change it to \#
>
> > Password:
> > Info: Closing connection to slave with pid 7902.
> >
> > NX> 404 ERROR: wrong password or login
>
> Have you checked if the account and password are OK ???
>
> > NX> 999 Bye
> >
> > Uncommented lines in our node.conf:
> >
> > ENABLE_SLAVE_MODE="1"
> > NX_LOG_LEVEL=6
> > NX_LOG_SECURE=0
> > NX_LOGFILE=/var/log/nxserver.log
> >
> > We realize that OTPW will be a problem because then we would need an
> > additional prompt on the client side, so for testing we are using an
> > account that does not have OTPW set up: pam_otpw just silently fails.
> >
> > Here is an excerpt from our pam.d/sshd:
> >
> > #%PAM-1.0
> > auth       required     pam_sepermit.so
> > auth       required     pam_env.so
> > auth       optional     pam_echo.so This server requires two-factor authentication. Enter your unix password, then either use otpw or phone authentication. Press # on your phone when you hear the ding.
>
> Here's the bit you need to \# with. The users still won't see it in the
> NX client though.
>
> > auth       requisite    pam_succeed_if.so uid >= 500 quiet
> > auth       requisite    pam_ldap.so try_first_pass debug
> > auth       sufficient   pam_otpw.so debug
> > auth       sufficient   pam_exec.so debug log=/var/log/pam_phone.log /etc/cvslocal/perlscript/pam_phone
> > auth       required     pam_deny.so
> >
> > Basically, my question is, can NX be made to support any arbitrary
> > communications/prompts that ssh sends? If it does not do so now, we would
>
>
> The logging in of the user to FreeNX is done with an "expect" script which
> you can test yourself,
>
> eg  run:-
>
>      /usr/bin/nxnode-login ssh aminoff 22 /usr/bin/nxnode --check
>
> The script waits with NO prompt for you to enter your password.
>
>
> The expect script "while {1}s" around a loop until it sees a string
> which matches for a fail or a success, so your string shouldn't
> cause it any problems.
>
> My guess is something else is wrong, maybe the password,
> maybe something else in pam.d.
>
> If you try that we'll see.
>
> > be willing to pay NoMachine a bit to have them implement it. Does that
> > seem sensible?
>
> Not really. NoMachine don't have anything to do with FreeNX.
>
> In fact NoMachine seem to be a bit annoyed with the proliferation of
> Open Source nxagent launchers, which seem to be getting associated
> with them, so much so that the next version of the nx libraries and
> Xserver (nxagent) won't be Open Source.
>
> I suspect X is on its way out now anyway though.
>
> >    - Alex Aminoff
>
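
The truncation discussed in this thread, as an added example (not code from the thread or from FreeNX): a small Python check that reports pam.d rule lines where an inline `#` cuts off the module arguments. The sample is the quoted sshd excerpt with the mail wrapping undone; treating `\#` as an escape follows the reply above and is an assumption, as are the function names.

```python
import re

# Excerpt of the pam.d/sshd file quoted in the thread, with the mail client's
# line wrapping undone (each rule is one physical line in the real file).
SAMPLE = """\
#%PAM-1.0
auth       required     pam_env.so
auth       optional     pam_echo.so This server requires two-factor authentication. Enter your unix password, then either use otpw or phone authentication. Press # on your phone when you hear the ding.
auth       requisite    pam_ldap.so try_first_pass debug
auth       sufficient   pam_exec.so debug log=/var/log/pam_phone.log /etc/cvslocal/perlscript/pam_phone
auth       required     pam_deny.so
"""

# Assumption taken from the reply in the thread: a '#' preceded by a
# backslash is not treated as the start of a comment.
UNESCAPED_HASH = re.compile(r"(?<!\\)#")


def effective_rule(line):
    """Split one line into (text kept as the rule, text dropped as comment)."""
    m = UNESCAPED_HASH.search(line)
    if m is None:
        return line.rstrip(), ""
    return line[:m.start()].rstrip(), line[m.start():].rstrip()


def find_truncated_rules(text):
    """Return (lineno, module, kept, dropped) for rules cut short by a '#'.

    Full-line comments are ignored. The module name is read as the third
    field, which holds for simple controls such as 'required' or 'optional'.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        kept, dropped = effective_rule(line)
        if kept.strip() and dropped:
            fields = kept.split(None, 3)
            module = fields[2] if len(fields) > 2 else "?"
            findings.append((lineno, module, kept, dropped))
    return findings


if __name__ == "__main__":
    for lineno, module, kept, dropped in find_truncated_rules(SAMPLE):
        print(f"line {lineno}: {module} arguments end at {kept[-30:]!r}")
        print(f"  dropped as comment: {dropped!r}")
```

The same cut applies to any module's arguments, so an option written after a `#` on a rule line is never passed to the module.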