[FreeNX-kNX] freenx ssh key question on CENTOS 5.8

chris at ccburton.com chris at ccburton.com
Wed May 9 12:24:18 UTC 2012


OOOPS - in too much of a hurry 


If you ever need to change your keys manually :- 
 


To replace just the PASSDB "ssh to localhost key"
if it gets compromised :-

as user nx
export $(grep ^NX_ETC_DIR /usr/bin/nxloadconfig) 

/usr/bin/ssh-keygen -f $NX_ETC_DIR/users.id_dsa -t dsa -N "" 
chown nx:root $NX_ETC_DIR/users.id_dsa $NX_ETC_DIR/local.id_dsa.pub

This will save you having to update all your nxclients.



To manually replace the other key pair for user nx "tunnel"
without just running nxsetup is a bit more involved :-


as user nx
export $(grep ^NX_HOME_DIR /usr/bin/nxloadconfig)
export $(grep ^NX_ETC_DIR /usr/bin/nxloadconfig)

/usr/bin/ssh-keygen -q -t dsa -N '' -f $NX_ETC_DIR/local.id_dsa

mv $NX_ETC_DIR/local.id_dsa     $NX_ETC_DIR/client.id_dsa.key
mv $NX_ETC_DIR/local.id_dsa.pub $NX_ETC_DIR/server.id_dsa.pub.key

chmod 600     $NX_ETC_DIR/client.id_dsa.key $NX_ETC_DIR/server.id_dsa.pub.key
chown nx:root $NX_ETC_DIR/client.id_dsa.key $NX_ETC_DIR/server.id_dsa.pub.key

cp -f $NX_ETC_DIR/client.id_dsa.key $NX_HOME_DIR/.ssh/client.id_dsa.key
cp -f $NX_ETC_DIR/server.id_dsa.pub.key $NX_HOME_DIR/.ssh/server.id_dsa.pub.key
chmod 600 $NX_HOME_DIR/.ssh/client.id_dsa.key $NX_HOME_DIR/.ssh/server.id_dsa.pub.key

echo -n "127.0.0.1 " > $NX_HOME_DIR/.ssh/known_hosts
cat /etc/ssh/ssh_host_rsa_key.pub >> $NX_HOME_DIR/.ssh/known_hosts
chmod 644 $NX_HOME_DIR/.ssh/known_hosts
chown nx:root $NX_HOME_DIR/.ssh/known_hosts

echo -n "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command=\"/usr/bin/nxserver\" " > $NX_HOME_DIR/.ssh/authorized_keys2
cat $NX_HOME_DIR/.ssh/server.id_dsa.pub.key >> $NX_HOME_DIR/.ssh/authorized_keys2

chmod 640 $NX_HOME_DIR/.ssh/authorized_keys2



then replace the key in all your nxclients . . . . 



So if I was you I think I'd just uninstall the rpm

delete/rename all these files else you won't get new keys

        $NX_ETC_DIR/users.id_dsa
        $NX_ETC_DIR/client.id_dsa.key
        $NX_ETC_DIR/server.id_dsa.pub.key

        $NX_HOME_DIR/.ssh/client.id_dsa.key
        $NX_HOME_DIR/.ssh/server.id_dsa.pub.key

then reinstall . . .

Then replace the keys in all your nxclients
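
Added example, not part of the original post: a check to run after the manual swap, confirming that every key in the nx user's authorized_keys2 still carries the forced-command restrictions written by the echo above, and that the file is not group- or world-writable (sshd StrictModes rejects such a file). The function name and the expected-options variable are made up for this example.

```bash
#!/usr/bin/env bash
# Assumption: the only acceptable options string is the one from the post.
NX_EXPECTED_OPTS='no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/bin/nxserver"'

# check_nx_authkeys FILE
# Returns 0 if every key line is restricted as expected, 1 on any finding,
# 2 if the file cannot be read. Findings are printed to stdout.
check_nx_authkeys() {
    local file="$1" line opts rest n=0 keys=0 bad=0
    [ -r "$file" ] || { echo "unreadable: $file"; return 2; }

    # Mode 640 from the post passes; group or other write bits do not.
    if [ -n "$(find "$file" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "$file is group- or world-writable"; bad=1
    fi

    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac
        keys=$((keys + 1))
        # The expected options contain no spaces, so the options field
        # must be everything up to the first space on the line.
        opts=${line%% *}
        rest=${line#* }
        if [ "$opts" != "$NX_EXPECTED_OPTS" ]; then
            echo "line $n: unexpected options field '$opts'"; bad=1
        fi
        # A key type (ssh-dss for the DSA key in the post) must follow directly.
        case $rest in
            ssh-*\ ?*) ;;
            *) echo "line $n: no key type directly after the options"; bad=1 ;;
        esac
    done < "$file"

    [ "$keys" -gt 0 ] || { echo "no keys found in $file"; return 1; }
    return "$bad"
}

# Stand-alone use: pass the path to authorized_keys2 as the first argument.
if [ "$#" -gt 0 ]; then check_nx_authkeys "$1"; fi
```

A line written with whitespace inside the options string (for example from a wrapped echo) or a bare key with no command= restriction is reported with its line number.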
