[FreeNX-kNX] freenx ssh key question on CENTOS 5.8

chris at ccburton.com chris at ccburton.com
Wed May 9 13:53:17 UTC 2012


freenx-knx-bounces at kde.org wrote on 09/05/2012 13:24:18:


Still not got all of it.

 
> To replace just the PASSDB "ssh to localhost key" 
> if it gets compromised :- 
> 
> as user nx 
> export $(grep ^NX_ETC_DIR /usr/bin/nxloadconfig) 
> 
> /usr/bin/ssh-keygen -f $NX_ETC_DIR/users.id_dsa -t dsa -N "" 
> chown nx:root $NX_ETC_DIR/users.id_dsa $NX_ETC_DIR/local.id_dsa.pub 
> 
> This will save you having to update all your nxclients. 


OK, that replaces the PASSDB keys

but to actually change the PASSDB keys in use

you then have to run

        nxserver --adduser

again on ALL your PASSDB users because

adduser ADDS the

         local.id_dsa.pub

key to all the user's

         ~/.ssh/authorized_keys2

files.




passdb_add_user()
{
        [SNIP]
        # nxserver hands the user over to nxnode, which appends the key
        su - $PASSDB_CHUSER -c "$PATH_BIN/nxnode --setkey"

 --setkey)
                [SNIP]
                # nxnode case branch: appends the public key to the user's file
                cat $NX_ETC_DIR/users.id_dsa.pub >> $HOME/.ssh/$SSH_AUTHORIZED_KEYS

HOME being the user's home directory



BUT

there is no automated way of removing them
so
if you think you have a compromised

        $NX_ETC_DIR/users.id_dsa

file,
which will
allow an intruder to "ssh -i keyfile" in to your server
as
any user set up for PASSDB with local.id_dsa.pub in their

        ~/.ssh/authorized_keys2

you then have to remove the old key manually from all
their authorized_keys2 files.

None of this messy stuff appears in the documentation.



I don't like the sound of PASSDB at all
and
the fact that CentOS (no nxsetup) won't overwrite the
user nx key files without them being deleted sounds
a bit of an issue too . . .

I wonder how many people have re-installed thinking
that they then have a nice new setup . . .

nxsetup --install just overwrites the nx user key files
but
even that won't replace users.id_dsa without a --purge

I think I'll stick with ssh + ssh password

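The manual clean-up the post describes (pulling the old PASSDB key out of every user's authorized_keys2), as an added example that is not from the FreeNX project or the post's author. It is a POSIX sh function that revokes one public key from an authorized_keys2 file by matching the base64 key blob rather than the comment, plus a loop over home directories; it assumes you saved a copy of the old users.id_dsa.pub before ssh-keygen replaced it, and the paths and key lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not FreeNX code. Revoke one public key from an
# authorized_keys2 file. $1 = saved copy of the OLD public key
# (assumed to exist), $2 = the authorized_keys2 file to clean.
revoke_pubkey() {
    oldkey_file=$1
    auth_file=$2
    # Field 2 of "ssh-dss AAAA... comment" is the base64 key blob; the
    # comment can be anything, so match on the blob only.
    blob=$(awk '{print $2}' "$oldkey_file")
    [ -n "$blob" ] || return 2
    [ -f "$auth_file" ] || return 0   # user never had the file: nothing to do
    tmp="$auth_file.tmp.$$"
    # cp -p keeps the mode (and owner when run as root); sshd refuses
    # group/world-writable key files, so do not let the mode change.
    cp -p "$auth_file" "$tmp"
    # Keep every line whose fields do not contain the old blob. Lines with
    # leading options (from=...,no-pty ssh-dss AAAA...) carry the blob in a
    # later field, so every field is checked rather than a fixed column.
    awk -v blob="$blob" \
        '{ keep=1; for (i=1;i<=NF;i++) if ($i==blob) keep=0 } keep' \
        "$auth_file" > "$tmp"
    mv "$tmp" "$auth_file"
}

# Run revoke_pubkey over the authorized_keys2 of each home directory given.
# $1 = old public key file, remaining args = home directories.
revoke_pubkey_all() {
    old=$1
    shift
    for home in "$@"; do
        revoke_pubkey "$old" "$home/.ssh/authorized_keys2"
    done
}

# Count lines in $2 that still carry blob $1 (used to verify the result).
count_blob() {
    awk -v blob="$1" \
        '{ for (i=1;i<=NF;i++) if ($i==blob) n++ } END { print n+0 }' "$2"
}
```

After the clean-up, run nxserver --adduser again for each PASSDB user so the new key is the only nx key present.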
