[FreeNX-kNX] preventing data transfers over SSH, yet still allow NX sessions.

Marco Passerini marco.passerini at csc.fi
Thu Aug 1 09:12:30 UTC 2013


Hi, 

Replying to an old post...
If you're using FreeNX you can set up the following:
ENABLE_SU_AUTHENTICATION="1" 

Then you should edit /etc/ssh/sshd_config and add the following string: AllowGroups sshadm 
sshadm:x:90:root,nx 

This means that users can use the shared key to log into the server as the "nx" user, and then NX will "su" to their user.
Users will however not be able to ssh into the server with their account. 
They can still log into the server as the "nx" user via ssh, but they would not get a usable shell (only the internal nx shell). 


Unfortunately I'm right now in the situation where we bought a licence for the commercial NoMachine NX server, and it seems that the "su authentication" feature is not enabled there, so I don't know how to prevent user logins to the server via ssh.



----- Original Message -----

From: "Mark Christian" <MCHRISTI at altera.com> 
To: "freenx-knx at kde.org" <freenx-knx at kde.org> 
Sent: Friday, 1 February, 2013 7:41:20 PM 
Subject: [FreeNX-kNX] preventing data transfers over SSH, yet still allow NX sessions. 


I was wondering if it is possible to configure sshd_config, possibly using the ForceCommand keyword, to prevent arbitrary command execution/data transfers on the same host which is providing the NX sessions. For example I can configure sshd_config with: 

ForceCommand /bin/bash 

...which subsequently prevents scp, rsync over ssh, and even something like "ssh remoteHost 'cat /etc/passwd'", but still allows interactive ssh sessions with a bash shell.

Does anyone have any ideas on how I can provide NX sessions to a remoteHost, yet prevent any data transfers to/from that sameHost over ssh? Using the example above can I ForceCommand the NX tunneling bits, and if so what are they? Or can NX be configured not to use ssh? 

Thank you for your time. 

Mark Christian 
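
A check for the AllowGroups setup described in the reply above, as an added example that is not part of either message: it lists which accounts sshd's group filter would still admit, counting each user's primary group as well as the member list in /etc/group. The passwd entries, the users alice and bob, and the nx home and shell paths are constructed assumptions; Match blocks are not evaluated.

```python
import fnmatch

# Constructed sample data mirroring the thread's setup (not from a real host).
SSHD_CONFIG = "# excerpt\nPort 22\nAllowGroups sshadm\n"
GROUP = "root:x:0:\nsshadm:x:90:root,nx\nnx:x:498:\nusers:x:100:alice,bob\n"
PASSWD = (
    "root:x:0:0::/root:/bin/bash\n"
    "nx:x:498:498::/var/lib/nxserver/home:/usr/bin/nxserver\n"  # paths assumed
    "alice:x:1000:100::/home/alice:/bin/bash\n"
    "bob:x:1001:90::/home/bob:/bin/bash\n"  # primary gid 90 is sshadm
)

def allow_group_patterns(sshd_config):
    """Collect the patterns of every global AllowGroups line."""
    patterns = []
    for line in sshd_config.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0].lower() == "allowgroups":  # keywords are case-insensitive
            patterns += words[1:]
    return patterns

def groups_of(user, passwd, group):
    """Names of the user's primary and supplementary groups."""
    gid_to_name, names = {}, set()
    for entry in group.splitlines():
        name, _, gid, members = entry.split(":")
        gid_to_name[gid] = name
        if user in members.split(","):
            names.add(name)
    for entry in passwd.splitlines():
        fields = entry.split(":")
        if fields[0] == user and fields[3] in gid_to_name:
            names.add(gid_to_name[fields[3]])  # primary group counts too
    return names

def ssh_allowed_users(sshd_config, passwd, group):
    """Accounts that pass the AllowGroups filter (all, if it is unset)."""
    patterns = allow_group_patterns(sshd_config)
    users = [entry.split(":")[0] for entry in passwd.splitlines()]
    if not patterns:
        return sorted(users)
    # fnmatch approximates sshd's '*' and '?' pattern wildcards.
    return sorted(u for u in users
                  if any(fnmatch.fnmatchcase(g, p)
                         for g in groups_of(u, passwd, group) for p in patterns))

if __name__ == "__main__":
    print(ssh_allowed_users(SSHD_CONFIG, PASSWD, GROUP))
```

In the sample data, bob passes the filter only because his primary gid is 90, although he is not in the sshadm member list.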
