[FreeNX-kNX] preventing data transfers over SSH, yet still allow NX sessions.

Chris chris at ccburton.com
Thu Aug 1 14:03:53 UTC 2013


freenx-knx-bounces at kde.org wrote on 01/08/2013 14:14:39:

> Hi,
> 
> Maybe I found a better way, at least for my case. I edited 
> /etc/ssh/sshd_config with these fields:
> 
> PermitRootLogin without-password

Hmm, your choice, but I think root should never log in.

> PasswordAuthentication no
> Match Address 127.0.0.1
>     PasswordAuthentication yes
> 
> In this way I allow password-authentication only from localhost (so 
> from the nx shell), and key-based authentication from the outside.
> I'm providing to the users a very limited Fluxbox-based graphical 
> interface and I'm not going to give them access to the local shell. 
> In this way they aren't going to be able to copy their ssh keys locally.
 
I haven't ever bothered moving over to "match address"
        (call me over cautious if you wish)
but it certainly saves having two sets of config files and startup 
scripts. 

If I was you I'd keep any match(es) right at the end of the
sshd_config file.

Watch out for them emailing themselves . . . . 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/freenx-knx/attachments/20130801/cd05b4a1/attachment.html>


More information about the FreeNX-kNX mailing list