[FreeNX-kNX] preventing data transfers over SSH, yet still allow NX sessions.

Marco Passerini marco.passerini at csc.fi
Fri Aug 2 09:25:55 UTC 2013


In fact I did a few more tests, but I couldn't get the "match" configuration working. 

It seems to work like this: 

1) the user authenticates via SSH with identity "nx" and the DSA key from his IP 
2) the user then authenticates via SSH with his account and password, coming this time from localhost ===> I thought this would work with only his password, without public keys ==> but for some reason it seems like there's still public key authentication going on, and it does not work for users who don't have their public key in the authorized_keys of their home 

I can't figure out why it goes like this, but then I decided to try with a double SSH daemon, and that works fine, it seems. 




----- Original Message -----

From: "Chris" <chris at ccburton.com> 
To: "User Support for FreeNX Server and kNX Client" <freenx-knx at kde.org> 
Sent: Thursday, 1 August, 2013 5:03:53 PM 
Subject: Re: [FreeNX-kNX] preventing data transfers over SSH, yet still allow NX sessions. 


freenx-knx-bounces at kde.org wrote on 01/08/2013 14:14:39: 

> Hi, 
> 
> Maybe I found a better way, at least for my case. I edited 
> /etc/ssh/sshd_config with these fields: 
> 
> PermitRootLogin without-password 

Hmm, your choice, but I think root should never log in. 

> PasswordAuthentication no 
> Match Address 127.0.0.1 
> PasswordAuthentication yes 
> 
> In this way I allow password-authentication only from localhost (so 
> from the nx shell), and key-based authentication from the outside. 
> I'm providing to the users a very limited Fluxbox-based graphical 
> interface and I'm not going to give them access to the local shell. 
> In this way they aren't going to be able to copy their ssh keys locally. 

I haven't ever bothered moving over to "match address" 
(call me over cautious if you wish) 
but it certainly saves having two sets of config files and startup scripts. 

If I was you I'd keep any match(es) right at the end of the 
sshd_config file. 

Watch out for them emailing themselves . . . . 

________________________________________________________________ 
Were you helped on this list with your FreeNX problem? 
Then please write up the solution in the FreeNX Wiki/FAQ: 

http://openfacts2.berlios.de/wikien/index.php/BerliosProject:FreeNX_-_FAQ 

Don't forget to check the NX Knowledge Base: 
http://www.nomachine.com/kb/ 

________________________________________________________________ 
FreeNX-kNX mailing list --- FreeNX-kNX at kde.org 
https://mail.kde.org/mailman/listinfo/freenx-knx 
________________________________________________________________ 
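
A simplified model of how sshd scopes `Match Address` blocks, added here as an example (not code from the thread or from OpenSSH). It handles only plain addresses and CIDR patterns, and the `X11Forwarding` line in the sample is an assumption added to show why a Match block belongs at the end of the file.

```python
import ipaddress

# Constructed sample: the settings quoted in the thread, plus one directive
# (X11Forwarding, added here for illustration) placed after the Match block.
SAMPLE = """\
PasswordAuthentication no
Match Address 127.0.0.1
    PasswordAuthentication yes
X11Forwarding no
"""

def parse(text):
    """Return (global settings, [(address patterns, block settings), ...])."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        key, value = key.lower(), value.strip()
        if key == "match":
            criterion, _, patterns = value.partition(" ")
            if criterion.lower() != "address":
                raise ValueError("only 'Match Address' is modelled")
            current = {}
            blocks.append((patterns.strip().split(","), current))
        else:
            # Every line after a Match belongs to it until the next Match or
            # end of file; within a scope the first value obtained is kept.
            (global_opts if current is None else current).setdefault(key, value)
    return global_opts, blocks

def effective(text, client_addr):
    """Settings that apply to a connection arriving from client_addr."""
    global_opts, blocks = parse(text)
    addr = ipaddress.ip_address(client_addr)
    result, overridden = dict(global_opts), set()
    for patterns, opts in blocks:
        if any(addr in ipaddress.ip_network(p, strict=False) for p in patterns):
            for key, value in opts.items():
                if key not in overridden:  # first matching block wins
                    result[key] = value
                    overridden.add(key)
    return result

if __name__ == "__main__":
    for src in ("127.0.0.1", "::1", "203.0.113.7"):
        print(src, effective(SAMPLE, src))
```

On a real server, `sshd -T -C user=<name>,host=localhost,addr=127.0.0.1` prints the effective settings for a given connection, which is the direct way to check what a Match block actually changes.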
