[FreeNX-kNX] FreeNX CentOS Permission denied (publickey, gssapi-keyex, gssapi-with-mic)

chris at ccburton.com chris at ccburton.com
Thu Jul 25 11:16:20 UTC 2013


freenx-knx-bounces at kde.org wrote on 25/07/2013 09:41:24:

> On Wed, Jul 24, 2013 at 9:28 PM, OwN-3m-All <own3mall at gmail.com> wrote:
> 
> >
> > Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
> > NX> 280 Exiting on signal: 15
> >
> > The client itself shows "Downloading the session information" and then
> > states "The NX service is not available or the NX access was disabled on
> > host <IP>"
> >
> > I am able to ssh into the server just fine through a normal terminal when
> > using my key.  Does anyone have any idea why the session will not start up?
> > I have verified permissions on the authorized_keys2 files and made sure the
> > public key information was added to this file in both
> > /var/lib/nxserver/home/.ssh and ~/.ssh
> >
> > Service freenx-server status shows NXServer is running.
> 
> Please try following the instructions in this CentOS wiki article:
> 
> http://wiki.centos.org/HowTos/FreeNX
> 
> Pay attention to the setup involving the "key-based authentication".
> 
> Akemi


. . .  but don't forget that 

        PASSDB  authentication setup

adds the FreeNX-user-publickey (typically /etc/nxserver/users.id_dsa.pub)
to
        each "set up" FreeNX user's ~/.ssh/authorized_keys
so
        anyone who gets hold of the private key (/etc/nxserver/users.id_dsa)
can
        connect as any user who has been set up in PASSDB
even
         if they are later removed
because
even
        uninstalling FreeNX
        doesn't remove the entries in users ~/.ssh/authorized_keys

(This is another FreeNX not-quite-finished-ism)

These entries need to be removed manually.

This is not mentioned in the documentation.



NOTE also
The private key in question is owned by user nx not by root
which user
        has its private key in every nxclient
and
        is only protected by restrictions in its own authorized_keys2 file
i.e.
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/bin/nxserver"



And
        you still need a password to use FreeNX
and
        you now have TWO password databases to maintain.


IMNSHO running
         two sshd/sshd_config
is the safest and simplest method to avoid
user PasswordAuthentication from outside the machine . . .
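
The manual cleanup described in this message, sketched as an added example (not part of the original post and not FreeNX tooling): it finds authorized_keys files that still trust the FreeNX users key and strips that entry. The function names are hypothetical, the key path is the one given in the message, and the script assumes it is run as root.

```shell
#!/bin/sh
# Added example (not from the post or from FreeNX). Function names are hypothetical.
# Matching is on the base64 key blob, so option prefixes and comments do not matter.

# key_blob PUBKEY: print the base64 blob (2nd field) of a one-line public key file.
key_blob() {
    awk 'NF >= 2 { print $2; exit }' "$1"
}

# find_stale PUBKEY FILE...: print each existing FILE that still trusts PUBKEY.
find_stale() {
    fs_blob=$(key_blob "$1") || return 2
    [ -n "$fs_blob" ] || return 2
    shift
    for fs_f in "$@"; do
        if [ -f "$fs_f" ] && grep -qF -- "$fs_blob" "$fs_f"; then
            printf '%s\n' "$fs_f"
        fi
    done
    return 0
}

# remove_stale PUBKEY FILE: drop PUBKEY's lines from FILE, keeping FILE.bak.
# Rewrites in place so owner and mode are unchanged (sshd's StrictModes checks them).
remove_stale() {
    rs_blob=$(key_blob "$1") || return 2
    [ -n "$rs_blob" ] || return 2
    cp -p "$2" "$2.bak" || return 1
    rs_rc=0
    # grep -v exits 1 when nothing is left (the file held only this key): not an error.
    grep -vF -- "$rs_blob" "$2.bak" > "$2" || rs_rc=$?
    [ "$rs_rc" -le 1 ]
}

# audit_all_homes PUBKEY: read-only sweep of every home directory in passwd.
audit_all_homes() {
    getent passwd | cut -d: -f6 | sort -u | while IFS= read -r ah_home; do
        find_stale "$1" "$ah_home/.ssh/authorized_keys" "$ah_home/.ssh/authorized_keys2"
    done
}

# Typical use, as root (key path as given in the post; /home/alice is a constructed name):
#   audit_all_homes /etc/nxserver/users.id_dsa.pub
#   remove_stale /etc/nxserver/users.id_dsa.pub /home/alice/.ssh/authorized_keys
```

The `.bak` copy still contains the removed entry, so delete it once the result has been checked.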





