[FreeNX-kNX] FreeNX CentOS Permission denied (publickey, gssapi-keyex, gssapi-with-mic)

Akemi Yagi amyagi at gmail.com
Thu Jul 25 16:34:44 UTC 2013


On Thu, Jul 25, 2013 at 4:16 AM,  <chris at ccburton.com> wrote:

> http://wiki.centos.org/HowTos/FreeNX
>
>>
>> Pay attention to the setup involving the "key-based authentication".
>
> . . .  but don't forget that
>
>         PASSDB  authentication setup
>
> adds the FreeNX-user-publickey (typically /etc/nxserver/users.id_dsa.pub)
> to
>         each "set up" FreeNX user's ~/.ssh/authorized_keys
> so
>         anyone who gets hold of the private key (/etc/nxserver/users.id_dsa)
> can
>         connect as any user who has been set up in PASSDB
> even
>          if they are later removed
> because
> even
>         uninstalling FreeNX
>         doesn't remove the entries in users ~/.ssh/authorized_keys
>
> (This is another FreeNX not-quite-finished-ism)
>
> These entries need to be removed manually.
>
> This is not mentioned in the documentation.
>
> NOTE also
> The private key in question is owned by user nx not by root
> which user
>         has its private key in every nxclient
> and
>         is only protected by restrictions in its own authorized_keys2 file
> i.e.
> no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/bin/nxserver"
>
> And
>         you still need a password to use FreeNX
> and
>         you now have TWO password databases to maintain.
>
> IMNSHO running
>          two sshd/sshd_config
> is the safest and simplest method to avoid
> user PasswordAuthentication from outside the machine . . .

Thanks, Chris, for your notes. That particular section was added by
someone and later "amended" by yet another person. In my brief test,
it "worked" so did not look at the setup in more detail. I will
contact them and make sure we get things right.

Akemi
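
The manual cleanup described in the quoted notes, sketched as an added example (not part of either message and not FreeNX's own tooling): it looks for the FreeNX user public key in each account's authorized_keys and can strip the matching lines. The function names are hypothetical, and the default key path is the "typical" one quoted above.

```shell
#!/bin/sh
# Added example: find and remove a leftover FreeNX user key in authorized_keys.
# Function names are hypothetical; the default path is the one quoted above.

# Print the base64 blob (second field) of a one-line OpenSSH public key file.
key_blob() {
    awk 'NF >= 2 && $1 !~ /^#/ { print $2; exit }' "$1"
}

# Exit 0 if authorized_keys file $2 has a line carrying the key from $1.
# The blob is compared as a whole field, so option prefixes do not matter.
has_key() {
    blob=$(key_blob "$1")
    [ -n "$blob" ] || return 2
    awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) hit = 1 }
        END { exit !hit }' "$2"
}

# Drop every line of $2 carrying that key. A copy is kept as $2.bak and the
# file is rewritten in place so its owner and mode stay as sshd expects.
strip_key() {
    blob=$(key_blob "$1")
    [ -n "$blob" ] || return 2
    tmp=$(mktemp) || return 1
    awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) next; print }' \
        "$2" > "$tmp" && cp -p "$2" "$2.bak" && cat "$tmp" > "$2"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# List every authorized_keys file under a passwd home that still has the key.
audit_all() {
    pub=${1:-/etc/nxserver/users.id_dsa.pub}
    getent passwd | cut -d: -f6 | sort -u | while read -r home; do
        for f in "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys2"; do
            if [ -f "$f" ] && has_key "$pub" "$f"; then echo "$f"; fi
        done
    done
}
```

`audit_all` only reports; `strip_key` is then run per file on the accounts that should no longer be reachable with that key.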


