[FreeNX-kNX] FreeNX CentOS Permission denied (publickey, gssapi-keyex, gssapi-with-mic)

chris at ccburton.com chris at ccburton.com
Thu Jul 25 18:28:48 UTC 2013


> I did go over the documentation here, but I still have problems:
> 
> http://wiki.centos.org/HowTos/FreeNX 
> 
> I followed this guide because I wanted to use different keys:
> 
> http://techblog.tgharold.com/2009/01/setting-up-freenxnx-on-centos-5.shtml
> 
> No luck here either.  I still get that message.   My SSHD_Config 
> specifies to allow the user nx and my user.  The authorized_keys2 
> file in /var/lib/nxserver/home/.ssh is owned by nx:root and has 
> chmod of 600.  My user's ~/home/.ssh is owned by user:user and has 
> chmod of 600.  Both authorized_keys2 files have the nxserver public 
> key in them.
> 
> I'm still not sure why it's denying access when I can SSH via 
> terminal using a private key without issue.
> 
> Logs don't seem to contain much either...



I think you're getting mixed up (by the sound of it).

FreeNX sessions are by default set up as follows :-

1/ Initial ssh connection to form a tunnel from nxclient to FreeNX server
as user "nx", using either the default nomachine key pair (already in the
client) or a new one generated by nxkeygen, which requires the nxclient
(private) key to be updated to match the new (public) one added to

        /var/lib/nxserver/home/.ssh/authorized_keys


2/ Once this has happened, the default is to log in as the user via the
"nx" tunnel using the user-name and password entered into the nxclient.

This is carried out by a local ssh on the FreeNX server, i.e. to 127.0.0.1,
using password authentication, which ssh session is then redirected back
along the tunnel to the nxclient.


You can't use your keypair on the server for this login instead of
password authentication because you aren't yet logged into the server at
this stage, only sitting at the far end of a tunnel owned by user nx.


A way round this, called PASSDB, uses a SEPARATE key pair which IS
available to the tunnel set up account, i.e. user nx, which means the
public key of this separate key pair has to be added to your
authorized_keys file, allowing user nx to log in locally over ssh as your
username and redirect that ssh session back down the tunnel to your client.

PASSDB still uses your username and password though to make sure you are
who you say you are, but the separate key isn't removed from your
authorized_keys file and anyone getting into the nx account can use it to
log in as anyone else.

You also now have TWO password databases to keep in sync
        ( or keep out of sync )


The "advantage" of this mess is that the sshd can be set not to have
        PasswordAuthentication yes
which is not a good idea to have enabled if the sshd is accessible from
the Internet, especially on port 22, where you can reliably expect to have
a succession of script kiddies scan you and try a few hundred "common user
name"/"silly password" brute force combos every 15 mins, 24 hours a day.

Try it if you don't believe me.

Either you have to turn off logging from sshd or see the logs full of :-
        Failed password for invalid user pete from a.b.c.d
etc.



A better way in my view is to have ONE sshd on port 22 on your external
interface set to key pair only (no root etc.) and ANOTHER sshd listening
only on 127.0.0.1 localhost set to
        PasswordAuthentication yes

You can filter usage with
         AllowGroups freenxusers admins



You seem to have neither PASSDB set up nor your sshd accepting
PasswordAuthentication, which would explain your error messages.

What exactly have you done?

Maybe you could sanitize your sshd_config and node.conf and send them
over . . .
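As an added illustration of the two-daemon layout described in the reply (example code, not from the post or the FreeNX project), here is a small checker with constructed sshd_config samples for the key-only external daemon and the loopback daemon; the 127.0.0.1:2222 listener, the group names and the simplified parsing rules are assumptions. It reports whether PasswordAuthentication would be reachable from outside the host.

```python
import ipaddress

# Constructed sample configs (not from the post): the Internet-facing sshd
# on port 22 with keys only, and the loopback sshd FreeNX logs in through.
EXTERNAL_SSHD_CONFIG = """\
Port 22
PasswordAuthentication no
PermitRootLogin no
AllowGroups freenxusers admins
"""

LOOPBACK_SSHD_CONFIG = """\
ListenAddress 127.0.0.1:2222
PasswordAuthentication yes
PermitRootLogin no
AllowGroups freenxusers admins
"""

def parse_sshd_config(text):
    """Global-section {keyword: [values]}; sshd uses a keyword's first value."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, _, value = line.partition(" ")
        if key.lower() == "match":
            break  # lines after Match are conditional, not global
        if key:
            opts.setdefault(key.lower(), []).append(value.strip())
    return opts

def listens_non_loopback(opts):
    """True if the daemon would accept connections from other hosts."""
    for addr in opts.get("listenaddress", ["0.0.0.0"]):  # default binds all
        host = addr[1:addr.index("]")] if addr.startswith("[") else addr
        if host == addr and addr.count(":") == 1:  # host:port (not bare IPv6)
            host = addr.rsplit(":", 1)[0]
        try:
            if not ipaddress.ip_address(host).is_loopback:
                return True
        except ValueError:
            return True  # hostname or wildcard: assume reachable
    return False

def password_auth_exposed(text):
    """True when password logins are reachable from outside the host."""
    opts = parse_sshd_config(text)
    pw = opts.get("passwordauthentication", ["yes"])[0].lower()  # default yes
    return pw == "yes" and listens_non_loopback(opts)
```

Run it against each daemon's config file separately, since each sshd instance is started with its own -f file.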




