[FreeNX-kNX] FreeNX CentOS Permission denied (publickey, gssapi-keyex, gssapi-with-mic)

chris at ccburton.com chris at ccburton.com
Sun Jul 28 11:43:19 UTC 2013


freenx-knx-bounces at kde.org wrote on 28/07/2013 01:46:35:

> > "Permission denied (publickey, gssapi-keyex,gssapi-with-mic).
> > NX> 280 Exiting on signal: 15

> Just a thought: As chris described, a secondary ssh connection (through
> the tunnel) is used to authenticate the user using *password* auth. This
> implies that password authentication must be supported by your sshd.
> Your error message indicates that this is not the case - the possible
> authentication methods shown do not list "password".
> 
> => Have a look at your /etc/ssh/sshd_config ...
> - -Fritz



You missed the "fun" bit Fritz . . .

. . .  he's using PASSDB (which seems to be the CentOS default !!)

This gets around . .
        1/ needing PasswordAuthentication enabled on sshd
                        visible externally
and
        2/ not having to run TWO sshd instances
                2nd one internal only with password
 by having a
         universal key pair log-in for all (FreeNX) users
with (its)
         distributed public key in every user's ~/.ssh/authorized_keys
file.

So instead of you logging in with your password, FreeNX checks your
password against a hash in its
        /etc/nxserver/passwords
and if there is a match, logs you in as your user with the distributed
key ( not so good in my view)


> 
> I enabled password authentication, and I still get the same error.  

Forget that, if you have PASSDB enabled . . . .

> Also, I don't have password authentication enabled on my Ubuntu 
> servers.

Quite

>  On Ubuntu, FreeNX and SSH both work, but here, using the 
> same settings, I keep getting an error.


Well, sounds like there's just a bug somewhere causing
        server_nxnode_start
to fall over . . . 

Sounds a bit like the $LOGIN_METHOD is going wrong
but
I don't quite see how it could,
so
there may be a hidden ssh-ism or selinuxism
but
I can't see that either
so
let's follow through FreeNX anyway . . .



Next test . . . .

Clear the log and enable user account logging

        sudo chmod 777 /var/log/nx/nxserver.log
        echo " " > /var/log/nx/nxserver.log


** BACK UP ** your  nxserver  script   e.g.

        cp /usr/bin/nxserver /usr/bin/nxserver.20130728-bak
        md5sum /usr/bin/nxserver /usr/bin/nxserver.20130728-bak

then edit

        /usr/bin/nxserver

at about line 933 ( looking at a CentOS one ) where you can see 


       else
            echo "$@" | $COMMAND_SSH -l "$USER" . . .   etc
       fi


add the following line ( sorry about the \ line wrap again )

echo -e "We got to PASSDB with\n$@\n$COMMAND_SSH\n \
$USER\n$NODE_HOSTNAME\n$SSHD_PORT\n$PATH_BIN\n \
$CMD\nand login method $LOGIN_METHOD\n"|log_tee

 . . . just before the echo.

Try connecting. Send the logging.
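
An added example, not part of the original message and not FreeNX code: a defender's audit of the PASSDB arrangement described above, listing which accounts' authorized_keys accept a given shared public key and whether any key options precede it. The function names, arguments and the one-home-directory-per-user layout are assumptions; pass the public key file your own installation distributes.

```shell
#!/bin/sh
# Added example (not FreeNX code). Hypothetical helpers for auditing a
# key pair whose public half is copied into many users' authorized_keys.

# key_blob FILE -> print the base64 body of the first public key in FILE.
# A key line is: [options] keytype base64 [comment]
key_blob() {
    awk '{ for (i = 1; i < NF; i++)
             if ($i ~ /^(sk-)?(ssh-(rsa|dss|ed25519)|ecdsa-sha2-)/) {
                 print $(i + 1); exit } }' "$1"
}

# audit_shared_key PUBKEY_FILE HOME_ROOT
# Prints "<user> unrestricted" or "<user> restricted" for every account
# under HOME_ROOT whose authorized_keys contains the key.
audit_shared_key() (
    blob=$(key_blob "$1") || exit 2
    [ -n "$blob" ] || { echo "no public key found in $1" >&2; exit 2; }
    for file in "$2"/*/.ssh/authorized_keys; do
        [ -r "$file" ] || continue
        user=${file#"$2"/}
        user=${user%%/*}
        # Match on the key body only: comment and options can differ per copy.
        line=$(grep -F -- "$blob" "$file" | grep -v '^[[:space:]]*#' | head -n 1)
        [ -n "$line" ] || continue
        case $line in
            ssh-*|ecdsa-*|sk-*) echo "$user unrestricted" ;;  # no options field
            *)                  echo "$user restricted" ;;    # command=, from=, ...
        esac
    done
)

# Run directly as: audit.sh /path/to/shared_key.pub /home
if [ "$#" -eq 2 ]; then
    audit_shared_key "$1" "$2"
fi
```

"restricted" only reports that an options field is present on the key line; the options themselves still need to be read to judge what the key can do.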





