
freenx-team team mailing list archive

Requesting your input before updating the Ubuntu guide

 

Dear FreeNX-team,

I installed a FreeNX server on Ubuntu Jaunty. Roughly following the Ubuntu
guide <https://help.ubuntu.com/community/FreeNX> and links referenced
therein, I noticed FreeNX requires PasswordAuthentication to be set to yes
in sshd_config (for authenticating the real user logging in on localhost).
This step in itself is not covered in the howto, nor did the installation
script take care of it (at least in my case; I did encounter some
anomalies). Can you confirm that users have to do that manually in Jaunty
and Karmic? If so, I would like to add it to the documentation. (In case you
are wondering, I am not quite ready to upgrade to Karmic, hence my asking.)

Secondly, I feel setting PasswordAuthentication to yes in SSH is unsafe when
the port in question is exposed to the internet. Any user other than nx
trying to connect with SSH will be prompted for a password, even if key
authentication is set up. Some may not mind this behavior, but I am sure
some will want a bit more security. At least people should have the option.
I figured out how to disable the SSH authentication on localhost and replace
it by passdb (with custom keys for FreeNX authentication that is safe
enough), and I am willing to share that procedure in the aforementioned
howto, but I hesitate. That is, I am not sure whether 'my' procedure is
generally applicable. For example, the procedure intended for the same
outcome described in this post
<http://ubuntuforums.org/showthread.php?t=1062942>
did not work for me. Perhaps you could determine whether 'my' procedure is
viable and worth adding to the howto.

The thing I did differently - and actually had to do differently to obtain a
positive result - compared to the howto, is editing node.conf and running
dpkg-reconfigure prior to running nxsetup --install. The procedure thus
boils down to:

1) Setting up SSH with key authentication and putting 'PasswordAuthentication
no' in sshd_config
2) Editing node.conf to set ENABLE_PASSDB_AUTHENTICATION="1" and
ENABLE_SSH_AUTHENTICATION="0"
3) Running dpkg-reconfigure freenx-server, creating custom keys in
/var/lib/nxserver/home/custom_keys and selecting passdb as the
authentication method
4) Running /usr/lib/nxsetup, selecting custom keys. These are put in
/etc/nxserver, but the keys generated in step #3 are the ones you need (this
puzzles me).
5) Creating a user with nxsetup --adduser and attaching a password to it.

You might find it interesting that I could not create this setup by any
other means after installing FreeNX 'normally', as described in the howto -
I had to start with a clean slate. Somehow any changes I made in node.conf
were not used. And yes, I did restart the server after making changes or ran
nxsetup again after editing ;-) This might be worth looking into.

Let me know what you think,

Paul
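
An added example, not part of the original message and not FreeNX project code: a check that the two settings from steps 1 and 2 are really in effect, run here on constructed sample files. It goes slightly beyond the message by also flagging Match blocks in sshd_config that turn password logins back on; the function names are hypothetical, and it assumes node.conf is read as plain shell assignments.

```shell
#!/bin/sh
# Constructed sample files, not taken from a real host.
SSHD_SAMPLE='PubkeyAuthentication yes
passwordauthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes'
NODE_SAMPLE='ENABLE_PASSDB_AUTHENTICATION="0"
#ENABLE_SSH_AUTHENTICATION="1"
ENABLE_SSH_AUTHENTICATION="0"
ENABLE_PASSDB_AUTHENTICATION="1"'

# sshd keeps the FIRST value it sees for a keyword (case-insensitive); an
# unset PasswordAuthentication means "yes". Match blocks are counted apart.
sshd_password_auth() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, ""); gsub(/[=]/, " "); k = tolower($1); v = tolower($2) }
        k == "match" { in_match = 1; next }
        k == "passwordauthentication" {
            if (in_match) { if (v == "yes") match_yes++ }
            else if (global == "") global = v
        }
        END { if (global == "") global = "yes"
              printf "global=%s match_yes=%d\n", global, match_yes }'
}

# Assumption: node.conf is read as shell assignments, so the LAST uncommented
# KEY=value wins. Parsed as text here; the file is never sourced or executed.
node_conf_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        { sub(/^[ \t]+/, "") }
        index($0, key "=") == 1 {
            val = substr($0, length(key) + 2)
            sub(/[ \t]*#.*/, "", val); gsub(/["\t ]/, "", val)
        }
        END { print val }'
}

# Succeeds only when both files match steps 1 and 2 of the procedure.
audit() {
    s=$(sshd_password_auth "$1")
    p=$(node_conf_value "$2" ENABLE_PASSDB_AUTHENTICATION)
    h=$(node_conf_value "$2" ENABLE_SSH_AUTHENTICATION)
    echo "sshd: $s  node.conf: passdb=$p ssh=$h"
    [ "$s" = "global=no match_yes=0" ] && [ "$p" = 1 ] && [ "$h" = 0 ]
}

audit "$SSHD_SAMPLE" "$NODE_SAMPLE" || echo "FAIL: a password path is still open"
```

On a live host, `sshd -T` prints the effective sshd configuration and is the authoritative check for the first half.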
