freenx-team team mailing list archive

Re: Requesting your input before updating the Ubuntu guide

 

Hi,

On Fri, Nov 13, 2009 at 12:14 PM, Paul van Gerven
<baloedebruinebeer@xxxxxxxxx> wrote:
> Dear FreeNX-team,
>
> I installed a FreeNX server on Ubuntu Jaunty. Roughly following the Ubuntu
> guide and links referenced therein, I noticed FreeNX requires
> PasswordAuthentication to be set to yes in sshd_config (for authenticating
> the real user logging in on localhost). This step in itself is not covered
> in the howto, nor did the installation script take care of it (at least in
> my case; I did encounter some anomalies). Can you confirm that users have to
> do that manually in Jaunty and Karmic? If so, I would like to add it to the
> documentation. (In case you are wondering, I am not quite ready to upgrade
> to Karmic, hence my asking).
>

Yes, I can confirm this behavior because the default authentication
method is ssh.
We can detect this behavior and then set the su authentication method
automatically.
It should be 1 line of regexp detection. So it should be simple, but I
am not a regexp
expert.
I think putting this in the documentation is enough.

> Secondly, I feel setting PasswordAuthentication to yes in SSH is unsafe when
> the port in question is exposed to the internet. Any other user than nx
> trying to connect with SSH will be prompted for a password, even if key
> authentication is set up. Some may not mind this behavior, but I am sure
> some will want a bit more security. At least people should have the option.
> I figured out how to disable the SSH authentication on localhost and replace
> it by passdb (with custom keys for FreeNX authentication that is safe
> enough), and I am willing to share that procedure in the aforementioned
> howto, but I hesitate. That is, I am not sure whether 'my' procedure is
> generally applicable. For example, the procedure intended for the same
> outcome described in this post did not work for me. Perhaps you could
> determine whether 'my' procedure is viable and worth adding to the howto.
>
> The thing I did differently - and actually had to do differently to obtain a
> positive result - compared to the howto, is editing node.conf and running
> dpkg-reconfigure prior to running nxsetup --install. The procedure thus
> boils down to:
>
> 1) Setting up SSH with key authentication and putting 'PasswordAuthentication
> no' in sshd_config
> 2) Editing node.conf to set ENABLE_PASSDB_AUTHENTICATION="1" and
> ENABLE_SSH_AUTHENTICATION="0"

This isn't necessary. dpkg-configure does that and puts the configuration in
/etc/nxserver/node.conf.d/

> 3) Running dpkg-configure freenx-server, creating custom keys in
> /var/lib/nxserver/home/custom_keys and selecting passdb as the
> authentication method
> 4) Running /usr/lib/nxsetup, selecting custom keys. These are put in
> /etc/nxserver, but the keys generated in step #3 are the ones you need (this
> puzzles me).

nxsetup is not supported. It should be removed from the package.
It uses paths that aren't the same as the ones we use.

> 5) Creating a user with nxsetup --adduser and attaching a password to it.

Managing the passdb is the only use of nxsetup that isn't added to
another script.

>
> You might find it interesting that I could not create this setup by any
> other means after installing FreeNX 'normally', as described in the howto -
> I had to start with a clean slate. Somehow any changes I made in node.conf
> were not used. And yes, I did restart the server after making changes or ran
> nxsetup again after editing ;-) This might be worth looking into.
>

I think I stopped shipping the files needed by passdb, but I am not sure.

I really don't think this is the best way to do that.
Freenx passdb is kind of deprecated.
The reason is that I really don't like the password being kept in
more than 1 place. And probably most sysadmins don't like this either.

I think the way to go is:
 - set su authentication method instead of the ssh one.
    So ssh would be used only to connect to the server.
    ssh can have password disabled.

 - Make this change to nxserver:

--- nxserver	2009-11-13 22:46:31.791530037 -0200
+++ /usr/lib/nx/nxserver	2009-11-13 22:47:22.347566742 -0200
@@ -1414,7 +1414,7 @@
 	if [ -x "$COMMAND_NXACL" ]
 	then
 			log 3 "Info: Using $COMMAND_NXACL to change session parameters or
deny session."
-			NEW_PARAMS=$($COMMAND_NXACL "$CMDLINE")
+			NEW_PARAMS=$($COMMAND_NXACL "$CMDLINE" "$USER")
 			if [ $? -ne 0 ]
 			then
 				echo_x "NX> 596 The session failed due to a nxacl policy setting:
$NEW_PARAMS"
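
Review bot: the added "$USER" argument on the NEW_PARAMS line changes the nxacl calling convention from one positional parameter to two, and nothing in the hunk documents that; a comment above the call stating that $1 is the command line and $2 the user name would help, since an existing nxacl script that reads only $1 will ignore the new argument without any error. It is also worth confirming that $USER at this point holds the authenticated session user rather than the account nxserver itself runs under, because the ACL decision will rest on that value. The quoting of "$USER" is correct.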


Then you can control the permission on /etc/nxserver/nxacl.
You can have permission by user, by group, by parameter.
You can modify parameters.
You can do almost everything.

By user:
	# $2 is the user name passed by the patched nxserver call above
	if [ "$2" = "allowed_user" ]
	then
		echo "user allowed_user is allowed"
		exit 0
	fi

About the guide, you are free to put your findings on it.
Free software is about alternatives =).

Hope this helps.

Regards.
Marcelo Shima


> Let me know what you think,
>
> Paul
>
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~freenx-team
> Post to     : freenx-team@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~freenx-team
> More help   : https://help.launchpad.net/ListHelp
>
>
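
A default-deny version of the per-user and per-group nxacl check discussed in the message above, as an added example that is not part of the original e-mail or of FreeNX. It assumes the patched call `nxacl "$CMDLINE" "$USER"` and that a non-zero exit denies the session, as the hunk shows; the user names, the group name and the helper function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: default-deny nxacl policy. Assumes the patched nxserver calls
# it as: nxacl "$CMDLINE" "$USER". User and group names below are constructed.
ALLOWED_USERS="alice bob"
ALLOWED_GROUP="nxusers"

# Space-separated group names of a user; kept separate so it can be stubbed.
user_groups() {
    id -Gn "$1" 2>/dev/null
}

# in_list WORD LIST...: succeed if WORD equals one of the remaining words.
in_list() {
    needle=$1
    shift
    for item in "$@"; do
        [ "$item" = "$needle" ] && return 0
    done
    return 1
}

# nxacl_decide CMDLINE USER: print the decision, return 0 to allow, 1 to deny.
nxacl_decide() {
    user=$2
    # Missing second argument (unpatched nxserver) or unexpected characters: deny.
    case $user in
        ''|-*|*[!A-Za-z0-9._-]*)
            echo "no valid user name supplied"
            return 1 ;;
    esac
    # The two lists are split into words on purpose (no quotes around them).
    if in_list "$user" $ALLOWED_USERS; then
        echo "user $user is allowed"
        return 0
    fi
    if in_list "$ALLOWED_GROUP" $(user_groups "$user"); then
        echo "user $user is allowed via group $ALLOWED_GROUP"
        return 0
    fi
    # Anything not explicitly allowed above is refused.
    echo "user $user is not permitted to start NX sessions"
    return 1
}

# When invoked by nxserver (at least one argument), act as the policy script.
if [ "$#" -ge 1 ]; then
    nxacl_decide "$1" "${2:-}"
    exit $?
fi
```

A script containing only an allow branch exits 0 for every other user as well, which is why the final branch here returns non-zero. nxserver runs the script only if it is executable (the `-x` test in the patch).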


