[CentOS] freenx

Maciej Żenczykowski maze at cela.pl
Tue Jan 24 21:15:17 UTC 2006


>> Which is of course totally screwed in the NX protocol.  What the hell 
>> for does it need an nx user for?  Pretty much nothing.  Indeed nothing 
>> at all.

> I'd say it is much, much better than trying to re-invent
> a different secure connection protocol.

Okay: let's evaluate what it does and what it could do and explain to me 
how the current situation is better.

It currently logs in via ssh and privatekey to nx@servermachine, after 
which it takes the user supplied user/password combo and passes it to the 
nxserver which uses them to ssh user@localhost and passes the password. 
Effectively we're logged in as user@servermachine.  Furthermore sometimes 
the freenx server makes a mess of things and leaves around files which 
only nx (thus root) can delete making further use of nx impossible without 
root intervention.

Why can't we have: the client gets user/password combo (or even a 
privatekey for the user!) and ssh's directly into user@servermachine. 
Effectively we've achieved the same thing, except we've no need for an nx 
account and if freenx makes a booboo a user can clean out its temporary 
files by himself.

>> It could just as well ssh directly into your account via ssh user@host 
>> /usr/bin/nxserver.

> The real login does not have to run over ssh or use encryption.
> That is optional and a waste of CPU if not needed.

I don't get this comment? We're running ssh on top of ssh - isn't that 
wasteful in and of itself? (is this only in freenx?)

The only use the 'nx' account design decision has is making stuff harder 
for the administrator.

>> But so much on bad design decisions.
>
> It's not that bad compared to a lot of other ways they might
> have tried to ensure that the real user password exchange is
> encrypted.

Sure they could have screwed up worse, but normal ssh already allows a 
user to login with user/password combo - and everything is encrypted.

And of course they could have used a different protocol or designed their 
own instead of ssh - that would have been a bigger mess.

> The nomachine server always uses the same key for the nx user and 
> trusts the shell program to not permit anything but the next stage login 
> to happen.  That eliminates the key-setup issue that you have with the 
> freenx variation which builds new keys during the install on each 
> server.

OK, truthfully I don't trust the shell program to not permit anything 
else.  Why can't we leave authentication up to ssh?  Stop all the already 
ironed out bugs out of ssh from having an opportunity to show up in the 
nxserver shell?  Again what do we gain?

I'm lost... is there something I'm not seeing?
Maybe this is partly due to being freenx and not the nomachine server. 
But frankly I still don't see why the NX server - which _DOES_ not require 
any special privileges can't run as the user you want to log in as.  Does 
it require special privileges (which? what for?)

Enlighten me, please.

Cheers,
MaZe.



