<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=ISO-8859-1" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 8.00.6001.18928">
<STYLE>@font-face {
font-family: 宋
}
@font-face {
font-family: Verdana;
}
@font-face {
font-family: @宋
}
@page Section1 {size: 595.3pt 841.9pt; margin: 72.0pt 90.0pt 72.0pt 90.0pt; layout-grid: 15.6pt; }
P.MsoNormal {
TEXT-JUSTIFY: inter-ideograph; TEXT-ALIGN: justify; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman"; FONT-SIZE: 10.5pt
}
LI.MsoNormal {
TEXT-JUSTIFY: inter-ideograph; TEXT-ALIGN: justify; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman"; FONT-SIZE: 10.5pt
}
DIV.MsoNormal {
TEXT-JUSTIFY: inter-ideograph; TEXT-ALIGN: justify; MARGIN: 0cm 0cm 0pt; FONT-FAMILY: "Times New Roman"; FONT-SIZE: 10.5pt
}
A:link {
COLOR: blue; TEXT-DECORATION: underline
}
SPAN.MsoHyperlink {
COLOR: blue; TEXT-DECORATION: underline
}
A:visited {
COLOR: purple; TEXT-DECORATION: underline
}
SPAN.MsoHyperlinkFollowed {
COLOR: purple; TEXT-DECORATION: underline
}
SPAN.EmailStyle17 {
FONT-STYLE: normal; FONT-FAMILY: Verdana; COLOR: windowtext; FONT-WEIGHT: normal; TEXT-DECORATION: none; mso-style-type: personal-compose
}
DIV.Section1 {
page: Section1
}
UNKNOWN {
FONT-SIZE: 10pt
}
BLOCKQUOTE {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px; MARGIN-LEFT: 2em
}
OL {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
UL {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
</STYLE>
</HEAD>
<BODY style="MARGIN: 10px; FONT-FAMILY: verdana; FONT-SIZE: 10pt">
<DIV><FONT face=Verdana></FONT></DIV>
<DIV><FONT size=3 face="Times New Roman">
<DIV><FONT size=2
face=Verdana>On Sun, Aug 15, 2010 at 11:17 AM, gaohu <tigerheight@gmail.com> wrote:</FONT></DIV>
<DIV>
<DIV><FONT size=2
face=Verdana>> I have installed freenx with this article</FONT></DIV>
<DIV><FONT size=2 face=Verdana>></FONT></DIV>
<DIV><FONT size=2
face=Verdana>> http://wiki.centos.org/HowTos/FreeNX</FONT></DIV>
<DIV><FONT size=2 face=Verdana>></FONT></DIV>
<DIV><FONT size=2
face=Verdana>> but when I use freenx-client on windows to connect to server,</FONT></DIV>
<DIV><FONT size=2
face=Verdana>> I always get a "freenx Authentication failed."</FONT></DIV>
<DIV><FONT size=2 face=Verdana></FONT></DIV>
<DIV><FONT size=2
face=Verdana>You appear to have missed a step or configured the auth bits</FONT></DIV>
<DIV><FONT size=2
face=Verdana>incorrectly. The NX user is the user who authenticates via ssh, and</FONT></DIV>
<DIV><FONT size=2
face=Verdana>you authenticate via nx to the proper session. Go through the steps in</FONT></DIV>
<DIV><FONT size=2
face=Verdana>the wiki again carefully and double check the logs to see who you're</FONT></DIV>
<DIV><FONT size=2
face=Verdana>attempting to authenticate as. I'd bet you're trying to auth as your</FONT></DIV>
<DIV><FONT size=2
face=Verdana>user instead of as the nx user and since the wiki states that only the</FONT></DIV>
<DIV><FONT size=2
face=Verdana>nx user is authorized (via the AllowUsers nx statement) auth is</FONT></DIV>
<DIV><FONT size=2
face=Verdana>failing for that reason.</FONT></DIV>
<DIV><FONT size=2 face=Verdana></FONT></DIV>
<DIV><FONT size=2 face=Verdana></FONT></DIV>
<DIV><FONT size=2 face=Verdana>-- </FONT></DIV>
<DIV><FONT size=2
face=Verdana>During times of universal deceit, telling the truth becomes a revolutionary act.</FONT></DIV>
<DIV><FONT size=2 face=Verdana>George Orwell</FONT></DIV>
<DIV><FONT size=2
face=Verdana>_______________________________________________</FONT></DIV>
<DIV><FONT size=2 face=Verdana>CentOS mailing list</FONT></DIV>
<DIV><FONT size=2 face=Verdana>CentOS@centos.org</FONT></DIV>
<DIV><FONT size=2
face=Verdana>http://lists.centos.org/mailman/listinfo/centos</FONT></DIV></DIV></FONT></DIV>
<DIV><FONT size=3 face="Times New Roman"></FONT> </DIV>
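<DIV><FONT size=2 face=Verdana>The log check suggested in the reply above, as an added example that is not part of the original thread: it reads the AllowUsers patterns from an sshd_config and reports, for each sshd authentication line in a log, which account the login was attempted as and whether AllowUsers admits that account. The config fragment, log lines and address are constructed samples, and the function names are hypothetical.</FONT></DIV>
<PRE>
```python
import fnmatch
import re
# Constructed sshd_config fragment using the AllowUsers line quoted in this thread.
SAMPLE_CONFIG = """\
PasswordAuthentication no
AllowUsers nx
"""

# Constructed sshd log lines; 192.0.2.10 is a documentation address.
SAMPLE_LOG = """\
Aug 15 11:02:10 host sshd[2101]: User gaohu from 192.0.2.10 not allowed because not listed in AllowUsers
Aug 15 11:05:42 host sshd[2140]: Failed publickey for nx from 192.0.2.10 port 50120 ssh2
Aug 15 11:09:03 host sshd[2177]: Accepted publickey for nx from 192.0.2.10 port 50131 ssh2
"""

# (outcome, pattern, index of the capture group that holds the user name)
EVENTS = [
    ("denied_by_allowusers",
     re.compile(r"sshd\[\d+\]: User (\S+) from \S+ not allowed because not listed in AllowUsers"), 1),
    ("failed", re.compile(r"sshd\[\d+\]: Failed (\S+) for (?:invalid user )?(\S+) from "), 2),
    ("accepted", re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from "), 2),
]

def allow_users(config_text):
    """Collect AllowUsers patterns; keywords are case-insensitive and repeated lines add up."""
    patterns = []
    for line in config_text.splitlines():
        words = line.split()
        if words and words[0].lower() == "allowusers":
            patterns.extend(words[1:])
    return patterns

def is_allowed(user, patterns):
    """No AllowUsers line means no restriction. Only the USER part of USER@HOST is compared."""
    return not patterns or any(fnmatch.fnmatchcase(user, p.split("@", 1)[0]) for p in patterns)

def diagnose(config_text, log_text):
    """Return (user, outcome, admitted_by_allowusers) for every sshd auth line in the log."""
    patterns = allow_users(config_text)
    report = []
    for line in log_text.splitlines():
        for outcome, rx, group in EVENTS:
            m = rx.search(line)
            if m:
                report.append((m.group(group), outcome, is_allowed(m.group(group), patterns)))
                break
    return report

print(diagnose(SAMPLE_CONFIG, SAMPLE_LOG))
```
</PRE>
<DIV><FONT size=2 face=Verdana>With SyslogFacility AUTHPRIV, as in the configuration posted in this thread, CentOS typically writes these sshd messages to /var/log/secure.</FONT></DIV>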
<DIV><FONT size=3
face="Times New Roman">==========================================================================</FONT></DIV>
<DIV><FONT size=3 face="Times New Roman">My config is as follows:</FONT></DIV>
<DIV><FONT size=3 face="Times New Roman">1. In the sshd config, I
added</FONT></DIV>
<DIV><PRE><FONT face="Times New Roman"><FONT size=3>PasswordAuthentication no
<SPAN id=line-46 class=anchor></SPAN> <FONT color=#ff0000> AllowUsers nx ---> nx is not an actual user in my system.</FONT></FONT></FONT></PRE></DIV>
<DIV><FONT size=3 face="Times New Roman">2. add user, I config</FONT></DIV>
<DIV><FONT face="Times New Roman"><FONT size=3> <FONT
color=#ff0000>nxserver --add user gaohu <--- gaohu is a
common user on my system, and can connect via ssh with isa
key</FONT></FONT></FONT></DIV>
<DIV><FONT color=#ff0000 size=3
face="Times New Roman">
, (and password also works before I use ssh key to audit.)</FONT></DIV>
<DIV><FONT size=3 face="Times New Roman"></FONT> </DIV>
<DIV><FONT size=3 face="Times New Roman"> then re config sshd config file,
set</FONT></DIV>
<DIV><FONT face="Times New Roman"><FONT size=3> <EM>AllowUsers nx
gaohu</EM></FONT></FONT></DIV>
<DIV><EM><FONT size=3 face="Times New Roman"></FONT></EM> </DIV>
<DIV><FONT face=Verdana><FONT size=3 face="Times New Roman"> One thing I
cannot understand is that sshd by default uses the </FONT>
<PRE><FONT size=3 face="Times New Roman">/home/myuser/.ssh/authorized_keys file,
but nxserver generates the key in the
/home/myuser/.ssh/authorized_keys2 file. Should I do other settings
in the sshd config file to support this?

3. Then I installed the client and copied the /etc/nxserver/client.id_dsa.key file content
to the key window.

That's all.</FONT></PRE>
<PRE><FONT color=#ff0000 size=3 face="Times New Roman">But when I run nxserver --test, I just got permission denied. Why?</FONT></PRE>
<PRE><FONT color=#ff0000>Following is my sshd_config file. Could anyone help?</FONT></PRE>
<PRE>=========================================================</PRE>
<PRE># $OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
Protocol 2
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication no
 AllowUsers nx gaohu

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server</PRE>
<PRE>==========================================================</PRE>
</FONT></DIV></BODY></HTML>