On Tue, 2006-01-24 at 17:50, Maciej Żenczykowski wrote:
> I've read through the thread you provided and I'm not convinced. Indeed it still seems like a bad design decision to me. Why isn't the normal ssh authentication good enough for NX?
I think the idea was to have a minimally-privileged program that can't do anything but provide a tunnel.
> I'm not sure I understand you there - isn't ssh already an encrypted tunnel provider with authorization? What more do we need?
It is, but you may not want to let real users log in directly on an exposed interface. Even if the nx user managed to break out of the shell program that isn't supposed to do anything else, it would be as a user that didn't own anything useful.
> FURTHERMORE!!!! THE WAY I SEE IT the FREENX server has a BIG HOLE if using the nomachine standard keys. Does the Nomachine server have the same hole? Don't know.
I believe the commercial server may have a modified ssh that does not permit tunnels or other unneeded operations.
> private.key contains a private key which allows login to the nx account - if your server accepts the nomachine standard keys then this is the key distributed with the nomachine nxclient.
>
> $ ssh -i private.key -L 1111:localhost:631
> Last login: Wed Jan 25 00:35:15 2006 from gaia.ifj.edu.pl
> 7 -- /var/log/nxserver.log -- HELLO NXSERVER - Version 1.4.0-44 OS (GPL)
> 7 -- /var/log/nxserver.log -- NX> 105
>
> here we let it be, and in a different terminal
>
> $ telnet localhost 1111
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
> GET / HTTP/1.1
> Host: localhost
>
> Hmm - we're through the firewall! And we can connect to ANY port that the server is allowed to connect to (both on the server and in the local network). We can use this to connect to the SMTP port and send mail as if from localhost - in effect we've an open relay.
You are talking to the stock sshd here, not something that came with freenx. If you want port forwarding turned off, you can turn it off.
> Is the nomachine server vulnerable? Don't know - but the freenx server IS.
Don't think so. It might be wise to turn it off, but note that the freenx server generates new keys when installed so you are only exposed to the extent that you give away the keys. If you don't let them get out to anyone that didn't have an ssh login already you are in about the same shape.
> Where does the problem come from? It comes from reinventing the wheel...
It doesn't reinvent anything - it just uses an extra login.
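The point made above is that the forwarding is a property of the stock sshd and of how the nx account's key is installed, not of freenx itself, and that it can be switched off. The script below is an added example, not part of this thread or of freenx: it checks an authorized_keys file for key lines that still permit TCP forwarding, i.e. lines carrying neither the `no-port-forwarding` nor the `restrict` option in front of the key. The sample file it writes is constructed, the key material is a placeholder, and the forced-command path `/usr/bin/nxserver` is an assumed example. The sshd_config counterpart (a `Match User nx` block with `AllowTcpForwarding no` and `PermitOpen none`) is noted in a comment.

```shell
#!/bin/sh
# Write a constructed authorized_keys file for a hypothetical "nx" account.
# Line 1: a bare key, the way a stock install might leave it (forwarding allowed).
# Line 2: the same placeholder key with forwarding, agent, X11 and pty disabled
#         and a forced command, so the key can only start the NX server program.
make_sample_keys() {
  cat > "$1" <<'EOF'
# constructed sample; key data below is a placeholder, not a real key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0PLACEHOLDERKEYDATA nx@example
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty,command="/usr/bin/nxserver" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0PLACEHOLDERKEYDATA nx@example
EOF
}

# Print every key line (with its line number) that lacks both the
# "no-port-forwarding" and the "restrict" option. Exit 1 if any was found,
# 0 if every key in the file has forwarding disabled.
find_forwardable_keys() {
  awk '
    /^[ \t]*(#|$)/ { next }   # skip comments and blank lines
    $0 !~ /(^|,)(no-port-forwarding|restrict)(,|[ \t])/ { print NR ": " $0; bad = 1 }
    END { exit bad ? 1 : 0 }
  ' "$1"
}

# Same test, but only print how many key lines still allow forwarding.
# Always exits 0 so it is safe to use in a command substitution under "set -e".
count_forwardable_keys() {
  awk '
    /^[ \t]*(#|$)/ { next }
    $0 !~ /(^|,)(no-port-forwarding|restrict)(,|[ \t])/ { n++ }
    END { print n + 0 }
  ' "$1"
}

# Server-side belt and braces (sshd_config), so even an unrestricted key for
# the nx user cannot open tunnels:
#   Match User nx
#       AllowTcpForwarding no
#       PermitOpen none
#       X11Forwarding no
#       AllowAgentForwarding no

# Stand-alone usage: check the constructed sample and report.
sample=$(mktemp)
make_sample_keys "$sample"
if find_forwardable_keys "$sample"; then
  echo "all keys in $sample have forwarding disabled"
else
  echo "$(count_forwardable_keys "$sample") key(s) in $sample still allow port forwarding"
fi
rm -f "$sample"
```

Run it against the real file for the tunnel account (`find_forwardable_keys ~nx/.ssh/authorized_keys`) after installing or upgrading; a non-zero exit means the `ssh -L` tunnel shown in the quoted message would still work with that key.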