On Wed, Apr 3, 2013 at 10:16 PM, Natxo Asenjo natxo.asenjo@gmail.com wrote:
Following up a bit late on this, I found out the issue with the failing freenx sessions on CentOS 6.4.
We have a growing freeipa infrastructure (http://freeipa.org), using the identity management solution delivered by RHEL. A colleague installed a host and before joining it to the domain, installed freenx. It worked. So that made me think that the problem was not with freenx but with freeipa.
Indeed, a host joined to a freeipa domain gets a few options on its ssh client and server config files:
# diff ssh_config ssh_config.ipa 48a49,52
GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts PubkeyAuthentication yes ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
# diff sshd_config sshd_config.ipa 81d80 < GSSAPIAuthentication yes 97d95 < UsePAM yes 139a138,143
KerberosAuthentication no PubkeyAuthentication yes UsePAM yes GSSAPIAuthentication yes AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
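Review bot: the two diffs do not isolate which added option breaks the freenx sessions, because the ssh_config.ipa hunk at 48a49,52 adds GlobalKnownHostsFile, PubkeyAuthentication and ProxyCommand together, and the sshd_config.ipa hunk at 139a138,143 adds KerberosAuthentication no and AuthorizedKeysCommand alongside the relocated UsePAM and GSSAPIAuthentication lines. Reverting one added line at a time and retesting would narrow the cause to a single directive, and could allow keeping GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts if it turns out not to be involved.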
If we revert the ssh_config and sshd_config files and join the hosts, freenx works again.
We lose the known_hosts integration but we already were doing that with cfengine. For other environments this could be an issue.
I will contact the freeipa guys about this issue, but provided freenx is not a part of RHEL, I do not think they will see this as their problem.
We'll see.