[CentOS] freenx
Maciej Żenczykowski
maze at cela.pl
Tue Jan 24 09:33:35 UTC 2006
> copied the above key (that which was between the ----BEGIN and -----END
> but not including those lines) and pasted into the key section and that
why without the --begin-- --end-- lines? I always copy with'em.
> 1 - there is no /etc/nxserver/node.conf #only node.conf.sample
well, you should probably make a node.conf and allow all users to login...
my /etc/nxserver/node.conf has:
ENABLE_USERMODE_AUTHENTICATION="1"
ENABLE_FORCE_ENCRYPTION="1"
SSHD_CHECK_IP="1"
DISPLAY_BASE=20
SESSION_LIMIT=50
SESSION_USER_LIMIT=10
NX_LOG_LEVEL=7
NX_LOG_SECURE=0
DEFAULT_X_WM="twm"
EXPORT_USERIP="1"
EXPORT_SESSIONID="1"
ENABLE_USESSION="1"
COMMAND_SESSREG="/usr/X11R6/bin/sessreg"
APPLICATION_LIBRARY_PATH="/usr/lib/NX/lib"
> 2 - the pub key I listed above apparently is the one distributed with
> the binary and that would seem to be a security issue
Agreed and that's why I don't use it.
I generate keys using ssh-keygen, and stick them into:
/var/lib/nxserver/home/.ssh/authorized_keys2
(or without the '2' depends on sshd server setup)
[in one line] and the entire private key into the client.
Basically:
# ssh-keygen -t dsa -f key
<enter: empty passphrase>
<enter again>
# cat key.pub >> /var/lib/nxserver/home/.ssh/authorized_keys2
{ you might want to actually prefix the key with from="ip.ip.ip.ip" or
from="fully.qualified.domain.name" to further restrict logins to valid IPs
only but do this only once everything is working... }
< copy "key" into the client >
# cat /etc/passwd | grep nx
nx:x:110:110:NX Remote Access:/var/lib/nxserver/home:/usr/bin/nxserver
# cat /etc/shadow | grep nx
nx:!!:13002::::::
# cat /etc/group | grep nx
utmp:x:22:nx
nx:x:110:
# cat /etc/gshadow | grep nx
utmp:x::nx
nx:!::
Make sure that sshd is configured to let in user NX via pubkey from all
important IP addresses
(ssh -i key nx@serverip)
Make sure that sshd is configured to let in other users with password from
localhost
(ssh craig@serverip
<type in password>)
Might still be missing something, but any other problems should show up as
errors in /var/log/secure or /var/log/messages or the nx logs.
Oh, make sure bash-completion is _NOT_ installed.
Cheers,
MaZe.
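
Added example, not part of the original post: a POSIX shell sketch of the from="..." restriction suggested above, with one function that builds the restricted authorized_keys line and one that reports entries still lacking it. The function names are hypothetical, and the key-type list in KEYTYPE_RE is an assumption covering common OpenSSH types.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are
# hypothetical; adjust paths to your own nx home directory.

# Start of the key-type field for common OpenSSH key types (assumed list).
KEYTYPE_RE='(ssh-dss|ssh-rsa|ssh-ed25519|ecdsa-sha2-[a-z0-9-]+) AAAA'

# Print "LINE: reason" for each key entry in file $1 that has no from=
# option. Returns 0 when every entry is restricted, 1 otherwise.
audit_authorized_keys() {
    file=$1
    awk -v re="$KEYTYPE_RE" '
        /^[ \t]*#/ { next }                     # skip comments
        /^[ \t]*$/ { next }                     # skip blank lines
        {
            pos = match($0, re)
            if (pos == 0) { print NR ": unrecognised entry"; bad = 1; next }
            opts = substr($0, 1, pos - 1)       # options precede the key type
            if (opts !~ /^from="[^"]+"/ && opts !~ /,from="[^"]+"/) {
                print NR ": no from= restriction"; bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$file"
}

# Emit an authorized_keys line for public key file $1, restricted to the
# comma-separated source pattern list $2 (IPs or fully qualified names).
restricted_key_line() {
    pubkey=$1; sources=$2
    case $sources in
        ''|*'"'*|*' '*) echo "invalid source list" >&2; return 2 ;;
    esac
    # A .pub file holds one line: "type base64 comment".
    printf 'from="%s" %s\n' "$sources" "$(head -n 1 "$pubkey")"
}

# Usage (paths as in the post above):
#   restricted_key_line key.pub 192.0.2.10 >> /var/lib/nxserver/home/.ssh/authorized_keys2
#   audit_authorized_keys /var/lib/nxserver/home/.ssh/authorized_keys2
```
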