[CentOS] freenx

Tue Jan 24 09:33:35 UTC 2006
Maciej Żenczykowski <maze at cela.pl>

> copied the above key (that which was between the ----BEGIN and -----END
> but not including those lines) and pasted into the key section and that

why without the --begin-- --end-- lines?  I always copy with'em.

> 1 - there is no /etc/nxserver/node.conf #only node.conf.sample

well, you should probably make a node.conf and allow all users to login...

my /etc/nxserver/node.conf has:
ENABLE_USERMODE_AUTHENTICATION="1"
ENABLE_FORCE_ENCRYPTION="1"
SSHD_CHECK_IP="1"
DISPLAY_BASE=20
SESSION_LIMIT=50
SESSION_USER_LIMIT=10
NX_LOG_LEVEL=7
NX_LOG_SECURE=0
DEFAULT_X_WM="twm"
EXPORT_USERIP="1"
EXPORT_SESSIONID="1"
ENABLE_USESSION="1"
COMMAND_SESSREG="/usr/X11R6/bin/sessreg"
APPLICATION_LIBRARY_PATH="/usr/lib/NX/lib"

> 2 - the pub key I listed above apparently is the one distributed with
> the binary and that would seem to be a security issue

Agreed and that's why I don't use it.

I generate keys using ssh-keygen, and stick them into:
/var/lib/nxserver/home/.ssh/authorized_keys2
(or without the '2' depends on sshd server setup)
[in one line] and the entire private key into the client.

Basically:

# ssh-keygen -t dsa -f key
<enter: empty passphrase>
<enter again>
# cat key.pub >> /var/lib/nxserver/home/.ssh/authorized_keys2
{ you might want to actually prefix the key with from="ip.ip.ip.ip" or 
from="fully.qualified.domain.name" to further restrict logins to valid IPs 
only but do this only once everything is working... }
< copy "key" into the client >

# cat /etc/passwd | grep nx
nx:x:110:110:NX Remote Access:/var/lib/nxserver/home:/usr/bin/nxserver
# cat /etc/shadow | grep nx
nx:!!:13002::::::
# cat /etc/group | grep nx
utmp:x:22:nx
nx:x:110:
# cat /etc/gshadow | grep nx
utmp:x::nx
nx:!::

Make sure that sshd is configured to let in user NX via pubkey from all 
important IP addresses
(ssh -i key nx@serverip)

Make sure that sshd is configured to let in other users with password from 
localhost
(ssh craig@serverip
<type in password>)


Might still be missing something, but any other problems should show up as 
errors in /var/log/secure or /var/log/messages or the nx logs.

Oh, make sure bash-completion is _NOT_ installed.

Cheers,
MaZe.
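
Added example, not part of the original post: a check that every key in an authorized_keys file carries the from="..." restriction suggested above. The function names and the sample key lines are constructed for illustration; the key blobs are placeholders.

```shell
#!/bin/sh
# audit_authorized_keys FILE  (hypothetical helper, not part of FreeNX or OpenSSH)
#   prints "<line> <keytype> restricted|unrestricted|malformed" per entry;
#   returns 1 if any entry lacks from="..." or cannot be parsed, else 0.
audit_authorized_keys() {
    awk '
    function is_keytype(s) {
        return s ~ /^(ssh-(dss|rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9@.-]+)$/
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
    {
        sub(/^[ \t]+/, "")
        restricted = 0
        if (!is_keytype($1)) {
            # Leading options field: walk it character by character so that
            # commas and spaces inside "quoted values" are not misread.
            inq = 0; start = 1
            for (i = 1; i <= length($0); i++) {
                c = substr($0, i, 1)
                if (start && tolower(substr($0, i, 6)) == "from=\"") restricted = 1
                start = 0
                if (inq && c == "\\") { i++; continue }   # escaped char in quotes
                if (c == "\"") inq = !inq
                else if (!inq && c == ",") start = 1
                else if (!inq && (c == " " || c == "\t")) break
            }
            $0 = substr($0, i + 1)         # rest of line: keytype, blob, comment
        }
        if (!is_keytype($1)) { print NR, "?", "malformed"; bad = 1; next }
        if (!restricted) bad = 1
        print NR, $1, (restricted ? "restricted" : "unrestricted")
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample input (placeholder key blobs, documentation addresses).
sample_authorized_keys() {
    cat <<'EOF'
# nx user keys
from="192.0.2.10" ssh-dss AAAAEXAMPLEKEY1 nx@client-a
ssh-dss AAAAEXAMPLEKEY2 nx@client-b
command="echo ,from=\"x\"",no-pty ssh-rsa AAAAEXAMPLEKEY3 nx@client-c
no-pty,FROM="*.example.org" ssh-rsa AAAAEXAMPLEKEY4 nx@client-d
EOF
}
```

On the server it would be run as: audit_authorized_keys /var/lib/nxserver/home/.ssh/authorized_keys2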