Mailinglist Archive: opensuse (3337 mails)

Re: [SLE] Resolved - Setting up NXfree to use ssh keys
  • From: "Greg Freemyer" <greg.freemyer@xxxxxxxxx>
  • Date: Tue, 18 Apr 2006 18:09:03 -0400
  • Message-id: <87f94c370604181509w1d7b09bdj575fe62d6ead1192@xxxxxxxxxxxxxx>
I got this to work. Somehow I broke FreeNX in the process, but a full
uninstall/reinstall of both the rpm and the actual environment did the
trick.

Steps to follow that should work:

0) Uninstall FreeNX: "nxsetup --uninstall --purge" followed by using
yast to remove the rpm
1) Ensure openssh is installed with a vanilla /etc/ssh/sshd_config file
2) Install FreeNX via yast
3) run "nxsetup --install" (Note the lack of --setup-nomachine-key)
4) per the output from above copy the newly generated nx private key
to your clients and install in the various nx-clients. Note that all
nx-clients share this one key!!!
5) Edit /etc/nxserver/node.conf to ENABLE_SU_AUTHENTICATION
6) Add nx to the users group ("groupmod -A nx users")
7) Edit /etc/ssh/sshd_config and disable ChallengeResponseAuthentication

Now ssh works if, and only if, you have the appropriate private /
public key setup working.

And the NXfree client works if, and only if, you have the unique
private key installed.

I suspect I could get NXfree to use unique key pairs per user but I
don't need that for my environment.

Unless someone sees something I did wrong, I'm now going to open up my
firewall's ssh port.

Greg
On 4/15/06, Jerry Westrick <jerry@xxxxxxxxxxxx> wrote:
> On Saturday 15 April 2006 04:21, Scott Leighton wrote:
> > On Thursday 13 April 2006 12:28 pm, Greg Freemyer wrote:
> > > I've been using NXfree as a client in the office where I have not
> > > worried about ssh keys.
> > >
> > > Does anyone know how to do this with SUSE 10 and the NX server in the
> > > distro?
> > >
> > > Details:
> > > Prior to doing anything today I had ssh and NXfree working but they
> > > used simple password authentication.
> > >
> > > I want to restrict all secure shell access to people with keys so I
> > > can open up the firewall port.
> > >
> > > I have my server user account ssh working now, but I can't get the
> > > NXfree client to connect via the same key.
> > >
> > > Is there something special I need to do?
> > >
> > > What I've done so far:
> > >
> > > On my client pc (windows) I used cygwin to create a key pair:
> > >
> > > ssh-keygen -t rsa
> > >
> > > I uploaded the public key to my servers .ssh user directory
> > >
> > > scp .ssh/id_rsa.pub gaf@my_server:.ssh/
> > >
> > > logged into server and created the authorized_keys file
> > >
> > > cat id_rsa.pub > authorized_keys
> > >
> > > Then I tried logging into the server via standard ssh and no password
> > > from the original client pc. It works. Good.
> > >
> > > Now for NXclient. I start it up on the pc client and go to the
> > > config. I hit key and import in the private key that pairs with the
> > > above. That seems to be what the various howto's I found say to do.
> > >
> > > Seems to work, but when I try to connect NXfree fails. Even if I put
> > > in my user account password for the server, NXfree fails.
> > >
> > > If I go back to the config-key dialog box and reset to the default key
> > > I can login with my password.
> > >
> > > Ideas?
> >
> > Greg,
> >
> > I could be way off base here, but I think that nxserver uses its
> > own key system, not the ssh key. If memory serves, you have to
> > generate a 'custom key' for the server, that key resides at
> > /var/lib/nxserver/home/.ssh with the file name client.id_dsa.key
> >
> > That's the key that you have to copy/paste into the config-key
> > dialog box on the client side.
> >
> > I know it works with 9.3, I have it working, but I'm not sure
> > if it is the same for 10.0.
> >
> > Scott
> >
> Greg I use FreeNx on SuSe 10.0 and 10.1.
>
> I use ssh username/password authentication scheme though.
> This is the way I set it up:
>
> SSH Configuration
> ==============
> The following changes need to be made for SSH:
> User Group to control access
> ---------------------------------------
> Create Group "remotessh",
> Add users that are allowed remote access to the group.
>
> In file /etc/ssh/sshd_config
> add the following lines to bottom of file:
> #
> # Westrick GmbH Configuration
> #
> Port <not-port-22>
> AllowGroups remotessh
> GatewayPorts yes
> X11DisplayOffset 50
> X11Forwarding yes
>
> restart ssh server with: "rcsshd restart"
>
> In file /etc/ssh/ssh_config
>
> Add lines:
> ForwardAgent yes
> ForwardX11 yes
>
> Then for each known host with alternate port add following lines before "Host
> *" line:
> Host jerry.westrick.com
> Port <not-port-22>
>
>
>
> Setup NxServer
> ============
>
> Install the nxserver software with yast.
>
> Execute following command in root-shell
> nxsetup --install --setup-nomachine-key
>
> Edit /etc/nxserver/node.conf:
> change port to <not-port-22>
> SSHD_PORT=<not-port-22>
>
> Enable SSH Authentication
> ENABLE_SSH_AUTHENTICATION="1"
>
> Add user nx to remotessh group!
>
> Download nxclient from http://www.nomachine.com/download.php .
> ----------------------------------------------------------------------------------------
> When connecting you need to specify 2 options:
> 1.General->Server->Port is <not-port-22>.
> 2.Advanced->Network->Enable SSL encryption of all traffic is enabled.
>
>
>
>
> Then I can control who is allowed to remote into the machine
> by adding and removing users from the remotessh group...
>
>
> Jerry Westrick
>


--
Greg Freemyer
The Norcross Group
Forensics for the 21st Century
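
Added example, not part of the original message: a shell check that an sshd_config leaves public keys as the only login path, which is the state step 7 aims for before the ssh port is opened. It assumes OpenSSH's built-in defaults (all three options are "yes" when unset) and reads only the global section before any Match block; the function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example: check that an sshd_config leaves public keys as the only login path.

# effective_value FILE KEYWORD DEFAULT
# Prints the value sshd would use: keywords are case-insensitive and the first
# occurrence wins. Only the global section (before any "Match") is read.
effective_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        { sub(/[ \t]*=[ \t]*/, " ") }           # accept "Keyword=value" too
        tolower($1) == "match" { exit }
        tolower($1) == key {
            v = $2; gsub(/"/, "", v)            # values may be double-quoted
            print tolower(v); found = 1; exit
        }
        END { if (!found) print def }
    ' "$1"
}

# audit_key_only FILE: returns 0 if only key logins remain, 1 otherwise.
# Defaults are the OpenSSH built-in ones: all three options are "yes" when unset.
audit_key_only() {
    rc=0
    pw=$(effective_value "$1" PasswordAuthentication yes)
    cr=$(effective_value "$1" ChallengeResponseAuthentication yes)
    pk=$(effective_value "$1" PubkeyAuthentication yes)
    [ "$pw" = no ]  || { echo "FAIL PasswordAuthentication=$pw"; rc=1; }
    [ "$cr" = no ]  || { echo "FAIL ChallengeResponseAuthentication=$cr"; rc=1; }
    [ "$pk" = yes ] || { echo "FAIL PubkeyAuthentication=$pk"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: key-only"
    return "$rc"
}

# Constructed sample (not from the thread): step 7 has not been applied yet.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PasswordAuthentication no
#ChallengeResponseAuthentication no
UsePAM yes
EOF
audit_key_only "$sample" || true   # prints: FAIL ChallengeResponseAuthentication=yes
rm -f "$sample"
```

On a host with a current OpenSSH, `sshd -T` prints the effective settings and is the authoritative check; this parser is for reviewing a config file offline.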
