NoMachines/FreeNX ssh key question

temak82 · 01-04-2008, 07:05 AM

Hi all, I am running Ubuntu 7.10 and connecting to server from Windows XP client. Used dpkg to setup client, then node then server. Everything is running fine. However, I can't for the life of me figure out what's going on with the keys. I even enabled the DB in the server.cfg file and still get Authentication login failure. Here's the error I get in the Details of NX Client and when doing ./nxserver --useradd usrname

Code:

root@guest-desktop:/usr/NX/home/nx/.ssh# /usr/NX/bin/nxserver --useradd usrname
NX> 900 Setting password for user: usrname.
NX> 102 Password:
NX> 102 Confirm password:
NX> 110 Password for user: usrname added to the NX password DB.
NX> 900 Adding public key for user: usrname to the authorized keys file.
NX> 900 Verifying public key authentication for NX user: usrname.
NX> 910 WARNING: The SSH  key to be used for user authentication was
NX> 910 WARNING: added to the private authorized keys file of user
NX> 910 WARNING: but user authentication didn't succeed.
NX> 910 WARNING: Please note that, with these settings, the user won't
NX> 910 WARNING: be able to successfully run any sessions.
NX> 910 WARNING: Run the following command to get some hints on the possible
NX> 910 WARNING: reasons of the problem:
NX> 910 WARNING:
NX> 910 WARNING: nxserver --usercheck usrname
NX> 910 WARNING:
NX> 999 Bye.

and when running ./nxserver --usercheck usrname I get the following error:

Code:

NX> 900 Verifying public key authentication for NX user: usrname.
NX> 900 Adding public key for user: usrname to the authorized keys file.
NX> 900 Verifying public key authentication for NX user: usrname.
NX> 500 ERROR: Public key authentication failed
NX> 500 WARNING: NX server was unable to login as user: usrname
NX> 500 WARNING: Please check that the account is enabled to login.
NX> 500 WARNING: Also check that user's home directory, the directory
NX> 500 WARNING: ~/.ssh and the file ~/.ssh/authorized_keys2 have
NX> 500 WARNING: correct permissions according to the StrictModes of
NX> 500 WARNING: your SSHD configuration
NX> 999 Bye.

Strictmodes are enabled and I do have the authorized_keys2 in the sshd config as well. I'm not sure about the permissions though.

If someone could help me with this bit, I would greatly appreciate it.

marozsas · 01-04-2008, 09:43 AM

I think the permissions of "~usrname/.ssh" are incorrect. It must be 0700 for the base dir and 0600 for the files on it. Check it and/or fix it using "chmod -R 0600 ~usrname/.ssh" and after this, "chmod 0700 ~usrname/.ssh" in this order.

temak82 · 01-04-2008, 10:23 AM

maroszs, thank you for your input. I did check that already and they were set. That's why I'm stumped. Keep the suggestions coming.

sharky · 01-12-2011, 07:58 PM

This is an old thread but I don't see a solution and now I'm having the same issue. I can ssh but can not connect to nxserver. usercheck returns an ERROR but I have no idea how to fix it.

Quote:

> sudo /usr/NX/bin/nxserver --usercheck myself
NX> 900 Verifying public key authentication for NX user: myself.
NX> 900 Adding public key for user: myself to the authorized keys file.
NX> 900 Verifying public key authentication for NX user: myself.
NX> 500 ERROR: Public key authentication failed
NX> 500 WARNING: NX server was unable to login as user: myself
NX> 500 WARNING: Please check that the account is enabled to login.
NX> 500 WARNING: Also check that user's home directory, the directory
NX> 500 WARNING: ~/.ssh and the file ~/.ssh/authorized_keys2 have
NX> 500 WARNING: correct permissions according to the StrictModes of
NX> 500 WARNING: your SSHD configuration
NX> 999 Bye.

MCD555 · 01-13-2011, 08:15 AM

Try using the private key generated by freenx...
I mean the one saved in:

/var/lib/nxserver/home/custom_keys/client.id_dsa.key

Just copy the key and put that in your NX client...

Quote:

Originally Posted by sharky

This is an old thread but I don't see a solution and now I'm having the same issue. I can ssh but can not connect to nxserver. usercheck returns an ERROR but I have no idea how to fix it.

sharky · 01-13-2011, 10:01 AM

Quote:

Originally Posted by MCD555

Try using the private key generated by freenx...
I mean the one saved in:

/var/lib/nxserver/home/custom_keys/client.id_dsa.key

Just copy the key and put that in your NX client...

I'm using nomachine, not freenx. I think the same thing is in /usr/NX/home/ but I'm at work so I'll have to check at lunch time or after work.

Pardon the stupid question but how to a actually 'use' a different key?

MCD555 · 01-13-2011, 10:45 AM

Quote:

Originally Posted by sharky

I'm using nomachine, not freenx. I think the same thing is in /usr/NX/home/ but I'm at work so I'll have to check at lunch time or after work.

Pardon the stupid question but how to a actually 'use' a different key?

Yes, you're right, may I missunderstood the original question, sorry!
But as I know the client key must be generated and distributed by the NX server:

Quote:

The initial login between client and server happens through a DSA key-pair. The public part is provided during the installation of the server, while the private part is distributed together with the NX Client. In order to replace the default keys used by clients, you need to generate a new DSA key-pair and distribute the private part to those clients you want to get connected to the server.

and also the file

/usr/NX/home/nx/.ssh/authorized_keys2

should be masked 644.

Sorry but I use freenx and not NX (but they seems very closed from this point of view), I get this info from http://www.nomachine.com/documents/admin-guide.php

Hope to get the right focus on this and give you an useful hint....

sharky · 01-13-2011, 10:38 PM

I switched to freenx. Still no joy.

MCD555 · 01-14-2011, 03:26 AM

Quote:

Originally Posted by sharky

I switched to freenx. Still no joy.

... are you getting the same issue?
Are you using Linux Mint? On my fedora 14 it has been configured in minutes without particoular issues....

jacklh · 01-17-2011, 06:12 PM

I first performed the following command to add my account to NX database.

sudo /usr/NX/bin/nxserver --useradd mylogid --administrative

The following thread then solved my issue: http://ubuntuforums.org/archive/index.php/t-449382.html.

Basically uncomment and ensure in /usr/NX/etc/server.cfg that the following *TWO* vars are pointing to your (custom) SSH port. Mine isn't 22.

# Specify the TCP port where the NX server SSHD daemon is running.
#
#SSHDPort = "22"

# Specify the TCP port where the SSHD daemon is running on the NX SSH
# authentication server.
#
#SSHDAuthPort = "22"

Then, you need to ensure /etc/ssh/sshd_config is pointing to the correct authorization file. Mine defaulted to authorized_keys but NX uses authorized_keys2, so I modified the following line.

AuthorizedKeysFile %h/.ssh/authorized_keys2

Be sure to restart the SSHD server to re-read config: sudo service ssh restart
Be sure to restart the NX server to re-read config: sudo /usr/NX/bin/nxserver --restart

MCD555 · 01-18-2011, 04:32 PM

Quote:

Originally Posted by jacklh

I first performed the following command to add my account to NX database.

sudo /usr/NX/bin/nxserver --useradd mylogid --administrative

The following thread then solved my issue: http://ubuntuforums.org/archive/index.php/t-449382.html.

Basically uncomment and ensure in /usr/NX/etc/server.cfg that the following *TWO* vars are pointing to your (custom) SSH port. Mine isn't 22.

# Specify the TCP port where the NX server SSHD daemon is running.
#
#SSHDPort = "22"

# Specify the TCP port where the SSHD daemon is running on the NX SSH
# authentication server.
#
#SSHDAuthPort = "22"

Then, you need to ensure /etc/ssh/sshd_config is pointing to the correct authorization file. Mine defaulted to authorized_keys but NX uses authorized_keys2, so I modified the following line.

AuthorizedKeysFile %h/.ssh/authorized_keys2

Be sure to restart the SSHD server to re-read config: sudo service ssh restart
Be sure to restart the NX server to re-read config: sudo /usr/NX/bin/nxserver --restart

For Ubuntu distros the Bible can be found here:

https://help.ubuntu.com/community/Fr.../stop%20FreeNX

I've tested the procedure with Ubuntu 10.10 (Maverick) that should be the same for Lenny (or viceversa, ;-))!

Once you've got and installed freenx:

-> get nxsetup from here

-> move it in the right position and change the owner to root

Quote:

sudo mv nxsetup /usr/lib/nx/nxsetup
sudo chown root:root /usr/lib/nx/nxsetup

-> perform the installation

Quote:

sudo /usr/lib/nx/nxsetup --install

At this point, to set up the SSH "relationship" just run

Quote:

sudo dpkg-reconfigure freenx-server

to generate a Custom key (the option to choose in the first screen) and SSH as freenx authentication type.
Now you have the key to distributed to the client(s) so you need to:

copy the client key just generated in your home directory:

Quote:

sudo cp /var/lib/nxserver/home/.ssh/client.id_dsa.key ~/

and give it to the client.
The client just need to import it!

This works for me and I hope this works for you!

MCD555 · 02-08-2011, 04:18 PM

Quote:

Originally Posted by MCD555

For Ubuntu distros the Bible can be found here:

https://help.ubuntu.com/community/Fr.../stop%20FreeNX

I've tested the procedure with Ubuntu 10.10 (Maverick) that should be the same for Lenny (or viceversa, ;-))!

Once you've got and installed freenx:

-> get nxsetup from here

-> move it in the right position and change the owner to root

-> perform the installation

At this point, to set up the SSH "relationship" just run

to generate a Custom key (the option to choose in the first screen) and SSH as freenx authentication type.
Now you have the key to distributed to the client(s) so you need to:

copy the client key just generated in your home directory:

and give it to the client.
The client just need to import it!

This works for me and I hope this works for you!

* * * UPDATE * * *

Last days I was unable to access a freenx server due to the following error:

in the directory

Code:

/var/lib/nxserver/home/.ssh

there is the link

Code:

authorized_keys2 -> /etc/nxserver/server.id_dsa.pub.key

to make it works correctly just add

Code:

ln -s /etc/nxserver/server.id_dsa.pub.key authorized_keys

I confirm that to login with freeNX you need your ssh key (usually the one that has the public part saved in the /home/[user_name]/.ssh/authorized_keys) and the private key /etc/nxserver/users.id_dsa !

The freenx server is running on a Fedora 14 64bit.

Hope this help too!!!

rmarsf · 02-29-2012, 05:02 AM

i had exactly the same problem.

root@#####:/usr/NX# ./bin/nxserver --usercheck #####
NX> 900 Verifying public key authentication for NX user: ######.
NX> 900 Adding public key for user: ##### to the authorized keys file.
NX> 716 Public key is already present in: /home/####/.ssh/authorized_keys2.
NX> 900 Verifying public key authentication for NX user: ####.
NX> 500 ERROR: Public key authentication failed
NX> 500 WARNING: NX server was unable to login as user: #####
NX> 500 WARNING: Please check that the account is enabled to login.
NX> 500 WARNING: Also check that user's home directory, the directory
NX> 500 WARNING: ~/.ssh and the file ~/.ssh/authorized_keys2 have
NX> 500 WARNING: correct permissions according to the StrictModes of
NX> 500 WARNING: your SSHD configuration
NX> 999 Bye.

the resolution was as mentioned above. ensuring that in /etc/ssh/sshd_config the one line:
AuthorizedKeysFile %h/.ssh/authorized_keys2

then restart sshd (as root)
/etc/init.d/ssh restart

then it worked
root@#####:/usr/NX# ./bin/nxserver --usercheck ####
NX> 900 Verifying public key authentication for NX user: ####.
NX> 900 Public key authentication succeeded.
NX> 999 Bye.

ronramiro · 12-19-2012, 03:55 PM

I install it on fedora 17. Also have a problem with the key authentication.

I only had to include in /etc/ssh/sshd_config the line
AuthorizedKeysFile %h/.ssh/authorized_keys2

and change the line
AuthorizedKeysFile .ssh/authorized_keys
to
#AuthorizedKeysFile .ssh/authorized_keys

then restart sshd (as root)
/etc/init.d/ssh restart

MCD555 · 12-21-2012, 03:18 AM

Did you try the command:

Quote:

./bin/nxserver --usercheck [Your_USER]

to verify?
Or try to post that output here!