LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 02-26-2010, 08:32 AM   #1
crispyleif
Member
 
Registered: Mar 2005
Location: Norway, by the coast
Distribution: Debian and the likes
Posts: 190

Rep: Reputation: 31
FreeNX debug, help with authentication


NX> 203 NXSSH running with pid: 4756
NX> 285 Enabling check on switch command
NX> 285 Enabling skip of SSH config files
NX> 285 Setting the preferred NX options
NX> 200 Connected to address: xxx.xxx.xxx.xxx on port: xxxxx (my edit)
NX> 202 Authenticating user: nx
NX> 208 Using auth method: publickey
HELLO NXSERVER - Version 3.2.0-74-SVN OS (GPL, using backend: 3.3.0)
NX> 105 hello NXCLIENT - Version 3.2.0
NX> 134 Accepted protocol: 3.2.0
NX> 105 SET SHELL_MODE SHELL
NX> 105 SET AUTH_MODE PASSWORD
NX> 105 login
NX> 101 User: xxx (my edit)
NX> 102 Password:
NX> 103 Welcome to: ubuntu user: xxx (my edit)
NX> 105 listsession --user="xxx" --status="suspended,running" --geometry="1440x900x32+render" --type="unix-kde"
NX> 127 Sessions list of user 'xxx' for reconnect:

Display Type Session ID Options Depth Screen Status Session Name
------- ---------------- -------------------------------- -------- ----- -------------- ----------- ------------------------------


NX> 148 Server capacity: not reached for user: xxx
NX> 105 startsession --link="isdn" --backingstore="1" --encryption="1" --cache="16M" --images="64M" --shmem="1" --shpix="1" --strict="0" --composite="1" --media="0" --session="tt" --type="unix-kde" --geometry="1434x808" --client="winnt" --keyboard="pc102/no" --screeninfo="1434x808x32+render"

Permission denied (publickey).
NX> 280 Exiting on signal: 15


--

Client: NoMachine windows client

Server: Kubuntu 9.10 with freenx installed from ppa repository

Server config:

/etc/ssh/sshd_config:
# Package generated configuration file
# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
# AuthorizedKeysFile /var/lib/nxserver/home/.ssh/authorized_keys2

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

AllowUsers nx xxx (edit by me)

UsePAM yes

/etc/nxserver/node.conf - snippet of what I've changed
# Authentication directives

# This adds the usermode to the possible authentication methods
# Usermode means that a user can start the nxserver as his shell
# and connect directly to the right server via a custom client.
#ENABLE_USERMODE_AUTHENTICATION="0"

# This adds the passdb to the possible authentication methods
ENABLE_PASSDB_AUTHENTICATION="1"

# This adds SSH to the possible authentication methods. For it to work sshd
# must be set up at localhost accepting password authentication.
ENABLE_SSH_AUTHENTICATION="0"

# This adds SU to the possible authentication methods. For it to work the
# "nx" user must be in the wheel (RedHat, Fedora) or the users group (SUSE)
# and the user logging in must have a valid shell that accepts the -c
# parameter.
#ENABLE_SU_AUTHENTICATION="0"


--


My SSH key has a passphrase, but I have tried with no passphrase also.

Normal SSH access via putty is working.

Any idea why I can't connect ?
 
Old 02-26-2010, 09:38 AM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
The permission denied (public key) indicates either a permissions problem with your authorized_keys file OR a mis-match where you don't have the public key installed on the server that the client is trying to authenticate against.

Since you using an ubuntu variant, take a look at the following document at the using custom ssh keys section: https://help.ubuntu.com/community/FreeNX
 
Old 02-26-2010, 01:19 PM   #3
crispyleif
Member
 
Registered: Mar 2005
Location: Norway, by the coast
Distribution: Debian and the likes
Posts: 190

Original Poster
Rep: Reputation: 31
I forgot to mention that I imported the client.id_dsa.key from /var/lib/nxserver/home/.ssh to the client and saved it in C:\program files\nxserver\share.

Thanks for the link, I've read it several times.. been testing/googling alot today

EDIT::It works with default keys now, had to set authentication = SU in /etc/nxserver/node.conf. All other authentication methodes set to "0". Will hopefully get it on with custom keys now.

EDIT2:: Might have found the issue.. I do not have the directory /var/lib/nxserver/home/custom_keys. Many howto's mentions this..strange.

Last edited by crispyleif; 02-27-2010 at 07:26 AM.
 
Old 03-02-2010, 03:38 PM   #4
crispyleif
Member
 
Registered: Mar 2005
Location: Norway, by the coast
Distribution: Debian and the likes
Posts: 190

Original Poster
Rep: Reputation: 31
Finally got it working. Easy enough once you try/fail enough times..
I decided to challenge myself with making a script to automate this, including the ssh-part. This will also make it easy to give remote support to my brother who just starting using Linux (which is how I discovered FreeNX in the first place).

For the guru's out there this might seem bloated and trivial, but judging by the amount of unanswered questions regarding the subject I am sure I'm not alone in struggling with this (well not struggling anymore).

So in case someone out there will benefit, here's my script for automatically setting up OpenSSH + FreeNX with pubkey access from PuTTY and NX client.

Code:
#!/bin/bash
# Script for setting up FreeNX with custom keys, and SSH-server if not running.
# Suitable for non-headless boxes you want access to, else just use ssh.
# SSH-keys are set up for PuTTY import, so pubkey is added to /%h/.ssh/authorized_keys.
# This is, obviously, just my way of doing it, my needs are a Linux server 
# with secure GUI access from work. Feel very free to adjust.
#
# Running this script will result in the following:
# 
# OpenSSH will be installed and configured with key authorization only, using RSA 4096 bit key.
# FreeNX will be installed and configured with custom keys.
# 
# Written by Svein Arne Rĝed. Use at your own risk, there is no guarantee.
# This script is tested working on Kubuntu 9.10.

#####################################################################################################
# Prerequisites (OpenSSH + key and some variables)
#####################################################################################################

# Make sure script is running as root
if [ "$(id -u)" != "0" ]; then
   echo "This script must run as root." 1>&2
   exit 1
fi

if [ "$1" == "" ]; then
	echo -e "\n Usage: sshnx [user] \n"
	exit 1
else
	export USER="$1"
fi

# Adjust if your distro does it another way
export SSHD_CONFIG="/etc/ssh/sshd_config"
export FREENX_CONFIG="/etc/nxserver/node.conf"

# Check for present SSH-server and install if not present
type -P sshd &>/dev/null || { \
echo "No OpenSSH-server found, installing one now."; aptitude install --assume-yes \
openssh-server ssh; } && echo -e "SSH server found, moving on..   \n"
if [ ! -f /home/${USER}/.ssh/id_rsa ]; then
	echo "RSA key not found for user $USER, generating.. ";
    su $USER -c	"ssh-keygen -t rsa -b 4096 -f /home/${USER}/.ssh/id_rsa -N ''";
	su $USER -c "touch /home/${USER}/.ssh/authorized_keys";
	cat /home/${USER}/.ssh/id_rsa.pub >> /home/${USER}/.ssh/authorized_keys
	else
	echo -e "RSA key found for user $USER, I will skip creating in case you \
	want to use the existing one(s). \n"
fi

#####################################################################################################
# Getting FreeNX
#####################################################################################################

type -P nxserver &>/dev/null && echo -e "\nFreeNX server found, moving on \n" || { \
echo -e "\nGetting FreeNX\n"; aptitude install --assume-yes python-software-properties;
add-apt-repository ppa:freenx-team; aptitude update; aptitude install --assume-yes freenx; }

#####################################################################################################
# Configure OpenSSH + FreeNX
#####################################################################################################

echo "# Added by sshnx script" >> ${SSHD_CONFIG}
echo "AllowUsers nx ${USER}" >> ${SSHD_CONFIG}

sed -i 's/PubkeyAuthentication no/PubkeyAuthentication yes/' ${SSHD_CONFIG}
echo "# Made sure that PubkeyAuthentication was set to yes" >> ${SSHD_CONFIG}

sed -i 's/PermitRootLogin yes/PermitRootLogin no/' ${SSHD_CONFIG}
echo "# Made sure that PermitRootLogin was set to no" >> ${SSHD_CONFIG}

sed -i 's/^#[[:space:]]*PasswordAuthentication/PasswordAuthentication/' ${SSHD_CONFIG}
sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' ${SSHD_CONFIG}
echo "# Made sure that PasswordAuthentication was set to no" >> ${SSHD_CONFIG}

sed -i 's/StrictModes no/StrictModes yes/' ${SSHD_CONFIG}
echo "# Made sure that StrictModes was set to yes" >> ${SSHD_CONFIG}

sed -i 's/LogLevel INFO/LogLevel VERBOSE/' ${SSHD_CONFIG}
echo "# Made sure that we can log attempted logins (LogLevel VERBOSE)" >> ${SSHD_CONFIG}

sed -i 's/UsePAM no/UsePAM yes/' ${SSHD_CONFIG}
echo "# Made sure that we use PAM" >> ${SSHD_CONFIG}

sed -i 's/^#[[:space:]]*AuthorizedKeys/AuthorizedKeys/' ${SSHD_CONFIG}
echo "# Made sure that AuthorizedKeys file is uncommented" >> ${SSHD_CONFIG}

sed -i 's/X11Forwarding yes/X11Forwarding no/' ${SSHD_CONFIG}
echo "# Made sure that X11Forwarding is set to no" >> ${SSHD_CONFIG}

echo -e "# sshnx script done\n" >> ${SSHD_CONFIG}

# Just to make sure..
chmod 755 /home/${USER}/.ssh
chown ${USER}:${USER} /home/${USER}/.ssh/*
chmod 600/home/${USER}/.ssh/authorized_keys
chmod 600/home/${USER}/.ssh/id_rsa
chmod 644/home/${USER}/.ssh/id_rsa.pub

clear
echo -e "\nATTENTION\n"
read -p "Press 'y' for custom keys when prompted by nxserver installer"
# Run the nxserver installscript
/usr/lib/nx/nxsetup --install

echo "# Added by sshnx script" >> ${FREENX_CONFIG}
sed -i 's/^#[[:space:]]*ENABLE_PASSDB_AUTHENTICATION/ENABLE_PASSDB_AUTHENTICATION/' ${FREENX_CONFIG}
sed -i 's/ENABLE_PASSDB_AUTHENTICATION="1"/ENABLE_PASSDB_AUTHENTICATION="0"/' ${FREENX_CONFIG}

sed -i 's/^#[[:space:]]*ENABLE_USER_AUTHENTICATION/ENABLE_USERDB_AUTHENTICATION/' ${FREENX_CONFIG}
sed -i 's/ENABLE_USERMODE_AUTHENTICATION="1"/ENABLE_USERMODE_AUTHENTICATION="0"/' ${FREENX_CONFIG}

sed -i 's/^#[[:space:]]*ENABLE_SSH_AUTHENTICATION/ENABLE_SSH_AUTHENTICATION/' ${FREENX_CONFIG}
sed -i 's/ENABLE_SSH_AUTHENTICATION="1"/ENABLE_SSH_AUTHENTICATION="0"/' ${FREENX_CONFIG}

sed -i 's/^#[[:space:]]*ENABLE_SU_AUTHENTICATION/ENABLE_SU_AUTHENTICATION/' ${FREENX_CONFIG}
sed -i 's/ENABLE_SU_AUTHENTICATION="0"/ENABLE_SU_AUTHENTICATION="1"/' ${FREENX_CONFIG}
echo "# Made sure that authentication method is SU only" >> ${FREENX_CONFIG}

sed -i 's/^#[[:space:]]*SSHD_PORT=22/SSHD_PORT=22/' ${FREENX_CONFIG}
echo "# Made sure that SSHD_PORT is uncommented" >> ${FREENX_CONFIG}
echo -e "# sshnx script done\n" >> ${FREENX_CONFIG}

cat /var/lib/nxserver/home/.ssh/server.id_dsa.pub.key >> /var/lib/nxserver/home/.ssh/authorized_keys

# Delete default keys
rm /etc/nxserver/user.id_dsa*

/etc/init.d/ssh restart
/etc/init.d/freenx-server restart >&/dev/null

echo -e "\nOpenSSH and FreeNX up and running, only PuTTY and NX client to go."
echo -e "SSH server currently listening on port 22. Remember to open/rewrite router/firewall."
echo -e "\n\nGeneral info: Import private ssh key in /home/${USER}/.ssh/id_rsa in PuTTY(gen)"
echo -e "to generate .ppk keyfile. Authorized_keys file updated with pubkey.\n"
echo "If you didn't have a RSA key the one now present has no passphrase,"
echo "add one with the following command: ssh-keygen -f /home/${USER}/.ssh/id_rsa -p"
echo -e "\nImport /var/lib/nxserver/home/.ssh/client.id_dsa.key in NX client\n\n"

Last edited by crispyleif; 03-02-2010 at 03:46 PM.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
trouble with alien's slackbuild for freenx: cannot stat freenx/build/nomachine.id_dsa BCarey Slackware 2 03-12-2008 09:00 PM
freenx and NoMachine client authentication camorri Linux - Software 1 06-02-2006 01:33 AM
How to debug without having debug section in an executable ? unclesam Linux - Newbie 0 02-02-2006 06:23 AM
FreeNX authentication failed parsek77 Linux - Software 1 07-29-2005 05:49 PM
Freenx Authentication Problem linuxpyro Linux - Software 2 07-29-2005 07:21 AM


All times are GMT -5. The time now is 06:27 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration