FreeNX on 11 vs 11.1. What's the difference?

Hi all, I’ve been trying to figure out this problem for the past 3 days, and I’ve hit a wall. I’m hoping someone can give me some possible cures. I have a script that basically adds a zypper repo, then proceeds to install and configure FreeNX.

To add the repo:

zypper addrepo [Index of /repositories/X11:/RemoteDesktop/openSUSE_11.1]( RemoteDesktop

To install FreeNX & it’s relevant dependencies:

zypper install FreeNX

To setup and configure FreeNX:

nxsetup --install --setup-nomachine-key --clean --purge
sed -i 's/AllowUsers idcuser/AllowUsers idcuser nx/' /etc/ssh/sshd_config
service sshd reload
nxserver --adduser user1
echo passw0rd | nxserver --passwd user1
nxserver --restart

After completing these steps on version 11, I can immediately open the FreeNX client (windows 7), and connect. On 11.1, at the very end of the FreeNX connect, just after “Dowloading the session information”, I get:

NX> 105 startsession  --link="lan" --backingstore="1" --encryption="1" --cache="16M" --images="64M" --shmem="1" --shpix="1" --strict="0" --composite="1" --media="0" --session="" --type="unix-gnome" --geometry="1274x956" --client="winnt" --keyboard="pc102/en_US" --screeninfo="1274x956x16+render" 

Permission denied (publickey,keyboard-interactive).
NX> 280 Exiting on signal: 15

I’ve googled this to death, and tried a bunch of random changes to both ssh and nxserver, but I can’t seem to get rid of it. What might have changed from 11 to 11.1 that could cause this behavior change? The NXserver seems to be configured and running identical on both systems.

Any input greatly appreicated.

I can not help you, but I read one thing that may need clarification for others. There never was an openSUSE 11. It started with 11.0. Do you mean that one?

Yes, sorry - to be more explicit. 11.0, 32bit.

May I ask if both 11.0 and 11.1 are on the same computer? If so it cannot work in both cases without creating another session on the client or copying the ssh host/rsa and dsa key from the working system to the other one, as well as the keys in /var/lib/nxserver/home/.ssh and the know_hosts file there. Notice that these keys have to belong to user “nx”.

11.0 and 11.1 are on different VM’s.

The permissions seem to be ok.

somehostname:/var/lib/nxserver/home/.ssh # ls -la
total 20
drwx------ 2 nx root 4096 2011-01-13 15:26 .
drwx------ 3 nx root 4096 2011-01-13 15:41 ..
-rw------- 1 nx root  669 2011-01-11 21:57 authorized_keys2
-rw------- 1 nx root  668 2011-01-11 21:57 client.id_dsa.key
-rw-r--r-- 1 nx root  235 2011-01-11 21:57 known_hosts
somehostname:/var/lib/nxserver/home/.ssh #

Ok, I’ve spent some more time investigating and ssh and nxserver are identical between 11 and 11.1, as far as I can tell.

The biggest different I can see is the presence of ACL’s in 11.1 on both /etc/ssh, and /etc/nxserver.
On 11.

some11host:/etc/ssh # ls -la
total 180
drwxr-xr-x   2 root root   4096 2011-01-12 13:54 .
drwxr-xr-x 112 root root  12288 2011-01-12 15:39 ..
-rw-------   1 root root 125811 2009-02-23 15:43 moduli
-rw-r--r--   1 root root   2705 2009-02-23 15:43 ssh_config
-rw-r-----   1 root root   3941 2011-01-12 13:44 sshd_config
-rw-r-----   1 root root   3938 2010-10-27 14:26 sshd_config.bak
-rw-------   1 root root    668 2011-01-12 13:43 ssh_host_dsa_key
-rw-r--r--   1 root root    604 2011-01-12 13:43
-rw-------   1 root root    529 2011-01-12 13:43 ssh_host_key
-rw-r--r--   1 root root    333 2011-01-12 13:43
-rw-------   1 root root    887 2011-01-12 13:43 ssh_host_rsa_key
-rw-r--r--   1 root root    224 2011-01-12 13:43
some11host:/etc/ssh #

On 11.1:

some11_1host:/etc/ssh # ls -la
total 216
drwxr-xr-x+   2 root root   4096 2011-01-18 16:09 .
drwxr-xr-x+ 103 root root  12288 2011-01-18 16:03 ..
-rw-------+   1 root root 125811 2010-05-09 12:15 moduli
-rw-r--r--+   1 root root   2705 2010-05-09 12:15 ssh_config
-rw-r-----    1 root root   3920 2011-01-18 16:03 sshd_config
-rw-------+   1 root root    668 2010-06-17 12:46 ssh_host_dsa_key
-rw-r--r--+   1 root root    605 2010-06-17 12:46
-rw-------+   1 root root    530 2010-06-17 12:46 ssh_host_key
-rw-r--r--+   1 root root    334 2010-06-17 12:46
-rw-------+   1 root root    883 2010-06-17 12:46 ssh_host_rsa_key
-rw-r--r--+   1 root root    225 2010-06-17 12:46
some11_1host:/etc/ssh #

I don’t know much about ACL’s - I tried removing the ACL’s via the setfacl command, but it didn’t seem the have any effect.
Is there a way that I can temporarily disable all ACL’s - just to determine if they are causing an issue? If I can simply determine if this is the root cause, I can work at properly setting ACL’s as necessary to satisfy NX.


Ok, I have it working on 11.1 so I’m posting my resolution for the benefit of others.

It was a permissions problem, but not in the location(s) I mentioned in my previous post. The issue was with the /home/<someuser>/.ssh folder. In 11.0, the permissions for this folder were set to “<someuser>:users” (owner:group). In 11.1, the owner:group was “root:root”. Therefore, when the id was added to passdb via nxserver --adduser, it could not create the authorizedkeys2 for eventual public key authentication.

Once I did a chown on the .ssh folder, and re-ran nxserver --adduser the file was created, and life was good.

Thanks for sharing the solution.

This may have gone wrong by doings things running as root that shouldn’t :wink:

Agreed, however, in my situation I have no choice. Without going into confidential details, this is a cloud based system in which I (as a user) have only a small window or a hook to do customizations during provisioning. I can specify a script to do ‘stuff’ during this window, but not the ID. It appears it runs as root. :slight_smile:

I’m confident I’m one of the few people that will hit this given my unique circumstances.