FREENX - PTA Repos - Unable to connect

Hello.
Following your method (Setting up NX server (Part I: Freenx)), I could not connect (the nx user gets authentication; and a normal user and root can connect with ssh using key-pair authentication).

Any idea ?

SUSE Paste ( sshd logs )

SUSE Paste ( nxserver logs )

SUSE Paste ( sshd_config )

SUSE Paste ( node.conf )

I don’t seem to have problems here - installed 3 servers yesterday with freenx-setup. I just tested different logins: kde, gnome, lxde, xdm. Everything seems to work. Notice that gnome/xfce/lxde login is not going to work with your node.conf under 12.2 unless you uncomment this line:

#AGENT_EXTRA_OPTIONS_X="-norender"

I know it’s not related to your authentication problem. What does nxsetup --test say? Here’s what I got under 12.2 (don’t have access to 12.1 servers right now, don’t have 11.4 anymore).

# nxsetup --test

----> Testing your nxserver configuration ...
<---- done

----> Testing your nxserver connection ...
HELLO NXSERVER - Version 3.2.0-73 OS (GPL, using backend: 3.5.0)
<--- done

It means that it just works. :\

Hello.
I am sure that it should work.

As I am digging around, just a remark.
As I am not an expert, I have tried this:

/usr/bin/nomachine-setup --client -p 12345

And it is a bad idea, and I got new errors that are not related to my login error.
Using -p forces another patch to be made to node.conf after running nomachine-setup --client -p 12345:
The new patch gives me a new error related to the NX nxserver (not the FREENX nxserver):


ENABLE_NOMACHINE_FORWARD_PORT="1"
NOMACHINE_FORWARD_PORT="12345"

NOMACHINE_SERVER="/usr/NX/bin/nxserver"
NOMACHINE_NX_HOME_DIR="/usr/NX/home/nx"

It is not clear in the document that the -p 12345 option in nomachine-setup is for the server only.
Therefore, for configuring only the client, it is forbidden to use this parameter.
It would help non-expert users if the documentation and nomachine-setup --help gave that information.

I have a dummy question.
Which private/public key is the nx user expected to use?
1°) The one built during the install process for freenx usage:

Setting up /etc/nxserver ...done
Generating public/private dsa key pair.
Your identification has been saved in /etc/nxserver/users.id_dsa.
Your public key has been saved in /etc/nxserver/users.id_dsa.pub.

2°) The one created for all users:

Adding user "nx" to group "utmp" ...done
Setting up known_hosts and authorized_keys2 ...Unique key generated; your users must install

    /var/lib/nxserver/home/.ssh/client.id_dsa.key

on their computers.
done

This is the continuation of the previous thread. I misclicked.

This is what nxsetup complains about:

        - Make sure "nx" is one of the AllowUsers in sshd_config. --> YES
    (or that the line is outcommented/not there)
        - Make sure "nx" is one of the AllowGroups in sshd_config. --> Not There
    (or that the line is outcommented/not there)
        - Make sure your sshd allows public key authentication. --> By default ( not set to NO )
        - Make sure your sshd is really running on port 11945. --> YES
        - Make sure your sshd_config AuthorizedKeysFile in sshd_config is set to authorized_keys2. --> not set use default authorized_keys --> sshd is searching in both
    (this should be a filename not a pathname+filename)
  - Make sure you allow ssh on localhost, this could come from some
    restriction of:
      -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost

sshd : 192.168.130. : allow
sshd : 127.0.0. : allow
sshd : ALL : deny


      -the iptables. add to it: --> No firewall on this segment
         $ iptables -A INPUT  -i lo -j ACCEPT
         $ iptables -A OUTPUT -o lo -j ACCEPT

Effectively, the problem comes from the key pair that the user nx must use.
Which one do I have to use and put in authorized_keys?
Here is a part of the sshd debug log:


debug1: userauth-request for user nx service ssh-connection method publickey
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method publickey
debug3: mm_key_allowed entering
debug3: mm_request_send entering: type 20
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED
debug3: mm_request_receive_expect entering: type 21
debug3: mm_request_receive entering
debug3: monitor_read: checking request 45
debug1: PAM: initializing for "nx"
debug1: PAM: setting PAM_RHOST to "localhost.localdomain"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 45 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 3
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 3 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 20
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x7f84969697f0
debug1: temporarily_use_uid: 150/140 (e=0/0)
debug1: trying public key file /var/lib/nxserver/home/.ssh/authorized_keys
debug1: Could not open authorized keys '/var/lib/nxserver/home/.ssh/authorized_keys': No such file or directory
debug1: restore_uid: 0/0
debug1: temporarily_use_uid: 150/140 (e=0/0)
debug1: trying public key file /var/lib/nxserver/home/.ssh/authorized_keys2
debug1: Could not open authorized keys '/var/lib/nxserver/home/.ssh/authorized_keys2': No such file or directory
debug1: restore_uid: 0/0
Failed publickey for nx from 127.0.0.1 port 49354 ssh2
debug3: mm_answer_keyallowed: key 0x7f84969697f0 is not allowed
debug3: mm_request_send entering: type 21
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
debug3: mm_request_receive entering
Connection closed by 127.0.0.1
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering

I will try both keys and give news as soon as possible.

Thank you for taking time to help me.

It means that connections to port 12345 will be redirected to the NoMachine NX server, so you can have both. But FreeNX is still doing the authentication. It should also have enabled port 12345 in sshd_config and opened this port in the firewall. You should disable and close this port if it is not desired.

Yeah … I understand. These two options are not related, just like POSIX-compliant options you can use in any order.

#  /usr/bin/nomachine-setup --client

will install (or update) NoMachine client only. It actually means “do not install the server”. All other options are for the server. If you want to set up the client to connect to a given port, you should set this port in NoMachine client. And actually, are you doing that? With your setup, you need to tell NoMachine client to connect on port 11945. I’m not 100% sure because it is the only port that your sshd is listening on (well, not anymore: it should listen on port 12345 too now), but I would assume that NoMachine client will try port 22 if nothing else is specified.

The second one. But if you used freenx-setup, it should have created a .nx file with the name of the server in /var/lib/nxserver/home. You can just copy this file to the ~/.nx/config on the clients. It will be used when you select this connection in NoMachine client and should already include the correct port and the correct key.

Make sure at least one of these files exists, is owned by nx user and doesn’t have the extension “.disabled”. I’m not sure how the service renames this file. It might be a little bug in the service at this point indeed - at least it is not totally clear to me either. I usually create a hardlink, so authorized_keys2 and authorized_keys are the same file. The latest sshd default will only check authorized_keys, but it’s not the case here. This issue has been discussed in other threads.
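The three conditions from the reply above (the file exists, is owned by nx, and has not been renamed to “.disabled”), as an added shell check that is not part of the original thread. The default home directory is the path shown in the sshd debug log; the function names and status words are made up for this example.

```shell
#!/bin/sh
# Added example: inspect the key files sshd tried for the nx login.
# Default home is the path from the sshd debug log in this thread;
# "nx" is the FreeNX login account. Both can be overridden.

# Print the owner of a path (third field of `ls -ld`).
file_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# check_nx_authkeys [home] [owner]
# Prints one status line per candidate file and returns 0 only if at
# least one of authorized_keys / authorized_keys2 is usable.
check_nx_authkeys() {
    home=${1:-/var/lib/nxserver/home}
    owner=${2:-nx}
    usable=0
    for name in authorized_keys authorized_keys2; do
        f="$home/.ssh/$name"
        if [ -f "$f" ]; then
            got=$(file_owner "$f")
            if [ "$got" = "$owner" ]; then
                echo "OK $f"
                usable=1
            else
                echo "WRONG-OWNER $f (owned by $got, expected $owner)"
            fi
        elif [ -f "$f.disabled" ]; then
            # Present, but under a name sshd will never open.
            echo "DISABLED $f.disabled"
        else
            echo "MISSING $f"
        fi
    done
    [ "$usable" -eq 1 ]
}

# Usage: sh thisfile --check [home] [owner]
if [ "${1:-}" = "--check" ]; then
    shift
    check_nx_authkeys "$@"
fi
```

Two MISSING lines correspond to the two “Could not open authorized keys” messages in the debug log posted earlier in the thread.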

Hello.
I finally got it to work, but not in the way I wanted it to be.
When using FREENX, you cannot configure ssh for authentication by key-pair only.
My problem comes from these three parameters:

  1. PasswordAuthentication
  2. ChallengeResponseAuthentication
  3. PermitRootLogin ( when testing for root user )

As I have made so many changes and added so many “echo …”, I am restarting from bare metal.
I will give the last info tonight.

Unrelated… but you might want to update the NX agent (zypper up) . I made a new build yesterday using nx-agent-3.5.0-9 (it was using 3.5.0-7 before). It is supposed to solve some fonts rendering issues. See this bug report: https://bugzilla.novell.com/show_bug.cgi?id=787775.

I confirm that [please_try_again](http://forums.opensuse.org/members/please_try_again.html)'s article does the job.
http://forums.opensuse.org/content/125-setting-up-nx-server-part-i-freenx.html

And to be a little more precise for beginners like me (if you are only using FREENX server and NoMachine NX Client):
1°) Have a workable ssh install running
2°) Be sure to remove any previous FREENX / NX install
3°) Install FREENX from [please_try_again](http://forums.opensuse.org/members/please_try_again.html)'s repos
4°) Run /usr/bin/freenx-setup -p xxxxx (where xxxxx is the port number assigned to sshd in your sshd_config file).
5°) Run /usr/bin/nomachine-setup --client

Hope that could help someone.

This thread is closed.

Thank you for taking time to help me.


sshd_config :
SUSE Paste

node.conf
SUSE Paste

      SSHD_CONFIG 1
      -------------
           CONNECTION result
           -----------------

user : user_bidon not in allowed user ==> Failed

Always failed in all tests because the user does not belong to the AllowUsers parameter

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

      SSHD_CONFIG 2
      -------------

PubkeyAuthentication no

================================

           CONNECTION result
           -----------------

user : user_test in AllowUsers ==> Failed

user : root in AllowUsers ==> Failed

Everything fails due to “PubkeyAuthentication no”

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

      SSHD_CONFIG 3
      -------------
PubkeyAuthentication             yes      yes               yes
PermitRootLogin                  yes      without-password  no
PasswordAuthentication           yes      yes               yes
ChallengeResponseAuthentication  yes      yes               yes
user : user_test in AllowUsers   Success  Success           Success
user : root in AllowUsers        Success  Failed            Failed

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

       SSHD_CONFIG 4
       --------------
PubkeyAuthentication             yes      yes               yes
PermitRootLogin                  yes      without-password  no
PasswordAuthentication           no       no                no
ChallengeResponseAuthentication  yes      yes               yes
user : user_test in AllowUsers   Success  Success           Success
user : root in AllowUsers        Success  Failed            Failed

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

      SSHD_CONFIG 5
      -------------
PubkeyAuthentication             yes      yes               yes
PermitRootLogin                  yes      without-password  no
PasswordAuthentication           yes      yes               yes
ChallengeResponseAuthentication  no       no                no
user : user_test in AllowUsers   Success  Success           Success
user : root in AllowUsers        Success  Failed            Failed

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

      SSHD_CONFIG 6
      -------------
PubkeyAuthentication             yes      yes               yes
PermitRootLogin                  yes      without-password  no
PasswordAuthentication           no       no                no
ChallengeResponseAuthentication  no       no                no
user : user_test in AllowUsers   Failed   Failed            Failed
user : root in AllowUsers        Failed   Failed            Failed