Results 1 to 10 of 10

Thread: Secured freeNX using custom keys. But ssh now open

  1. #1
    Join Date
    Jan 2008
    Beans
    219

    Secured freeNX using custom keys. But ssh now open

    Hi all,

    Quick question.
    I just installed freeNX so i could graphically access my own computer from work. I also created and installed the custom keys (as per instructions in ubuntu howto:
    https://help.ubuntu.com/community/Fr...m%20SSH%20keys

    And that works great. I can't log in until i've installed the client key on the client. Exactly what I want.

    But, in installing the freenx server i've installed the dependency 'sshd'.
    And, I can now connect to my computer using ssh. AND it does NOT require any key. Just the usual username password pair. This is a bit insecure, and to my mind, makes useless the whole process I just went to in making the freenx more secure by using custom keys there.

    What is the best solution to this?

    Can I Secure SSH server with Public/Private key authentification?
    as per website instruction here:
    http://www.debuntu.org/ssh-key-based-authentication
    But then, wouldn't that somehow break the authentication process for freeNX?

    What should I do? I would rather the ssh also have the combination key + user/password authentication as does the freeNX!

    Thanks in advance for all replies and advice.

  2. #2
    Join Date
    Sep 2007
    Beans
    17
    Distro
    Ubuntu 9.04 Jaunty Jackalope

    Re: Secured freeNX using custom keys. But ssh now open

    I've just installed freeNX as I tried using VNC over ssh but it was slow.

    The nx protocol uses ssh to encrypt traffic between your remote machine and your client.

    In order to do that it needs to have the sshd daemon running.

    There are a couple of things that I have done to try and make this as secure as possible.

    Run your sshd on a non standard port. When I had port 22 open on my home router, I was getting loads of failed connections in my auth.log. Since I've moved it to a non standard port. Nada, Zilch. As a lot of these attacks are scripted they only really go for the standard ports.

    You can change the port that ssh listens to in /etc/ssh/sshd_config
    You also need to add this port in /etc/nxserver/node.conf

    You can also add 'AllowUsers' in sshd_config, so that ssh will ONLY let those users appempt to log in using ssh. (If you're going to add AllowUsers then user nx needs to be included so that freenx works, it took me a couple of hours of gnashing of teeth and banging my head against the wall to work that one out!! )

    Hope this helps

  3. #3
    Join Date
    Jan 2008
    Beans
    219

    Re: Secured freeNX using custom keys. But ssh now open

    Hi, and thanks for your reply!

    The port change sounds like a good idea! I will do that. I didn't yet as i expected those doing an attack would do a port scan and find it anyway. But if the most of these are scripted then, as you say. It will help alot.

    As for the AllowUsers option. This would only restrict the number of user names a hacker could try, correct? So it wouldn't increase the security 'that' much then would it?

    Code:
    scenario before using AllowUsers:
    system users: mark, mary jane, admin
    hacker can try to log in using any of these users
    
    scenario after using AllowUsers (AllowUsers admin)
    hacker must try to login using only admin acccount by guess admin password.

    Do you think it affects the setup of freenx (and the ability of clients to connect) if i setup sshd to use key based authentication?

    Is it possible to setup sshd to use both key based authentication AND username password?

    thanks again!

  4. #4
    Join Date
    Apr 2006
    Beans
    132

    Re: Secured freeNX using custom keys. But ssh now open

    Quote Originally Posted by svaens View Post
    Hi all,

    Quick question.
    I just installed freeNX so i could graphically access my own computer from work. I also created and installed the custom keys (as per instructions in ubuntu howto:
    https://help.ubuntu.com/community/Fr...m%20SSH%20keys

    And that works great. I can't log in until i've installed the client key on the client. Exactly what I want.

    But, in installing the freenx server i've installed the dependency 'sshd'.
    And, I can now connect to my computer using ssh. AND it does NOT require any key. Just the usual username password pair. This is a bit insecure, and to my mind, makes useless the whole process I just went to in making the freenx more secure by using custom keys there.

    What is the best solution to this?

    Can I Secure SSH server with Public/Private key authentification?
    as per website instruction here:
    http://www.debuntu.org/ssh-key-based-authentication
    But then, wouldn't that somehow break the authentication process for freeNX?

    What should I do? I would rather the ssh also have the combination key + user/password authentication as does the freeNX!

    Thanks in advance for all replies and advice.
    Same issue here. I really like FreeNX and it makes you wonder why vnc still exists. But not having key authentication with ssh is a showstopper. One look at auth.log is enough to realize this is important.
    I guess this should be simple to solve but can't find a solution...

    I was about to write a new post about this, but i guess it is better to bump this one.

  5. #5
    Join Date
    Apr 2006
    Beans
    132

    Re: Secured freeNX using custom keys. But ssh now open

    Quote Originally Posted by joris1977 View Post
    Same issue here. I really like FreeNX and it makes you wonder why vnc still exists. But not having key authentication with ssh is a showstopper. One look at auth.log is enough to realize this is important.
    I guess this should be simple to solve but can't find a solution...

    I was about to write a new post about this, but i guess it is better to bump this one.

    Seems I fixed it!

    WARNING: I am new to linux and feel uncomfortable efiting config files I don't totally understand. As far I can understand it seems safe what I have done and is safer than a ssh setup without key authentification but try at your own risk.

    This two links putted me on the right path:
    http://wiki.centos.org/HowTos/FreeNX
    http://linuxgazette.net/135/knaggs.html

    Steps to take

    Install ssh. I followed this tutorial:
    http://www.debuntu.org/ssh-key-based-authentication

    Install freeNX I followed this tutorial:
    https://help.ubuntu.com/community/FreeNX

    So now you have a secure ssh setup with key authentification but cannot login to NX over ssh

    Edit the /etc/ssh/sshd_config file and change/add the following lines:
    Code:
    AllowUsers nx
    AllowUsers (your user name)
    UsePAM yes
    Don't forget to restart the sshd daemon after making that change:

    Code:
    sudo /etc/init.d/ssh restart
    Next step is to copy the /var/lib/nxserver/home/.ssh/client.id_dsa.key to your client machine. (You probably already did this following the freenx howto)

    But you need to copy the key on the client machine to .ssh and rename it.

    like this:

    Code:
    cp $HOME/client.id_dsa.key $HOME/.ssh/id_dsa
    By now, you should be ready to login to the nx server over ssh

    You can try this with:

    Code:
    ssh nx@remote-server
    It will respond with
    HELLO NXSERVER - Version 3.2.0-74-SVN OS (GPL, using backend: 3.3.0)
    NX> 105

    Works? Good. Let's go on. By default, if you try to connect to the NX server, it will use the nx account for the ssh connection (with key authentication) but it will try also to connect in ssh with your own username/password to the host you're trying to reach. Because you've disabled the PasswordAuthentication over ssh, you have to use the NX Database to allow pass-through authentication. Be sure that /etc/nxserver/node.conf file contains the following line :

    Code:
    ENABLE_PASSDB_AUTHENTICATION="1"
    I am not sure if it is really necessary but I guess it can do no harm to restart to freenx server at this point.

    Code:
    sudo nxserver --restart
    Last step is to create a account on the NX server.

    Code:
    sudo nxserver --adduser (yourusername)
    NX server will reply with:

    NX> 100 NXSERVER - Version 3.2.0-74-SVN OS (GPL, using backend: 3.3.0)
    NX> 1000 NXNODE - Version 3.2.0-74-SVN OS (GPL, using backend: 3.3.0)
    NX> 716 Public key added to: /home/yourusername/.ssh/authorized_keys2
    NX> 1001 Bye.
    NX> 999 Bye

    and add a password

    Code:
    sudo nxserver --passwd (yourusername)
    NX> 100 NXSERVER - Version 3.2.0-74-SVN OS (GPL, using backend: 3.3.0)
    New password:
    Password changed.
    NX> 999 Bye

    That's it, now you should be able to do a secure login with the NoMachine NX client for linux using key authentification

    Works for me and should work for you.



    Please comment if you think this setup is not secure or unwise for some reason. There is already too much misinformation around.
    Last edited by joris1977; June 12th, 2009 at 12:37 PM. Reason: some lay-out

  6. #6
    Join Date
    Dec 2008
    Beans
    4

    Re: Secured freeNX using custom keys. But ssh now open

    Works for me too (and I am an amateur). Only slight hiccup was that I had to change the permissions of ~/.ssh/id_dsa before ssh would allow me to use it.

    Cheers, Tim

  7. #7
    Join Date
    Aug 2007
    Beans
    24

    Re: Secured freeNX using custom keys. But ssh now open

    change this setting

    #PasswordAuthentication yes

    to

    PasswordAuthentication no

    in

    /etc/ssh/sshd_config

    and that's it. Only key-based logins will now be allowed.

  8. #8
    Join Date
    Apr 2005
    Beans
    18

    Re: Secured freeNX using custom keys. But ssh now open

    Not sure if this is a better or easier way, but I finally got mine working the way I wanted it by doing the following. I think I tried the above, but it only worked when logging in as user nx. I was unable to ssh as a regular user. So I banged my head enough and came up with this.

    1. Reconfigure freenx to use custom keys
    Code:
    sudo dpkg-reconfigure freenx-server
    -select custom keys and SSH

    2. Copy generated key to client machine. On my machine key was located in
    Code:
    /var/lib/nxserver/home/.ssh/client.id_dsa.key
    3. When you configure your nx session on the client, import the key that you just copied over. Press Configure on main screen and then there is a key button under the server panel on the 'General' tab.

    3. Edit sshd_config to use nxserver's keys

    -change
    Code:
    AuthorizedKeysFile ...
    to
    Code:
    AuthorizedKeysFile /var/lib/nxserver/home/.ssh/authorized_keys2
    4. Restart sshd.

    At this point you should be able to connect to server using the nx client. But at this point, I was unable to ssh using command line or putty (windows) since the only keys it was seeing were the keys in the nxserver's authorized_keys2 file.

    I tried adding keys to this file, but it would only let me connect as user nx. I'm assuming due to permission issues on the authorized_keys2 file. I didn't want to mess with the permissions on this file, so in order to resolve the issue, I took advantage of the sshd_config value AuthorizedKeysFile2.

    5. Add the following line to sshd_config

    Code:
    AuthorizedKeysFile2 /home/<user>/.ssh/authorized_keys
    where <user> is your regular user.

    6. Add public keys to user's authorized_keys files as usual.

    This setup allows me to connect remotely via NX and via regular ssh sessions.

    Let me know if this helps or not or if you have any questions.

  9. #9
    Join Date
    Oct 2012
    Beans
    1

    Re: Secured freeNX using custom keys. But ssh now open

    This thread has been helpful to me today, so thanks to all you contributors.

    Another note on the AllowUsers configuration, I read from the link below that in addition to specifying the user name in AllowUsers you can also specify an IP address such as

    Code:
    AllowUsers wilson@127.0.0.1
    AllowUsers wilson@192.168.*
    AllowUsers wilson@123.222.111.1
    So that would require the attacker to not only be using the right account and guessing the credential, but also they would need to somehow fake the right ip address.

    Reference: http://notepad2.blogspot.com/2010/11...verclient.html

  10. #10
    Join Date
    Feb 2008
    Location
    Texas
    Beans
    15,665
    Distro
    Ubuntu 14.04 Trusty Tahr

    Re: Secured freeNX using custom keys. But ssh now open

    Thanks for sharing and please do not post in threads that have not had activity for a year or longer, since this is an old thread it has been closed.

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •