How to set up a tunneled FreeNX server with only seveas repositories in Feisty Fawn

[kevdog]

For Hardy, Intrepid, Jaunty, and beyond, an updated version of this guide is contained here: https://help.ubuntu.com/community/FreeNX I would suggest users follow the steps to this new guide and use this guide as a reference.

Tutorial inspired by my original post: http://ubuntuforums.org/showthread.php?t=457633 attempting to get working ssh tunneled FreeNX server with only opengl freenx server package supplied by seveas repositories.

There is another how-to guide for setting up FreeNX server under breezy, however installation is with packages supplied by nomachine and to my knowledge are not OpenGL compliant: http://ubuntuforums.org/showthread.p...ghlight=freenx

Quick Overview of Process
1. Modify /etc/apt/sources.list to include seveas repositories
2. Ensure paths to fonts are correct within xorg.conf
3. Download and install seveas packages
4. Perform some key management functions for ssh server and nx user -- copy authorized_keys2 file to authorized_keys
5. (Optional) - Setup ssh port number on router, sshd_config, and node.conf file
6. Verify the nx user can ssh into server
7. Add users to freenx database
8. Perform key management for individual clients - copy authorized_keys2 file to authorized_keys in user personal .ssh directory
9. Restart nx server
10. Setup client

My server client versions:
FreeNx server: Version 1.5.0-60 OS (GPL)
WindowsXP client: NoMachine Nx Client for Windows Version 2.1.0-17

Assumptions
1. U(K)(X)buntu Feisty Fawn 7.04 distribution (likely to work with earlier ubuntu distros -- however this is untested).
2. Installed and functional ssh server
3. Static IP address for server, or a dynamic IP address that is unlikely to change
4. If behind router, ssh port is port forwarded to router
5. Firewall either disabled, or enabled to allow for ssh communication

The seveas repository provides Nx Client for Linux. Windows NoMachine Nx clients may be obtained for free from: http://www.nomachine.com/download.php

1. Modify /etc/apt/sources.list

Code:

gksu gedit /etc/apt/sources.list

Add the following at the bottom of the file:

Code:

#Seveas Repositories https://wiki.ubuntu.com/SeveasPackages
deb http://free.linux.hp.com/~brett/seveas/freenx/ feisty-seveas freenx
deb-src http://free.linux.hp.com/~brett/seveas/freenx/ feisty-seveas freenx

If for some reason, these seveas mirrors are broken additional repositories may be added. List of additional repositories may be found here: http://free.linux.hp.com/~brett/seveas/freenx/

These packages can be authenticated using gpg -- which helps to avoid authentication errors. In order to accomplish this:

Code:

gpg --keyserver subkeys.pgp.net --recv-keys 1135D466
gpg --export --armor 1135D466 | sudo apt-key add -

2. Ensure font paths are correct in xorg.conf
First backup xorg.conf file:

Code:

sudo cp /etc/X11/xorg.conf /etc/X11/xorg.conf.bak

Open, look at, the xorg.conf file

Code:

gksu gedit /etc/X11/xorg.conf

Go to the section entitled "Files" and look at the different Font Paths. You need to ensure that these font paths are correct. When I originally installed from the Edgy Live CD these paths were totally incorrect, but caused no problem until the FreeNx server installation. This was the cause of a lot of headache. My Font Path section is as follows, but rather than blindly copying and pasting, please ensure these are correct for your installation:

Code:

Section "Files"
        FontPath        "/usr/share/fonts/X11/misc"
        FontPath        "/usr/share/fonts/X11/cyrillic"
        FontPath        "/usr/share/fonts/X11/100dpi/:unscaled"
        FontPath        "/usr/share/fonts/X11/75dpi/:unscaled"
        FontPath        "/usr/share/fonts/X11/Type1/"
        FontPath        "/usr/share/fonts/X11/100dpi/"
        FontPath        "/usr/share/fonts/X11/75dpi/"
        FontPath        "/usr/share/fonts/X11/misc/"
        # path to defoma fonts
        FontPath        "/var/lib/defoma/x-ttcidfont-conf.d/dirs/TrueType"
EndSection

3.Download and install the seveas freenx packages

Code:

sudo aptitude update
sudo aptitude install freenx nxclient

The server binaries are installed at: /usr/bin/nxserver
The server configuration files are located at: /etc/nxserver/node.conf
The client binaries are installed at: /usr/NX/bin
The client configuration files are kept at: ~/.nx (This directory will not be created until using the nxclient for the first time).

Installation of the freenx server creates a new user on the server:nx, with home directory of: /var/lib/nxserver/home. Inside this home directory is located a .ssh directory, and within this directory are created an authorized_keys2 and client.id_dsa.key. These keys are setup by the default installation program.

4. Key management for nx server (nx user) - Copy nx server authorized_keys2 file to authorized_keys

For purpose of this guide we are going to be using the default keys created during the installation of the freenx server. If you want to create custom keys (optional step), I would suggest doing this now by:

Code:

sudo dpkg-reconfigure freenx

and choosing custom keys. I have not done this step.

Current ssh servers expect authorization keys to be located in a file known as authorized_keys, and not authorized_keys2. To verify this is the expected file name:

Code:

sudo cat /etc/ssh/sshd_config | grep AuthorizedKeysFile

For the purpose of this guide, I am assuming all private ssh keys are kept in authorized_keys and not authorized_keys2.

Because the default installation places the nx user keys in authorized_keys2, rather than authorized_keys, we need to copy the nx user's authorized_keys2 file to authorized_keys. To do this:

Code:

cd /var/lib/nxserver
sudo su
cd home/.ssh
cp authorized_keys2 authorized_keys
chown nx authorized_keys
exit

5. Set port for ssh, nx server (Applicable only to those who are not running ssh over standard port 22).

By default, both the ssh_server and freenx server are setup to listen on port 22. If you are using a different port number for ssh, you need to ensure the following:
a. The ssh port number is forwarded from router to s/erver
b. The sshd_config file reflects the appropriate port number
Either add extra port number or modify Port statement in sshd_config to reflect appropriate port number
c. Edit /etc/nxserver/node.conf file, and change line where it states #SSHD_PORT=22
to SSHD_PORT=port_number. <--- Insert appropriate number
d. Restart ssh server

Code:

sudo /etc/init.d/ssh restart

6. Verify ssh connection using nx user (DEBUGING STEP)
Although not necessary, this step will ensure that the nx user can use ssh to connect to the server. If this step fails, usage of the freenx server will fail also.

Code:

sudo su
cd /var/lib/nxserver/home/.ssh
ssh -i client.id_dsa.key nx@localhost

Following should result demonstrating that the nx user can log into system via ssh:

Code:

HELLO NXSERVER - Version 1.5.0-60 OS (GPL)
NX> 105

To get back to normal user:

Code:

exit
exit

7. Do not proceed further if step #6 fails Add user to freenx database.

Please note that this user must already have an account on the server.

Code:

sudo nxserver --adduser <user_to_add>
sudo nxserver --passwd <user>

For managing user's in the freenx database the following commands are helpful:
sudo nxserver --help
sudo nxserver --listuser
sudo nxserver --restart

Once user or users are added, restart the nx server:

Code:

sudo nxserver --restart

8. Key management for individual users

Have each user on server append created authorized_keys2 file to authorized_keys.
After adding myself as a user to the freenx server database, an authorized_keys2 file was created in my ~/.ssh directory. Because I already had an authorized_keys file, I needed to append the authorized_keys2 file to my current authorized_keys file:

Code:

cat authorized_keys2 >> authorized_keys

9. Restart nx server
Setup at this point should be complete for the server.
Please restart freenx server:

Code:

sudo nxserver --restart

10. Client Setup
For client setup (for example on windows) you need to download the client. The client needs to be configured to use SSL encryption of all traffic (under Advanced Tab) If you didnt modify the default ssh nxserver keys during the installation, the client by default should have the correct ssh client key already installed (to verify push the key button and ensure the key listed matches the key found at ~/.ssh/client.id_dsa.key). If you modified the installation to use custom keys, you will need to add the modified client key.

If you run into trouble:
1. Enable the debugging log in the server. Modify /etc/nxserver.node.conf to include NX_LOG_LEVEL=3. May change the number up to 7 to receive more information. The logs for each session are kept under ~/.nx and then look for a big long number that represents a directory. Within this directory are kept various logs which may help
2. Even after fixing fonts in the xorg.conf file, I kept getting a font related error. At least on my nxserver, I had to add the following line to the /etc/nxserver/node.conf file:
AGENT_EXTRA_OPTIONS_X="-fp /usr/share/fonts/X11/misc/"

***Thanks to Milamb0r for suggesting changes to the guide

[dfreer]

Thanks for this! As soon as things get less hectic around here, I really want to give this a try!

[Milamb0r]

Hi,

big thanks for the great HOWTO! Just tried it out and it worked well here.

Perhaps you might kill some very small failures, probable typos:

Quote:

Originally Posted by kevdog 7. Do not proceed further if step #6 fails Add user to freenx database. Please note that this user must already have an account on the server. Code: sudo nxserver --adduser sudo nxserver user --passwd

For better understanding it should be:

Code:

sudo nxserver --adduser <user_to_add>
sudo nxserver --passwd <user>

and ..

Quote:

For managing user's in the freenx database the following commands are helpful: sudo freenx --help (lists all commands available) sudo freenx --listuser sudo freenx --restart

These commands should be:

Code:

sudo nxserver --help
sudo nxserver --listuser
sudo nxserver --restart

Quote:

9. Restart nx server Setup at this point should be complete for the server. Please restart freenx server: Code: sudo nxserver -restart

Just forgot a second "-" in front of restart here..

Thanks again, appreciate it!

[kevdog]

Thanks for the suggestions, hopefully the guide is working for you. Havent received much feedback -- it took me days to figure things out on my own!!

[mamnmamn]

I have set up freenx on CENTOS 5 and it is similar to what you have done here. Can I ask, Is it possible to make the users use different ssh keys or do they use the same. Also I have not added seperate nx users and it seems to just be pulling them from the linux logins. Comments on security would be great.

[kevdog]

Im not exactly sure what you are asking. I thought each user had to have an account on the server. Each user is assigned a client_id_dsa.key (public key) along with a correlating dss key that must be put in the authorized key. This combination could in theory be generated randomly for each user.

[RealMabu]

Quote:

Originally Posted by kevdog 6. Verify ssh connection using nx user (DEBUGING STEP) Although not necessary, this step will ensure that the nx user can use ssh to connect to the server. If this step fails, usage of the freenx server will fail also. Code: sudo su cd /var/lib/nxserver/home/.ssh ssh -i client.id_dsa.key nx@localhost Following should result demonstrating that the nx user can log into system via ssh: Code: HELLO NXSERVER - Version 1.5.0-60 OS (GPL) NX> 105 To get back to normal user: Code: exit exit

Hi,
what if I fail step 6?
I have managed to set up ports to 8888 and here is what I get:

Code:

root@...:/var/lib/nxserver/home/.ssh# ssh -i client.id_dsa.key nx@localhost -p 8888
Read from socket failed: Connection reset by peer
root@...:/var/lib/nxserver/home/.ssh#

Checking my config against your steps:
1.Repositories: OK
2.I miss the:

Code:

FontPath        "/usr/share/fonts/X11/misc/"

But i guess this isnt my problem...
3.I miss nxclient but I just need the server on my ubuntu box...
4.I edited /etc/ssh/sshd_config adding the line:

Code:

AuthorizedKeysFile %h/.ssh/authorized_keys2

5.I use SSHD on port 8888 and accomplished this by editing both /etc/ssh/sshd_config:

Code:

Port 8888

and /etc/nxserver/node.conf:

Code:

SSHD_PORT=8888

Any ideas?

P.S. EDIT
I add the verbose output of the debugging ssh command... maybe you guys find it useful...

Code:

root@...:/var/lib/nxserver/home/.ssh# ssh -v -i client.id_dsa.key nx@localhost -p 8888
OpenSSH_4.3p2 Debian-8ubuntu1, OpenSSL 0.9.8c 05 Sep 2006
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 8888.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file client.id_dsa.key type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3p2 Debian-8ubuntu1
debug1: match: OpenSSH_4.3p2 Debian-8ubuntu1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-8ubuntu1
debug1: An invalid name was supplied
Configuration file does not specify default realm

debug1: An invalid name was supplied
A parameter was malformed
Validation error

debug1: An invalid name was supplied
Configuration file does not specify default realm

debug1: An invalid name was supplied
A parameter was malformed
Validation error

debug1: SSH2_MSG_KEXINIT sent
Read from socket failed: Connection reset by peer
root@...:/var/lib/nxserver/home/.ssh#

[tekoholix]

kevdog,

You are THE MAN!! I've just spent the last 2 days, trying to get the most recent official releases of nomachine's server/node/client up and running, and could not (due to more errors than I'd care to try to remember), thinking that the official releases might be better than the others...

I finally gave up, came back to your thread and followed your instructions explicitly (just as I had done with their's...), and suddenly IT JUST WORX!!!!!!!

I appreciate ya' greatly, and so will many of my customers, once I can show them this!!

Paul Harmor
Tekoholix.Computer.Services

[kevdog]

RealMabu

Im not exactly sure what your problem is, however it is definitely related to the ssh login process (which isnt exactly related to FreeNx). I would confirm in your sshd_config you are using authorized_keys rather than authorized_keys2 and that inside the nx home directory you have copied authorized_keys2 to authorized_keys.

I dont understand some of the errors you are getting, I would probably google them and see what comes up. Im not an expert in troubleshooting ssh errors


tekoholix

Glad the guide worked for you. Im not getting much feedback about the guide (as you can see). Im glad at least one person can verify the steps I suggested.

[RealMabu]

Kevdog
I got it running at last!
At least in LAN it's working fine.
I copied the auth...keys2 into auth...keys but it continued not to work...
Then I noticed that even if I restarted sshd issuing

Code:

/etc/init.d/ssh restart

as root, the sshd process was owned by my "normal" user...
As if sshd didnt actually restart so I guess it didn't load the new config file.
I killed the process "by hand" and started issuing

Code:

/etc/init.d/ssh start

.
Suddenly FreeNX is working.

Thanks for your guide and your help.

P.S. - re-reading your guide I noticed that in part 2 you have a double line (bold):

Quote:

Code: Section "Files" FontPath "/usr/share/fonts/X11/misc" FontPath "/usr/share/fonts/X11/cyrillic" FontPath "/usr/share/fonts/X11/100dpi/:unscaled" FontPath "/usr/share/fonts/X11/75dpi/:unscaled" FontPath "/usr/share/fonts/X11/Type1/" FontPath "/usr/share/fonts/X11/100dpi/" FontPath "/usr/share/fonts/X11/75dpi/" FontPath "/usr/share/fonts/X11/misc/" # path to defoma fonts FontPath "/var/lib/defoma/x-ttcidfont-conf.d/dirs/TrueType" EndSection

Is that intentional or just a mistake?

Regrards.