Answering my own question / update:
I believe I was confusing ssh keys and nxserver keys. One can generate keys for ssh (and use a passphrase if you so desire) via
ssh-keygen -t rsa (for an RSA keyset; conduct on the CLIENT)
and generate a nxserver keyset (no passphrase possible) via
with the nxserver keyset automatically replacing the/any existing key located at "/var/lib/nxserver/home/.ssh/client.id_dsa.key" (and backing up existing key automatically). The nxserver keyset appears to have no impact on the RSA keyset.
I have not figured out how to have nxserver generate an RSA key rather than a DSA key; it generates a DSA key by default (and 'man nxkeygen' provided no help), but it is a custom key, not a default keyset.
Wishing not to use PasswordAuthentication for ssh authorization, I disabled it in /etc/sshd_conf; however, before I can do so, I need to establish/register the key with the server, which will require me to temporarily allow password authentication for ssh authentication. I also made sure my nonstandard port was being used in /etc/sshd_config:
What I fail to understand is:
where/how the registration takes place; I realize that it modifies certain files such as "authorized_keys" or "authorized_keys2", but at which location, "/var/lib/nxserver/home/.ssh"? Other files? In other words, if I were to clean up my files, eliminate all but a given ssh key and ensure that it is being used and is authorized, how would I do so? Any help clearing this up would be appreciated, as understanding this would permit me to manage it better in the future.
I ended up with the following in my /etc/sshd_conf file:
AuthorizedKeysFile %h/.ssh/authorized_keys2 (although removing %h works too)
AllowUsers nx myusername
I wanted additional security for the nxserver; I am not sure how secure this is, but I finally decided to use PassDB authentication as I could not get it to work otherwise, and because when I tried to add users to nxserver, I obtained the following: "Most probably your FreeNX setup will work out of the box without this functionality and you've been misleaded by an old tutorial or old documentation to do this step. If however you really need this functionality, just set ENABLE_PASSDB_AUTHENTICATION="1" in node.conf."
I am wondering:
if I had chosen SSH rather than PassDB for nxserver authentication, would I be required to have both the nxkey and the sshkey, and if/how the sshkey would request the passphrase?! This would be preferred for security, but would be a little bit of a pain to install keys on a Client if I wish to connect to the host, but what is the issue with installing a 2nd key rather than a single key, ~ same effort for much higher security - assuming I don't misplace my keys and secure them properly on the Client machine(s). THIS IS A BIG QUESTION FOR ME - any input would be appreciated!
As my nxserver keyset is custom, then any user will need to have the private key "client.id_dsa.key" and import it into NX Client's configuration (as the contents of "client.id_dsa.key" hold the text "-----BEGIN DSA PRIVATE KEY-----" and end with "-----END DSA PRIVATE KEY-----"). Furthermore, using the PassDB, I established myself as a user with a password. So, not only will someone need to obtain my private key, they will also need to obtain my password and username.
Am I understanding this properly? I read some posts that say this is the public key, but clearly when it is imported into the NX Client it indicates that it is a private key...
I made sure that ENABLE_PASSDB_AUTHENTICATION="1" in node.conf as well as setting the nonstandard port Port=XXXXX.
I also ran the following script to ensure that the configuration of freenx was consistent with my approach:
sudo dpkg-reconfigure freenx-server
selecting 'Custom Keys' on the first screen, and 'PassDB' on the second. Of course, restart both ssh and nxservers via:
sudo restart ssh
sudo nxserver --restart
I am nearly there, but would appreciate any assistance on the "?"s above.
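An added example, not part of the original post: a small auditor that reads the sshd directives quoted above and reports which authorized-keys file sshd would consult for each allowed user, and whether password login is still on. The sample config and home directories are constructed assumptions (nx's home is inferred from the key path in the post); only the global section is read and AllowUsers entries are matched literally.

```python
# Constructed sample built from the directives quoted in the post.
SAMPLE_CONFIG = """\
PasswordAuthentication no
AuthorizedKeysFile %h/.ssh/authorized_keys2
AllowUsers nx myusername
# a later duplicate is ignored: the first value obtained wins
PasswordAuthentication yes
"""
# Assumed home directories; nx's comes from the key path quoted in the post.
HOMES = {"nx": "/var/lib/nxserver/home", "myusername": "/home/myusername"}
# OpenSSH defaults used when a keyword is absent.
DEFAULTS = {"passwordauthentication": ["yes"],
            "authorizedkeysfile": [".ssh/authorized_keys", ".ssh/authorized_keys2"]}

def parse_global(text):
    """Return {keyword: [args]} for the global section (stops at first Match)."""
    conf = {}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        key, _, first = words[0].partition("=")  # accepts Keyword=value too
        key, args = key.lower(), ([first] if first else []) + words[1:]
        if key == "match":
            break  # conditional overrides are out of scope for this example
        if key == "allowusers":  # repeated AllowUsers lines accumulate
            conf.setdefault(key, []).extend(args)
        elif key not in conf:  # first obtained value wins
            conf[key] = args
    return {**DEFAULTS, **conf}

def key_files(conf, user, home):
    """Expand %h and %u; a relative path is taken from the user's home."""
    paths = []
    for pattern in conf["authorizedkeysfile"]:
        path = pattern.replace("%h", home).replace("%u", user)
        paths.append(path if path.startswith("/") else f"{home}/{path}")
    return paths

def report(text, homes):
    # Only users named in AllowUsers (if present) can log in at all.
    conf = parse_global(text)
    allowed = conf.get("allowusers")
    return {"password_auth": conf["passwordauthentication"][0].lower() == "yes",
            "key_files": {u: key_files(conf, u, h) for u, h in homes.items()
                          if allowed is None or u in allowed}}

if __name__ == "__main__":
    print(report(SAMPLE_CONFIG, HOMES))
```

On a live host, `sudo sshd -T` prints the effective values sshd actually loaded, which is the authoritative check.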