| 1 |
On Thu, Mar 19, 2009 at 5:29 PM, Joseph <syscon780@×××××.com> wrote: |
| 2 |
> On 03/19/09 13:07, Paul Hartman wrote: |
| 3 |
>> |
| 4 |
>> In my sshd_config I've got: |
| 5 |
>> |
| 6 |
>> PermitRootLogin No |
| 7 |
>> RSAAuthentication no |
| 8 |
>> PubkeyAuthentication yes |
| 9 |
>> AuthorizedKeysFile .ssh/authorized_keys |
| 10 |
>> PasswordAuthentication no |
| 11 |
>> PermitEmptyPasswords no |
| 12 |
>> ChallengeResponseAuthentication no |
| 13 |
>> UsePAM no |
| 14 |
>> |
| 15 |
>> Then in /usr/NX/etc/server.cfg I have: |
| 16 |
>> EnableUserDB = "1" |
| 17 |
>> EnablePasswordDB = "1" |
| 18 |
>> |
| 19 |
>> |
| 20 |
>> then run "/usr//NX/bin/nxserver --useradd yourusername" which will add |
| 21 |
>> that user to the NX user database as well as create/add an SSH key to |
| 22 |
>> that user (which is only used by NX on the local machine, it will SSH |
| 23 |
>> to itself). The password you create for this user is what you'll use |
| 24 |
>> in nxclient when connecting to the remote machine, and the SSH key in |
| 25 |
>> nxclient is the one that user would normally use to login to the box |
| 26 |
>> with regular SSH. |
| 27 |
>> |
| 28 |
>> If you don't use key authentication with SSH, you should be able to |
| 29 |
>> have the two NX server options above set to 0, and use the user's |
| 30 |
>> normal password to login. You will still need to put your NX server |
| 31 |
>> key into nxclient (unless you use the default key which is already in |
| 32 |
>> there). |
| 33 |
>> |
| 34 |
>> It is tricky to set up, but once it works it is awesome. :) It beats |
| 35 |
>> VNC or RDP easily. |
| 36 |
>> |
| 37 |
>> Paul |
| 38 |
> |
| 39 |
> I've tried to duplicate this setting but I can only log-in with my username |
| 40 |
> and password I created from a nxclient when I have in sshd.config |
| 41 |
> ... |
| 42 |
> UsePAM yes |
| 43 |
> |
| 44 |
> If I set it to no I can not log-in. |
| 45 |
> In your last section on coping keys, I'm not sure I follow it. |
| 46 |
> For now I used the default key that the server came with. |
| 47 |
> |
| 48 |
> What do you call nxclient? |
| 49 |
> Is it the user account name on the server I created with "...nxserver |
| 50 |
> --useradd joseph"? |
| 51 |
> This command copied the nxserver key to my home ~.ssh/authorized_keys file. |
| 52 |
|
| 53 |
In my setup I do not use passwords for SSH, or even allow them at all, |
| 54 |
I only use the public key auth. So "UsePAM no" and the other options |
| 55 |
gets rid of the interactive password prompt entirely. |
| 56 |
|
| 57 |
Here is my understanding of how the NX bits all fit together: |
| 58 |
|
| 59 |
Think of it as a 2-step connection. The first step is connecting from |
| 60 |
the remote nxclient to the nxserver. For this step, it uses the SSH |
| 61 |
key that you can put into nxclient. That only authenticates you as |
| 62 |
being able to connect to the NX server, it doesn't get you into any |
| 63 |
user files or desktops. By keeping the default NX key, anyone with NX |
| 64 |
client can connect to your box and get to this point. |
| 65 |
|
| 66 |
The second step, now that you are authenticated and connected to the |
| 67 |
NX server, is connecting to the remote desktop. Only users granted |
| 68 |
access to NX by --useradd are allowed to proceed past step 1, so even |
| 69 |
using default NX key won't let someone in any further unless they know |
| 70 |
your NX user's name and password. In the case of Linux remote desktops |
| 71 |
(the usual case), the key it installed into your user's |
| 72 |
authorized_keys is what NX server then uses to make an SSH login to |
| 73 |
your user's desktop environment. (I believe the NX user's key is set |
| 74 |
to only work when logging in from localhost). |
| 75 |
|
| 76 |
NX can also be used as a proxy to connect to VNC or RDP. When the VNC |
| 77 |
or RDP machine is on the local network of the NX server, the |
| 78 |
connection between those two machines is very fast. Then, that VNC/RDP |
| 79 |
is re-encoded using NX between the server and the client. Since NX's |
| 80 |
protocol is faster over the internet, you can actually get a faster |
| 81 |
RDP than if you had connected directly to the Windows machine using |
| 82 |
rdesktop. |
Archives