On Thu, Mar 19, 2009 at 5:29 PM, Joseph <syscon780@×××××.com> wrote:
> On 03/19/09 13:07, Paul Hartman wrote:
>>
>> In my sshd_config I've got:
>>
>> PermitRootLogin No
>> RSAAuthentication no
>> PubkeyAuthentication yes
>> AuthorizedKeysFile .ssh/authorized_keys
>> PasswordAuthentication no
>> PermitEmptyPasswords no
>> ChallengeResponseAuthentication no
>> UsePAM no
>>
>> Then in /usr/NX/etc/server.cfg I have:
>> EnableUserDB = "1"
>> EnablePasswordDB = "1"
>>
>>
>> then run "/usr//NX/bin/nxserver --useradd yourusername" which will add
>> that user to the NX user database as well as create/add an SSH key to
>> that user (which is only used by NX on the local machine, it will SSH
>> to itself). The password you create for this user is what you'll use
>> in nxclient when connecting to the remote machine, and the SSH key in
>> nxclient is the one that user would normally use to login to the box
>> with regular SSH.
>>
>> If you don't use key authentication with SSH, you should be able to
>> have the two NX server options above set to 0, and use the user's
>> normal password to login. You will still need to put your NX server
>> key into nxclient (unless you use the default key which is already in
>> there).
>>
>> It is tricky to set up, but once it works it is awesome. :) It beats
>> VNC or RDP easily.
>>
>> Paul
>
> I've tried to duplicate this setting but I can only log-in with my username
> and password I created from a nxclient when I have in sshd.config
> ...
> UsePAM yes
>
> If I set it to no I can not log-in.
> In your last section on copying keys, I'm not sure I follow it.
> For now I used the default key that the server came with.
>
> What do you call nxclient?
> Is it the user account name on the server I created with "...nxserver
> --useradd joseph"?
> This command copied the nxserver key to my home ~.ssh/authorized_keys file.

In my setup I do not use passwords for SSH, or even allow them at all,
I only use the public key auth. So "UsePAM no" and the other options
get rid of the interactive password prompt entirely.

Here is my understanding of how the NX bits all fit together:

Think of it as a 2-step connection. The first step is connecting from
the remote nxclient to the nxserver. For this step, it uses the SSH
key that you can put into nxclient. That only authenticates you as
being able to connect to the NX server, it doesn't get you into any
user files or desktops. By keeping the default NX key, anyone with NX
client can connect to your box and get to this point.

The second step, now that you are authenticated and connected to the
NX server, is connecting to the remote desktop. Only users granted
access to NX by --useradd are allowed to proceed past step 1, so even
using default NX key won't let someone in any further unless they know
your NX user's name and password. In the case of Linux remote desktops
(the usual case), the key it installed into your user's
authorized_keys is what NX server then uses to make an SSH login to
your user's desktop environment. (I believe the NX user's key is set
to only work when logging in from localhost).

NX can also be used as a proxy to connect to VNC or RDP. When the VNC
or RDP machine is on the local network of the NX server, the
connection between those two machines is very fast. Then, that VNC/RDP
is re-encoded using NX between the server and the client. Since NX's
protocol is faster over the internet, you can actually get a faster
RDP than if you had connected directly to the Windows machine using
rdesktop.
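Whether a key in a user's authorized_keys really is limited to localhost, as the message above believes of the NX-installed key, shows up as an OpenSSH `from="..."` option on that key's line. The following is an added example, not part of the original message and not NX's own code: it parses authorized_keys lines (including quoted option values) and reports which keys are loopback-only. The sample lines are constructed and their key material is placeholder text.

```python
import re

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")  # a line starting with a key type has no options
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:\\.|[^"\\])*)")?,?')

# Constructed sample; key material is placeholder text, not real keys.
SAMPLE = """\
# constructed authorized_keys content
from="127.0.0.1",no-port-forwarding ssh-dss AAAAPLACEHOLDER1 nx-user-key
ssh-rsa AAAAPLACEHOLDER2 user@laptop
from="127.0.0.1,192.168.*",command="echo hi, there" ssh-rsa AAAAPLACEHOLDER3 mixed
"""

def split_options(line):
    """Return (options dict, remainder) for one authorized_keys line."""
    if line.startswith(KEY_PREFIXES):
        return {}, line
    opts, i = {}, 0
    # Options end at the first space that is not inside a quoted value.
    while i < len(line) and line[i] != " ":
        m = OPTION.match(line, i)
        if not m:
            raise ValueError("malformed options: " + line[:40])
        opts[m.group(1).lower()] = m.group(2)
        i = m.end()
    return opts, line[i:].strip()

def audit(text):
    """Return [(comment, localhost_only)] for every key in text."""
    results = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opts, rest = split_options(line)
        fields = rest.split(None, 2)
        comment = fields[2] if len(fields) > 2 else "(no comment)"
        # Negated patterns only narrow access, so they are ignored here.
        allowed = [p for p in (opts.get("from") or "").split(",")
                   if p and not p.startswith("!")]
        local = bool(allowed) and all(p.lower() in LOOPBACK for p in allowed)
        results.append((comment, local))
    return results

if __name__ == "__main__":
    for comment, local in audit(SAMPLE):
        print(("localhost-only " if local else "ANY HOST       ") + comment)
```

A key reported as not localhost-only is usable for a direct SSH login from any address that sshd accepts, which matters when password authentication is disabled and keys are the only gate.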