r7 - 01 Feb 2006 - 01:04:17 - TimothyLegge

Using FreeNX to access an LTSP server

This mechanism allows an NX client to access the LTSP server as an LTSP client. This is not strictly an LTSP feature as it allows other devices that support the NX protocol to access LTSP server resources.

Why would you support this

It is a rare site that is all LTSP/Linux. Many times the site can support a connection from a Windows or Macintosh computer without the computer requiring a full blown Xserver. This allows the use of some Linux programs for all users, Windows and LTSP.

In addition, because the protocols used by FreeNX are extremely efficient, you can use it to access an LTSP server over a WAN link. Some people have also stated that the performance is more than acceptable over dial-up.

Disadvantages

It increases the load on the server, because the Xserver for each connection runs on the server. This consumes CPU and, in particular, memory resources.

How does it work

FreeNX is not a service. That is, it is not always running. Instead, it runs only when the NX client attempts to log in.

The NX client connects to the LTSP server using ssh public key authentication. The NX client sends the public key associated with the nx user. Once the client's public key is accepted by the server, the NX client opens an ssh tunnel to the server. The user is then authenticated against the ssh daemon listening on 127.0.0.1 on the LTSP server using their LTSP user id and password.

Setup

The setup is fairly simple, as most recent distributions include prebuilt packages in their extras repositories. For detailed instructions see:

http://fedoranews.org/contributors/rick_stout/freenx/

Testing

FIXME

Security Considerations

The security of FreeNX has been the subject of some discussion because of the methods it uses for authentication. The implementation itself, while unusual, seems to be secure. It is unusual because it uses a common user, nx, to create the initial connection to the server. Users are then authenticated individually via their user id and password through that initial connection.

There are however a few things that you can do to improve security:

  1. Change the default public key that ships with the NX server and client
  2. Run a second ssh daemon to separate the public key access for the NX server from password authentication for users.

Troubleshooting

Error message Server not installed or NX access disabled

Note: these instructions are for Fedora. The nxhome directory is often just called home on other distributions.

If you see the following error message, it means that the nx user's public key was not accepted:

NX> 203 NXSSH running with pid: 6721
NX> 285 Enabling check on switch command
NX> 285 Enabling skip of SSH config files
NX> 200 Connected to address: 192.168.2.21 on port: 22
NX> 202 Authenticating user: nx
NX> 208 Using auth method: publickey
NX> 204 Authentication failed.

This can be caused by several things.

  1. The nx user's authorized key file /var/lib/nxserver/nxhome/.ssh/authorized_keys2 is incorrectly named. All versions of ssh that I have seen on Ubuntu, Fedora and Redhat/Centos are configured to look for an authorized key file named .ssh/authorized_keys, not .ssh/authorized_keys2. You can rename the file, but it might be better to reconfigure sshd_config, because the nxserver --stop command renames .ssh/authorized_keys2 to .ssh/authorized_keys2.disabled to prevent access via an NX client.
  2. sshd is not running or is incorrectly configured. At minimum you need PubkeyAuthentication yes in the sshd_config file
  3. The server and client public keys might be different. At install the server and client use a default key which should be changed. You can open /var/lib/nxserver/nxhome/.ssh/authorized_keys and compare its contents to the key stored in the client by:
    1. Open the client tool
    2. Click the Configure button
    3. Click the Key button on the General Tab
    4. Ensure that the key matches the key found in /var/lib/nxserver/nxhome/.ssh/authorized_keys on the server
  4. This issue can also be caused by a locked user account for nx
    1. Check to see if the nx account is locked:
      passwd -S nx
    2. If the password is locked unlock it with:
      passwd -u nx
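
The first two causes in the list above can be checked from a shell on the server. The script below is an added example, not part of the original page or of FreeNX: the function names are hypothetical, and it assumes sshd falls back to .ssh/authorized_keys when AuthorizedKeysFile is unset, as described above.

```shell
#!/bin/sh
# Added example (not from the original page): checks causes 1 and 2 above.
# Assumption: when AuthorizedKeysFile is unset, sshd reads .ssh/authorized_keys,
# as the page describes. Match blocks in sshd_config are not interpreted.

# Print the value of the first uncommented KEYWORD line in CONFIG.
sshd_opt() {  # usage: sshd_opt CONFIG KEYWORD
    awk -v k="$2" 'tolower($1) == tolower(k) {
        $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Print one line per finding; the return status is the number of problems.
check_nx_pubkey() {  # usage: check_nx_pubkey SSHD_CONFIG NX_HOME
    cfg=$1; home=$2; problems=0; found=""
    pk=$(sshd_opt "$cfg" PubkeyAuthentication | tr 'A-Z' 'a-z')
    if [ "$pk" = "no" ]; then
        echo "PROBLEM: PubkeyAuthentication is 'no' in $cfg"
        problems=$((problems + 1))
    fi
    akf=$(sshd_opt "$cfg" AuthorizedKeysFile)
    [ -n "$akf" ] || akf=".ssh/authorized_keys"
    for f in $akf; do
        # Expand %h and %u, then resolve relative paths against the nx home.
        f=$(printf '%s' "$f" | sed "s|%h|$home|g; s|%u|nx|g")
        case $f in /*) ;; *) f="$home/$f" ;; esac
        if [ -s "$f" ]; then found=$f; fi
    done
    if [ -n "$found" ]; then
        echo "OK: sshd will read $found"
    else
        echo "PROBLEM: no key file at the configured path(s): $akf"
        problems=$((problems + 1))
        [ ! -s "$home/.ssh/authorized_keys2" ] ||
            echo "HINT: authorized_keys2 exists but sshd is not set to read it"
        [ ! -e "$home/.ssh/authorized_keys2.disabled" ] ||
            echo "HINT: authorized_keys2.disabled present; nxserver --stop was run"
    fi
    return "$problems"
}

# Run against real files only when both paths are given on the command line.
if [ $# -eq 2 ]; then check_nx_pubkey "$1" "$2"; fi
```

On Fedora, run it as root with /etc/ssh/sshd_config and /var/lib/nxserver/nxhome as the two arguments. The account lock check with passwd -S nx remains a separate manual step.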

This is based on the format and content of the VNC page

-- TimothyLegge - 15 Sep 2005
