* [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]
[not found] <1187320660.17135015.1448477414727.JavaMail.yahoo.ref@mail.yahoo.com>
@ 2015-11-25 18:50 ` Bill Damage
2015-11-25 18:58 ` thelma
2015-11-26 9:51 ` Peter Humphrey
0 siblings, 2 replies; 23+ messages in thread
From: Bill Damage @ 2015-11-25 18:50 UTC (permalink / raw
To: gentoo-user@lists.gentoo.org
I have exactly the same problem mentioned in this thread. I think something changed and broke the authentication during an update. I found this message by Googling and just joined the mail list to ask for help. I have done everything mentioned in the thread, and here's where I'm at: (it worked fine before some regular update broke it)
Thanks!
[root@tiger ssh]# nxsetup --test
----> Testing your nxserver configuration ...
Warning: Invalid value "APPLICATION_LIBRARY_PRELOAD=/usr/lib64/nx/libX11.so.6:/usr/lib64/nx/libXext.so.6:/usr/lib64/nx/libXcomp.so.3:/usr/lib64/nx/libXcompext.so.3:/usr/lib64/nx/libXrender.so.1". /usr/lib64/nx/libX11.so.6 could not be found. Users will not be able to run a single application in non-rootless mode.
Warning: Invalid value "COMMAND_START_CDE=cdwm" Users will not be able to request a CDE session.
Warning: Invalid value "COMMAND_SMBMOUNT=smbmount". You'll not be able to use SAMBA.
Warning: Invalid value "COMMAND_SMBUMOUNT=smbumount". You'll not be able to use SAMBA.
Warning: Invalid cupsd version of "/usr/sbin/cupsd". Need version 1.2. Users will not be able to enable printing. Ignore if you use cups > 1.2
Error: Could not find 1.5.0 or 2.[01].0 or 3.[012345].0 version string in nxagent. NX 1.5.0 or 2.[01].0 or 3.[012345].0 backend is needed for this version of FreeNX.
Warnings occured during config check. To enable these features please correct the configuration file.
<---- done
----> Testing your nxserver connection ...
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
Fatal error: Could not connect to NX Server.
Please check your ssh setup:
The following are _examples_ of what you might need to check.
- Make sure "nx" is one of the AllowUsers in sshd_config. (or that the line is outcommented/not there)
- Make sure "nx" is one of the AllowGroups in sshd_config. (or that the line is outcommented/not there)
- Make sure your sshd allows public key authentication.
- Make sure your sshd is really running on port 22.
- Make sure your sshd_config AuthorizedKeysFile in sshd_config is set to authorized_keys. (this should be a filename not a pathname+filename)
- Make sure you allow ssh on localhost, this could come from some restriction of:
  -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
  -the iptables. add to it:
     $ iptables -A INPUT -i lo -j ACCEPT
     $ iptables -A OUTPUT -o lo -j ACCEPT
[root@tiger ssh]#
* Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]
2015-11-25 18:50 ` [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued] Bill Damage
@ 2015-11-25 18:58 ` thelma
2015-11-25 19:31 ` Neil Bothwick
2015-11-26 9:51 ` Peter Humphrey
1 sibling, 1 reply; 23+ messages in thread
From: thelma @ 2015-11-25 18:58 UTC (permalink / raw
To: gentoo-user
On 11/25/2015 11:50 AM, Bill Damage wrote:
> I have exactly the same problem mentioned in this thread. I think something changed and broke the authentication during an update. I found this message by Googling and just joined the mail list to ask for help. I have done everything mentioned in the thread, and here's where I'm at: (it worked fine before some regular update broke it)
> Thanks!
> [root@tiger ssh]# nxsetup --test
> ----> Testing your nxserver configuration ...
> Warning: Invalid value "APPLICATION_LIBRARY_PRELOAD=/usr/lib64/nx/libX11.so.6:/usr/lib64/nx/libXext.so.6:/usr/lib64/nx/libXcomp.so.3:/usr/lib64/nx/libXcompext.so.3:/usr/lib64/nx/libXrender.so.1". /usr/lib64/nx/libX11.so.6 could not be found. Users will not be able to run a single application in non-rootless mode.
> Warning: Invalid value "COMMAND_START_CDE=cdwm" Users will not be able to request a CDE session.
> Warning: Invalid value "COMMAND_SMBMOUNT=smbmount". You'll not be able to use SAMBA.
> Warning: Invalid value "COMMAND_SMBUMOUNT=smbumount". You'll not be able to use SAMBA.
> Warning: Invalid cupsd version of "/usr/sbin/cupsd". Need version 1.2. Users will not be able to enable printing. Ignore if you use cups > 1.2
> Error: Could not find 1.5.0 or 2.[01].0 or 3.[012345].0 version string in nxagent. NX 1.5.0 or 2.[01].0 or 3.[012345].0 backend is needed for this version of FreeNX.
> Warnings occured during config check. To enable these features please correct the configuration file.
> <---- done
> ----> Testing your nxserver connection ...
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
> Fatal error: Could not connect to NX Server.
> Please check your ssh setup:
> The following are _examples_ of what you might need to check.
> - Make sure "nx" is one of the AllowUsers in sshd_config. (or that the line is outcommented/not there)
> - Make sure "nx" is one of the AllowGroups in sshd_config. (or that the line is outcommented/not there)
> - Make sure your sshd allows public key authentication.
> - Make sure your sshd is really running on port 22.
> - Make sure your sshd_config AuthorizedKeysFile in sshd_config is set to authorized_keys. (this should be a filename not a pathname+filename)
> - Make sure you allow ssh on localhost, this could come from some restriction of:
>   -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
>   -the iptables. add to it:
>      $ iptables -A INPUT -i lo -j ACCEPT
>      $ iptables -A OUTPUT -o lo -j ACCEPT
> [root@tiger ssh]#
>
I had the same problem.
openssh-7.xxx (screwed up) by disabling ssh-dss key (that is what
nxserver is using).
Trying to enable the "ssh-dss" via sshd_config does not work!
So the only way to go about it is to downgrade to openssh-6.xxx
--
Thelma
* Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]
2015-11-25 18:58 ` thelma
@ 2015-11-25 19:31 ` Neil Bothwick
2015-11-25 19:55 ` thelma
0 siblings, 1 reply; 23+ messages in thread
From: Neil Bothwick @ 2015-11-25 19:31 UTC (permalink / raw
To: gentoo-user
On Wed, 25 Nov 2015 11:58:47 -0700, thelma@sys-concept.com wrote:
> I had the same problem.
> openssh-7.xxx (screwed up) by disabling ssh-dss key (that is what
> nxserver is using).
That's not what the error message you posted said.
> Trying to enable the "ssh-dss" via sshd_config does not work!
Which you would expect if that was not the problem. From memory, I think
your problem was caused by password logins as root being disabled. That
was another change for 7.0 and my only comment on that is "why the hell
did they wait until version 7.0 before getting rid of such an insecure
default?".
--
Neil Bothwick
Age and treachery will always overcome youth and skill.
* Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]
2015-11-25 19:31 ` Neil Bothwick
@ 2015-11-25 19:55 ` thelma
2015-11-25 20:04 ` Neil Bothwick
0 siblings, 1 reply; 23+ messages in thread
From: thelma @ 2015-11-25 19:55 UTC (permalink / raw
To: gentoo-user
On 11/25/2015 12:31 PM, Neil Bothwick wrote:
> On Wed, 25 Nov 2015 11:58:47 -0700, thelma@sys-concept.com wrote:
>
>> I had the same problem.
>> openssh-7.xxx (screwed up) by disabling ssh-dss key (that is what
>> nxserver is using).
>
> That's not what the error message you posted said.
>
>> Trying to enable the "ssh-dss" via sshd_config does not work!
>
> Which you would expect if that was not the problem. From memory, I think
> your problem was caused by password logins as root being disabled. That
> was another change for 7.0 and my only comment on that is "why the hell
> did they wait until version 7.0 before getting rid of such an insecure
> default?".
>
>
in sshd_config
#PermitRootLogin yes
or
#PermitRootLogin no
I can connect using openssh-6 but not 7-xx
Thelma
* Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]
2015-11-25 19:55 ` thelma
@ 2015-11-25 20:04 ` Neil Bothwick
2015-11-25 20:21 ` Mick
` (2 more replies)
0 siblings, 3 replies; 23+ messages in thread
From: Neil Bothwick @ 2015-11-25 20:04 UTC (permalink / raw
To: gentoo-user
On Wed, 25 Nov 2015 12:55:43 -0700, thelma@sys-concept.com wrote:
> > Which you would expect if that was not the problem. From memory, I
> > think your problem was caused by password logins as root being
> > disabled. That was another change for 7.0 and my only comment on that
> > is "why the hell did they wait until version 7.0 before getting rid
> > of such an insecure default?".
> >
> >
> in sshd_config
>
> #PermitRootLogin yes
> or
> #PermitRootLogin no
>
> I can connect using openssh-6 but not 7-xx
Because the setting is commented out so it falls back to the default,
which is yes in 6 and no in 7. Set it to what you need instead of relying
on defaults which can change.
--
Neil Bothwick
The people who are wrapped up in themselves are overdressed.
* Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]
2015-11-25 20:04 ` Neil Bothwick
@ 2015-11-25 20:21 ` Mick
2015-11-25 21:08 ` thelma
2015-11-26 8:14 ` Bill Damage
2 siblings, 0 replies; 23+ messages in thread
From: Mick @ 2015-11-25 20:21 UTC (permalink / raw
To: gentoo-user
On Wednesday 25 Nov 2015 20:04:14 Neil Bothwick wrote:
> On Wed, 25 Nov 2015 12:55:43 -0700, thelma@sys-concept.com wrote:
> > > Which you would expect if that was not the problem. From memory, I
> > > think your problem was caused by password logins as root being
> > > disabled. That was another change for 7.0 and my only comment on that
> > > is "why the hell did they wait until version 7.0 before getting rid
> > > of such an insecure default?".
> >
> > in sshd_config
> >
> > #PermitRootLogin yes
> > or
> > #PermitRootLogin no
> >
> > I can connect using openssh-6 but not 7-xx
>
> Because the setting is commented out so it falls back to the default,
> which is yes in 6 and no in 7. Set it to what you need instead of relying
> on defaults which can change.
Also, check your *uncommented* setting for PermitEmptyPasswords, if for some
reason you have not set up a password for your NX account. The default is no.
--
Regards,
Mick
* Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]
2015-11-25 20:04 ` Neil Bothwick
2015-11-25 20:21 ` Mick
@ 2015-11-25 21:08 ` thelma
2015-11-26 9:07 ` Bill Damage
2015-11-26 8:14 ` Bill Damage
2 siblings, 1 reply; 23+ messages in thread
From: thelma @ 2015-11-25 21:08 UTC (permalink / raw
To: gentoo-user
On 11/25/2015 01:04 PM, Neil Bothwick wrote:
> On Wed, 25 Nov 2015 12:55:43 -0700, thelma@sys-concept.com wrote:
>
>>> Which you would expect if that was not the problem. From memory, I
>>> think your problem was caused by password logins as root being
>>> disabled. That was another change for 7.0 and my only comment on that
>>> is "why the hell did they wait until version 7.0 before getting rid
>>> of such an insecure default?".
>>>
>>>
>> in sshd_config
>>
>> #PermitRootLogin yes
>> or
>> #PermitRootLogin no
>>
>> I can connect using openssh-6 but not 7-xx
>
> Because the setting is commented out so it falls back to the default,
> which is yes in 6 and no in 7. Set it to what you need instead of relying
> on defaults which can change.
Yes, nxserver works with openssh-7; I don't know why I couldn't make it
work during the upgrade a few weeks ago :-/
* Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]
2015-11-25 20:04 ` Neil Bothwick
2015-11-25 20:21 ` Mick
2015-11-25 21:08 ` thelma
@ 2015-11-26 8:14 ` Bill Damage
2 siblings, 0 replies; 23+ messages in thread
From: Bill Damage @ 2015-11-26 8:14 UTC (permalink / raw
To: gentoo-user@lists.gentoo.org
Thanks, but either way I'm still getting nowhere:
NX> 203 NXSSH running with pid: 9904
NX> 285 Enabling check on switch command
NX> 285 Enabling skip of SSH config files
NX> 285 Setting the preferred NX options
NX> 200 Connected to address: 192.168.62.4 on port: 22
NX> 202 Authenticating user: nx
NX> 208 Using auth method: publickey
NX> 204 Authentication failed.
I take it to try this you edit /etc/sshd_config then restart the sshd service?
On Wednesday, 25 November 2015, 20:04, Neil Bothwick <neil@digimed.co.uk> wrote:
On Wed, 25 Nov 2015 12:55:43 -0700, thelma@sys-concept.com wrote:
> > Which you would expect if that was not the problem. From memory, I
> > think your problem was caused by password logins as root being
> > disabled. That was another change for 7.0 and my only comment on that
> > is "why the hell did they wait until version 7.0 before getting rid
> > of such an insecure default?".
> >
> >
> in sshd_config
>
> #PermitRootLogin yes
> or
> #PermitRootLogin no
>
> I can connect using openssh-6 but not 7-xx
Because the setting is commented out so it falls back to the default,
which is yes in 6 and no in 7. Set it to what you need instead of relying
on defaults which can change.
--
Neil Bothwick
The people who are wrapped up in themselves are overdressed.
* Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]
2015-11-25 21:08 ` thelma
@ 2015-11-26 9:07 ` Bill Damage
2015-11-26 9:34 ` Neil Bothwick
0 siblings, 1 reply; 23+ messages in thread
From: Bill Damage @ 2015-11-26 9:07 UTC (permalink / raw
To: gentoo-user@lists.gentoo.org
Somehow the details of my message weren't posted:
NX> 203 NXSSH running with pid: 10200
NX> 285 Enabling check on switch command
NX> 285 Enabling skip of SSH config files
NX> 285 Setting the preferred NX options
NX> 200 Connected to address: 192.168.62.4 on port: 22
NX> 202 Authenticating user: nx
NX> 208 Using auth method: publickey
NX> 204 Authentication failed.
* Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]
2015-11-26 9:07 ` Bill Damage
@ 2015-11-26 9:34 ` Neil Bothwick
0 siblings, 0 replies; 23+ messages in thread
From: Neil Bothwick @ 2015-11-26 9:34 UTC (permalink / raw
To: gentoo-user
On Thu, 26 Nov 2015 09:07:07 +0000 (UTC), Bill Damage wrote:
> NX> 203 NXSSH running with pid: 10200
> NX> 285 Enabling check on switch command
> NX> 285 Enabling skip of SSH config files
> NX> 285 Setting the preferred NX options
> NX> 200 Connected to address: 192.168.62.4 on port: 22
> NX> 202 Authenticating user: nx
> NX> 208 Using auth method: publickey
> NX> 204 Authentication failed.
What does the log on the server say?
--
Neil Bothwick
Accordion: a bagpipe with pleats.
* Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]
2015-11-25 18:50 ` [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued] Bill Damage
2015-11-25 18:58 ` thelma
@ 2015-11-26 9:51 ` Peter Humphrey
2015-11-26 10:52 ` Bill Damage
2015-11-26 21:39 ` Bill Damage
1 sibling, 2 replies; 23+ messages in thread
From: Peter Humphrey @ 2015-11-26 9:51 UTC (permalink / raw
To: gentoo-user
I would need a magnifying glass to read this. Please don't use HTML on this
list.
On Wednesday 25 November 2015 18:50:14 Bill Damage wrote:
> I have exactly the same problem mentioned in this thread. I think
> something changed and broke the authentication during an update. I found
> this message by Googling and just joined the mail list to ask for help. I
> have done everything mentioned in the thread, and here's where I'm at:
> (it worked fine before some regular update broke it) Thanks!
> [root@tiger ssh]# nxsetup --test
> ----> Testing your nxserver configuration ...
> Warning: Invalid value "APPLICATION_LIBRARY_PRELOAD=/usr/lib64/nx/libX11.so.6:/usr/lib64/nx/libXext.so.6:/usr/lib64/nx/libXcomp.so.3:/usr/lib64/nx/libXcompext.so.3:/usr/lib64/nx/libXrender.so.1". /usr/lib64/nx/libX11.so.6 could not be found. Users will not be able to run a single application in non-rootless mode.
> Warning: Invalid value "COMMAND_START_CDE=cdwm" Users will not be able to request a CDE session.
> Warning: Invalid value "COMMAND_SMBMOUNT=smbmount". You'll not be able to use SAMBA.
> Warning: Invalid value "COMMAND_SMBUMOUNT=smbumount". You'll not be able to use SAMBA.
> Warning: Invalid cupsd version of "/usr/sbin/cupsd". Need version 1.2. Users will not be able to enable printing. Ignore if you use cups > 1.2
> Error: Could not find 1.5.0 or 2.[01].0 or 3.[012345].0 version string in nxagent. NX 1.5.0 or 2.[01].0 or 3.[012345].0 backend is needed for this version of FreeNX.
> Warnings occured during config check. To enable these features please correct the configuration file.
> <---- done
> ----> Testing your nxserver connection ...
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
> Fatal error: Could not connect to NX Server.
> Please check your ssh setup:
> The following are _examples_ of what you might need to check.
> - Make sure "nx" is one of the AllowUsers in sshd_config. (or that the line is outcommented/not there)
> - Make sure "nx" is one of the AllowGroups in sshd_config. (or that the line is outcommented/not there)
> - Make sure your sshd allows public key authentication.
> - Make sure your sshd is really running on port 22.
> - Make sure your sshd_config AuthorizedKeysFile in sshd_config is set to authorized_keys. (this should be a filename not a pathname+filename)
> - Make sure you allow ssh on localhost, this could come from some restriction of:
>   -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
>   -the iptables. add to it:
>      $ iptables -A INPUT -i lo -j ACCEPT
>      $ iptables -A OUTPUT -o lo -j ACCEPT
> [root@tiger ssh]#
--
Rgds
Peter
* Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]
2015-11-26 9:51 ` Peter Humphrey
@ 2015-11-26 10:52 ` Bill Damage
2015-11-26 21:39 ` Bill Damage
1 sibling, 0 replies; 23+ messages in thread
From: Bill Damage @ 2015-11-26 10:52 UTC (permalink / raw
To: gentoo-user@lists.gentoo.org
On Thursday, 26 November 2015, 9:51, Peter Humphrey <peter@prh.myzen.co.uk> wrote:
> I would need a magnifying glass to read this. Please don't use HTML on this
> list.
It's damn Yahoo's webmail, I switched to plain text maybe it's better now?
Anyway the log at /var/log/nx/nxserver.log is always 0 bytes.
* Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]
2015-11-26 9:51 ` Peter Humphrey
2015-11-26 10:52 ` Bill Damage
@ 2015-11-26 21:39 ` Bill Damage
2015-11-26 23:59 ` Neil Bothwick
2015-11-27 9:10 ` Peter Humphrey
1 sibling, 2 replies; 23+ messages in thread
From: Bill Damage @ 2015-11-26 21:39 UTC (permalink / raw
To: gentoo-user@lists.gentoo.org
Is this better? Damn Yahoo webmail...
My /var/log/nx/nxserver.log remains at 0 bytes even though in node.conf I set NX_LOG_LEVEL to 6 from 0.
Anyway, I will dump my sshd_config for completeness:
[root@example~]# cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.84 2011/05/23 03:30:07 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
#Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
#AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
#UsePAM no
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Uncomment this if you want to use .local domain
#Host *.local
# CheckHostIP no
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
#http://www.gossamer-threads.com/lists/gentoo/user/308350?page=last
PubkeyAcceptedKeyTypes=+ssh-dss
PermitRootLogin without-password
* Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]
2015-11-26 21:39 ` Bill Damage
@ 2015-11-26 23:59 ` Neil Bothwick
2015-11-27 8:59 ` Bill Damage
2015-11-27 9:10 ` Peter Humphrey
1 sibling, 1 reply; 23+ messages in thread
From: Neil Bothwick @ 2015-11-26 23:59 UTC (permalink / raw
To: gentoo-user
On Thu, 26 Nov 2015 21:39:57 +0000 (UTC), Bill Damage wrote:
> PermitRootLogin yes
[snip]
> PermitRootLogin without-password
You have specified this option twice, with different values. Pick the one
you want and remove or comment out the other.
--
Neil Bothwick
Top Oxymorons Number 39: Almost exactly
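Added example, not part of any message in this thread and not OpenSSH code: a small audit of an sshd_config text for the two problems raised above, a keyword set twice with different values and keywords left commented out so that the compiled-in default applies. It relies on sshd using the first value it obtains for a keyword and stops at the first Match block; the sample config is constructed from the directives posted in the thread, and the function names are this example's own.

```python
import re

# Constructed sample, cut down from the sshd_config posted in this thread.
SAMPLE_CONFIG = """\
#Port 22
SyslogFacility AUTHPRIV
PermitRootLogin yes
#PubkeyAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
UsePAM yes
AcceptEnv LANG LC_CTYPE
AcceptEnv XMODIFIERS
#Match User anoncvs
#       X11Forwarding no
PubkeyAcceptedKeyTypes=+ssh-dss
PermitRootLogin without-password
"""

# Keywords sshd accepts more than once (values accumulate). Not exhaustive.
REPEATABLE = {"acceptenv", "allowgroups", "allowusers", "denygroups",
              "denyusers", "hostkey", "listenaddress", "port", "subsystem"}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
ACTIVE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(\S.*?)\s*$")
# Stock files ship defaults as "#Keyword value" with no space after '#'.
COMMENTED = re.compile(r"^#([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(\S.*?)\s*$")


def parse(text):
    """Return (active, commented) lists of (lineno, keyword, value).

    Parsing stops at the first active Match line: what follows is
    conditional and outside the scope of this check.
    """
    active, commented = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = ACTIVE.match(line)
        if m:
            if m.group(1).lower() == "match":
                break
            active.append((lineno, m.group(1), m.group(2)))
            continue
        m = COMMENTED.match(line)
        if m and m.group(1).lower() != "match":
            commented.append((lineno, m.group(1), m.group(2)))
    return active, commented


def effective(text):
    """Map lower-cased keyword -> (lineno, value) that takes effect."""
    result = {}
    for lineno, keyword, value in parse(text)[0]:
        if keyword.lower() not in REPEATABLE:
            # First obtained value wins; later lines are silently ignored.
            result.setdefault(keyword.lower(), (lineno, value))
    return result


def conflicts(text):
    """List (keyword, used, ignored) for keywords given differing values."""
    seen = {}
    for lineno, keyword, value in parse(text)[0]:
        if keyword.lower() not in REPEATABLE:
            seen.setdefault(keyword.lower(), []).append((lineno, keyword, value))
    report = []
    for entries in seen.values():
        if len({value for _, _, value in entries}) > 1:
            first = entries[0]
            report.append((first[1], (first[0], first[2]),
                           [(n, v) for n, _, v in entries[1:]]))
    return report


def relying_on_default(text, keywords):
    """For each keyword with no active line, return (keyword, hint).

    hint is the value on a commented-out "#Keyword value" line, or None.
    It records what the file's author wrote, not what the installed sshd
    defaults to, so it goes stale when defaults change between releases.
    """
    active, commented = parse(text)
    set_keys = {keyword.lower() for _, keyword, _ in active}
    hints = {}
    for _, keyword, value in commented:
        hints.setdefault(keyword.lower(), value)
    return [(k, hints.get(k.lower())) for k in keywords
            if k.lower() not in set_keys]


if __name__ == "__main__":
    for keyword, used, ignored in conflicts(SAMPLE_CONFIG):
        print(f"{keyword}: line {used[0]} ({used[1]!r}) takes effect")
        for lineno, value in ignored:
            print(f"  line {lineno} ({value!r}) is ignored")
    wanted = ["PubkeyAuthentication", "PermitEmptyPasswords"]
    for keyword, hint in relying_on_default(SAMPLE_CONFIG, wanted):
        print(f"{keyword}: not set, default applies (file hint: {hint})")
```

On a live host, `sshd -T` prints the configuration the daemon actually resolves, which is the authoritative check.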
* Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]
2015-11-26 23:59 ` Neil Bothwick
@ 2015-11-27 8:59 ` Bill Damage
0 siblings, 0 replies; 23+ messages in thread
From: Bill Damage @ 2015-11-27 8:59 UTC (permalink / raw
To: gentoo-user@lists.gentoo.org
Thanks.
I want root to be able to SSH in, so I commented out the "without-password" one, but it made no difference.
On Thursday, 26 November 2015, 23:59, Neil Bothwick <neil@digimed.co.uk> wrote:
On Thu, 26 Nov 2015 21:39:57 +0000 (UTC), Bill Damage wrote:
> PermitRootLogin yes
[snip]
> PermitRootLogin without-password
You have specified this option twice, with different values. Pick the one
you want and remove or comment out the other.
--
Neil Bothwick
Top Oxymorons Number 39: Almost exactly
* Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]
2015-11-26 21:39 ` Bill Damage
2015-11-26 23:59 ` Neil Bothwick
@ 2015-11-27 9:10 ` Peter Humphrey
2015-11-28 10:24 ` Bill Damage
1 sibling, 1 reply; 23+ messages in thread
From: Peter Humphrey @ 2015-11-27 9:10 UTC (permalink / raw
To: gentoo-user
On Thursday 26 November 2015 21:39:57 Bill Damage wrote:
> Is this better? Damn Yahoo webmail...
Yes, it's fine.
--
Rgds
Peter
* Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]
2015-11-27 9:10 ` Peter Humphrey
@ 2015-11-28 10:24 ` Bill Damage
2015-11-28 12:33 ` Neil Bothwick
0 siblings, 1 reply; 23+ messages in thread
From: Bill Damage @ 2015-11-28 10:24 UTC (permalink / raw
To: gentoo-user@lists.gentoo.org
The log I see says it's not using the password but the key. I have regenerated the key but it didn't help. This setup has been fine for years. Could there be key *types* which became invalid, or now need special configuration, which was caused by the OpenSSL update?
NX> 203 NXSSH running with pid: 3708
NX> 285 Enabling check on switch command
NX> 285 Enabling skip of SSH config files
NX> 285 Setting the preferred NX options
NX> 200 Connected to address: 192.168.62.4 on port: 22
NX> 202 Authenticating user: nx
NX> 208 Using auth method: publickey
NX> 204 Authentication failed.
On Friday, 27 November 2015, 9:10, Peter Humphrey <peter@prh.myzen.co.uk> wrote:
On Thursday 26 November 2015 21:39:57 Bill Damage wrote:
> Is this better? Damn Yahoo webmail...
Yes, it's fine.
--
Rgds
Peter
* Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]
2015-11-28 10:24 ` Bill Damage
@ 2015-11-28 12:33 ` Neil Bothwick
2015-11-28 20:31 ` Bill Damage
0 siblings, 1 reply; 23+ messages in thread
From: Neil Bothwick @ 2015-11-28 12:33 UTC (permalink / raw
To: gentoo-user
On Sat, 28 Nov 2015 10:24:32 +0000 (UTC), Bill Damage wrote:
> The log I see says it's not using the password but the key. I have
> regenerated the key but it didn't help. This setup has been fine for
> years. Could there be key *types* which became invalid, or now need
> special configuration, which was caused by the OpenSSL update?
Yes, DSS keys are now disabled by default, but can be re-enabled if
really needed. See http://www.openssh.com/legacy.html
> NX> 203 NXSSH running with pid: 3708
> NX> 285 Enabling check on switch command
> NX> 285 Enabling skip of SSH config files
However, if nx is ignoring your SSH config, I'm not sure how you can tell
it to use
> NX> 285 Setting the preferred NX options
> NX> 200 Connected to address: 192.168.62.4 on port: 22
> NX> 202 Authenticating user: nx
> NX> 208 Using auth method: publickey
> NX> 204 Authentication failed.
Where is the information from the *server* log.
--
Neil Bothwick
Earlier, I didn't have time to finish anything. This time I w
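Added example, not part of any message in this thread and not OpenSSH code: a scan of authorized_keys text that reports the algorithm of every key and flags ssh-dss, the type the reply above says is disabled by default. It also compares the label on the line with the algorithm name stored inside the base64 blob; the sample keys are constructed with dummy key material, and all function names are this example's own.

```python
import base64
import struct

# Key type the reply above says is disabled by default.
DISABLED_BY_DEFAULT = {"ssh-dss"}
KEY_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string (uint32 length + data)."""
    return struct.pack(">I", len(data)) + data


def make_sample_line(key_type, options="", comment="constructed"):
    """Build an authorized_keys line whose blob holds dummy key material."""
    blob = _ssh_string(key_type.encode()) + _ssh_string(b"\x01" * 16)
    fields = [options] if options else []
    fields += [key_type, base64.b64encode(blob).decode(), comment]
    return " ".join(fields)


def split_fields(line):
    """Split on whitespace, keeping double-quoted option values intact."""
    fields, current, in_quotes, escaped = [], [], False, False
    for ch in line.strip():
        if ch == '"' and not escaped:
            in_quotes = not in_quotes
        if ch.isspace() and not in_quotes:
            if current:
                fields.append("".join(current))
                current = []
        else:
            current.append(ch)
        escaped = ch == "\\" and not escaped
    if current:
        fields.append("".join(current))
    return fields


def embedded_type(blob_b64):
    """Return the algorithm name stored inside the key blob, or None."""
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError:
        return None
    if len(blob) < 4:
        return None
    (length,) = struct.unpack(">I", blob[:4])
    name = blob[4:4 + length]
    if len(name) != length:
        return None
    return name.decode("ascii", "replace")


def scan(text):
    """Return (lineno, key_type, comment, verdict) for every key line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = split_fields(line)
        # The key type is the first field, or the second when options lead.
        idx = next((i for i, field in enumerate(fields[:2])
                    if field.startswith(KEY_PREFIXES)), None)
        if idx is None or idx + 1 >= len(fields):
            findings.append((lineno, None, "", "unparseable"))
            continue
        key_type = fields[idx]
        comment = " ".join(fields[idx + 2:])
        if embedded_type(fields[idx + 1]) != key_type:
            verdict = "type-mismatch"
        elif key_type in DISABLED_BY_DEFAULT:
            verdict = "disabled-by-default"
        else:
            verdict = "not-flagged"
        findings.append((lineno, key_type, comment, verdict))
    return findings


# Constructed sample: one DSA key behind options, one RSA key, and one line
# whose label was changed so it no longer matches the blob.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, dummy key material",
    make_sample_line("ssh-dss", 'no-pty,command="echo constructed sample"',
                     "nx key"),
    make_sample_line("ssh-rsa", comment="admin laptop"),
    make_sample_line("ssh-rsa", comment="mislabelled").replace(
        "ssh-rsa", "ssh-ed25519", 1),
])

if __name__ == "__main__":
    for lineno, key_type, comment, verdict in scan(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {lineno}: {key_type} ({comment}): {verdict}")
```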
* Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]
2015-11-28 12:33 ` Neil Bothwick
@ 2015-11-28 20:31 ` Bill Damage
2015-11-28 23:39 ` Neil Bothwick
0 siblings, 1 reply; 23+ messages in thread
From: Bill Damage @ 2015-11-28 20:31 UTC (permalink / raw
To: gentoo-user@lists.gentoo.org
Thanks for your help and patience!
I want to report the full log.
I see the log file at /var/log/nx/nxserver.log is always 0 bytes.
To try to enable it I changed the entry in /etc/nxserver/node.conf NX_LOG_LEVEL=0 to NX_LOG_LEVEL=6 but it still creates the 0 length log file.
On Saturday, 28 November 2015, 12:33, Neil Bothwick <neil@digimed.co.uk> wrote:
On Sat, 28 Nov 2015 10:24:32 +0000 (UTC), Bill Damage wrote:
> The log I see says it's not using the password but the key. I have
> regenerated the key but it didn't help. This setup has been fine for
> years. Could there be key *types* which became invalid, or now need
> special configuration, which was caused by the OpenSSL update?
Yes, DSS keys are now disabled by default, but can be re-enabled if
really needed. See http://www.openssh.com/legacy.html
> NX> 203 NXSSH running with pid: 3708
> NX> 285 Enabling check on switch command
> NX> 285 Enabling skip of SSH config files
However, if nx is ignoring your SSH config, I'm not sure how you can tell
it to use
> NX> 285 Setting the preferred NX options
> NX> 200 Connected to address: 192.168.62.4 on port: 22
> NX> 202 Authenticating user: nx
> NX> 208 Using auth method: publickey
> NX> 204 Authentication failed.
Where is the information from the *server* log.
--
Neil Bothwick
Earlier, I didn't have time to finish anything. This time I w
* Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]
2015-11-28 20:31 ` Bill Damage
@ 2015-11-28 23:39 ` Neil Bothwick
2015-11-29 11:11 ` Bill Damage
2015-11-30 8:17 ` Bill Damage
0 siblings, 2 replies; 23+ messages in thread
From: Neil Bothwick @ 2015-11-28 23:39 UTC (permalink / raw
To: gentoo-user
On Sat, 28 Nov 2015 20:31:43 +0000 (UTC), Bill Damage wrote:
Please don't top post.
> Thanks for your help and patience!
> I want to report the full log.
> I see the log file at /var/log/nx/nxserver.log is always 0 bytes.
> To try to enable it I changed the entry in /etc/nxserver/node.conf
> NX_LOG_LEVEL=0 to NX_LOG_LEVEL=6 but it still creates the 0 length log
> file.
I meant the log for the SSH server, on the machine you are trying to
connect to, not the nx log. On the SSH server, run
grep sshd /var/log/messages
--
Neil Bothwick
Why is the word abbreviation so long?
* Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]
From: Bill Damage @ 2015-11-29 11:11 UTC
To: gentoo-user@lists.gentoo.org
> I meant the log for the SSH server, on the machine you are trying to
> connect to, not the nx log. On the SSH server, run
> grep sshd /var/log/messages
Here it is:
Nov 29 11:07:18 tiger kernel: audit: type=1109 audit(1448795238.479:333395): pid=12140 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=192.168.62.40 addr=192.168.62.40 terminal=ssh res=failed'
Nov 29 11:07:18 tiger audit: CRYPTO_KEY_USER pid=12140 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:c8:65:0c:ad:44:4d:7e:a3:b7:1b:2a:34:5f:a6:a9:61:16:26:21:8d:20:de:80:27:ce:50:dc:6c:ed:8d:c9:f8 direction=? spid=12140 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.62.40 terminal=? res=success'
Nov 29 11:07:18 tiger audit: CRYPTO_KEY_USER pid=12140 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:59:9f:43:66:77:9e:77:a7:66:77:71:0c:8c:0c:aa:28:61:b4:69:be:ec:77:ed:46:7f:eb:3f:eb:e7:b0:de:7e direction=? spid=12140 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.62.40 terminal=? res=success'
Nov 29 11:07:18 tiger audit: CRYPTO_KEY_USER pid=12140 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:b9:48:9f:4f:b7:bd:63:39:b5:49:e9:41:89:0b:64:b2:6a:6a:6d:03:2e:b1:ae:49:9d:9f:89:18:02:28:b3:8c direction=? spid=12140 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.62.40 terminal=? res=success'
Nov 29 11:07:18 tiger audit: CRYPTO_KEY_USER pid=12140 uid=0 auid=4294967295 ses=4294967295 msg='op=destroy kind=server fp=SHA256:3a:ae:49:b7:b1:94:f6:b3:a4:88:62:45:b3:36:5d:1f:46:9d:c9:9d:e2:a7:1b:23:94:c2:f9:1b:a4:0e:46:99 direction=? spid=12140 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.62.40 terminal=? res=success'
Nov 29 11:07:18 tiger audit: USER_LOGIN pid=12140 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="nx" exe="/usr/sbin/sshd" hostname=? addr=192.168.62.40 terminal=ssh res=failed'
[root@tiger ~]#
> --
> Neil Bothwick
> Why is the word abbreviation so long?
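The audit records posted above can be reduced to the fields that matter for an authentication failure. This is an added example, not part of the original message: it extracts op, acct, addr and res from audit lines emitted by /usr/sbin/sshd and counts failed logins. The sample lines are constructed, modelled on the posted ones with shortened fields, a placeholder fingerprint and one hypothetical non-sshd record.

```shell
#!/bin/sh
# Added example: summarise sshd audit records read from stdin.

# Prints "<month> <day> <time> <op> <acct> <addr> <res>" for every record
# whose exe is /usr/sbin/sshd; a field missing from a record is shown as "-".
sshd_audit_events() {
    awk -v sq="'" '
    index($0, "exe=\"/usr/sbin/sshd\"") {
        op = acct = addr = res = "-"
        for (i = 1; i <= NF; i++) {
            f = $i
            gsub("[\"" sq "]", "", f)       # drop quotes around values
            sub(/^msg=/, "", f)             # msg=op=... becomes op=...
            eq = index(f, "=")
            if (eq == 0) continue
            k = substr(f, 1, eq - 1); v = substr(f, eq + 1)
            if (k == "op") op = v
            else if (k == "acct") acct = v
            else if (k == "addr") addr = v
            else if (k == "res") res = v
        }
        print $1, $2, $3, op, acct, addr, res
    }'
}

# Prints "<acct> <addr> <count>" for failed sshd logins.
failed_logins() {
    sshd_audit_events |
        awk '$4 == "login" && $7 == "failed" { n[$5 " " $6]++ }
             END { for (k in n) print k, n[k] }' | sort
}

# Constructed sample modelled on the posted lines (fields shortened).
sample_audit() {
    cat <<'EOF'
Nov 29 11:07:18 tiger kernel: audit: type=1109 audit(1448795238.479:333395): pid=12140 uid=0 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/sbin/sshd" hostname=192.168.62.40 addr=192.168.62.40 terminal=ssh res=failed'
Nov 29 11:07:18 tiger audit: CRYPTO_KEY_USER pid=12140 uid=0 msg='op=destroy kind=server fp=SHA256:00:11:22 spid=12140 exe="/usr/sbin/sshd" hostname=? addr=192.168.62.40 terminal=? res=success'
Nov 29 11:07:18 tiger audit: USER_LOGIN pid=12140 uid=0 msg='op=login acct="nx" exe="/usr/sbin/sshd" hostname=? addr=192.168.62.40 terminal=ssh res=failed'
Nov 29 11:07:19 tiger audit: USER_LOGIN pid=12200 uid=0 msg='op=login acct="demo" exe="/usr/bin/login" hostname=? addr=? terminal=tty1 res=failed'
EOF
}

sample_audit | failed_logins
```

These audit records say that the login for acct nx failed but carry no field giving the reason for the failure.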
* Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]
From: Bill Damage @ 2015-11-30 8:17 UTC
To: gentoo-user@lists.gentoo.org
I also read the link you sent which prompted me to run the query:
~]# ssh -G nx
user root
hostname nx
port 22
addressfamily any
batchmode no
canonicalizefallbacklocal yes
canonicalizehostname false
challengeresponseauthentication yes
checkhostip yes
compression no
controlmaster false
enablesshkeysign no
exitonforwardfailure no
forwardagent no
forwardx11 no
forwardx11trusted yes
gatewayports no
gssapiauthentication yes
gssapidelegatecredentials no
hashknownhosts no
hostbasedauthentication no
identitiesonly no
kbdinteractiveauthentication yes
nohostauthenticationforlocalhost no
passwordauthentication yes
permitlocalcommand no
protocol 2
proxyusefdpass no
pubkeyauthentication yes
requesttty auto
rhostsrsaauthentication no
rsaauthentication yes
streamlocalbindunlink no
stricthostkeychecking ask
tcpkeepalive yes
tunnel false
useprivilegedport no
verifyhostkeydns false
visualhostkey no
updatehostkeys false
canonicalizemaxdots 1
compressionlevel 6
connectionattempts 1
forwardx11timeout 1200
numberofpasswordprompts 3
serveralivecountmax 3
serveraliveinterval 0
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
hostkeyalgorithms ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa
hostbasedkeytypes ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa
kexalgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
loglevel INFO
macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
xauthlocation /usr/bin/xauth
identityfile ~/.ssh/id_rsa
identityfile ~/.ssh/id_dsa
identityfile ~/.ssh/id_ecdsa
identityfile ~/.ssh/id_ed25519
canonicaldomains
globalknownhostsfile /etc/ssh/ssh_known_hosts /etc/ssh/ssh_known_hosts2
userknownhostsfile ~/.ssh/known_hosts ~/.ssh/known_hosts2
sendenv LANG
sendenv LC_CTYPE
sendenv LC_NUMERIC
sendenv LC_TIME
sendenv LC_COLLATE
sendenv LC_MONETARY
sendenv LC_MESSAGES
sendenv LC_PAPER
sendenv LC_NAME
sendenv LC_ADDRESS
sendenv LC_TELEPHONE
sendenv LC_MEASUREMENT
sendenv LC_IDENTIFICATION
sendenv LC_ALL
sendenv LANGUAGE
sendenv XMODIFIERS
fingerprinthash SHA256 MD5
connecttimeout none
tunneldevice any:any
controlpersist no
escapechar ~
ipqos lowdelay throughput
rekeylimit 0 0
streamlocalbindmask 0177
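A dump like the one above can be checked mechanically for the algorithm the linked legacy page is about. This is an added example, not part of the original message: it reports whether ssh-dss is present, absent or not reported in the key-type options of ssh -G output. The sample is a constructed excerpt with shortened lists; pubkeyacceptedkeytypes is the lower-cased name of OpenSSH's PubkeyAcceptedKeyTypes option.

```shell
#!/bin/sh
# Added example: look for one algorithm in the list options of ssh -G output.

# usage: algo_status <option> <algorithm>   (dump on stdin)
# Prints "present", "absent", or "not-reported" when the dump has no such
# option line, which is different from the algorithm being excluded.
algo_status() {
    awk -v opt="$1" -v alg="$2" '
    $1 == opt {
        seen = 1
        n = split($2, list, ",")
        for (i = 1; i <= n; i++) if (list[i] == alg) found = 1
    }
    END { print (found ? "present" : (seen ? "absent" : "not-reported")) }'
}

# Summarise ssh-dss across the options that restrict key types.
dss_report() {
    dump=$(cat)
    for opt in hostkeyalgorithms hostbasedkeytypes pubkeyacceptedkeytypes; do
        printf '%s ssh-dss %s\n' "$opt" \
            "$(printf '%s\n' "$dump" | algo_status "$opt" ssh-dss)"
    done
}

# Constructed excerpt modelled on the dump above; lists are shortened.
sample_dump() {
    cat <<'EOF'
user root
hostname nx
pubkeyauthentication yes
hostkeyalgorithms ecdsa-sha2-nistp256,ssh-ed25519,ssh-rsa
hostbasedkeytypes ecdsa-sha2-nistp256,ssh-ed25519,ssh-rsa
identityfile ~/.ssh/id_dsa
EOF
}

sample_dump | dss_report
```

In the posted dump ssh-dss is missing from hostkeyalgorithms and hostbasedkeytypes and there is no pubkeyacceptedkeytypes line, so the dump alone does not show whether a DSS user key would be accepted.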
* Re: [gentoo-user] openssh-7.1_p1-r2 won't allow "nxserver" to connect [continued]
From: Bill Damage @ 2015-12-01 18:31 UTC
To: gentoo-user@lists.gentoo.org
>On Monday, 30 November 2015, 8:17, Bill Damage <bill.damage@yahoo.com> wrote:
Sorry to be a pain here but this is still broken. Any more ideas for info I can supply please?