[gentoo-user] nxserver-freenx - user nx not allowed because account is locked

[gentoo-user] nxserver-freenx - user nx not allowed because account is locked

[Joseph]

Is anybody using nxserver-freenx?
It compile fine but when I run a setup:
nxsetup --install --setup-nomachine-key --clean --purge 

I get:
----> Testing your nxserver connection ...
Permission denied (publickey,keyboard-interactive).
Fatal error: Could not connect to NX Server.

Please check your ssh setup:

The following are _examples_ of what you might need to check.

         - Make sure "nx" is one of the AllowUsers in sshd_config.
     (or that the line is outcommented/not there)
         - Make sure "nx" is one of the AllowGroups in sshd_config.
     (or that the line is outcommented/not there)
         - Make sure your sshd allows public key authentication.
         - Make sure your sshd is really running on port 22.
         - Make sure your sshd_config AuthorizedKeysFile in sshd_config is set to authorized_keys2.
     (this should be a filename not a pathname+filename)
   - Make sure you allow ssh on localhost, this could come from some
     restriction of:


log/messages prints:
user nx not allowed because account is locked

How to unlock the account?

-- 
#Joseph
GPG KeyID: ED0E1FB7

Re: [gentoo-user] nxserver-freenx - user nx not allowed because account is locked

[Paul Hartman]

On Wed, Mar 18, 2009 at 11:35 PM, Joseph <syscon780@gmail.com> wrote:
> Is anybody using nxserver-freenx?
> It compile fine but when I run a setup:
> nxsetup --install --setup-nomachine-key --clean --purge
> I get:
> ----> Testing your nxserver connection ...
> Permission denied (publickey,keyboard-interactive).
> Fatal error: Could not connect to NX Server.
>
> Please check your ssh setup:
>
> The following are _examples_ of what you might need to check.
>
>        - Make sure "nx" is one of the AllowUsers in sshd_config.
>    (or that the line is outcommented/not there)
>        - Make sure "nx" is one of the AllowGroups in sshd_config.
>    (or that the line is outcommented/not there)
>        - Make sure your sshd allows public key authentication.
>        - Make sure your sshd is really running on port 22.
>        - Make sure your sshd_config AuthorizedKeysFile in sshd_config is set
> to authorized_keys2.
>    (this should be a filename not a pathname+filename)
>  - Make sure you allow ssh on localhost, this could come from some
>    restriction of:
>
>
> log/messages prints:
> user nx not allowed because account is locked
>
> How to unlock the account?

passwd -u nx

I had to do the same thing.

Paul

Re: [gentoo-user] nxserver-freenx - user nx not allowed because account is locked

[Joseph]

On 03/19/09 10:03, Paul Hartman wrote:
[snip]
>> log/messages prints:
>> user nx not allowed because account is locked
>>
>> How to unlock the account?
>
>passwd -u nx
>
>I had to do the same thing.
>
>Paul


Yes, I tried it already:

passwd -u nx
passwd: unlocking the user would result in a passwordless account.
You should set password with usermod -p to unlock this user account.
Password changed.

What do you do next?

When I try to run again:
nxsetup --install --setup-nomachine-key --clean --purge

I get:
...
Setting up /var/log/nxserver.log ...done
Setting up special user "nx" ...passwd: unlocking the user would result in a
passwordless account.
You should set a password with usermod -p to unlock this user account.
Password changed.
done.
...
----> Testing your nxserver connection ...
Permission denied (publickey,keyboard-interactive).
Fatal error: Could not connect to NX Server.

Please check your ssh setup:

The following are _examples_ of what you might need to check.

         - Make sure "nx" is one of the AllowUsers in sshd_config.
     (or that the line is outcommented/not there)
         - Make sure "nx" is one of the AllowGroups in sshd_config.
     (or that the line is outcommented/not there)
         - Make sure your sshd allows public key authentication.
         - Make sure your sshd is really running on port 22.
         - Make sure your sshd_config AuthorizedKeysFile in sshd_config is set
to authorized_keys2.
     (this should be a filename not a pathname+filename)
   - Make sure you allow ssh on localhost, this could come from some
     restriction of:
       -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
       -the iptables. add to it:
          $ iptables -A INPUT  -i lo -j ACCEPT
          $ iptables -A OUTPUT -o lo -j ACCEPT


So at this point I'm back to square one in log/messages I get:
User nx not allowed because account is locked

-- 
#Joseph
GPG KeyID: ED0E1FB7

Re: [gentoo-user] nxserver-freenx - user nx not allowed because account is locked

[Paul Hartman]

On Thu, Mar 19, 2009 at 10:44 AM, Joseph <syscon780@gmail.com> wrote:
> On 03/19/09 10:03, Paul Hartman wrote:
> [snip]
>>>
>>> log/messages prints:
>>> user nx not allowed because account is locked
>>>
>>> How to unlock the account?
>>
>> passwd -u nx
>>
>> I had to do the same thing.
>>
>> Paul
>
>
> Yes, I tried it already:
>
> passwd -u nx
> passwd: unlocking the user would result in a passwordless account.
> You should set password with usermod -p to unlock this user account.
> Password changed.
>
> What do you do next?
>
> When I try to run again:
> nxsetup --install --setup-nomachine-key --clean --purge
>
> I get:
> ...
> Setting up /var/log/nxserver.log ...done
> Setting up special user "nx" ...passwd: unlocking the user would result in a
> passwordless account.
> You should set a password with usermod -p to unlock this user account.
> Password changed.
> done.
> ...
> ----> Testing your nxserver connection ...
> Permission denied (publickey,keyboard-interactive).
> Fatal error: Could not connect to NX Server.
>
> Please check your ssh setup:
>
> The following are _examples_ of what you might need to check.
>
>        - Make sure "nx" is one of the AllowUsers in sshd_config.
>    (or that the line is outcommented/not there)
>        - Make sure "nx" is one of the AllowGroups in sshd_config.
>    (or that the line is outcommented/not there)
>        - Make sure your sshd allows public key authentication.
>        - Make sure your sshd is really running on port 22.
>        - Make sure your sshd_config AuthorizedKeysFile in sshd_config is set
> to authorized_keys2.
>    (this should be a filename not a pathname+filename)
>  - Make sure you allow ssh on localhost, this could come from some
>    restriction of:
>      -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
>      -the iptables. add to it:
>         $ iptables -A INPUT  -i lo -j ACCEPT
>         $ iptables -A OUTPUT -o lo -j ACCEPT
>
>
> So at this point I'm back to square one in log/messages I get:
> User nx not allowed because account is locked

Oh, try  to give user nx a password on your system. It uses ssh keys
to login, so it doesn't even matter what the password is. Just don't
make it something easily guessed/brute-force like "nx" or "1234" or
else you might have some unwanted guests in your system :)

Re: [gentoo-user] nxserver-freenx - user nx not allowed because account is locked

[Paul Hartman]

On Thu, Mar 19, 2009 at 10:51 AM, Paul Hartman
<paul.hartman+gentoo@gmail.com> wrote:
> On Thu, Mar 19, 2009 at 10:44 AM, Joseph <syscon780@gmail.com> wrote:
>> On 03/19/09 10:03, Paul Hartman wrote:
>> [snip]
>>>>
>>>> log/messages prints:
>>>> user nx not allowed because account is locked
>>>>
>>>> How to unlock the account?
>>>
>>> passwd -u nx
>>>
>>> I had to do the same thing.
>>>
>>> Paul
>>
>>
>> Yes, I tried it already:
>>
>> passwd -u nx
>> passwd: unlocking the user would result in a passwordless account.
>> You should set password with usermod -p to unlock this user account.
>> Password changed.
>>
>> What do you do next?
>>
>> When I try to run again:
>> nxsetup --install --setup-nomachine-key --clean --purge
>>
>> I get:
>> ...
>> Setting up /var/log/nxserver.log ...done
>> Setting up special user "nx" ...passwd: unlocking the user would result in a
>> passwordless account.
>> You should set a password with usermod -p to unlock this user account.
>> Password changed.
>> done.
>> ...
>> ----> Testing your nxserver connection ...
>> Permission denied (publickey,keyboard-interactive).
>> Fatal error: Could not connect to NX Server.
>>
>> Please check your ssh setup:
>>
>> The following are _examples_ of what you might need to check.
>>
>>        - Make sure "nx" is one of the AllowUsers in sshd_config.
>>    (or that the line is outcommented/not there)
>>        - Make sure "nx" is one of the AllowGroups in sshd_config.
>>    (or that the line is outcommented/not there)
>>        - Make sure your sshd allows public key authentication.
>>        - Make sure your sshd is really running on port 22.
>>        - Make sure your sshd_config AuthorizedKeysFile in sshd_config is set
>> to authorized_keys2.
>>    (this should be a filename not a pathname+filename)
>>  - Make sure you allow ssh on localhost, this could come from some
>>    restriction of:
>>      -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
>>      -the iptables. add to it:
>>         $ iptables -A INPUT  -i lo -j ACCEPT
>>         $ iptables -A OUTPUT -o lo -j ACCEPT
>>
>>
>> So at this point I'm back to square one in log/messages I get:
>> User nx not allowed because account is locked
>
> Oh, try  to give user nx a password on your system. It uses ssh keys
> to login, so it doesn't even matter what the password is. Just don't
> make it something easily guessed/brute-force like "nx" or "1234" or
> else you might have some unwanted guests in your system :)
>

Now that I think of it, you might even be able to assign a password,
unlock, and then delete the password with "passwd -d nx".

Re: [gentoo-user] nxserver-freenx - user nx not allowed because account is locked

[Joseph]

On 03/19/09 10:51, Paul Hartman wrote:
>>
>> Yes, I tried it already:
>>
>> passwd -u nx
>> passwd: unlocking the user would result in a passwordless account.
>> You should set password with usermod -p to unlock this user account.
>> Password changed.
>>
>> What do you do next?
>>
>> When I try to run again:
>> nxsetup --install --setup-nomachine-key --clean --purge
>>
>> I get:
>> ...
>> Setting up /var/log/nxserver.log ...done
>> Setting up special user "nx" ...passwd: unlocking the user would result in a
>> passwordless account.
>> You should set a password with usermod -p to unlock this user account.
>> Password changed.
>> done.
>> ...
>> ----> Testing your nxserver connection ...
>> Permission denied (publickey,keyboard-interactive).
>> Fatal error: Could not connect to NX Server.
>>
>> Please check your ssh setup:
>>
>> The following are _examples_ of what you might need to check.
>>
>>        - Make sure "nx" is one of the AllowUsers in sshd_config.
>>    (or that the line is outcommented/not there)
>>        - Make sure "nx" is one of the AllowGroups in sshd_config.
>>    (or that the line is outcommented/not there)
>>        - Make sure your sshd allows public key authentication.
>>        - Make sure your sshd is really running on port 22.
>>        - Make sure your sshd_config AuthorizedKeysFile in sshd_config is set
>> to authorized_keys2.
>>    (this should be a filename not a pathname+filename)
>>  - Make sure you allow ssh on localhost, this could come from some
>>    restriction of:
>>      -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
>>      -the iptables. add to it:
>>         $ iptables -A INPUT  -i lo -j ACCEPT
>>         $ iptables -A OUTPUT -o lo -j ACCEPT
>>
>>
>> So at this point I'm back to square one in log/messages I get:
>> User nx not allowed because account is locked
>
>Oh, try  to give user nx a password on your system. It uses ssh keys
>to login, so it doesn't even matter what the password is. Just don't
>make it something easily guessed/brute-force like "nx" or "1234" or
>else you might have some unwanted guests in your system :)

I did give it a password 
usermod -p something nx

it accepted the password, now do I run the setup again:
nxsetup --install --setup-nomachine-key --clean --purge

If I try to login from another machine do I login as user "nx"?
When I try to login from another machine on my network I get:
Your guest account has expired...

-- 
#Joseph
GPG KeyID: ED0E1FB7

Re: [gentoo-user] nxserver-freenx - user nx not allowed because account is locked

[Paul Hartman]

On Thu, Mar 19, 2009 at 11:10 AM, Joseph <syscon780@gmail.com> wrote:
> On 03/19/09 10:51, Paul Hartman wrote:
>>>
>>> Yes, I tried it already:
>>>
>>> passwd -u nx
>>> passwd: unlocking the user would result in a passwordless account.
>>> You should set password with usermod -p to unlock this user account.
>>> Password changed.
>>>
>>> What do you do next?
>>>
>>> When I try to run again:
>>> nxsetup --install --setup-nomachine-key --clean --purge
>>>
>>> I get:
>>> ...
>>> Setting up /var/log/nxserver.log ...done
>>> Setting up special user "nx" ...passwd: unlocking the user would result
>>> in a
>>> passwordless account.
>>> You should set a password with usermod -p to unlock this user account.
>>> Password changed.
>>> done.
>>> ...
>>> ----> Testing your nxserver connection ...
>>> Permission denied (publickey,keyboard-interactive).
>>> Fatal error: Could not connect to NX Server.
>>>
>>> Please check your ssh setup:
>>>
>>> The following are _examples_ of what you might need to check.
>>>
>>>       - Make sure "nx" is one of the AllowUsers in sshd_config.
>>>   (or that the line is outcommented/not there)
>>>       - Make sure "nx" is one of the AllowGroups in sshd_config.
>>>   (or that the line is outcommented/not there)
>>>       - Make sure your sshd allows public key authentication.
>>>       - Make sure your sshd is really running on port 22.
>>>       - Make sure your sshd_config AuthorizedKeysFile in sshd_config is
>>> set
>>> to authorized_keys2.
>>>   (this should be a filename not a pathname+filename)
>>>  - Make sure you allow ssh on localhost, this could come from some
>>>   restriction of:
>>>     -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
>>>     -the iptables. add to it:
>>>        $ iptables -A INPUT  -i lo -j ACCEPT
>>>        $ iptables -A OUTPUT -o lo -j ACCEPT
>>>
>>>
>>> So at this point I'm back to square one in log/messages I get:
>>> User nx not allowed because account is locked
>>
>> Oh, try  to give user nx a password on your system. It uses ssh keys
>> to login, so it doesn't even matter what the password is. Just don't
>> make it something easily guessed/brute-force like "nx" or "1234" or
>> else you might have some unwanted guests in your system :)
>
> I did give it a password usermod -p something nx
>
> it accepted the password, now do I run the setup again:
> nxsetup --install --setup-nomachine-key --clean --purge
>
> If I try to login from another machine do I login as user "nx"?
> When I try to login from another machine on my network I get:
> Your guest account has expired...

The way NX works is it uses the nx user as an intermediate. You need
to login as a normal user, and you need to explicitly give that user
permission to use NX by doing nxserver --useradd yourname (which will
generate NX ssh keys and put them in that user's directory).

If you use interactive/PAM authentication on your system, NX can use
your user's normal system password; if you use key-based
authentication for SSH the only way to make NX work is to use its
internal password database and assing an NX-specific password to that
user. In nxclient, copy the normal SSH key, and then in the nxclient
login box put the NX username and password.

Re: [gentoo-user] nxserver-freenx - user nx not allowed because account is locked

[Paul Hartman]

On Thu, Mar 19, 2009 at 11:16 AM, Paul Hartman
<paul.hartman+gentoo@gmail.com> wrote:
> On Thu, Mar 19, 2009 at 11:10 AM, Joseph <syscon780@gmail.com> wrote:
>> On 03/19/09 10:51, Paul Hartman wrote:
>>>>
>>>> Yes, I tried it already:
>>>>
>>>> passwd -u nx
>>>> passwd: unlocking the user would result in a passwordless account.
>>>> You should set password with usermod -p to unlock this user account.
>>>> Password changed.
>>>>
>>>> What do you do next?
>>>>
>>>> When I try to run again:
>>>> nxsetup --install --setup-nomachine-key --clean --purge
>>>>
>>>> I get:
>>>> ...
>>>> Setting up /var/log/nxserver.log ...done
>>>> Setting up special user "nx" ...passwd: unlocking the user would result
>>>> in a
>>>> passwordless account.
>>>> You should set a password with usermod -p to unlock this user account.
>>>> Password changed.
>>>> done.
>>>> ...
>>>> ----> Testing your nxserver connection ...
>>>> Permission denied (publickey,keyboard-interactive).
>>>> Fatal error: Could not connect to NX Server.
>>>>
>>>> Please check your ssh setup:
>>>>
>>>> The following are _examples_ of what you might need to check.
>>>>
>>>>       - Make sure "nx" is one of the AllowUsers in sshd_config.
>>>>   (or that the line is outcommented/not there)
>>>>       - Make sure "nx" is one of the AllowGroups in sshd_config.
>>>>   (or that the line is outcommented/not there)
>>>>       - Make sure your sshd allows public key authentication.
>>>>       - Make sure your sshd is really running on port 22.
>>>>       - Make sure your sshd_config AuthorizedKeysFile in sshd_config is
>>>> set
>>>> to authorized_keys2.
>>>>   (this should be a filename not a pathname+filename)
>>>>  - Make sure you allow ssh on localhost, this could come from some
>>>>   restriction of:
>>>>     -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
>>>>     -the iptables. add to it:
>>>>        $ iptables -A INPUT  -i lo -j ACCEPT
>>>>        $ iptables -A OUTPUT -o lo -j ACCEPT
>>>>
>>>>
>>>> So at this point I'm back to square one in log/messages I get:
>>>> User nx not allowed because account is locked
>>>
>>> Oh, try  to give user nx a password on your system. It uses ssh keys
>>> to login, so it doesn't even matter what the password is. Just don't
>>> make it something easily guessed/brute-force like "nx" or "1234" or
>>> else you might have some unwanted guests in your system :)
>>
>> I did give it a password usermod -p something nx
>>
>> it accepted the password, now do I run the setup again:
>> nxsetup --install --setup-nomachine-key --clean --purge
>>
>> If I try to login from another machine do I login as user "nx"?
>> When I try to login from another machine on my network I get:
>> Your guest account has expired...
>
> The way NX works is it uses the nx user as an intermediate. You need
> to login as a normal user, and you need to explicitly give that user
> permission to use NX by doing nxserver --useradd yourname (which will
> generate NX ssh keys and put them in that user's directory).
>
> If you use interactive/PAM authentication on your system, NX can use
> your user's normal system password; if you use key-based
> authentication for SSH the only way to make NX work is to use its
> internal password database and assing an NX-specific password to that
> user. In nxclient, copy the normal SSH key, and then in the nxclient
> login box put the NX username and password.
>

I think the user DB setting is in /usr/NX/etc/server.cfg

Re: [gentoo-user] nxserver-freenx - user nx not allowed because account is locked

[Joseph]

On 03/19/09 11:29, Paul Hartman wrote:
>>>
>>> it accepted the password, now do I run the setup again:
>>> nxsetup --install --setup-nomachine-key --clean --purge
>>>
>>> If I try to login from another machine do I login as user "nx"?
>>> When I try to login from another machine on my network I get:
>>> Your guest account has expired...
>>
>> The way NX works is it uses the nx user as an intermediate. You need
>> to login as a normal user, and you need to explicitly give that user
>> permission to use NX by doing nxserver --useradd yourname (which will
>> generate NX ssh keys and put them in that user's directory).
>>
>> If you use interactive/PAM authentication on your system, NX can use
>> your user's normal system password; if you use key-based
>> authentication for SSH the only way to make NX work is to use its
>> internal password database and assing an NX-specific password to that
>> user. In nxclient, copy the normal SSH key, and then in the nxclient
>> login box put the NX username and password.
>>
>
>I think the user DB setting is in /usr/NX/etc/server.cfg

No there is no such file or directory on the server; that is why I'm asking if after setting the password for user "nx" I should run this command again:
nxsetup --install --setup-nomachine-key --clean --purge

as it is my impression that the setup was not complete.

-- 
#Joseph
GPG KeyID: ED0E1FB7

Re: [gentoo-user] nxserver-freenx - user nx not allowed because account is locked

[Paul Hartman]

On Thu, Mar 19, 2009 at 11:38 AM, Joseph <syscon780@gmail.com> wrote:
> On 03/19/09 11:29, Paul Hartman wrote:
>>>>
>>>> it accepted the password, now do I run the setup again:
>>>> nxsetup --install --setup-nomachine-key --clean --purge
>>>>
>>>> If I try to login from another machine do I login as user "nx"?
>>>> When I try to login from another machine on my network I get:
>>>> Your guest account has expired...
>>>
>>> The way NX works is it uses the nx user as an intermediate. You need
>>> to login as a normal user, and you need to explicitly give that user
>>> permission to use NX by doing nxserver --useradd yourname (which will
>>> generate NX ssh keys and put them in that user's directory).
>>>
>>> If you use interactive/PAM authentication on your system, NX can use
>>> your user's normal system password; if you use key-based
>>> authentication for SSH the only way to make NX work is to use its
>>> internal password database and assing an NX-specific password to that
>>> user. In nxclient, copy the normal SSH key, and then in the nxclient
>>> login box put the NX username and password.
>>>
>>
>> I think the user DB setting is in /usr/NX/etc/server.cfg
>
> No there is no such file or directory on the server; that is why I'm asking
> if after setting the password for user "nx" I should run this command again:
> nxsetup --install --setup-nomachine-key --clean --purge
>
> as it is my impression that the setup was not complete.

Hmm. Okay, I am actually using nxserver-freeedition and not
nxserver-freenx. (I always get those confused).

On my machine I am the only user, so I don't know about multi-user
shared machines. I just want personal access to my home PC.

Here is my config that works for me with nxserver-freeedition with SSH
public key authentication:

In my sshd_config I've got:

PermitRootLogin No
RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM no

Then in /usr/NX/etc/server.cfg I have:
EnableUserDB = "1"
EnablePasswordDB = "1"


then run "/usr//NX/bin/nxserver --useradd yourusername" which will add
that user to the NX user database as well as create/add an SSH key to
that user (which is only used by NX on the local machine, it will SSH
to itself). The password you create for this user is what you'll use
in nxclient when connecting to the remote machine, and the SSH key in
nxclient is the one that user would normally use to login to the box
with regular SSH.

If you don't use key authentication with SSH, you should be able to
have the two NX server options above set to 0, and use the user's
normal password to login. You will still need to put your NX server
key into nxclient (unless you use the default key which is already in
there).

It is tricky to set up, but once it works it is awesome. :)  It beats
VNC or RDP easily.

Paul

Re: [gentoo-user] nxserver-freenx - user nx not allowed because account is locked

[Joseph]

On 03/19/09 13:07, Paul Hartman wrote:
>>>
>>> I think the user DB setting is in /usr/NX/etc/server.cfg
>>
>> No there is no such file or directory on the server; that is why I'm asking
>> if after setting the password for user "nx" I should run this command again:
>> nxsetup --install --setup-nomachine-key --clean --purge
>>
>> as it is my impression that the setup was not complete.
>
>Hmm. Okay, I am actually using nxserver-freeedition and not
>nxserver-freenx. (I always get those confused).

Thanks, it is the first time I"m using it.
What is the actual difference between nxserver-freeedition and nxserver-freenx besides the license?
Maybe I'll try nxserver-freeedition.

-- 
#Joseph
GPG KeyID: ED0E1FB7

Re: [gentoo-user] nxserver-freenx - user nx not allowed because account is locked

[Paul Hartman]

On Thu, Mar 19, 2009 at 2:17 PM, Joseph <syscon780@gmail.com> wrote:
> On 03/19/09 13:07, Paul Hartman wrote:
>>>>
>>>> I think the user DB setting is in /usr/NX/etc/server.cfg
>>>
>>> No there is no such file or directory on the server; that is why I'm
>>> asking
>>> if after setting the password for user "nx" I should run this command
>>> again:
>>> nxsetup --install --setup-nomachine-key --clean --purge
>>>
>>> as it is my impression that the setup was not complete.
>>
>> Hmm. Okay, I am actually using nxserver-freeedition and not
>> nxserver-freenx. (I always get those confused).
>
> Thanks, it is the first time I"m using it.
> What is the actual difference between nxserver-freeedition and
> nxserver-freenx besides the license?
> Maybe I'll try nxserver-freeedition.

I think nxserver-freeedition is an official NX product with a "free
forever" license for a small number of users per machine (2 or 3?),
while freenx is an open-source project making an NX-compatible server
(possibly using released NX sources from some point in time, I don't
really know the whole history).

Re: [gentoo-user] nomachine and Windows XP via VirtualBox

[Joseph]

On 03/19/09 15:40, Paul Hartman wrote:
>
>I think nxserver-freeedition is an official NX product with a "free
>forever" license for a small number of users per machine (2 or 3?),
>while freenx is an open-source project making an NX-compatible server
>(possibly using released NX sources from some point in time, I don't
>really know the whole history).

I just tried nxserver-freeedition, it works and nice speed!
I can run VirtuaBoxbox but it might not be what be a solution I'm looking for; or I am implementing it a wrong way.

I'm running Windows XP via VirtualBox and it runs OK but I need to access that Windows XP while it is running from internal network.
Windows XP is running on the same box as nxserver-freeedition and I need to access it from another machine on local lan.

I think I need to establish a connection with Linux via SAMBA to access Windows XP isn't it but I'll not be able to execute any program I think.
How about running nomachine server in Windows XP can I access it from Linux and run Windows programs?

Does anybody have a better idea? 

-- 
#Joseph
GPG KeyID: ED0E1FB7

Re: [gentoo-user] nomachine and Windows XP via VirtualBox

[Paul Hartman]

On Thu, Mar 19, 2009 at 5:03 PM, Joseph <syscon780@gmail.com> wrote:
> On 03/19/09 15:40, Paul Hartman wrote:
>>
>> I think nxserver-freeedition is an official NX product with a "free
>> forever" license for a small number of users per machine (2 or 3?),
>> while freenx is an open-source project making an NX-compatible server
>> (possibly using released NX sources from some point in time, I don't
>> really know the whole history).
>
> I just tried nxserver-freeedition, it works and nice speed!
> I can run VirtuaBoxbox but it might not be what be a solution I'm looking
> for; or I am implementing it a wrong way.
>
> I'm running Windows XP via VirtualBox and it runs OK but I need to access
> that Windows XP while it is running from internal network.
> Windows XP is running on the same box as nxserver-freeedition and I need to
> access it from another machine on local lan.
>
> I think I need to establish a connection with Linux via SAMBA to access
> Windows XP isn't it but I'll not be able to execute any program I think.
> How about running nomachine server in Windows XP can I access it from Linux
> and run Windows programs?
>
> Does anybody have a better idea?

NX can act as a proxy to RDP or VNC. Basically how it works, you make
the NX connection to the Linux box like you have already done, and in
nxclient change desktop from "Unix" to "Windows", then click
"Settings" and put the IP address of the Windows machine (virtual or
otherwise). Basically NX on the remote Linux machine makes RDP
connection (which will be fast since they are on the local
network/same machine in the case of virtualbox). Then it uses NX
protocol between your remote nxclient and the NX server, giving you
the speed of NX while using RDP :)

Same process can be used for VNC to a Mac OS X box.

Re: [gentoo-user] nxserver-freenx - user nx not allowed because account is locked

[Joseph]

On 03/19/09 13:07, Paul Hartman wrote:
>In my sshd_config I've got:
>
>PermitRootLogin No
>RSAAuthentication no
>PubkeyAuthentication yes
>AuthorizedKeysFile      .ssh/authorized_keys
>PasswordAuthentication no
>PermitEmptyPasswords no
>ChallengeResponseAuthentication no
>UsePAM no
>
>Then in /usr/NX/etc/server.cfg I have:
>EnableUserDB = "1"
>EnablePasswordDB = "1"
>
>
>then run "/usr//NX/bin/nxserver --useradd yourusername" which will add
>that user to the NX user database as well as create/add an SSH key to
>that user (which is only used by NX on the local machine, it will SSH
>to itself). The password you create for this user is what you'll use
>in nxclient when connecting to the remote machine, and the SSH key in
>nxclient is the one that user would normally use to login to the box
>with regular SSH.
>
>If you don't use key authentication with SSH, you should be able to
>have the two NX server options above set to 0, and use the user's
>normal password to login. You will still need to put your NX server
>key into nxclient (unless you use the default key which is already in
>there).
>
>It is tricky to set up, but once it works it is awesome. :)  It beats
>VNC or RDP easily.
>
>Paul

I've tried to duplicate this setting but I can only log-in with my username and password I created from a nxclient when I have in 
sshd.config
...
UsePAM yes

If I set it to no I can not log-in.
In your last section on coping keys, I'm not sure I follow it.
For now I used the default key that the server came with.

What do you call nxclient?
Is it the user account name on the server I created with "...nxserver --useradd joseph"?
This command copied the nxserver key to my home ~.ssh/authorized_keys file.

-- 
#Joseph
GPG KeyID: ED0E1FB7

Re: [gentoo-user] nxserver-freenx - user nx not allowed because account is locked

[Paul Hartman]

On Thu, Mar 19, 2009 at 5:29 PM, Joseph <syscon780@gmail.com> wrote:
> On 03/19/09 13:07, Paul Hartman wrote:
>>
>> In my sshd_config I've got:
>>
>> PermitRootLogin No
>> RSAAuthentication no
>> PubkeyAuthentication yes
>> AuthorizedKeysFile      .ssh/authorized_keys
>> PasswordAuthentication no
>> PermitEmptyPasswords no
>> ChallengeResponseAuthentication no
>> UsePAM no
>>
>> Then in /usr/NX/etc/server.cfg I have:
>> EnableUserDB = "1"
>> EnablePasswordDB = "1"
>>
>>
>> then run "/usr//NX/bin/nxserver --useradd yourusername" which will add
>> that user to the NX user database as well as create/add an SSH key to
>> that user (which is only used by NX on the local machine, it will SSH
>> to itself). The password you create for this user is what you'll use
>> in nxclient when connecting to the remote machine, and the SSH key in
>> nxclient is the one that user would normally use to login to the box
>> with regular SSH.
>>
>> If you don't use key authentication with SSH, you should be able to
>> have the two NX server options above set to 0, and use the user's
>> normal password to login. You will still need to put your NX server
>> key into nxclient (unless you use the default key which is already in
>> there).
>>
>> It is tricky to set up, but once it works it is awesome. :)  It beats
>> VNC or RDP easily.
>>
>> Paul
>
> I've tried to duplicate this setting but I can only log-in with my username
> and password I created from a nxclient when I have in sshd.config
> ...
> UsePAM yes
>
> If I set it to no I can not log-in.
> In your last section on coping keys, I'm not sure I follow it.
> For now I used the default key that the server came with.
>
> What do you call nxclient?
> Is it the user account name on the server I created with "...nxserver
> --useradd joseph"?
> This command copied the nxserver key to my home ~.ssh/authorized_keys file.

In my setup I do not use passwords for SSH, or even allow them at all,
I only use the public key auth. So "UsePAM no" and the other options
gets rid of the interactive password prompt entirely.

Here is my understanding of how the NX bits all fit together:

Think of it as a 2-step connection. The first step is connecting from
the remote nxclient to the nxserver. For this step, it uses the SSH
key that you can put into nxclient. That only authenticates you as
being able to connect to the NX server, it doesn't get you into any
user files or desktops. By keeping the default NX key, anyone with NX
client can connect to your box and get to this point.

The second step, now that you are authenticated and connected to the
NX server, is connecting to the remote desktop. Only users granted
access to NX by --useradd are allowed to proceed past step 1, so even
using default NX key won't let someone in any further unless they know
your NX user's name and password. In the case of Linux remote desktops
(the usual case), the key it installed into your user's
authorized_keys is what NX server then uses to make an SSH login to
your user's desktop environment. (I believe the NX user's key is set
to only work when logging in from localhost).

NX can also be used as a proxy to connect to VNC or RDP. When the VNC
or RDP machine is on the local network of the NX server, the
connection between those two machines is very fast. Then, that VNC/RDP
is re-encoded using NX between the server and the client. Since NX's
protocol is faster over the internet, you can actually get a faster
RDP than if you had connected directly to the Windows machine using
rdesktop.

Re: [gentoo-user] nxserver-freenx - user nx not allowed because account is locked

[Joseph]

On 03/19/09 17:48, Paul Hartman wrote:
>Here is my understanding of how the NX bits all fit together:
>
>Think of it as a 2-step connection. The first step is connecting from
>the remote nxclient to the nxserver. For this step, it uses the SSH
>key that you can put into nxclient. That only authenticates you as
>being able to connect to the NX server, it doesn't get you into any
>user files or desktops. By keeping the default NX key, anyone with NX
>client can connect to your box and get to this point.

I think my ssh-keys might not be correct between the nxclient.
I've installed on one Linux box:
net-misc/nxclient
and the server is running: nxserver-freeedition

maybe the key from nxclient:
/usr/NX/share/keys/server.id_dsa.key
is not the correct one, this key is a private key.
and to my understanding in order to log-in into the server I need to copy nxclinet's public key to the serer; but I can not fine one.

-- 
#Joseph
GPG KeyID: ED0E1FB7

Re: [gentoo-user] nxserver-freenx - user nx not allowed because account is locked

[Paul Hartman]

On Thu, Mar 19, 2009 at 6:29 PM, Joseph <syscon780@gmail.com> wrote:
> On 03/19/09 17:48, Paul Hartman wrote:
>>
>> Here is my understanding of how the NX bits all fit together:
>>
>> Think of it as a 2-step connection. The first step is connecting from
>> the remote nxclient to the nxserver. For this step, it uses the SSH
>> key that you can put into nxclient. That only authenticates you as
>> being able to connect to the NX server, it doesn't get you into any
>> user files or desktops. By keeping the default NX key, anyone with NX
>> client can connect to your box and get to this point.
>
> I think my ssh-keys might not be correct between the nxclient.
> I've installed on one Linux box:
> net-misc/nxclient
> and the server is running: nxserver-freeedition
>
> maybe the key from nxclient:
> /usr/NX/share/keys/server.id_dsa.key
> is not the correct one, this key is a private key.
> and to my understanding in order to log-in into the server I need to copy
> nxclinet's public key to the serer; but I can not fine one.

Hi,

You need to copy the server's "default" key to the client. Copy
/usr/NX/share/keys/default.id_dsa.key (NOT server.id_dsa.key) from the
server into the nxclient (Configure -> Keys -> Import or paste it in).

Re: [gentoo-user] nxserver-freenx - user nx not allowed because account is locked

[Joseph]

On 03/20/09 10:07, Paul Hartman wrote:
>Hi,
>
>You need to copy the server's "default" key to the client. Copy
>/usr/NX/share/keys/default.id_dsa.key (NOT server.id_dsa.key) from the
>server into the nxclient (Configure -> Keys -> Import or paste it in).

Thank you.
Yes, I had that part correct.
The problem in my case is the nx user password needs to be set to unlock the account.

Now, I'm fighting to connect to Windows XP :-/ running in VirtualBox

-- 
Joseph

Re: [gentoo-user] nxserver-freenx - user nx not allowed because account is locked

[Joseph]

On 03/19/09 11:16, Paul Hartman wrote:
>> it accepted the password, now do I run the setup again:
>> nxsetup --install --setup-nomachine-key --clean --purge
>>
>> If I try to login from another machine do I login as user "nx"?
>> When I try to login from another machine on my network I get:
>> Your guest account has expired...
>
>The way NX works is it uses the nx user as an intermediate. You need
>to login as a normal user, and you need to explicitly give that user
>permission to use NX by doing nxserver --useradd yourname (which will
>generate NX ssh keys and put them in that user's directory).
>
>If you use interactive/PAM authentication on your system, NX can use
>your user's normal system password; if you use key-based
>authentication for SSH the only way to make NX work is to use its
>internal password database and assing an NX-specific password to that
>user. In nxclient, copy the normal SSH key, and then in the nxclient
>login box put the NX username and password.

I'm getting something :-/
On the nxserver I set the sshd to "pam yes"
When I try to login from client as user: joseph + my_passowrd I get:

Could not yet established the connection to the remote proxy...

-- 
#Joseph
GPG KeyID: ED0E1FB7

Re: [gentoo-user] nxserver-freenx - user nx not allowed because account is locked

[Joseph]

On 03/19/09 10:51, Paul Hartman wrote:
>> So at this point I'm back to square one in log/messages I get:
>> User nx not allowed because account is locked
>
>Oh, try  to give user nx a password on your system. It uses ssh keys
>to login, so it doesn't even matter what the password is. Just don't
>make it something easily guessed/brute-force like "nx" or "1234" or
>else you might have some unwanted guests in your system :)

I'm a git of confused as to which ssh key is the client using as I did not transfer any ssh public key to the client machine.
(Yes, I know how ssh login works) 

Do I need to transfer ssh key from: /etc/nxserver/users.id_dsa.pub
to my client machine?

-- 
#Joseph
GPG KeyID: ED0E1FB7