03-19-2009, 02:03 PM
Paul Hartman

nxserver-freenx - user nx not allowed because account is locked

On Wed, Mar 18, 2009 at 11:35 PM, Joseph <syscon780@gmail.com> wrote:
> Is anybody using nxserver-freenx?
> It compiles fine but when I run a setup:
> nxsetup --install --setup-nomachine-key --clean --purge
> I get:
> ----> Testing your nxserver connection ...
> Permission denied (publickey,keyboard-interactive).
> Fatal error: Could not connect to NX Server.
>
> Please check your ssh setup:
>
> The following are _examples_ of what you might need to check.
>
> - Make sure "nx" is one of the AllowUsers in sshd_config.
> (or that the line is outcommented/not there)
> - Make sure "nx" is one of the AllowGroups in sshd_config.
> (or that the line is outcommented/not there)
> - Make sure your sshd allows public key authentication.
> - Make sure your sshd is really running on port 22.
> - Make sure your sshd_config AuthorizedKeysFile in sshd_config is set
> to authorized_keys2.
> (this should be a filename not a pathname+filename)
> - Make sure you allow ssh on localhost, this could come from some
> restriction of:
>
>
> log/messages prints:
> user nx not allowed because account is locked
>
> How to unlock the account?

passwd -u nx

I had to do the same thing.

Paul
 
03-19-2009, 02:51 PM
Paul Hartman

On Thu, Mar 19, 2009 at 10:44 AM, Joseph <syscon780@gmail.com> wrote:
> On 03/19/09 10:03, Paul Hartman wrote:
> [snip]
>>>
>>> log/messages prints:
>>> user nx not allowed because account is locked
>>>
>>> How to unlock the account?
>>
>> passwd -u nx
>>
>> I had to do the same thing.
>>
>> Paul
>
>
> Yes, I tried it already:
>
> passwd -u nx
> passwd: unlocking the user would result in a passwordless account.
> You should set password with usermod -p to unlock this user account.
> Password changed.
>
> What do you do next?
>
> When I try to run again:
> nxsetup --install --setup-nomachine-key --clean --purge
>
> I get:
> ...
> Setting up /var/log/nxserver.log ...done
> Setting up special user "nx" ...passwd: unlocking the user would result in a
> passwordless account.
> You should set a password with usermod -p to unlock this user account.
> Password changed.
> done.
> ...
> ----> Testing your nxserver connection ...
> Permission denied (publickey,keyboard-interactive).
> Fatal error: Could not connect to NX Server.
>
> Please check your ssh setup:
>
> The following are _examples_ of what you might need to check.
>
> - Make sure "nx" is one of the AllowUsers in sshd_config.
> (or that the line is outcommented/not there)
> - Make sure "nx" is one of the AllowGroups in sshd_config.
> (or that the line is outcommented/not there)
> - Make sure your sshd allows public key authentication.
> - Make sure your sshd is really running on port 22.
> - Make sure your sshd_config AuthorizedKeysFile in sshd_config is set
> to authorized_keys2.
> (this should be a filename not a pathname+filename)
> - Make sure you allow ssh on localhost, this could come from some
> restriction of:
> -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
> -the iptables. add to it:
> $ iptables -A INPUT -i lo -j ACCEPT
> $ iptables -A OUTPUT -o lo -j ACCEPT
>
>
> So at this point I'm back to square one in log/messages I get:
> User nx not allowed because account is locked

Oh, try to give user nx a password on your system. It uses ssh keys
to login, so it doesn't even matter what the password is. Just don't
make it something easily guessed/brute-forced like "nx" or "1234" or
else you might have some unwanted guests in your system.
 
03-19-2009, 02:53 PM
Paul Hartman

On Thu, Mar 19, 2009 at 10:51 AM, Paul Hartman
<paul.hartman+gentoo@gmail.com> wrote:
> On Thu, Mar 19, 2009 at 10:44 AM, Joseph <syscon780@gmail.com> wrote:
>> On 03/19/09 10:03, Paul Hartman wrote:
>> [snip]
>>>>
>>>> log/messages prints:
>>>> user nx not allowed because account is locked
>>>>
>>>> How to unlock the account?
>>>
>>> passwd -u nx
>>>
>>> I had to do the same thing.
>>>
>>> Paul
>>
>>
>> Yes, I tried it already:
>>
>> passwd -u nx
>> passwd: unlocking the user would result in a passwordless account.
>> You should set password with usermod -p to unlock this user account.
>> Password changed.
>>
>> What do you do next?
>>
>> When I try to run again:
>> nxsetup --install --setup-nomachine-key --clean --purge
>>
>> I get:
>> ...
>> Setting up /var/log/nxserver.log ...done
>> Setting up special user "nx" ...passwd: unlocking the user would result in a
>> passwordless account.
>> You should set a password with usermod -p to unlock this user account.
>> Password changed.
>> done.
>> ...
>> ----> Testing your nxserver connection ...
>> Permission denied (publickey,keyboard-interactive).
>> Fatal error: Could not connect to NX Server.
>>
>> Please check your ssh setup:
>>
>> The following are _examples_ of what you might need to check.
>>
>> - Make sure "nx" is one of the AllowUsers in sshd_config.
>> (or that the line is outcommented/not there)
>> - Make sure "nx" is one of the AllowGroups in sshd_config.
>> (or that the line is outcommented/not there)
>> - Make sure your sshd allows public key authentication.
>> - Make sure your sshd is really running on port 22.
>> - Make sure your sshd_config AuthorizedKeysFile in sshd_config is set
>> to authorized_keys2.
>> (this should be a filename not a pathname+filename)
>> - Make sure you allow ssh on localhost, this could come from some
>> restriction of:
>> -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
>> -the iptables. add to it:
>> $ iptables -A INPUT -i lo -j ACCEPT
>> $ iptables -A OUTPUT -o lo -j ACCEPT
>>
>>
>> So at this point I'm back to square one in log/messages I get:
>> User nx not allowed because account is locked
>
> Oh, try to give user nx a password on your system. It uses ssh keys
> to login, so it doesn't even matter what the password is. Just don't
> make it something easily guessed/brute-force like "nx" or "1234" or
> else you might have some unwanted guests in your system
>

Now that I think of it, you might even be able to assign a password,
unlock, and then delete the password with "passwd -d nx".
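
Added example, not part of the thread: the "account is locked" log line comes from a check sshd makes on Linux when `UsePAM no` is set, refusing every login, key-based included, for an account whose shadow password field starts with `!`. The sketch below classifies that field for constructed sample entries (function names, user names and sample lines are made up for illustration), covering the states that `passwd -u`, `usermod -p something` and `passwd -d` from this thread leave behind.

```shell
#!/bin/sh
# Added illustration; function names and sample data are constructed.

# Classify the second field of a shadow(5) entry.
classify_shadow_field() {
    case "$1" in
        '')   echo empty ;;        # no password at all (what "passwd -d" leaves)
        '!'*) echo locked ;;       # "passwd -l", or a user created without a password
        '*')  echo nopassword ;;   # no password can match, but not locked
        '$'*) echo hash ;;         # modular crypt hash such as $6$...
        *[!./0-9A-Za-z]*) echo unusable ;;  # characters no legacy hash contains
        ?????????????) echo hash ;;         # 13 characters: legacy DES crypt
        *)    echo unusable ;;     # e.g. plain text handed to "usermod -p"
    esac
}

# The lock check sshd applies before any authentication method is tried.
# $1 = field state, $2 = effective UsePAM value (yes|no)
sshd_account_verdict() {
    if [ "$2" = no ] && [ "$1" = locked ]; then
        echo "refused: account is locked"
    elif [ "$2" = yes ]; then
        echo "lock check skipped, PAM decides"
    else
        echo "passes lock check"
    fi
}

# Whether the field leaves a password an attacker could guess or skip.
password_exposure() {
    case "$1" in
        empty) echo "no password required wherever empty passwords are accepted" ;;
        hash)  echo "password login possible wherever it is enabled" ;;
        *)     echo "no password will match" ;;
    esac
}

# stdin: shadow-format lines; $1: effective UsePAM value
audit_shadow() {
    while IFS=: read -r name field rest; do
        state=$(classify_shadow_field "$field")
        printf '%-10s %-11s %-32s %s\n' "$name" "$state" \
            "$(sshd_account_verdict "$state" "$1")" \
            "$(password_exposure "$state")"
    done
}

# Constructed sample entries, one per state discussed in the thread.
sample_shadow() {
    cat <<'EOF'
fresh:!:14322:0:99999:7:::
starred:*:14322:0:99999:7:::
deleted::14322:0:99999:7:::
plaintext:something:14322:0:99999:7:::
hashed:$6$examplesalt$constructedhashvalue:14322:0:99999:7:::
EOF
}

sample_shadow | audit_shadow no
```

With `UsePAM no`, a field of `*` (as set by `usermod -p '*' nx`) passes the lock check for key authentication while leaving no password that could be guessed.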
 
03-19-2009, 03:16 PM
Paul Hartman

On Thu, Mar 19, 2009 at 11:10 AM, Joseph <syscon780@gmail.com> wrote:
> On 03/19/09 10:51, Paul Hartman wrote:
>>>
>>> Yes, I tried it already:
>>>
>>> passwd -u nx
>>> passwd: unlocking the user would result in a passwordless account.
>>> You should set password with usermod -p to unlock this user account.
>>> Password changed.
>>>
>>> What do you do next?
>>>
>>> When I try to run again:
>>> nxsetup --install --setup-nomachine-key --clean --purge
>>>
>>> I get:
>>> ...
>>> Setting up /var/log/nxserver.log ...done
>>> Setting up special user "nx" ...passwd: unlocking the user would result
>>> in a
>>> passwordless account.
>>> You should set a password with usermod -p to unlock this user account.
>>> Password changed.
>>> done.
>>> ...
>>> ----> Testing your nxserver connection ...
>>> Permission denied (publickey,keyboard-interactive).
>>> Fatal error: Could not connect to NX Server.
>>>
>>> Please check your ssh setup:
>>>
>>> The following are _examples_ of what you might need to check.
>>>
>>> - Make sure "nx" is one of the AllowUsers in sshd_config.
>>> (or that the line is outcommented/not there)
>>> - Make sure "nx" is one of the AllowGroups in sshd_config.
>>> (or that the line is outcommented/not there)
>>> - Make sure your sshd allows public key authentication.
>>> - Make sure your sshd is really running on port 22.
>>> - Make sure your sshd_config AuthorizedKeysFile in sshd_config is
>>> set
>>> to authorized_keys2.
>>> (this should be a filename not a pathname+filename)
>>> - Make sure you allow ssh on localhost, this could come from some
>>> restriction of:
>>> -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
>>> -the iptables. add to it:
>>> $ iptables -A INPUT -i lo -j ACCEPT
>>> $ iptables -A OUTPUT -o lo -j ACCEPT
>>>
>>>
>>> So at this point I'm back to square one in log/messages I get:
>>> User nx not allowed because account is locked
>>
>> Oh, try to give user nx a password on your system. It uses ssh keys
>> to login, so it doesn't even matter what the password is. Just don't
>> make it something easily guessed/brute-force like "nx" or "1234" or
>> else you might have some unwanted guests in your system
>
> I did give it a password usermod -p something nx
>
> it accepted the password, now do I run the setup again:
> nxsetup --install --setup-nomachine-key --clean --purge
>
> If I try to login from another machine do I login as user "nx"?
> When I try to login from another machine on my network I get:
> Your guest account has expired...

The way NX works is it uses the nx user as an intermediate. You need
to login as a normal user, and you need to explicitly give that user
permission to use NX by doing nxserver --useradd yourname (which will
generate NX ssh keys and put them in that user's directory).

If you use interactive/PAM authentication on your system, NX can use
your user's normal system password; if you use key-based
authentication for SSH the only way to make NX work is to use its
internal password database and assign an NX-specific password to that
user. In nxclient, copy the normal SSH key, and then in the nxclient
login box put the NX username and password.
 
03-19-2009, 03:29 PM
Paul Hartman

On Thu, Mar 19, 2009 at 11:16 AM, Paul Hartman
<paul.hartman+gentoo@gmail.com> wrote:
> On Thu, Mar 19, 2009 at 11:10 AM, Joseph <syscon780@gmail.com> wrote:
>> On 03/19/09 10:51, Paul Hartman wrote:
>>>>
>>>> Yes, I tried it already:
>>>>
>>>> passwd -u nx
>>>> passwd: unlocking the user would result in a passwordless account.
>>>> You should set password with usermod -p to unlock this user account.
>>>> Password changed.
>>>>
>>>> What do you do next?
>>>>
>>>> When I try to run again:
>>>> nxsetup --install --setup-nomachine-key --clean --purge
>>>>
>>>> I get:
>>>> ...
>>>> Setting up /var/log/nxserver.log ...done
>>>> Setting up special user "nx" ...passwd: unlocking the user would result
>>>> in a
>>>> passwordless account.
>>>> You should set a password with usermod -p to unlock this user account.
>>>> Password changed.
>>>> done.
>>>> ...
>>>> ----> Testing your nxserver connection ...
>>>> Permission denied (publickey,keyboard-interactive).
>>>> Fatal error: Could not connect to NX Server.
>>>>
>>>> Please check your ssh setup:
>>>>
>>>> The following are _examples_ of what you might need to check.
>>>>
>>>> - Make sure "nx" is one of the AllowUsers in sshd_config.
>>>> (or that the line is outcommented/not there)
>>>> - Make sure "nx" is one of the AllowGroups in sshd_config.
>>>> (or that the line is outcommented/not there)
>>>> - Make sure your sshd allows public key authentication.
>>>> - Make sure your sshd is really running on port 22.
>>>> - Make sure your sshd_config AuthorizedKeysFile in sshd_config is
>>>> set
>>>> to authorized_keys2.
>>>> (this should be a filename not a pathname+filename)
>>>> - Make sure you allow ssh on localhost, this could come from some
>>>> restriction of:
>>>> -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
>>>> -the iptables. add to it:
>>>> $ iptables -A INPUT -i lo -j ACCEPT
>>>> $ iptables -A OUTPUT -o lo -j ACCEPT
>>>>
>>>>
>>>> So at this point I'm back to square one in log/messages I get:
>>>> User nx not allowed because account is locked
>>>
>>> Oh, try to give user nx a password on your system. It uses ssh keys
>>> to login, so it doesn't even matter what the password is. Just don't
>>> make it something easily guessed/brute-force like "nx" or "1234" or
>>> else you might have some unwanted guests in your system
>>
>> I did give it a password usermod -p something nx
>>
>> it accepted the password, now do I run the setup again:
>> nxsetup --install --setup-nomachine-key --clean --purge
>>
>> If I try to login from another machine do I login as user "nx"?
>> When I try to login from another machine on my network I get:
>> Your guest account has expired...
>
> The way NX works is it uses the nx user as an intermediate. You need
> to login as a normal user, and you need to explicitly give that user
> permission to use NX by doing nxserver --useradd yourname (which will
> generate NX ssh keys and put them in that user's directory).
>
> If you use interactive/PAM authentication on your system, NX can use
> your user's normal system password; if you use key-based
> authentication for SSH the only way to make NX work is to use its
> internal password database and assign an NX-specific password to that
> user. In nxclient, copy the normal SSH key, and then in the nxclient
> login box put the NX username and password.
>

I think the user DB setting is in /usr/NX/etc/server.cfg
 
03-19-2009, 05:07 PM
Paul Hartman

On Thu, Mar 19, 2009 at 11:38 AM, Joseph <syscon780@gmail.com> wrote:
> On 03/19/09 11:29, Paul Hartman wrote:
>>>>
>>>> it accepted the password, now do I run the setup again:
>>>> nxsetup --install --setup-nomachine-key --clean --purge
>>>>
>>>> If I try to login from another machine do I login as user "nx"?
>>>> When I try to login from another machine on my network I get:
>>>> Your guest account has expired...
>>>
>>> The way NX works is it uses the nx user as an intermediate. You need
>>> to login as a normal user, and you need to explicitly give that user
>>> permission to use NX by doing nxserver --useradd yourname (which will
>>> generate NX ssh keys and put them in that user's directory).
>>>
>>> If you use interactive/PAM authentication on your system, NX can use
>>> your user's normal system password; if you use key-based
>>> authentication for SSH the only way to make NX work is to use its
>>> internal password database and assign an NX-specific password to that
>>> user. In nxclient, copy the normal SSH key, and then in the nxclient
>>> login box put the NX username and password.
>>>
>>
>> I think the user DB setting is in /usr/NX/etc/server.cfg
>
> No there is no such file or directory on the server; that is why I'm asking
> if after setting the password for user "nx" I should run this command again:
> nxsetup --install --setup-nomachine-key --clean --purge
>
> as it is my impression that the setup was not complete.

Hmm. Okay, I am actually using nxserver-freeedition and not
nxserver-freenx. (I always get those confused).

On my machine I am the only user, so I don't know about multi-user
shared machines. I just want personal access to my home PC.

Here is my config that works for me with nxserver-freeedition with SSH
public key authentication:

In my sshd_config I've got:

PermitRootLogin No
RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM no

Then in /usr/NX/etc/server.cfg I have:
EnableUserDB = "1"
EnablePasswordDB = "1"


then run "/usr/NX/bin/nxserver --useradd yourusername" which will add
that user to the NX user database as well as create/add an SSH key to
that user (which is only used by NX on the local machine, it will SSH
to itself). The password you create for this user is what you'll use
in nxclient when connecting to the remote machine, and the SSH key in
nxclient is the one that user would normally use to login to the box
with regular SSH.

If you don't use key authentication with SSH, you should be able to
have the two NX server options above set to 0, and use the user's
normal password to login. You will still need to put your NX server
key into nxclient (unless you use the default key which is already in
there).

It is tricky to set up, but once it works it is awesome. It beats
VNC or RDP easily.

Paul
 
03-19-2009, 07:40 PM
Paul Hartman

On Thu, Mar 19, 2009 at 2:17 PM, Joseph <syscon780@gmail.com> wrote:
> On 03/19/09 13:07, Paul Hartman wrote:
>>>>
>>>> I think the user DB setting is in /usr/NX/etc/server.cfg
>>>
>>> No there is no such file or directory on the server; that is why I'm
>>> asking
>>> if after setting the password for user "nx" I should run this command
>>> again:
>>> nxsetup --install --setup-nomachine-key --clean --purge
>>>
>>> as it is my impression that the setup was not complete.
>>
>> Hmm. Okay, I am actually using nxserver-freeedition and not
>> nxserver-freenx. (I always get those confused).
>
> Thanks, it is the first time I'm using it.
> What is the actual difference between nxserver-freeedition and
> nxserver-freenx besides the license?
> Maybe I'll try nxserver-freeedition.

I think nxserver-freeedition is an official NX product with a "free
forever" license for a small number of users per machine (2 or 3?),
while freenx is an open-source project making an NX-compatible server
(possibly using released NX sources from some point in time, I don't
really know the whole history).
 
03-19-2009, 09:48 PM
Paul Hartman

On Thu, Mar 19, 2009 at 5:29 PM, Joseph <syscon780@gmail.com> wrote:
> On 03/19/09 13:07, Paul Hartman wrote:
>>
>> In my sshd_config I've got:
>>
>> PermitRootLogin No
>> RSAAuthentication no
>> PubkeyAuthentication yes
>> AuthorizedKeysFile .ssh/authorized_keys
>> PasswordAuthentication no
>> PermitEmptyPasswords no
>> ChallengeResponseAuthentication no
>> UsePAM no
>>
>> Then in /usr/NX/etc/server.cfg I have:
>> EnableUserDB = "1"
>> EnablePasswordDB = "1"
>>
>>
>> then run "/usr/NX/bin/nxserver --useradd yourusername" which will add
>> that user to the NX user database as well as create/add an SSH key to
>> that user (which is only used by NX on the local machine, it will SSH
>> to itself). The password you create for this user is what you'll use
>> in nxclient when connecting to the remote machine, and the SSH key in
>> nxclient is the one that user would normally use to login to the box
>> with regular SSH.
>>
>> If you don't use key authentication with SSH, you should be able to
>> have the two NX server options above set to 0, and use the user's
>> normal password to login. You will still need to put your NX server
>> key into nxclient (unless you use the default key which is already in
>> there).
>>
>> It is tricky to set up, but once it works it is awesome. It beats
>> VNC or RDP easily.
>>
>> Paul
>
> I've tried to duplicate this setting but I can only log-in with my username
> and password I created from a nxclient when I have in sshd.config
> ...
> UsePAM yes
>
> If I set it to no I can not log-in.
> In your last section on copying keys, I'm not sure I follow it.
> For now I used the default key that the server came with.
>
> What do you call nxclient?
> Is it the user account name on the server I created with "...nxserver
> --useradd joseph"?
> This command copied the nxserver key to my home ~/.ssh/authorized_keys file.

In my setup I do not use passwords for SSH, or even allow them at all,
I only use the public key auth. So "UsePAM no" and the other options
get rid of the interactive password prompt entirely.

Here is my understanding of how the NX bits all fit together:

Think of it as a 2-step connection. The first step is connecting from
the remote nxclient to the nxserver. For this step, it uses the SSH
key that you can put into nxclient. That only authenticates you as
being able to connect to the NX server, it doesn't get you into any
user files or desktops. By keeping the default NX key, anyone with NX
client can connect to your box and get to this point.

The second step, now that you are authenticated and connected to the
NX server, is connecting to the remote desktop. Only users granted
access to NX by --useradd are allowed to proceed past step 1, so even
using default NX key won't let someone in any further unless they know
your NX user's name and password. In the case of Linux remote desktops
(the usual case), the key it installed into your user's
authorized_keys is what NX server then uses to make an SSH login to
your user's desktop environment. (I believe the NX user's key is set
to only work when logging in from localhost).

NX can also be used as a proxy to connect to VNC or RDP. When the VNC
or RDP machine is on the local network of the NX server, the
connection between those two machines is very fast. Then, that VNC/RDP
is re-encoded using NX between the server and the client. Since NX's
protocol is faster over the internet, you can actually get a faster
RDP than if you had connected directly to the Windows machine using
rdesktop.
 
03-20-2009, 02:07 PM
Paul Hartman

On Thu, Mar 19, 2009 at 6:29 PM, Joseph <syscon780@gmail.com> wrote:
> On 03/19/09 17:48, Paul Hartman wrote:
>>
>> Here is my understanding of how the NX bits all fit together:
>>
>> Think of it as a 2-step connection. The first step is connecting from
>> the remote nxclient to the nxserver. For this step, it uses the SSH
>> key that you can put into nxclient. That only authenticates you as
>> being able to connect to the NX server, it doesn't get you into any
>> user files or desktops. By keeping the default NX key, anyone with NX
>> client can connect to your box and get to this point.
>
> I think my ssh-keys might not be correct between the nxclient.
> I've installed on one Linux box:
> net-misc/nxclient
> and the server is running: nxserver-freeedition
>
> maybe the key from nxclient:
> /usr/NX/share/keys/server.id_dsa.key
> is not the correct one, this key is a private key.
> and to my understanding in order to log-in into the server I need to copy
> nxclient's public key to the server; but I can not find one.

Hi,

You need to copy the server's "default" key to the client. Copy
/usr/NX/share/keys/default.id_dsa.key (NOT server.id_dsa.key) from the
server into the nxclient (Configure -> Keys -> Import or paste it in).
 
