Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.
03-19-2009, 02:44 PM
Joseph

nxserver-freenx - user nx not allowed because account is locked

On 03/19/09 10:03, Paul Hartman wrote:
[snip]

log/messages prints:
user nx not allowed because account is locked

How to unlock the account?


passwd -u nx

I had to do the same thing.

Paul



Yes, I tried it already:

passwd -u nx
passwd: unlocking the user would result in a passwordless account.
You should set password with usermod -p to unlock this user account.
Password changed.

What do you do next?

When I try to run again:
nxsetup --install --setup-nomachine-key --clean --purge

I get:
...
Setting up /var/log/nxserver.log ...done
Setting up special user "nx" ...passwd: unlocking the user would result in a
passwordless account.
You should set a password with usermod -p to unlock this user account.
Password changed.
done.
...
----> Testing your nxserver connection ...
Permission denied (publickey,keyboard-interactive).
Fatal error: Could not connect to NX Server.

Please check your ssh setup:

The following are _examples_ of what you might need to check.

- Make sure "nx" is one of the AllowUsers in sshd_config.
(or that the line is outcommented/not there)
- Make sure "nx" is one of the AllowGroups in sshd_config.
(or that the line is outcommented/not there)
- Make sure your sshd allows public key authentication.
- Make sure your sshd is really running on port 22.
- Make sure your sshd_config AuthorizedKeysFile in sshd_config is set
to authorized_keys2.
(this should be a filename not a pathname+filename)
- Make sure you allow ssh on localhost, this could come from some
restriction of:
-the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
-the iptables. add to it:
$ iptables -A INPUT -i lo -j ACCEPT
$ iptables -A OUTPUT -o lo -j ACCEPT


So at this point I'm back to square one; in log/messages I get:
User nx not allowed because account is locked

--
#Joseph
GPG KeyID: ED0E1FB7
 
03-19-2009, 03:10 PM
Joseph

nxserver-freenx - user nx not allowed because account is locked

On 03/19/09 10:51, Paul Hartman wrote:


Yes, I tried it already:

passwd -u nx
passwd: unlocking the user would result in a passwordless account.
You should set password with usermod -p to unlock this user account.
Password changed.

What do you do next?

When I try to run again:
nxsetup --install --setup-nomachine-key --clean --purge

I get:
...
Setting up /var/log/nxserver.log ...done
Setting up special user "nx" ...passwd: unlocking the user would result in a
passwordless account.
You should set a password with usermod -p to unlock this user account.
Password changed.
done.
...
----> Testing your nxserver connection ...
Permission denied (publickey,keyboard-interactive).
Fatal error: Could not connect to NX Server.

Please check your ssh setup:

The following are _examples_ of what you might need to check.

- Make sure "nx" is one of the AllowUsers in sshd_config.
(or that the line is outcommented/not there)
- Make sure "nx" is one of the AllowGroups in sshd_config.
(or that the line is outcommented/not there)
- Make sure your sshd allows public key authentication.
- Make sure your sshd is really running on port 22.
- Make sure your sshd_config AuthorizedKeysFile in sshd_config is set
to authorized_keys2.
(this should be a filename not a pathname+filename)
- Make sure you allow ssh on localhost, this could come from some
restriction of:
-the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
-the iptables. add to it:
$ iptables -A INPUT -i lo -j ACCEPT
$ iptables -A OUTPUT -o lo -j ACCEPT


So at this point I'm back to square one; in log/messages I get:
User nx not allowed because account is locked


Oh, try to give user nx a password on your system. It uses ssh keys
to login, so it doesn't even matter what the password is. Just don't
make it something easily guessed/brute-force like "nx" or "1234" or
else you might have some unwanted guests in your system


I did give it a password
usermod -p something nx


it accepted the password, now do I run the setup again:
nxsetup --install --setup-nomachine-key --clean --purge

If I try to login from another machine do I login as user "nx"?
When I try to login from another machine on my network I get:
Your guest account has expired...

--
#Joseph
GPG KeyID: ED0E1FB7
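
The "account is locked" message and the `usermod -p` step discussed above both come down to what sits in the password field of the account's shadow entry. The following is an added example, not part of the thread or of NX: it classifies that field, assuming the Linux convention that a leading `!` marks a locked entry; the account names other than `nx` and `joseph`, the sample entries, and the hash are constructed.

```shell
#!/bin/sh
# Added example: classify the password field of shadow(5) entries to see why
# sshd logs "account is locked" for a key-only service user such as "nx".

# Constructed sample entries (not from a real host; the hash is a placeholder).
sample_shadow() {
    cat <<'EOF'
nx:!:14322:0:99999:7:::
nx_star:*:14322:0:99999:7:::
nx_plain:something:14322:0:99999:7:::
joseph:$6$constructedsalt$PLACEHOLDERHASH:14322:0:99999:7:::
nopass::14322:0:99999:7:::
EOF
}

# Map the second shadow field to a state name.
classify_shadow_field() {
    case "$1" in
        '')       echo "empty" ;;         # no password required at all
        '!'*)     echo "locked" ;;        # lock marker (passwd -l, new system users)
        '*')      echo "no-password" ;;   # matches no password, but is not a lock
        '$'*'$'*) echo "hashed" ;;        # crypt(3) modular format $id$salt$hash
        *)        echo "unrecognized" ;;  # legacy hash, or plaintext given to usermod -p
    esac
}

# Print the state of user $1; shadow-format lines are read from stdin.
shadow_state() {
    field=$(awk -F: -v u="$1" '$1 == u { print $2; f = 1; exit }
                               END { if (!f) exit 3 }') || { echo "missing"; return 1; }
    classify_shadow_field "$field"
}

# Verdict for an account that should only ever log in with an SSH key.
key_only_verdict() {
    case "$(shadow_state "$1")" in
        locked)       echo "rejected: account is locked" ;;
        no-password)  echo "ok: key login only" ;;
        empty)        echo "risk: passwordless account" ;;
        hashed)       echo "ok if the password is strong" ;;
        unrecognized) echo "check: field is not a crypt hash" ;;
        *)            echo "no such user" ;;
    esac
}

for u in nx nx_star nx_plain joseph nopass; do
    printf '%-9s %s\n' "$u" "$(sample_shadow | key_only_verdict "$u")"
done
```

`usermod -p` stores its argument verbatim as the encrypted password field, so a plaintext word ends up in the `nx_plain` state, while `usermod -p '*' nx` produces the `nx_star` state: no lock marker and no password that can ever match.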
 
03-19-2009, 03:15 PM
Joseph

nxserver-freenx - user nx not allowed because account is locked

On 03/19/09 10:51, Paul Hartman wrote:

So at this point I'm back to square one; in log/messages I get:
User nx not allowed because account is locked


Oh, try to give user nx a password on your system. It uses ssh keys
to login, so it doesn't even matter what the password is. Just don't
make it something easily guessed/brute-force like "nx" or "1234" or
else you might have some unwanted guests in your system


I'm a bit confused as to which ssh key is the client using as I did not transfer any ssh public key to the client machine.
(Yes, I know how ssh login works)


Do I need to transfer ssh key from: /etc/nxserver/users.id_dsa.pub
to my client machine?

--
#Joseph
GPG KeyID: ED0E1FB7
 
03-19-2009, 03:34 PM
Joseph

nxserver-freenx - user nx not allowed because account is locked

On 03/19/09 11:16, Paul Hartman wrote:

it accepted the password, now do I run the setup again:
nxsetup --install --setup-nomachine-key --clean --purge

If I try to login from another machine do I login as user "nx"?
When I try to login from another machine on my network I get:
Your guest account has expired...


The way NX works is it uses the nx user as an intermediate. You need
to login as a normal user, and you need to explicitly give that user
permission to use NX by doing nxserver --useradd yourname (which will
generate NX ssh keys and put them in that user's directory).

If you use interactive/PAM authentication on your system, NX can use
your user's normal system password; if you use key-based
authentication for SSH the only way to make NX work is to use its
internal password database and assign an NX-specific password to that
user. In nxclient, copy the normal SSH key, and then in the nxclient
login box put the NX username and password.


I'm getting something :-/
On the nxserver I set the sshd to "pam yes"
When I try to login from client as user: joseph + my_password I get:

Could not yet established the connection to the remote proxy...

--
#Joseph
GPG KeyID: ED0E1FB7
 
03-19-2009, 03:38 PM
Joseph

nxserver-freenx - user nx not allowed because account is locked

On 03/19/09 11:29, Paul Hartman wrote:


it accepted the password, now do I run the setup again:
nxsetup --install --setup-nomachine-key --clean --purge

If I try to login from another machine do I login as user "nx"?
When I try to login from another machine on my network I get:
Your guest account has expired...


The way NX works is it uses the nx user as an intermediate. You need
to login as a normal user, and you need to explicitly give that user
permission to use NX by doing nxserver --useradd yourname (which will
generate NX ssh keys and put them in that user's directory).

If you use interactive/PAM authentication on your system, NX can use
your user's normal system password; if you use key-based
authentication for SSH the only way to make NX work is to use its
internal password database and assign an NX-specific password to that
user. In nxclient, copy the normal SSH key, and then in the nxclient
login box put the NX username and password.



I think the user DB setting is in /usr/NX/etc/server.cfg


No there is no such file or directory on the server; that is why I'm asking if after setting the password for user "nx" I should run this command again:
nxsetup --install --setup-nomachine-key --clean --purge

as it is my impression that the setup was not complete.

--
#Joseph
GPG KeyID: ED0E1FB7
 
03-19-2009, 06:17 PM
Joseph

nxserver-freenx - user nx not allowed because account is locked

On 03/19/09 13:07, Paul Hartman wrote:


I think the user DB setting is in /usr/NX/etc/server.cfg


No there is no such file or directory on the server; that is why I'm asking
if after setting the password for user "nx" I should run this command again:
nxsetup --install --setup-nomachine-key --clean --purge

as it is my impression that the setup was not complete.


Hmm. Okay, I am actually using nxserver-freeedition and not
nxserver-freenx. (I always get those confused).


Thanks, it is the first time I'm using it.
What is the actual difference between nxserver-freeedition and nxserver-freenx besides the license?
Maybe I'll try nxserver-freeedition.

--
#Joseph
GPG KeyID: ED0E1FB7
 
03-19-2009, 09:29 PM
Joseph

nxserver-freenx - user nx not allowed because account is locked

On 03/19/09 13:07, Paul Hartman wrote:

In my sshd_config I've got:

PermitRootLogin No
RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM no

Then in /usr/NX/etc/server.cfg I have:
EnableUserDB = "1"
EnablePasswordDB = "1"


then run "/usr/NX/bin/nxserver --useradd yourusername" which will add
that user to the NX user database as well as create/add an SSH key to
that user (which is only used by NX on the local machine, it will SSH
to itself). The password you create for this user is what you'll use
in nxclient when connecting to the remote machine, and the SSH key in
nxclient is the one that user would normally use to login to the box
with regular SSH.

If you don't use key authentication with SSH, you should be able to
have the two NX server options above set to 0, and use the user's
normal password to login. You will still need to put your NX server
key into nxclient (unless you use the default key which is already in
there).

It is tricky to set up, but once it works it is awesome. It beats
VNC or RDP easily.

Paul


I've tried to duplicate this setting but I can only log in with my username and password I created from a nxclient when I have in
sshd_config

...
UsePAM yes

If I set it to no I cannot log in.
In your last section on copying keys, I'm not sure I follow it.
For now I used the default key that the server came with.

What do you call nxclient?
Is it the user account name on the server I created with "...nxserver --useradd joseph"?
This command copied the nxserver key to my home ~/.ssh/authorized_keys file.

--
#Joseph
GPG KeyID: ED0E1FB7
 
03-19-2009, 10:29 PM
Joseph

nxserver-freenx - user nx not allowed because account is locked

On 03/19/09 17:48, Paul Hartman wrote:

Here is my understanding of how the NX bits all fit together:

Think of it as a 2-step connection. The first step is connecting from
the remote nxclient to the nxserver. For this step, it uses the SSH
key that you can put into nxclient. That only authenticates you as
being able to connect to the NX server, it doesn't get you into any
user files or desktops. By keeping the default NX key, anyone with NX
client can connect to your box and get to this point.


I think my ssh-keys might not be correct between the nxclient.
I've installed on one Linux box:
net-misc/nxclient
and the server is running: nxserver-freeedition

maybe the key from nxclient:
/usr/NX/share/keys/server.id_dsa.key
is not the correct one, this key is a private key.
and to my understanding in order to log in to the server I need to copy nxclient's public key to the server; but I cannot find one.

--
#Joseph
GPG KeyID: ED0E1FB7
 
03-20-2009, 03:36 PM
Joseph

nxserver-freenx - user nx not allowed because account is locked

On 03/20/09 10:07, Paul Hartman wrote:

Hi,

You need to copy the server's "default" key to the client. Copy
/usr/NX/share/keys/default.id_dsa.key (NOT server.id_dsa.key) from the
server into the nxclient (Configure -> Keys -> Import or paste it in).


Thank you.
Yes, I had that part correct.
The problem in my case is the nx user password needs to be set to unlock the account.

Now, I'm fighting to connect to Windows XP :-/ running in VirtualBox

--
Joseph
 
