NX server auth suggestion… local/passwd auth without allowing passwd auth on public sshd July 21, 2008 at 10:41 pm

I thought this was pretty simple, but after chatting with a few, apparently not a lot have thought of it.  If you want to use NX to connect to a server from the internet, but also want more security on that same host by only allowing known rsa/dsa keys the ability to login, and you don’t like the nx passworddb option; you can use the following setup:

  • Leave the “public” sshd process listening on port 22, only allowing known keys (and don’t allow root logins IMO).
  • Setup a 2nd “local” sshd process listening on another port.  My setup is as follows:
    • Create /etc/ssh/sshd_config_local, in that file there will be 2 differences…
    • Port 222
    • UsePAM yes (or set PasswordAuthentication yes if you don’t use PAM).
    • For extra super security, also set: ListenAddress
  • Setup another init script (I just copied sshd to sshd_local) and add the following to the line that spawns the sshd process:
    • -f /etc/ssh/sshd_config_local

Setup your links, run chkconfig, whatever your distribution does, and then start the service (sudo su – root -c ‘/etc/init.d/sshd_local start’).   You should now have another daemon running that looks like:
 /usr/sbin/sshd -f /etc/ssh/sshd_config_local

The only configs needed for nx (I’m using the free nomachine server, not freenx, might be slight differences) are (in /usr/NX/etc/server.cfg):

  • SSHDAuthPort to 222
  • EnablePasswordDB = 0

..and that’s it.  Now connections to the server connect to port 22 as user nx using the key that came with the client (or you can setup a custom key… you figure that out) and then it does the ssh step (to auth/fwd the connection) via basically doing an ‘ssh -p 222 -l $USER localhost’ on the server, so it uses your “local” sshd copy and passwords work.

One Response to “NX server auth suggestion… local/passwd auth without allowing passwd auth on public sshd”

  1. Just making sure comments (which are back on) are working with captcha.

Leave a Reply