NX server auth suggestion… local/passwd auth without allowing passwd auth on public sshd July 21, 2008 at 10:41 pm
I thought this was pretty simple, but after chatting with a few people, apparently not many have thought of it. If you want to use NX to connect to a server from the internet, but also want more security on that same host by only allowing known RSA/DSA keys to log in, and you don’t like the NX passworddb option, you can use the following setup:
- Leave the “public” sshd process listening on port 22, accepting only known keys (and don’t allow root logins, IMO).
- Set up a second “local” sshd process listening on another port. My setup is as follows:
- Create /etc/ssh/sshd_config_local; in that file there are two differences…
- Port 222
- UsePAM yes (or set PasswordAuthentication yes if you don’t use PAM).
- For extra super security, also set: ListenAddress 127.0.0.1 (so the password-accepting daemon is only reachable from the host itself, not from the network).
- Set up another init script (I just copied sshd to sshd_local) and add the following to the line that spawns the sshd process:
- -f /etc/ssh/sshd_config_local
Set up your links, run chkconfig, or whatever your distribution does, and then start the service (sudo su - root -c '/etc/init.d/sshd_local start'). You should now have another daemon running that looks like:
/usr/sbin/sshd -f /etc/ssh/sshd_config_local
The only configs needed for NX (I’m using the free NoMachine server, not FreeNX; there might be slight differences) are, in /usr/NX/etc/server.cfg:
- SSHDAuthPort = 222
- EnablePasswordDB = 0
...and that’s it. Now connections to the server go to port 22 as user nx, using the key that came with the client (or you can set up a custom key… you figure that out), and then the server does the ssh step (to authenticate and forward the connection) by essentially running 'ssh -p 222 -l $USER localhost' locally, so it uses your “local” sshd copy and passwords work.
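As an added check, not part of the original post: a small Python audit of the two sshd_config files that applies sshd's first-occurrence-wins rule and flags the settings this split-daemon setup depends on. It also checks ChallengeResponseAuthentication, which the post does not mention but which otherwise leaves a PAM password path open on the public daemon; the config texts at the bottom are constructed samples, and the parser assumes no Match blocks.

```python
# Added example, not from the original post: audit the two sshd_config files of
# the split-daemon setup. Parsing follows sshd_config rules: '#' comments,
# case-insensitive keywords, "Key value" or "Key=value", first occurrence of a
# keyword wins (Port/ListenAddress accumulate). Assumption: no Match blocks.
import re

def parse_sshd_config(text):
    conf = {}
    for raw in text.splitlines():
        parts = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
        if len(parts) != 2:
            continue
        key, val = parts[0].lower(), parts[1].strip()
        if key in ("port", "listenaddress"):
            conf.setdefault(key, []).append(val)
        elif key not in conf:
            conf[key] = val
    return conf

def audit_public(text):
    """Internet-facing sshd on port 22: keys only, no root."""
    c, f = parse_sshd_config(text), []
    if c.get("passwordauthentication", "yes") != "no":
        f.append("public: PasswordAuthentication is not 'no' (sshd default is yes)")
    # UsePAM yes still lets PAM ask for a password via keyboard-interactive
    # unless ChallengeResponseAuthentication is turned off as well.
    if c.get("usepam", "no") == "yes" and c.get("challengeresponseauthentication", "yes") != "no":
        f.append("public: UsePAM yes needs ChallengeResponseAuthentication no")
    if c.get("permitrootlogin", "yes") != "no":
        f.append("public: PermitRootLogin is not 'no'")
    return f

def audit_local(text):
    """Loopback-only sshd on port 222 that nxserver talks to: passwords must work."""
    c, f = parse_sshd_config(text), []
    if "22" in c.get("port", ["22"]):
        f.append("local: must not listen on port 22 (the public daemon owns it)")
    addrs = c.get("listenaddress", [])  # "127.0.0.1" or "127.0.0.1:222" (IPv4 only)
    if not addrs or not all(a.split(":")[0].startswith("127.") for a in addrs):
        f.append("local: ListenAddress must pin the daemon to 127.0.0.1")
    pam = c.get("usepam", "no") == "yes" and c.get("challengeresponseauthentication", "yes") == "yes"
    if c.get("passwordauthentication", "yes") != "yes" and not pam:
        f.append("local: password login is off, nxserver's 'ssh -p 222 localhost' will fail")
    return f

# Constructed samples: a public daemon left at defaults, then the hardened pair.
PUBLIC_DEFAULT = "Port 22\nUsePAM yes\n"
PUBLIC_HARDENED = ("Port 22\nPasswordAuthentication no\n"
                   "ChallengeResponseAuthentication no\nUsePAM yes\nPermitRootLogin no\n")
LOCAL_HARDENED = "Port 222\nListenAddress 127.0.0.1\nUsePAM yes\nPasswordAuthentication yes\n"
```

Run audit_public on your /etc/ssh/sshd_config and audit_local on /etc/ssh/sshd_config_local; an empty list means the file carries the settings the setup relies on.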