headers
olaf-linux@gmx.de | 1 Jul 2010 22:19
Picon
Picon

Re: Sabayon/xnest and FreeNX

Hi!

First I want to say "thank you" to all people who help me in this (and
other) issues.

This thread is out-of-date for me because I followed your commendations,
and now I use icewm. It's absolutely great for thinclients with
restricted user-access.

But if someone find and follow this thread in future and have the same
problem with icewm (or icem + thinstation) and a not full functional
desktop, here is the solution:
in the "thinstation.conf.network (or thinstation.conf.WHATEVER) you have
to set
SESSION_0_NX_GENERAL_COMMAND_LINE="icewm-session"

Before that I have
SESSION_0_NX_GENERAL_COMMAND_LINE="icewm"
but than there is no real desktop, so I run in the issues I described
before.

Here my "new" part in the thinstation.conf.network:

SESSION_0_TYPE=nx
SESSION_0_TITLE="icewm"
SESSION_0_NX_ADVANCED_ENABLE_SSL_ENCRYPTION="true"
SESSION_0_NX_GENERAL_ONLY_CONSOLE="false"
SESSION_0_NX_GENERAL_REMOVE_OLD_SESSIONS="true"
SESSION_0_NX_LOGIN_USER="Benutzername"
SESSION_0_NX_GENERAL_COMMAND_LINE="icewm-session"
(Continue reading)

Permalink | Reply | 0 comments |
headers
Freek de Kruijf | 3 Jul 2010 15:34
Picon

Starting a NX-session fails while publickey is OK but still rejected

When I start a NX-session I have enables DEBUG logging in sshd.

Below are the lines in the messages file:
Jul  3 13:29:54 eik113 sshd[4215]: debug1: trying public key file 
/var/lib/nxserver/home/.ssh/authorized_keys2
Jul  3 13:29:54 eik113 sshd[4215]: debug1: fd 4 clearing O_NONBLOCK
Jul  3 13:29:54 eik113 sshd[4215]: debug1: matching key found: file 
/var/lib/nxserver/home/.ssh/authorized_keys2, line 1
Jul  3 13:29:54 eik113 sshd[4215]: Found matching DSA key: 
xx:yy:zz:aa:bb:cc:dd:ee:ff:gg:hh:ii:jj:kk:11:22 <- clobbered
Jul  3 13:29:54 eik113 sshd[4215]: debug1: restore_uid: 0/0
Jul  3 13:29:54 eik113 sshd[4215]: debug1: ssh_dss_verify: signature correct
Jul  3 13:29:54 eik113 sshd[4215]: debug1: do_pam_account: called
Jul  3 13:29:54 eik113 sshd[4215]: Failed publickey for nx from 192.168.1.32 
port 44490 ssh2
Jul  3 13:29:54 eik113 sshd[4215]: debug1: do_cleanup
Jul  3 13:29:54 eik113 sshd[4215]: debug1: PAM: cleanup

I can login from the same machine using publickey access OK.
There is nothing in the file /var/log/nxserver.log; which has the proper 
access rights. Owner is nx.

I make the connection using ssh -i <file with private key> nx <at> <nxserver> which 
gives me the an annoucement and the NX> prompt on a server that works. But I 
get "Connection closed by 192.168.1.33" on the above system.

--

-- 
fr.gr.

Freek de Kruijf
(Continue reading)

Permalink | Reply | 8 comments |
headers
chris | 3 Jul 2010 16:34
Favicon

Re: Starting a NX-session fails while publickey is OK but still rejected



Freek de Kruijf <f.de.kruijf <at> gmail.com> wrote on 03/07/2010 14:34:03:

> When I start a NX-session I have enables DEBUG logging in sshd.
>
> Below are the lines in the messages file:
> Jul  3 13:29:54 eik113 sshd[4215]: debug1: trying public key file
> /var/lib/nxserver/home/.ssh/authorized_keys2
> Jul  3 13:29:54 eik113 sshd[4215]: debug1: fd 4 clearing O_NONBLOCK
> Jul  3 13:29:54 eik113 sshd[4215]: debug1: matching key found: file
> /var/lib/nxserver/home/.ssh/authorized_keys2, line 1
> Jul  3 13:29:54 eik113 sshd[4215]: Found matching DSA key:
> xx:yy:zz:aa:bb:cc:dd:ee:ff:gg:hh:ii:jj:kk:11:22 <- clobbered
> Jul  3 13:29:54 eik113 sshd[4215]: debug1: restore_uid: 0/0
> Jul  3 13:29:54 eik113 sshd[4215]: debug1: ssh_dss_verify: signature correct
> Jul  3 13:29:54 eik113 sshd[4215]: debug1: do_pam_account: called
> Jul  3 13:29:54 eik113 sshd[4215]: Failed publickey for nx from 192.168.1.32
> port 44490 ssh2
> Jul  3 13:29:54 eik113 sshd[4215]: debug1: do_cleanup
> Jul  3 13:29:54 eik113 sshd[4215]: debug1: PAM: cleanup
>
> I can login from the same machine using publickey access OK.
> There is nothing in the file /var/log/nxserver.log; which has the proper
> access rights. Owner is nx.
>
> I make the connection using ssh -i <file with private key>
> nx <at> <nxserver> which
> gives me the an annoucement and the NX> prompt on a server that works. But I
> get "Connection closed by 192.168.1.33" on the above system.
>

Did you copy the private key into your nx client ??

<Configure><General Tab><Server Section><Key>


> --
> fr.gr.
>
> Freek de Kruijf
> ________________________________________________________________
>      Were you helped on this list with your FreeNX problem?
>     Then please write up the solution in the FreeNX Wiki/FAQ:
>
> http://openfacts2.berlios.de/wikien/index.php/BerliosProject:FreeNX_-_FAQ
>  
>          Don't forget to check the NX Knowledge Base:
>                  http://www.nomachine.com/kb/
>
> ________________________________________________________________
>        FreeNX-kNX mailing list --- FreeNX-kNX <at> kde.org
>       https://mail.kde.org/mailman/listinfo/freenx-knx
> ________________________________________________________________
________________________________________________________________
     Were you helped on this list with your FreeNX problem?
    Then please write up the solution in the FreeNX Wiki/FAQ:

http://openfacts2.berlios.de/wikien/index.php/BerliosProject:FreeNX_-_FAQ

         Don't forget to check the NX Knowledge Base:
                 http://www.nomachine.com/kb/ 

________________________________________________________________
       FreeNX-kNX mailing list --- FreeNX-kNX <at> kde.org
      https://mail.kde.org/mailman/listinfo/freenx-knx
________________________________________________________________
Permalink | Reply | 7 comments |
headers
Freek de Kruijf | 3 Jul 2010 17:11
Picon

Re: Starting a NX-session fails while publickey is OK but still rejected

Op zaterdag 3 juli 2010 16:34:20 schreef chris <at> ccburton.com:
> Freek de Kruijf <f.de.kruijf <at> gmail.com> wrote on 03/07/2010 14:34:03:
> > When I start a NX-session I have enables DEBUG logging in sshd.
> > 
> > Below are the lines in the messages file:
> > Jul  3 13:29:54 eik113 sshd[4215]: debug1: trying public key file
> > /var/lib/nxserver/home/.ssh/authorized_keys2
> > Jul  3 13:29:54 eik113 sshd[4215]: debug1: fd 4 clearing O_NONBLOCK
> > Jul  3 13:29:54 eik113 sshd[4215]: debug1: matching key found: file
> > /var/lib/nxserver/home/.ssh/authorized_keys2, line 1
> > Jul  3 13:29:54 eik113 sshd[4215]: Found matching DSA key:
> > xx:yy:zz:aa:bb:cc:dd:ee:ff:gg:hh:ii:jj:kk:11:22 <- clobbered
> > Jul  3 13:29:54 eik113 sshd[4215]: debug1: restore_uid: 0/0
> > Jul  3 13:29:54 eik113 sshd[4215]: debug1: ssh_dss_verify: signature
> 
> correct
> 
> > Jul  3 13:29:54 eik113 sshd[4215]: debug1: do_pam_account: called
> > Jul  3 13:29:54 eik113 sshd[4215]: Failed publickey for nx from
> 
> 192.168.1.32
> 
> > port 44490 ssh2
> > Jul  3 13:29:54 eik113 sshd[4215]: debug1: do_cleanup
> > Jul  3 13:29:54 eik113 sshd[4215]: debug1: PAM: cleanup
> > 
> > I can login from the same machine using publickey access OK.
> > There is nothing in the file /var/log/nxserver.log; which has the proper
> > 
> > access rights. Owner is nx.
> > 
> > I make the connection using ssh -i <file with private key>
> > nx <at> <nxserver> which
> > gives me the an annoucement and the NX> prompt on a server that works.
> 
> But I
> 
> > get "Connection closed by 192.168.1.33" on the above system.
> 
> Did you copy the private key into your nx client ??
> 

I did, but in the above I copied the private key in a separate file and used 
"ssh -i <that-file-name> nx <at> <nxserver>". In the log you can see that the 
publickey was OK, but pam refused the access. The problem is why. Doing the 
same to another nxserver with its own private key, the access was OK. I can't 
find the difference between the two servers, apart from the fact the one which 
gives acces is openSUSE 11.1 and the one with the problem is openSUSE 11.3-
RC1.

--

-- 
vr.gr.

Freek de Kruijf
________________________________________________________________
     Were you helped on this list with your FreeNX problem?
    Then please write up the solution in the FreeNX Wiki/FAQ:

http://openfacts2.berlios.de/wikien/index.php/BerliosProject:FreeNX_-_FAQ

         Don't forget to check the NX Knowledge Base:
                 http://www.nomachine.com/kb/ 

________________________________________________________________
       FreeNX-kNX mailing list --- FreeNX-kNX <at> kde.org
      https://mail.kde.org/mailman/listinfo/freenx-knx
________________________________________________________________
Permalink | Reply | 6 comments |
headers
chris | 3 Jul 2010 19:27
Favicon

Re: Initial sshd connection failing for user nx with nxclient, but not with ssh


Freek de Kruijf <f.de.kruijf <at> gmail.com> wrote on 03/07/2010 16:11:26:
[SNIP]
> > > /var/lib/nxserver/home/.ssh/authorized_keys2, line 1
> > > Jul  3 13:29:54 eik113 sshd[4215]: Found matching DSA key:
> > > xx:yy:zz:aa:bb:cc:dd:ee:ff:gg:hh:ii:jj:kk:11:22 <- clobbered
> > > Jul  3 13:29:54 eik113 sshd[4215]: debug1: restore_uid: 0/0
> > > Jul  3 13:29:54 eik113 sshd[4215]: debug1: ssh_dss_verify: signature
>> > correct

Hmm, it's matched keys, gone back to root  . . .

> >
> > > Jul  3 13:29:54 eik113 sshd[4215]: debug1: do_pam_account: called

called pam

> > > Jul  3 13:29:54 eik113 sshd[4215]: Failed publickey for nx from
>> > 192.168.1.32  port 44490 ssh2

and failed

What happens here in DEBUG3 ??

> > > Jul  3 13:29:54 eik113 sshd[4215]: debug1: do_cleanup
> > > Jul  3 13:29:54 eik113 sshd[4215]: debug1: PAM: cleanup
[SNIP]
> "ssh -i <that-file-name> nx <at> <nxserver>". In the log you can see that the
> publickey was OK, but pam refused the access. The problem is why. Doing the
> same to another nxserver with its own private key, the access was OK. I can't
> find the difference between the two servers, apart from the fact theone which
> gives acces is openSUSE 11.1 and the one with the problem is openSUSE 11.3-
> RC1.
Hmmm

you are connecting to the same sshd both times ie. the same port is set in
the nxclient, (or you don't have two sshds running) ??
and
you are connecting from the same workstation both times ?? aren't you

What do you get logged when you run ssh -i file nx <at> server
in the same debug mode ???

>
> --
> vr.gr.
>
> Freek de Kruijf
________________________________________________________________
     Were you helped on this list with your FreeNX problem?
    Then please write up the solution in the FreeNX Wiki/FAQ:

http://openfacts2.berlios.de/wikien/index.php/BerliosProject:FreeNX_-_FAQ

         Don't forget to check the NX Knowledge Base:
                 http://www.nomachine.com/kb/ 

________________________________________________________________
       FreeNX-kNX mailing list --- FreeNX-kNX <at> kde.org
      https://mail.kde.org/mailman/listinfo/freenx-knx
________________________________________________________________
Permalink | Reply | 5 comments |
headers
Freek de Kruijf | 3 Jul 2010 22:07
Picon

Re: Initial sshd connection failing for user nx with nxclient, but not with ssh

Op zaterdag 3 juli 2010 19:27:41 schreef chris <at> ccburton.com:
> > > > Jul  3 13:29:54 eik113 sshd[4215]: debug1: do_pam_account: called
> 
> called pam
> 
> > > > Jul  3 13:29:54 eik113 sshd[4215]: Failed publickey for nx from
> >> > 
> >> > 192.168.1.32  port 44490 ssh2
> 
> and failed
> 
> What happens here in DEBUG3 ??
Jul  3 21:53:14 eik113 sshd[5715]: debug1: restore_uid: 0/0
Jul  3 21:53:14 eik113 sshd[5715]: debug3: mm_answer_keyallowed: key 
0x7f71132f9110 is allowed
Jul  3 21:53:14 eik113 sshd[5715]: debug3: mm_request_send entering: type 21
Jul  3 21:53:14 eik113 sshd[5715]: debug3: mm_request_receive entering
Jul  3 21:53:14 eik113 sshd[5715]: debug3: monitor_read: checking request 22
Jul  3 21:53:14 eik113 sshd[5715]: debug1: ssh_dss_verify: signature correct
Jul  3 21:53:14 eik113 sshd[5715]: debug3: mm_answer_keyverify: key 
0x7f71132f9110 signature verified
Jul  3 21:53:14 eik113 sshd[5715]: debug3: mm_request_send entering: type 23
Jul  3 21:53:14 eik113 sshd[5715]: debug3: mm_request_receive_expect entering: 
type 46
Jul  3 21:53:14 eik113 sshd[5715]: debug3: mm_request_receive entering
Jul  3 21:53:14 eik113 sshd[5715]: debug1: do_pam_account: called
Jul  3 21:53:14 eik113 sshd[5715]: debug3: PAM: do_pam_account pam_acct_mgmt = 
6 (Permission denied)
Jul  3 21:53:14 eik113 sshd[5715]: debug3: mm_request_send entering: type 47
Jul  3 21:53:14 eik113 sshd[5715]: Failed publickey for nx from 192.168.1.32 
port 47272 ssh2
Jul  3 21:53:14 eik113 sshd[5715]: debug3: mm_request_receive entering
Jul  3 21:53:14 eik113 sshd[5715]: debug1: do_cleanup
Jul  3 21:53:14 eik113 sshd[5715]: debug1: PAM: cleanup
Jul  3 21:53:14 eik113 sshd[5715]: debug3: PAM: sshpam_thread_cleanup entering

--

-- 
fr.gr.

Freek de Kruijf
________________________________________________________________
     Were you helped on this list with your FreeNX problem?
    Then please write up the solution in the FreeNX Wiki/FAQ:

http://openfacts2.berlios.de/wikien/index.php/BerliosProject:FreeNX_-_FAQ

         Don't forget to check the NX Knowledge Base:
                 http://www.nomachine.com/kb/ 

________________________________________________________________
       FreeNX-kNX mailing list --- FreeNX-kNX <at> kde.org
      https://mail.kde.org/mailman/listinfo/freenx-knx
________________________________________________________________
Permalink | Reply | 0 comments |
headers
Freek de Kruijf | 3 Jul 2010 22:38
Picon

Re: Initial sshd connection failing for user nx with nxclient, but not with ssh

Op zaterdag 3 juli 2010 19:27:41 schreef chris <at> ccburton.com:
> > "ssh -i <that-file-name> nx <at> <nxserver>". In the log you can see that the
> > publickey was OK, but pam refused the access. The problem is why. Doing
> > the same to another nxserver with its own private key, the access was OK.
> > I can't find the difference between the two servers, apart from the fact
> > the one which gives acces is openSUSE 11.1 and the one with the problem is
> > openSUSE 11.3-RC1.
> 
> Hmmm
> 
> you are connecting to the same sshd both times ie. the same port is set in
> the nxclient, (or you don't have two sshds running) ??
> and
> you are connecting from the same workstation both times ?? aren't you

These are two different machines, but I do not use nxclient to connect but
ssh -i <file-with-private-key> nx <at> <nxserver>

> What do you get logged when you run ssh -i file nx <at> server
> in the same debug mode ???
Below is the log when it is OK from the same point in the log as the previous 
message.
Jul  3 22:25:40 ktmhost sshd[9217]: debug1: restore_uid: 0/0
Jul  3 22:25:40 ktmhost sshd[9217]: debug3: mm_answer_keyallowed: key 
0xb7910bb8 is allowed
Jul  3 22:25:40 ktmhost sshd[9217]: debug3: mm_append_debug: Appending debug 
messages for child
Jul  3 22:25:40 ktmhost sshd[9217]: debug3: mm_request_send entering: type 21
Jul  3 22:25:40 ktmhost sshd[9217]: debug3: mm_request_receive entering
Jul  3 22:25:40 ktmhost sshd[9217]: debug3: monitor_read: checking request 22
Jul  3 22:25:40 ktmhost sshd[9217]: debug1: ssh_dss_verify: signature correct
Jul  3 22:25:40 ktmhost sshd[9217]: debug3: mm_answer_keyverify: key 
0xb7910ca8 signature verified
Jul  3 22:25:40 ktmhost sshd[9217]: debug3: mm_request_send entering: type 23
Jul  3 22:25:40 ktmhost sshd[9217]: debug3: mm_request_receive_expect 
entering: type 46
Jul  3 22:25:40 ktmhost sshd[9217]: debug3: mm_request_receive entering
Jul  3 22:25:40 ktmhost sshd[9217]: debug1: do_pam_account: called
Jul  3 22:25:40 ktmhost sshd[9217]: debug3: PAM: do_pam_account pam_acct_mgmt 
= 0 (Success)
Jul  3 22:25:40 ktmhost sshd[9217]: debug3: mm_request_send entering: type 47
Jul  3 22:25:40 ktmhost sshd[9217]: Accepted publickey for nx from 
213.10.98.183 port 61863 ssh2
Jul  3 22:25:40 ktmhost sshd[9217]: debug1: monitor_child_preauth: nx has been 
authenticated by privileged process
Jul  3 22:25:40 ktmhost sshd[9217]: debug3: mm_get_keystate: Waiting for new 
keys
Jul  3 22:25:40 ktmhost sshd[9217]: debug3: mm_request_receive_expect 
entering: type 24
Jul  3 22:25:40 ktmhost sshd[9217]: debug3: mm_request_receive entering
Jul  3 22:25:40 ktmhost sshd[9217]: debug3: mm_newkeys_from_blob: 
0xb7913178(118)
Jul  3 22:25:40 ktmhost sshd[9217]: debug2: mac_setup: found hmac-md5

The difference is in the do_pam_account: called, in the next line I got a 
succes.

Maybe I have to check for differences in the files in /etc/pam.d/
But I can make ssh calls to other accounts than nx on both machines using 
publickey access. I checked the entries for nx both in /etc/passwd and 
/etc/shadow which are essentially the same in both systems.

--

-- 
fr.gr.

Freek de Kruijf
________________________________________________________________
     Were you helped on this list with your FreeNX problem?
    Then please write up the solution in the FreeNX Wiki/FAQ:

http://openfacts2.berlios.de/wikien/index.php/BerliosProject:FreeNX_-_FAQ

         Don't forget to check the NX Knowledge Base:
                 http://www.nomachine.com/kb/ 

________________________________________________________________
       FreeNX-kNX mailing list --- FreeNX-kNX <at> kde.org
      https://mail.kde.org/mailman/listinfo/freenx-knx
________________________________________________________________
Permalink | Reply | 3 comments |
headers
chris | 4 Jul 2010 12:54
Favicon

Re: Initial sshd connection failing for user nx with nxclient, but not with ssh


Freek de Kruijf <f.de.kruijf <at> gmail.com> wrote on 03/07/2010 21:38:50:


> Jul  3 22:25:40 ktmhost sshd[9217]: debug1: do_pam_account: called
> Jul  3 22:25:40 ktmhost sshd[9217]: debug3: PAM: do_pam_account pam_acct_mgmt
> = 0 (Success)
> Jul  3 22:25:40 ktmhost sshd[9217]: debug3: mm_request_send entering: type 47
> Jul  3 22:25:40 ktmhost sshd[9217]: Accepted publickey for nx from
> 213.10.98.183 port 61863 ssh2

> Jul  3 21:53:14 eik113 sshd[5715]: debug1: do_pam_account: called
> Jul  3 21:53:14 eik113 sshd[5715]: debug3: PAM:
> do_pam_account pam_acct_mgmt =  6 (Permission denied)
> Jul  3 21:53:14 eik113 sshd[5715]: debug3: mm_request_send entering: type 47
> Jul  3 21:53:14 eik113 sshd[5715]: Failed publickey for nx from 192.168.1.32
> port 47272 ssh2

You are connecting from different machines (ok, maybe out of a different NIC in the
 same machine ).

You really need to try both methods from the same workstation, so that nothing else
is different ( except the ssh client ) !!

Whilst you're at it try setting

        sudo pam-config -a --pam-debug

first, and tell us what appears in the log.

Are you using an older nxclient ??

This sort of thing has been reported before but I can't see where anyone fixed it
at first glance.

>
>
> --
> fr.gr.
>
> Freek de Kruijf
> ________________________________________________________________
>      Were you helped on this list with your FreeNX problem?
>     Then please write up the solution in the FreeNX Wiki/FAQ:
>
> http://openfacts2.berlios.de/wikien/index.php/BerliosProject:FreeNX_-_FAQ
>  
>          Don't forget to check the NX Knowledge Base:
>                  http://www.nomachine.com/kb/
>
> ________________________________________________________________
>        FreeNX-kNX mailing list --- FreeNX-kNX <at> kde.org
>       https://mail.kde.org/mailman/listinfo/freenx-knx
> ________________________________________________________________
________________________________________________________________
     Were you helped on this list with your FreeNX problem?
    Then please write up the solution in the FreeNX Wiki/FAQ:

http://openfacts2.berlios.de/wikien/index.php/BerliosProject:FreeNX_-_FAQ

         Don't forget to check the NX Knowledge Base:
                 http://www.nomachine.com/kb/ 

________________________________________________________________
       FreeNX-kNX mailing list --- FreeNX-kNX <at> kde.org
      https://mail.kde.org/mailman/listinfo/freenx-knx
________________________________________________________________
Permalink | Reply | 2 comments |
headers
Freek de Kruijf | 4 Jul 2010 15:12
Picon

Re: Initial sshd connection failing for user nx with nxclient, but not with ssh

Op zondag 4 juli 2010 12:54:51 schreef chris <at> ccburton.com:

> 
> You are connecting from different machines (ok, maybe out of a different
> NIC in the same machine ).

No the machine I am connecting from is the same. However I do not use nxclient 
for the tests, but I use "ssh -i <file-with-key> nx <at> <nxserver>

<nxserver> is either a machine in my local network with openSUSE 11.3-RC1 or
a remote machine, which I manage, with openSUSE 11.1.
> 
> You really need to try both methods from the same workstation, so that
> nothing else is different ( except the ssh client ) !!

I am sure the problem is not the client side. It is the server side and I 
found another method for testing. Now I use on the server as root the command 
"su - nx".

This is what I see when it is OK.
ktmhost:~ # su - nx                                                                                             
HELLO NXSERVER - Version 3.2.0-73 OS (GPL, using backend: 3.2.0)                                                
NX> 105 quit                                                                                                    
quit                                                                                                            
Quit                                                                                                            
NX> 999 Bye 

This what I see when it is not OK.
eik113:~ # su - nx
su: wrong password

> Whilst you're at it try setting
> 
>         sudo pam-config -a --pam-debug
> 
> first, and tell us what appears in the log.

This is what I found in the log after giving the above pam-config commands and 
the "su - nx" command.
When OK:
Jul  4 14:26:09 ktmhost su: pam_unix2(su-l:account): pam_sm_acct_mgmt() called
Jul  4 14:26:09 ktmhost su: pam_unix2(su-l:account): username=[nx]
Jul  4 14:26:09 ktmhost su: pam_unix2(su-l:account): expire() returned with 0
Jul  4 14:26:09 ktmhost su: (to nx) freek on /dev/pts/0
Jul  4 14:26:09 ktmhost su: pam_limits(su-l:session): reading settings from 
'/etc/security/limits.conf'
Jul  4 14:26:09 ktmhost su: pam_unix2(su-l:session): session started for user 
nx: service=su-l, tty=pts/0
Jul  4 14:26:13 ktmhost su: pam_unix2(su-l:session): session finished for user 
nx: service=su-l, tty=pts/0

When not OK:
Jul  4 14:27:12 eik113 su: pam_unix2(su-l:account): pam_sm_acct_mgmt() called
Jul  4 14:27:12 eik113 su: pam_unix2(su-l:account): username=[nx]
Jul  4 14:27:12 eik113 su: pam_unix2(su-l:account): expire() returned with 0
Jul  4 14:27:12 eik113 su: pam_unix2(su-l:account): Account is locked for nx
Jul  4 14:27:12 eik113 su: FAILED SU (to nx) root on /dev/pts/0

When I use "passwd -S nx" on both servers, both accounts have LK(=locked) 
displayed, which should be the case (it is locked for password access).

> 
> Are you using an older nxclient ??

In my view this irrelevant at this moment, because it is not used in the above 
tests.

> This sort of thing has been reported before but I can't see where anyone
> fixed it
> at first glance.

I can't think of anything why pam for the account nx returns a locked status.

"pam-config -q --unix2" return the same information on both systems. 

--

-- 
fr.gr.

Freek de Kruijf
________________________________________________________________
     Were you helped on this list with your FreeNX problem?
    Then please write up the solution in the FreeNX Wiki/FAQ:

http://openfacts2.berlios.de/wikien/index.php/BerliosProject:FreeNX_-_FAQ

         Don't forget to check the NX Knowledge Base:
                 http://www.nomachine.com/kb/ 

________________________________________________________________
       FreeNX-kNX mailing list --- FreeNX-kNX <at> kde.org
      https://mail.kde.org/mailman/listinfo/freenx-knx
________________________________________________________________
Permalink | Reply | 1 comment |
headers
chris | 4 Jul 2010 16:58
Favicon

Re: Initial sshd connection failing for user nx with nxclient, but not with ssh


Freek de Kruijf <f.de.kruijf <at> gmail.com> wrote on 04/07/2010 14:12:58:

> No the machine I am connecting from is the same. However I do not
> use nxclient for the tests, but I use "ssh -i <file-with-key>
> nx <at> <nxserver>

??? OK, I see where I've been misunderstanding you.

When you said you could log in using ssh, I thought you meant you
couldn't log in on the same machine with the nxclient but you could
using ssh, when in fact you just mean that the nx account is locked
to ssh even though it shouldn't be.

Right, I see you have been comparing two servers, and
nx <at> <nxserver> is the other one.
I didn't spot the host name difference in the your logs even
though I copied entries from the two postings.

Silly me. This is the problem of doing two things at once.

Well

I think they've made a few changes in pam's account locking,
with /etc/nologin.
I think it's moved to account instead of auth though I'm not
sure of the details without looking it up.

Who knows what else has changed . .

On the other hand it could be you found a bug somewhere.

Maybe
        password: nullok
isn't working (if you have it set)

Try giving the nx account a password as a test.

There is also maybe uid >= 500 or some such in the pam.d
files.

Try setting up a new account with no password and see if you
can ssh to it.

> --
> fr.gr.
>
> Freek de Kruijf
> ________________________________________________________________
>      Were you helped on this list with your FreeNX problem?
>     Then please write up the solution in the FreeNX Wiki/FAQ:
>
> http://openfacts2.berlios.de/wikien/index.php/BerliosProject:FreeNX_-_FAQ
>  
>          Don't forget to check the NX Knowledge Base:
>                  http://www.nomachine.com/kb/
>
> ________________________________________________________________
>        FreeNX-kNX mailing list --- FreeNX-kNX <at> kde.org
>       https://mail.kde.org/mailman/listinfo/freenx-knx
> ________________________________________________________________
________________________________________________________________
     Were you helped on this list with your FreeNX problem?
    Then please write up the solution in the FreeNX Wiki/FAQ:

http://openfacts2.berlios.de/wikien/index.php/BerliosProject:FreeNX_-_FAQ

         Don't forget to check the NX Knowledge Base:
                 http://www.nomachine.com/kb/ 

________________________________________________________________
       FreeNX-kNX mailing list --- FreeNX-kNX <at> kde.org
      https://mail.kde.org/mailman/listinfo/freenx-knx
________________________________________________________________
Permalink | Reply | 0 comments |

Gmane