NX-Client
From OptionC
| Table of contents |
Introduction
One of the ways to connect to a Xen virtual machine is through the use of NX Server and NX Client from NoMachine (http://nomachine.com/). We use FreeNX on our virtual machines.
Installation
Debian Install
Add the following line to the /etc/apt/sources.list:
deb http://kanotix.com/files/debian/ ./
Refresh the packaging database and then install freenx:
# apt-get update # apt-get install freenx
[To be completed]
Mandrake Install
[To be completed]
Security
There is a default key pair used by NX Client and FreeNX in order to connect the client to the server. However, some packages of FreeNX use their own default key pair.
I decided that I wanted my own key pair for use on any NX server. My preference would be one with a passphrase but that's not currently possible. Somebody wrote (http://www.cs.uwaterloo.ca/cscf/howto/ssh/public_key/) that the passphrase is like a PIN on a debit card. If someone steals your debit card they still have to guess the PIN before they can use it. If someone steals your credit card they can use it straight away.
With version 1.5 of NX client (recently released) you can have individual keys assigned to individual sessions.
Here are the steps I took:
1. generate a key pair on the client machine:
$ ssh-keygen -t dsa -C "NX key pair"
Generating public/private dsa key pair.
Enter file in which to save the key (/home/blahblah/.ssh/id_dsa): /home/blahblah/.ssh/nx_id_dsa
Enter passphrase (empty for no passphrase): {no passphrase}
Enter same passphrase again: {again, no passphrase}
Your identification has been saved in /home/blahblah/.ssh/nx_id_dsa.
Your public key has been saved in /home/blahblah/.ssh/nx_id_dsa.pub.
The key fingerprint is:
3c:34:58:62:a8:ff:99:66:34:53:23:34:1d:ac:55:b9 blahblah@somemachine
2. On the server side, find the location of the NX home directory and its .ssh subdirectory. (On Debian this is /var/lib/nxserver/home/.ssh. With the Mandrake package I used it was /var/lib/nxserver/nxhome/.ssh.)
Append the public key you just created (ns_id_dsa.pub) to the authorized_keys file (this might be authorized_keys2, again depending upon the package). Make sure the permissions on the authorized_keys file are 0600 (read-write only by owner) and the owner is nx.
# chown nx authorized_keys # chmod 600 authorized_keys
3. On the client side test the connection to the NX user (replace {server} with whatever you called the server):
ssh -i /home/blahblah/.ssh/nx_id_dsa -l nx {server}
This should get you connected without a password. You should see something like the following:
HELLO NXSERVER - Version 1.4.0-03 OS (GPL) NX> 105
If not, check the logs on the server side to see why you're not connecting. One possible reason is the NX user is locked -- i.e., no password and simply turned off so that ordinary logins can't occur. Use "passwd -S nx" to check it. To fix that you'll need to unlock it ("passwd -u nx") and assign a password (it can be nonsensical and something you'll never remember; you're not going to use it directly).
4. With NX Client 1.5 you simply import your private key in the configuration dialog. On the first tab in the Server section there is a button which says "Key...". Simply cut and paste your private key from nx_id_dsa into this box and save it. With older versions of NX Client you had to set up a script to swap the client keys in /usr/NX/share/, or copy your nx_id_dsa file to /usr/NX/share/client.id_dsa.key.
5. It should now work.
References
- Home of NX (http://www.nomachine.com)
- SSH and Public Keys (http://www.cs.uwaterloo.ca/cscf/howto/ssh/public_key/)
