Hi All,

it is done. It is released. FreeNX 0.7.3 is released and I am proud to present lots of nice new features, and especially I hunted the bug list down (BerliOS Project Page) and got them all, including the dreaded "Resume fails with Negotiating Link Parameters and nxssh.exe still running.".

Perhaps the two biggest new features are full shadow support and the overhaul of the usermode. I am grateful to Amin Shehata here for his work and motivation on the shadow mode and Mr. N. Bartos, who did present me with a complete changeset for the usermode.

I also made the VNC shadowing behave the exact same as the normal shadow mode.

SHADOWING VIA NX AND VNC Resume
========================

Shadowing (also other users) works in three steps:

1. Saving the shadow cookie (obviously not needed for same user)

First, when a session is started or resumed, nxshadowacl is asked if this user should be allowed to be shadowed. This way in nxshadowacl there could be a line like:

    # Deny admin and boss to be shadowed
    [ "$1" = "admin" -o "$1" = "boss" ] && exit 1
    # Allow all others to be shadowed
    exit 0

I did use this approach as the nxserver is storing the shadowcookie in the session file if nxshadowacl allows shadowing. This is a possible security issue, so it's not enabled by default.

To enable shadowing other users besides your own user, copy nxshadowacl.sample to $PATH_BIN/nxshadowacl and add your rules there.

2. Selecting which sessions are shadowable

So now shadowacl.sample gets another argument: the user who is trying to shadow the session.

Let me give you another example:

    # Deny admin and boss to be shadowed
    [ "$1" = "admin" -o "$1" = "boss" ] && exit 1
    # Don't let boss shadow the auditors
    [ "$1" = "auditor" -a "$2" = "boss" ] && exit 1
    # Allow all others to be shadowed
    exit 0

I think you can come up with countless possibilities yourself. Speaking of that, has anyone made any great nxacl scripts yet? If so: Please share.

3. Asking the user for permission and setting the view mode

This is for now controlled by the global variables that are known from !M NX Server.

If ENABLE_SESSION_SHADOWING_AUTHORIZATION is set to "1", the user is asked, before the cookie is transmitted, if he wants his session to be shared. After a timeout of 60 (AGENT_STARTUP_TIMEOUT) the dialog is closed again and the operation deemed a failure.

The ENABLE_INTERACTIVE_SESSION_SHADOWING is directly given as -viewonly or -shadowmode to x11vnc / nxagent -S.

However, if you find it too restrictive that admin cannot help others without their confirmation and can only view what is happening, you can use a custom admin.node.conf configuration file with custom shadow mode settings.

Usermode and SUID Wrapper
==================

We are now very close to login directly with users and I also heard of a C program, which can be seamlessly put between nxclient and nxssh.

So with client support we now have three alternatives:

1. Login as user via ssh and connect to server with ssh command on server again.
2. Login as user and use usermode to save all sessions locally for each user.
3. Use a SUID nx (not root!) wrapper to startup a new "trusted" session.

One is error prone, two is good but loses the central structure, three is the best of both worlds, and being suid nx it also has the most advantages, without the dreaded public key problems.

_Yes_, this means if you use the suid wrapper, you still need the nx user, but you can remove the public keys and it'll still work.

The SUID wrapper is part of the redesign work and thanks goes to Alistair Riddoch from Google here.

So how do I enable it on a new installation?

- sudo make install
- nxsetup # note: No setup nomachine key here!
- # Uncomment the suid_install line in Makefile
- sudo make install
- # Done.

Now you just need one of the wrapper functions from SVN (nxssh) and nbartos also said he had a nice C program, so I hope he publishes it.

The wrapper is doing the first part of the authentication, logging the user in via ssh, then the following command is started:

    $PATH_BIN/nxserver-suid

And voila, the user is logged in!

The same goes for usermode. To enable the usermode with a central installation is now much easier:

- Login
- Run $PATH_BIN/nxserver-usermode

Also each user can track his own sessions this way:

- $PATH_BIN/nxserver-usermode --list

So these features enable you to finally remove the dreaded public key setup part (using a wrapper of course) and all problems that come with it.

Whatever way you choose ...

And as that is still quite some work, I have prepared and uploaded a ready made tarball for you!

It is available from:

http://download.berlios.de/freenx/NX4U.tar.gz

And I even made it so that this can be unpacked wherever you want and it'll automatically find all binaries. And this is not limited to user mode, but all normal FreeNX features are supported.

So for example unpack in /opt/NX4U/, run /opt/NX4U/nxsetup --install --setup-nomachine-key and you are ready to go.

However if you use the usermode, not even that is needed!

Okay, I said you need a wrapper? You are extremely lucky, I now wrote one in C, which I also already cross-compiled for you for Windows!

== NX Client Wrapper ==

The wrapper is very very powerful and all options can be chosen in NX Client.

How to use it?

- Download: http://download.berlios.de/freenx/nxssh or http://download.berlios.de/freenx/nxssh.exe
- Rename nxssh(.exe) from !M NX Client to mxssh(.exe).
- Put new nxssh(.exe) into place.
- Make it executable if you are on linux. (chmod a+x nxssh)
- Done.

Now you can either wrap all connections by exporting the environment variable NXWRAP=1 before starting nxclient.

Or you can instead of hostname use:

    @hostname

and set "Enable SSL Encryption" to "yes".

Now it's wrapped and the password put into the nxclient dialog is _automatically_ used for authentication of the user.

So, you (on linux) want to use your public key setup instead?

No problem, just use as username:

    @username

So, I want to connect with my private key to host big-machine, I would then put into NX Client:

    Host: @big-machine
    User: @ff

And your normal ssh options + ssh-askpass are used.

Note: By default the SSH_ASKPASS environment variable is set to /usr/bin/ssh-askpass. If you have something different, you need to export that _before_ starting nxclient.

There is also nxssh-wrapper available in SVN (from which nxssh-4US was converted) if you prefer to edit a shell script.

(http://svn.berlios.de/svnroot/repos/freenx/trunk/freenx-utils/nxpublickey/nxssh-wrapper)

Sooo! But now you want to use usermode and not suid mode, or you have installed NX4U in a non-standard location.

The wrapper knows it all. It searches first for a suitable nxserver-suid program, then for nxserver-usermode and lastly fails.

And it searches in a long PATH ...

    ~/bin:~/NX4U/:/usr/NX/bin:/opt/NX/bin:/opt/NX4U/bin/:/usr/NX4U/bin:/usr/local/NX4U/bin:/usr/lib/nx/bin

If however you want to use usermode and not suid mode or vice versa you can use the following syntax:

    user@U for usermode (or @user@U)

or:

    user@S for suid mode (or @user@S)

And you can even specify a completely different binary path with a ':'

So:

    [@]user[@[:path-to-command]]

is the full syntax!

Example for installation in /tmp/NX4U/ with public key usage:

    @ff@U:/tmp/NX4U/bin/nxserver-usermode

And it all works!

So, now NX installation really is as simple as untaring, changing client to use wrapper and BAM! running!

Okay, after this many features and me working for days on the RL announcement (I _had_ to make that wrapper!) let's take a small look at the other changes!

- Failed login attempts are now logged to syslog(3).
- nxagent has -nolisten tcp by default set as EXTRA_OPTIONS_X: Note in a load balancing + shadow mode case it might be wanted that nxagent is callable via remote.
- Bash is used for all tasks as sh is dash on ubuntu.
- mv was not working for failed or terminated sessions due to a typo. (YEAH! Finally found the bug!)
- I found a very old patch (2005), which enables connection from 32 bit to 24 bit and vice-versa. Ooops, I forgot that one, I think ...
- 3.2.0 support!
- The Makefile now actually stops on errors. Thanks goes to: Hai Zaar
- I disabled the PASSDB auth mode as people always find old tutorials and think it's necessary, while it's not. I also added a nice notice. If you had used it before and want to continue using it, be sure to reenable it in nxloadconfig / node.conf.
- Lots of rdesktop fixes by the Community were included, including that run application now actually works!
- I added the ConsoleKit application by Ubuntu team, though I think I might still be missing something for full integration. This someone needs to explain to me ;-).
- The slave mode now actually is the default as I got no reports that it did not work and it did work for me always since last release, so time to give it to a wider audience. (Also it's needed for nxserver-suid). If you have any problems with it, disable it in node.conf.

And here is the full changelog!

18.08.2008 FreeNX 0.7.3 "Priscilla One Year Edition"
  * Opened the 0.7.3 development.
  * Added logging of failed authentication attempts to auth.log via syslog (3). This can be disabled by setting ENABLE_LOG_FAILED_LOGINS="0".
    (fabianx@bat.berlios.de)
  * Added -nolisten tcp to nxagent invocation.
    (fabianx@bat.berlios.de, idea by pappy- (Gentoo))
  * Used bash for all tasks as 'sh' might be not what we want on standard ubuntu.
    (fabianx@bat.berlios.de, thx to tan (IRC))
  * Finally fixed mv not working for failed or terminated sessions.
    (fabianx@bat.berlios.de, Terje Andersen)
  * Added patch from 2005 to enable reconnect to 24-bit display via 32-bit or vice versa. Oops :)
    (Sunil)
  * Added 3.2.0 as a backend version for nxloadconfig.
    (fabianx@bat.berlios.de)
  * Added configuration key ENABLE_SOURCE_BASH_PROFILE for toggling of sourcing ~/.bash_profile.
    (fabianx@bat.berlios.de)
  * Added /usr/bin/xauth as default key and used /usr/X11R6/bin/xauth as fallback.
    (fabianx@bat.berlios.de)
  * Fixed Makefile to stop on all errors.
    (Idea by Hai Zaar, fabianx@bat.berlios.de)
  * Changed the default for ENABLE_PASSDB_AUTHENTICATION. If you had added a user with different password via --adduser consider re-activating this option in node.conf.
    (fabianx@bat.berlios.de)
  * Added constraints for passdb based commands. They are only available when ENABLE_PASSDB_AUTHENTICATION="1" else a friendly error message is shown. This should help with users using old tutorials.
    (fabianx@bat.berlios.de)
  * Added unix-console patch. Added default handler as unix-default with a fallback to xterm.
    (Idea by Jens Hatlak, fabianx@bat.berlios.de)
  * Fixed external rdesktop keyboards: A "$" was missing.
    (Bug by Phil Stricker, fabianx@bat.berlios.de)
  * Added workaround for "ch" keyboard layout to nxdesktop_helper, which NXClient 3.2.0 means as de-ch.
    (Bug by Phil Stricker, fabianx@bat.berlios.de)
  * Added clean target to Makefile.
    (Based on patch by Ubuntu FreeNX-Team, fabianx@bat.berlios.de)
  * Use :0.0 if mirrorhost is 127.0.0.1 and add -localhost for enhanced security. Also increase sleep timeout for slow machines.
    (Based on Patch by Jeremy Wilkins, fabianx@bat.berlios.de)
  * Allow RDP "Run application" sessions to work correctly.
    (David Corral <davefury@gmail.com> & the Silice Telecom staff, fabianx@bat.berlios.de)
  * Merge Xresources on startup of session.
    (Jeremy Wilkins)
  * Added nx-session-launcher from Ubuntu FreeNX-Team to use FreeNX with ConsoleKit.
    (marceloshima@gmail.com, fabianx@bat.berlios.de)
  * Moved logging functions to a more appropriate place.
    (fabianx@bat.berlios.de)
  * Finally fixed the bug when NX Client was stopped on "Negotiating link parameters" and failed session after first session suspend.
    (fabianx@bat.berlios.de)
  * Fixed missing "fi" statement. In fact it was a missing ";;".
    (fabianx@bat.berlios.de)
  * Used source instead of "." for Makefile. (Closes: #13954)
    (fabianx@bat.berlios.de)
  * Allow passwords with '\' by changing read -s to read -r -s. (Closes: #10699)
    (Patch by rpfuller@bat.berlios.de, fabianx@bat.berlios.de)
  * Allow passwords with special chars by using new url_decode on agent_password. (Closes: #10248)
    (fabianx@bat.berlios.de)
  * Fixed start/stop exit codes.
    (Patch by Gentoo Portage, fabianx@bat.berlios.de)
  * Finally checked for all service ports (cups, media, samba) and also checked it on the host where the load balancing actually leads to.
    (fabianx@bat.berlios.de)
  * Fixed broken fallback logic if SSH_CLIENT variables cannot be read correctly.
    (fabianx@bat.berlios.de)
  * Overhauled the usermode:
      * There are now two modes of operation.
        - One statically setting the ENABLE_USERMODE_AUTHENTICATION key in node.conf. (old behavior)
        - Or using nxserver-usermode as startup binary, which directly goes into the 103 stage.
      * Fixed using commandline parameters like --cleanup for static usermode.
      * Enabled the root commandline parameters in usermode.
      * Fixed usage of "nx" user as normal user in usermode.
      * Disabled slave mode and load balancing for usermode.
      * Fixed creation of the logfile directory.
      * Fixed nxnode usage of SSH_CLIENT using fallback mechanism.
    (Patch by nbartos@bat.berlios.de, fabianx@bat.berlios.de)
  * Added disabled nxserver-suid wrapper with help from Google. To enable it uncomment the suid_install target in Makefile.
    (Alistair Riddoch, fabianx@bat.berlios.de)
  * Automatically disabled slave mode, when load balancing is activated.
    (fabianx@bat.berlios.de)
  * Made ENABLE_SLAVE_MODE="1" the new default as it's faster and more reliable. If you encounter any problems with it, disable it in node.conf.
    (fabianx@bat.berlios.de)
  * Changed type for external agents to windows-helper or vnc-helper so that those sessions can be mirrored / shadowed as well.
    (fabianx@bat.berlios.de)
  * Added nxshadowacl.sample component to be able to shadow foreign sessions.
    (fabianx@bat.berlios.de)
  * Prepared shadowing foreign users for VNC-shadowing.
    (fabianx@bat.berlios.de)
  * Added shadow support to --listsession command.
    (fabianx@bat.berlios.de)
  * Added shadow mode as nxagent target.
    (fabianx@bat.berlios.de)
  * Fixed shadow mode and made it usable.
    (Patch by Amin Shehata, fabianx@bat.berlios.de)

It was a great time with you, community. I loved and integrated all patches that I could find, and I have now finally taken the step to do not only a source release, but a binary release as well!

With the new wrappers I think it's possible to finally circumvent the whole thing of public key problems and tune to what is really needed.

The "nx" user is still needed for the suid case, however an installation not using ssh public key auth via nx user could look like:

    # cd ~
    # wget http://download.berlios.de/freenx/NX4U.tar.gz
    # cd /opt
    # tar xzf ~/NX4U.tar.gz
    # /opt/NX4U/bin/nxsetup --install
    # /opt/NX4U/bin/nxserver --stop
    # remove public key
    # chown nx /opt/NX4U/bin/nxserver-suid
    # chmod u+s /opt/NX4U/bin/nxserver-suid

I also have started to integrate things like the suid wrapper from the freenx-redesign branch.

Enjoy the release and grab it from:

http://download.berlios.de/freenx/freenx-server-0.7.3.tar.gz

Best Wishes and May the Sun shine on You,

Fabian

PS: Addendum for manual installation of NX Usermode:

If you want to run from $HOME, you can change nxloadconfig to have:

- patch -p0 < gentoo-nomachine.diff
- # edit nxloadconfig and set NX_DIR=$HOME/NX4U/
- perl -pi -e 's,NX_DIR=.*,NX_DIR=\$HOME/NX4U/,' nxloadconfig
- # edit nxloadconfig and set CUPS_BACKEND="$HOME/NX4U/cups/" so Makefile does not complain
- perl -pi -e 's,CUPS_BACKEND=.*,CUPS_BACKEND="\$HOME/NX4U/cups/backend/",' nxloadconfig
- # in place fix Makefile
- perl -pi -e 's,NX_VERSION,NX_VERSION NX_ETC_DIR,' Makefile
- # install it!
- make && make install
- Now either compile and install the binaries for yourself or copy only nxagent and the libs from !M tarball.

________________________________________________________________
FreeNX-kNX mailing list --- FreeNX-kNX@kde.org
https://mail.kde.org/mailman/listinfo/freenx-knx
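
Added example for the nxshadowacl rules in the shadowing section (not part of the original post or of the FreeNX distribution): both samples in the post end in "exit 0", so any account that is not listed stays shadowable; this variant denies by default and handles both calls, the one with only the session owner and the one with owner plus shadowing user. The function name shadow_acl and all account names are hypothetical.

```bash
#!/bin/bash
# Added example: default-deny nxshadowacl logic, wrapped in a function.
# $1 = owner of the session, $2 = user who wants to shadow it (empty when
# nxserver only asks whether the shadow cookie may be stored).
# All account names below are hypothetical.

PROTECTED="admin boss auditor"   # sessions that are never shadowable
HELPERS="helpdesk1 helpdesk2"    # accounts allowed to shadow other users

in_list() {                      # in_list WORD ITEM...
    local needle item
    needle=$1
    shift
    for item in "$@"; do
        [ "$item" = "$needle" ] && return 0
    done
    return 1
}

shadow_acl() {
    local owner viewer
    owner=$1
    viewer=$2
    # Refuse empty or odd-looking names instead of comparing them.
    case $owner in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    # Protected sessions: no cookie is stored, nobody may shadow.
    # (The lists are left unquoted on purpose so they split into words.)
    in_list "$owner" $PROTECTED && return 1
    # Step 1 (no viewer yet): allow the cookie to be stored.
    [ -z "$viewer" ] && return 0
    case $viewer in *[!A-Za-z0-9._-]*) return 1 ;; esac
    # Step 2: only named helpers may shadow somebody else's session.
    in_list "$viewer" $HELPERS && return 0
    return 1
}

# Installed as $PATH_BIN/nxshadowacl, the script would end with:
#   shadow_acl "$1" "$2"; exit $?
```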
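
Added example for the wrapper's user field described in the NX Client Wrapper section (not the code of nxssh or nxssh-wrapper): a parser for [@]user[@[U|S][:path-to-command]], assuming the mode letter sits between the second "@" and the ":" as in the post's example @ff@U:/tmp/NX4U/bin/nxserver-usermode. The function name, the NX_* variable names and the character checks are assumptions made here, not documented wrapper behaviour.

```bash
#!/bin/bash
# Added example: parse the wrapper's user field, [@]user[@[U|S][:path]].
# Sets NX_PUBKEY (1 = leading "@", use the ssh key setup), NX_USER,
# NX_MODE (U, S or "auto" = let the wrapper search) and NX_CMD.
# Returns 1 for anything that does not fit the syntax.

parse_nx_user() {
    local spec rest
    spec=$1
    NX_PUBKEY=0; NX_USER=; NX_MODE=auto; NX_CMD=

    # Leading "@": authenticate with the normal ssh key setup.
    case $spec in
        @*) NX_PUBKEY=1; spec=${spec#@} ;;
    esac

    # Split "user" from the optional "@mode:path" suffix.
    case $spec in
        *@*) NX_USER=${spec%%@*}; rest=${spec#*@} ;;
        *)   NX_USER=$spec; rest= ;;
    esac

    # Optional ":path-to-command" after the mode letter.
    case $rest in
        *:*) NX_CMD=${rest#*:}; rest=${rest%%:*} ;;
    esac

    # Mode is empty (search), U (usermode) or S (suid mode).
    case $rest in
        '')  ;;
        U|S) NX_MODE=$rest ;;
        *)   return 1 ;;
    esac

    # Added hardening (assumption): the user name must not be empty,
    # start with "-" or contain characters outside a plain account name.
    case $NX_USER in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    # The command must be an absolute path of plain characters without
    # "..", because it becomes the command started after the ssh login.
    case $NX_CMD in
        '') ;;
        *[!A-Za-z0-9._/-]*|*..*) return 1 ;;
        /*) ;;
        *)  return 1 ;;
    esac
    return 0
}
```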