Re: NX authentication error



On Tue, 2009-06-30 at 09:26 +1000, L wrote:
On Tue, Jun 30, 2009 at 6:49 AM, Craig White<craigwhite@xxxxxxxxxxx> wrote:
On Mon, 2009-06-29 at 15:20 +1000, L wrote:
On Mon, Jun 29, 2009 at 11:11 AM, Craig White<craigwhite@xxxxxxxxxxx> wrote:
On Mon, 2009-06-29 at 10:33 +1000, L wrote:
On Mon, Jun 29, 2009 at 10:18 AM, Craig White<craigwhite@xxxxxxxxxxx> wrote:
On Mon, 2009-06-29 at 10:03 +1000, L wrote:
I set up an nxserver at remote PC (F10 2.6.27.25-170.2.72.fc10.i686),
followed all steps, shipped key from server to client. Tried login
from client to server as


ssh -i /usr/NX/share/keys/user.id_dsa.key nx@server
ssh -l USER1 server

all work.

when I login via nxclient, after pass steps Connected, download
session, it failed with errors:
----
problem is with USER1 account.

nxuser only creates an ssh tunnel. Once that tunnel is created another
connection for nxsession is started and this user must exist on the
system and the password must be correct. I am not aware that this user
can use a public key authentication.

Craig

thanks for your reply, as you see, USER1 can login via ssh to server.
the password for users must be right.

where should I look for error to fix it?
----
I would start with the suggestions given in your own error report...

NX> 502 ERROR: Public key authentication failed
NX> 502 ERROR: NX server was unable to login as user: USER1
NX> 502 ERROR: Please check that the account is enabled to login,
NX> 502 ERROR: the user's home directory, the directory ~/.ssh
NX> 502 ERROR: and the file ~/.ssh/authorized_keys2 have correct
NX> 502 ERROR: permissions setting according to the StrictModes
NX> 502 ERROR: of your SSHD configuration.

make sure that /home/USER1/.ssh/authorized_keys2 is 600 permissions
and /home/USER1/.ssh is 755 but if I were to guess, USER1 does not
have a valid shell

Craig

thanks, after changing permissions on them, the error message changed to

Authentication to NX node failed.

see below

NX> 203 NXSSH running with pid: 13927
NX> 285 Enabling check on switch command
NX> 285 Enabling skip of SSH config files
NX> 285 Setting the preferred NX options
NX> 200 Connected to address: 202.118.163.85 on port: 22
NX> 202 Authenticating user: nx
NX> 208 Using auth method: publickey
HELLO NXSERVER - Version 3.3.0-22 - LFE
NX> 105 Hello NXCLIENT - Version 3.3.0
NX> 134 Accepted protocol: 3.3.0
NX> 105 Set shell_mode: shell
NX> 105 Set auth_mode: password
NX> 105 Login
NX> 101 User: test
NX> 102 Password: ****
NX> 103 Welcome to: localhost.localdomain user: test
NX> 105 Listsession --user="test" --status="suspended\054running"
--geometry="1280x1024x24+render" --type="unix-application"
NX> 127 Available sessions:

Display Type Session ID Options
Depth Screen Status Session Name
------- ---------------- -------------------------------- --------
----- -------------- ----------- ------------------------------

NX> 148 Server capacity: not reached for user: test
NX> 105 Start session with: --rootless="1" --virtualdesktop="0"
--application="xterm" --link="adsl" --backingstore="1" --cache="16M"
--images="64M" --shmem="1" --shpix="1" --strict="0" --composite="1"
--media="0" --session="neau" --type="unix-application"
--client="linux" --keyboard="pc105\057us"
--screeninfo="1280x1024x24+render"
NX> 596 ERROR: Authentication to NX node failed.
NX> 280 Exiting on signal: 15
----
OK, now you have changed from USER1 to test

That is OK but what is shell for test?



let's stay with USER1, user test was newly created to check if a new
user can login

the shell for USER1 is bash

line from /etc/passwd

USER1:x:503:504::/home/USER1:/bin/bash

grep test /etc/passwd



is it /bin/sh or /bin/bash?

Can user 'test' login at the console?

YES, USERs can login.

Here are section of /var/log/secure

part for ssh login


Jun 30 07:12:54 localhost sshd[31675]: debug2: input_userauth_request:
try method password
Jun 30 07:12:54 localhost sshd[31674]: debug1: PAM: initializing for "USER1"
Jun 30 07:12:54 localhost sshd[31674]: debug1: PAM: setting PAM_RHOST
to "localhost.localdomain"
Jun 30 07:12:54 localhost sshd[31674]: debug1: PAM: setting PAM_TTY to "ssh"
Jun 30 07:12:54 localhost sshd[31674]: debug2: monitor_read: 46 used
once, disabling now
Jun 30 07:12:54 localhost sshd[31674]: debug2: monitor_read: 3 used
once, disabling now
Jun 30 07:12:54 localhost sshd[31674]: debug2: monitor_read: 4 used
once, disabling now
Jun 30 07:12:54 localhost sshd[31674]: debug1: PAM: password
authentication accepted for USER1
Jun 30 07:12:54 localhost sshd[31674]: debug1: do_pam_account: called
Jun 30 07:12:54 localhost sshd[31674]: Accepted password for USER1
from 127.0.0.1 port 52180 ssh2
Jun 30 07:12:54 localhost sshd[31674]: debug1: monitor_child_preauth:
USER1 has been authenticated by privileged process
Jun 30 07:12:54 localhost sshd[31674]: debug2: mac_setup: found hmac-md5
Jun 30 07:12:54 localhost sshd[31674]: debug2: mac_setup: found hmac-md5
Jun 30 07:12:54 localhost sshd[31674]: debug1: temporarily_use_uid:
503/504 (e=0/0)
Jun 30 07:12:54 localhost sshd[31674]: debug1: ssh_gssapi_storecreds:
Not a GSSAPI mechanism
Jun 30 07:12:54 localhost sshd[31674]: debug1: restore_uid: 0/0
Jun 30 07:12:54 localhost sshd[31674]: debug1: SELinux support disabled
Jun 30 07:12:54 localhost sshd[31674]: debug1: PAM: establishing credentials
Jun 30 07:12:54 localhost sshd[31674]: pam_unix(sshd:session): session
opened for user USER1 by (uid=0)
Jun 30 07:12:54 localhost sshd[31676]: debug1: PAM: establishing credentials
Jun 30 07:12:54 localhost sshd[31676]: debug1: permanently_set_uid: 503/504
Jun 30 07:12:54 localhost sshd[31676]: debug2: set_newkeys: mode 0
Jun 30 07:12:54 localhost sshd[31676]: debug2: set_newkeys: mode 1
Jun 30 07:12:54 localhost sshd[31676]: debug1: Entering interactive
session for SSH2.
Jun 30 07:12:54 localhost sshd[31676]: debug2: fd 4 setting O_NONBLOCK
Jun 30 07:12:54 localhost sshd[31676]: debug2: fd 6 setting O_NONBLOCK
Jun 30 07:12:54 localhost sshd[31676]: debug1: server_init_dispatch_20
Jun 30 07:12:54 localhost sshd[31674]: User child is on pid 31676
Jun 30 07:12:54 localhost sshd[31676]: Connection closed by 127.0.0.1
Jun 30 07:12:54 localhost sshd[31676]: debug1: do_cleanup
Jun 30 07:12:54 localhost sshd[31676]: Transferred: sent 1768,
received 1184 bytes
Jun 30 07:12:54 localhost sshd[31676]: Closing connection to 127.0.0.1
port 52180
Jun 30 07:12:54 localhost sshd[31674]: debug1: PAM: cleanup
Jun 30 07:12:54 localhost sshd[31674]: debug1: PAM: deleting credentials
Jun 30 07:12:54 localhost sshd[31674]: debug1: PAM: closing session
Jun 30 07:12:54 localhost sshd[31674]: pam_unix(sshd:session): session
closed for user USER1

part for NX login

Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: read<=0 rfd 11 len 0
Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: read failed
Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: close_read
Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: input open -> drain
Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: ibuf_empty
delayed efd 13/(0)
Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: read 0 from efd 13
Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: closing read-efd 13
Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: ibuf empty
Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: send eof
Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: input drain -> closed
Jun 30 07:12:58 localhost sshd[31631]: debug1: Received SIGCHLD.
Jun 30 07:12:58 localhost sshd[31631]: debug1: session_by_pid: pid 31632
Jun 30 07:12:58 localhost sshd[31631]: debug1: session_exit_message:
session 0 channel 0 pid 31632
Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: request
exit-status confirm 0
Jun 30 07:12:58 localhost sshd[31631]: debug1: session_exit_message:
release channel 0
Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: write failed
Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: close_write
Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: send eow
Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: output open -> closed
Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: send close
Jun 30 07:12:58 localhost sshd[31631]: debug2: notify_done: reading
Jun 30 07:12:58 localhost sshd[31631]: Connection closed by xx.xx.xx.xx
Jun 30 07:12:58 localhost sshd[31631]: debug1: channel 0: free:
server-session, nchannels 3
Jun 30 07:12:58 localhost sshd[31631]: debug1: channel 1: free: X11
inet listener, nchannels 2
Jun 30 07:12:58 localhost sshd[31631]: debug1: channel 2: free: X11
inet listener, nchannels 1
Jun 30 07:12:58 localhost sshd[31631]: debug1: session_close: session 0 pid 0
Jun 30 07:12:58 localhost sshd[31631]: debug1: do_cleanup
Jun 30 07:12:58 localhost sshd[31631]: Transferred: sent 3768,
received 2432 bytes
Jun 30 07:12:58 localhost sshd[31631]: Closing connection to
xx.xx.xx.xx port 54515
Jun 30 07:12:58 localhost sshd[31628]: debug1: PAM: cleanup
Jun 30 07:12:58 localhost sshd[31628]: debug1: PAM: deleting credentials
Jun 30 07:12:59 localhost sshd[31628]: debug1: PAM: closing session
Jun 30 07:12:59 localhost sshd[31628]: pam_unix(sshd:session): session
closed for user nx
----
both ssh and nx sessions seem to do the same thing, successfully login
and then disconnect immediately which always suggests to me that there
is a problem with the login shell.

seriously though, I think you believe you know what you are doing but I
find your postings narrow and confused.

1 - I do not know if nxusers can actually use an authorized key to
connect. It seems reasonable but I have never done this so I do not
know.

2 - When you switched from USER1 to the test in the next mail back to
USER1 in the next mail, I am starting to lose confidence that the
conditions too aren't also changing as well.

3 - the sequence of events is consistent, nxuser creates the initial
connection via sshd/pre-shared key and once the nxuser has connected, an
attempt is made by another 'user' who must authenticate using his own
username & password. As I said above and in my first post, I don't know
if this user can use a public key for authentication.

4 - everything you show in logs makes me think that the user
simultaneously authenticates and then disconnects which always suggests
to me a non-valid shell but it could be something like SELinux or
similar too.

Craig
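
The two things this thread keeps returning to (the StrictModes permissions named in the NX 502 error and the account's login shell) can be checked in one pass. This is an added example, not part of the original messages: sshd with StrictModes ignores a key file when the home directory, ~/.ssh or the key file is writable by group or other or owned by another non-root user. The function names and output labels are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Paths follow the NX error text above.

# Owner name of a path, and whether group/other may write to it
# (columns 6 and 9 of the `ls -l` mode string).
owner_of()   { ls -ld -- "$1" | awk '{print $3}'; }
loose_mode() { ls -ld -- "$1" | cut -c6,9 | grep -q w; }

# check_strictmodes USER HOME [KEYFILE]
# Prints one line per finding; exit status is the number of findings.
check_strictmodes() {
    user=$1 home=$2 keyfile=${3:-authorized_keys2} bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/$keyfile"; do
        if [ ! -e "$p" ]; then
            echo "MISSING $p"; bad=$((bad + 1)); continue
        fi
        owner=$(owner_of "$p")
        if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
            echo "OWNER   $p belongs to $owner, not $user"; bad=$((bad + 1))
        fi
        if loose_mode "$p"; then
            echo "MODE    $p is writable by group or other"; bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# check_shell USER [PASSWD_FILE]
# Succeeds only if the account's shell exists, is executable and is not a
# "refuse login" stub such as nologin or false.
check_shell() {
    shell=$(awk -F: -v u="$1" '$1 == u { print $7; f = 1 } END { exit !f }' \
        "${2:-/etc/passwd}") || { echo "NOUSER  $1"; return 2; }
    [ -n "$shell" ] || shell=/bin/sh      # empty field means /bin/sh
    case ${shell##*/} in
        nologin|false) echo "SHELL   $shell refuses logins"; return 1 ;;
    esac
    [ -x "$shell" ] || { echo "SHELL   $shell is not executable"; return 1; }
}

# Run as: sh check_nx_login.sh USER1 /home/USER1   (script name is arbitrary)
if [ "$#" -ge 2 ]; then
    check_strictmodes "$1" "$2"; check_shell "$1"
fi
```

No output and a zero exit status from both functions means neither of the causes suggested in the thread applies to that account.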


--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

