Bug 770814

Summary: Can't log in to freenx-server due to permissions on authorised keys file
Product: [Fedora] Fedora Reporter: Philip Allison <mangobrain>
Component: freenx-serverAssignee: Axel Thimm <axel.thimm>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 16CC: axel.thimm, gwync, ville.skytta
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Unspecified   
Whiteboard:
Fixed In Version: 0.7.3-24 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-12-31 10:26:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Philip Allison 2011-12-29 10:23:10 UTC 
Description of problem:

Cannot log in to freenx-server because the file /etc/nxserver/server.id_dsa.pub.key is not readable by the nx user.

Version-Release number of selected component (if applicable):

0.7.3-23.fc16

How reproducible:

Very

Steps to Reproduce:
1. Install freenx-server on a clean box
2. systemctl load freenx-server.service
3. systemctl start freenx-server.service
4. Copy /etc/nxserver/client.id_dsa.key to the client machine, and configure a session in nxclient using it as the server key
5. Try and connect with nxclient
  
Actual results:

Client does not connect.  Log reveals public key authentication failure for user nx.  Running sshd in debug mode on the server reveals that it cannot read /var/lib/nxserver/home/.ssh/authorized_keys2 (which is a symlink to /etc/nxserver/server.id_dsa.pub.key).

Expected results:

Client connects.

Additional info:

The symlink /var/lib/nxserver/home/.ssh/authorized_keys2 has ownership nx:root, but the file it links to is root:root and not world readable.  Changing the ownership of /etc/nxserver/server.id_dsa.pub.key to nx:root resolves the issue.
Comment 1 Ville Skyttä 2011-12-30 20:20:19 UTC 
The mentioned steps to reproduce don't even result in creation of the /var/lib/nxserver/home/.ssh dir nor obviously the symlink in it -- did you omit a step?

Anyway, as mentioned in the freenx-server upstream documentation "nxsetup --install" should be run to complete the server setup before trying to connect, among other things that'll set the correct permissions in /etc/nxserver.

http://openfacts2.berlios.de/wikien/index.php/BerliosProject:FreeNX_-_Installation#Installing_the_FreeNX_Server

Granted, this is fairly non-obvious.  Maybe the package should be improved to ship a "installed" setup by default...?
Comment 2 Ville Skyttä 2011-12-30 20:37:22 UTC 
(In reply to comment #1)
> The mentioned steps to reproduce don't even result in creation of the
> /var/lib/nxserver/home/.ssh dir nor obviously the symlink in it

Eh, something went wrong with the tests I made, so ignore the above, but "nxsetup --install" should still be run before connecting at least for now.
Comment 3 Ville Skyttä 2011-12-31 10:26:00 UTC 
0.7.3-24 tries to detect if nxsetup --install has been run, and refuses to start if not.