NX authentication error

Craig White craigwhite at azapple.com
Tue Jun 30 01:28:52 UTC 2009


On Tue, 2009-06-30 at 09:26 +1000, L wrote:
> On Tue, Jun 30, 2009 at 6:49 AM, Craig White<craigwhite at azapple.com> wrote:
> > On Mon, 2009-06-29 at 15:20 +1000, L wrote:
> >> On Mon, Jun 29, 2009 at 11:11 AM, Craig White<craigwhite at azapple.com> wrote:
> >> > On Mon, 2009-06-29 at 10:33 +1000, L wrote:
> >> >> On Mon, Jun 29, 2009 at 10:18 AM, Craig White<craigwhite at azapple.com> wrote:
> >> >> > On Mon, 2009-06-29 at 10:03 +1000, L wrote:
> >> >> >> I set up a nxserver at remote PC (F10 2.6.27.25-170.2.72.fc10.i686),
> >> >> >> followed all steps, shipped key from server to client. tried login
> >> >> >> from client to server as
> >> >> >>
> >> >> >>
> >> >> >> ssh -i /usr/NX/share/keys/user.id_dsa.key nx@server
> >> >> >> ssh -l USER1 server
> >> >> >>
> >> >> >> all work.
> >> >> >>
> >> >> >> when I login via nxclient, after pass steps Connected, download
> >> >> >> session, it failed with errors:
> >> >> > ----
> >> >> > problem is with USER1 account.
> >> >> >
> >> >> > nxuser only creates an ssh tunnel. Once that tunnel is created another
> >> >> > connection for nxsession is started and this user must exist on the
> >> >> > system and the password must be correct. I am not aware that this user
> >> >> > can use a public key authentication.
> >> >> >
> >> >> > Craig
> >> >>
> >> >> thanks for your reply, as you see, USER1 can login via ssh to server.
> >> >> the password for users must be right.
> >> >>
> >> >> where should I look for error to fix it?
> >> > ----
> >> > I would start with the suggestions given in your own error report...
> >> >
> >> > NX> 502 ERROR: Public key authentication failed
> >> > NX> 502 ERROR: NX server was unable to login as user: USER1
> >> > NX> 502 ERROR: Please check that the account is enabled to login,
> >> > NX> 502 ERROR: the user's home directory, the directory ~/.ssh
> >> > NX> 502 ERROR: and the file ~/.ssh/authorized_keys2 have correct
> >> > NX> 502 ERROR: permissions setting according to the StrictModes
> >> > NX> 502 ERROR: of your SSHD configuration.
> >> >
> >> > make sure that /home/USER1/.ssh/authorized_keys2 is 600 permissions
> >> > and /home/USER1/.ssh is 755 but if I were to guess, USER1 does not
> >> > have a valid shell
> >> >
> >> > Craig
> >>
> >> thanks, after changing permissions on them, the error message changed to
> >>
> >> Authentication to NX node failed.
> >>
> >> see below
> >>
> >> NX> 203 NXSSH running with pid: 13927
> >> NX> 285 Enabling check on switch command
> >> NX> 285 Enabling skip of SSH config files
> >> NX> 285 Setting the preferred NX options
> >> NX> 200 Connected to address: 202.118.163.85 on port: 22
> >> NX> 202 Authenticating user: nx
> >> NX> 208 Using auth method: publickey
> >> HELLO NXSERVER - Version 3.3.0-22 - LFE
> >> NX> 105 Hello NXCLIENT - Version 3.3.0
> >> NX> 134 Accepted protocol: 3.3.0
> >> NX> 105 Set shell_mode: shell
> >> NX> 105 Set auth_mode: password
> >> NX> 105 Login
> >> NX> 101 User: test
> >> NX> 102 Password: ****
> >> NX> 103 Welcome to: localhost.localdomain user: test
> >> NX> 105 Listsession --user="test" --status="suspended\054running"
> >> --geometry="1280x1024x24+render" --type="unix-application"
> >> NX> 127 Available sessions:
> >>
> >> Display Type             Session ID                       Options
> >> Depth Screen         Status      Session Name
> >> ------- ---------------- -------------------------------- --------
> >> ----- -------------- ----------- ------------------------------
> >>
> >> NX> 148 Server capacity: not reached for user: test
> >> NX> 105 Start session with: --rootless="1" --virtualdesktop="0"
> >> --application="xterm" --link="adsl" --backingstore="1" --cache="16M"
> >> --images="64M" --shmem="1" --shpix="1" --strict="0" --composite="1"
> >> --media="0" --session="neau" --type="unix-application"
> >> --client="linux" --keyboard="pc105\057us"
> >> --screeninfo="1280x1024x24+render"
> >> NX> 596 ERROR: Authentication to NX node failed.
> >> NX> 280 Exiting on signal: 15
> > ----
> > OK, now you have changed from USER1 to test
> >
> > That is OK but what is shell for test?
> 
> >
> 
> let's stay with USER1, user test was newly created to check if a new
> user can login
> 
> the shell for USER1 is bash
> 
> line from /etc/passwd
> 
> USER1:x:503:504::/home/USER1:/bin/bash
> 
> > grep test /etc/passwd
> 
> 
> >
> > is it /bin/sh or /bin/bash?
> >
> > Can user 'test' login at the console?
> 
> YES, USERs can login.
> 
> Here are sections of /var/log/secure
> 
> part for ssh login
> 

> Jun 30 07:12:54 localhost sshd[31675]: debug2: input_userauth_request:
> try method password
> Jun 30 07:12:54 localhost sshd[31674]: debug1: PAM: initializing for "USER1"
> Jun 30 07:12:54 localhost sshd[31674]: debug1: PAM: setting PAM_RHOST
> to "localhost.localdomain"
> Jun 30 07:12:54 localhost sshd[31674]: debug1: PAM: setting PAM_TTY to "ssh"
> Jun 30 07:12:54 localhost sshd[31674]: debug2: monitor_read: 46 used
> once, disabling now
> Jun 30 07:12:54 localhost sshd[31674]: debug2: monitor_read: 3 used
> once, disabling now
> Jun 30 07:12:54 localhost sshd[31674]: debug2: monitor_read: 4 used
> once, disabling now
> Jun 30 07:12:54 localhost sshd[31674]: debug1: PAM: password
> authentication accepted for USER1
> Jun 30 07:12:54 localhost sshd[31674]: debug1: do_pam_account: called
> Jun 30 07:12:54 localhost sshd[31674]: Accepted password for USER1
> from 127.0.0.1 port 52180 ssh2
> Jun 30 07:12:54 localhost sshd[31674]: debug1: monitor_child_preauth:
> USER1 has been authenticated by privileged process
> Jun 30 07:12:54 localhost sshd[31674]: debug2: mac_setup: found hmac-md5
> Jun 30 07:12:54 localhost sshd[31674]: debug2: mac_setup: found hmac-md5
> Jun 30 07:12:54 localhost sshd[31674]: debug1: temporarily_use_uid:
> 503/504 (e=0/0)
> Jun 30 07:12:54 localhost sshd[31674]: debug1: ssh_gssapi_storecreds:
> Not a GSSAPI mechanism
> Jun 30 07:12:54 localhost sshd[31674]: debug1: restore_uid: 0/0
> Jun 30 07:12:54 localhost sshd[31674]: debug1: SELinux support disabled
> Jun 30 07:12:54 localhost sshd[31674]: debug1: PAM: establishing credentials
> Jun 30 07:12:54 localhost sshd[31674]: pam_unix(sshd:session): session
> opened for user USER1 by (uid=0)
> Jun 30 07:12:54 localhost sshd[31676]: debug1: PAM: establishing credentials
> Jun 30 07:12:54 localhost sshd[31676]: debug1: permanently_set_uid: 503/504
> Jun 30 07:12:54 localhost sshd[31676]: debug2: set_newkeys: mode 0
> Jun 30 07:12:54 localhost sshd[31676]: debug2: set_newkeys: mode 1
> Jun 30 07:12:54 localhost sshd[31676]: debug1: Entering interactive
> session for SSH2.
> Jun 30 07:12:54 localhost sshd[31676]: debug2: fd 4 setting O_NONBLOCK
> Jun 30 07:12:54 localhost sshd[31676]: debug2: fd 6 setting O_NONBLOCK
> Jun 30 07:12:54 localhost sshd[31676]: debug1: server_init_dispatch_20
> Jun 30 07:12:54 localhost sshd[31674]: User child is on pid 31676
> Jun 30 07:12:54 localhost sshd[31676]: Connection closed by 127.0.0.1
> Jun 30 07:12:54 localhost sshd[31676]: debug1: do_cleanup
> Jun 30 07:12:54 localhost sshd[31676]: Transferred: sent 1768,
> received 1184 bytes
> Jun 30 07:12:54 localhost sshd[31676]: Closing connection to 127.0.0.1
> port 52180
> Jun 30 07:12:54 localhost sshd[31674]: debug1: PAM: cleanup
> Jun 30 07:12:54 localhost sshd[31674]: debug1: PAM: deleting credentials
> Jun 30 07:12:54 localhost sshd[31674]: debug1: PAM: closing session
> Jun 30 07:12:54 localhost sshd[31674]: pam_unix(sshd:session): session
> closed for user USER1
> 
> part for NX login
> 
> Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: read<=0 rfd 11 len 0
> Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: read failed
> Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: close_read
> Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: input open -> drain
> Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: ibuf_empty
> delayed efd 13/(0)
> Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: read 0 from efd 13
> Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: closing read-efd 13
> Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: ibuf empty
> Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: send eof
> Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: input drain -> closed
> Jun 30 07:12:58 localhost sshd[31631]: debug1: Received SIGCHLD.
> Jun 30 07:12:58 localhost sshd[31631]: debug1: session_by_pid: pid 31632
> Jun 30 07:12:58 localhost sshd[31631]: debug1: session_exit_message:
> session 0 channel 0 pid 31632
> Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: request
> exit-status confirm 0
> Jun 30 07:12:58 localhost sshd[31631]: debug1: session_exit_message:
> release channel 0
> Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: write failed
> Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: close_write
> Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: send eow
> Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: output open -> closed
> Jun 30 07:12:58 localhost sshd[31631]: debug2: channel 0: send close
> Jun 30 07:12:58 localhost sshd[31631]: debug2: notify_done: reading
> Jun 30 07:12:58 localhost sshd[31631]: Connection closed by xx.xx.xx.xx
> Jun 30 07:12:58 localhost sshd[31631]: debug1: channel 0: free:
> server-session, nchannels 3
> Jun 30 07:12:58 localhost sshd[31631]: debug1: channel 1: free: X11
> inet listener, nchannels 2
> Jun 30 07:12:58 localhost sshd[31631]: debug1: channel 2: free: X11
> inet listener, nchannels 1
> Jun 30 07:12:58 localhost sshd[31631]: debug1: session_close: session 0 pid 0
> Jun 30 07:12:58 localhost sshd[31631]: debug1: do_cleanup
> Jun 30 07:12:58 localhost sshd[31631]: Transferred: sent 3768,
> received 2432 bytes
> Jun 30 07:12:58 localhost sshd[31631]: Closing connection to
> xx.xx.xx.xx port 54515
> Jun 30 07:12:58 localhost sshd[31628]: debug1: PAM: cleanup
> Jun 30 07:12:58 localhost sshd[31628]: debug1: PAM: deleting credentials
> Jun 30 07:12:59 localhost sshd[31628]: debug1: PAM: closing session
> Jun 30 07:12:59 localhost sshd[31628]: pam_unix(sshd:session): session
> closed for user nx
----
both ssh and nx sessions seem to do the same thing, successfully login
and then disconnect immediately which always suggests to me that there
is a problem with the login shell.

seriously though, I think you believe you know what you are doing but I
find your postings narrow and confused.

1 - I do not know if nxusers can actually use an authorized key to
connect. It seems reasonable but I have never done this so I do not
know.

2 - When you switched from USER1 to the test in the next mail back to
USER1 in the next mail, I am starting to lose confidence that the
conditions too aren't also changing as well.

3 - the sequence of events is consistent, nxuser creates the initial
connection via sshd/pre-shared key and once the nxuser has connected, an
attempt is made by another 'user' who must authenticate using his own
username & password. As I said above and in my first post, I don't know
if this user can use a public key for authentication.

4 - everything you show in logs makes me think that the user
simultaneously authenticates and then disconnects which always suggests
to me a non-valid shell but it could be something like SELinux or
similar too.

Craig
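
The checks that the NX 502 error text and the replies above point to (a usable login shell, plus StrictModes-compatible ownership and modes on the home directory, ~/.ssh and ~/.ssh/authorized_keys2), as an added example that is not part of the original message. The function names `check_account` and `loose_mode` are hypothetical; the rule applied is that sshd with StrictModes rejects paths that are group- or world-writable or not owned by the user or root.

```shell
#!/bin/sh
# Added example (not from the thread): audit the account conditions it discusses.
# Usage: check_account USER [PASSWD_FILE]   (PASSWD_FILE defaults to /etc/passwd)

# True if the path is group- or world-writable (the mode bits StrictModes rejects).
loose_mode() {
    # ls -ld mode string: character 6 is group write, character 9 is other write
    case "$(ls -ld "$1" | cut -c6,9)" in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Prints one line per finding; returns 0 if nothing was flagged, 1 otherwise.
check_account() {
    user=$1 passwd=${2:-/etc/passwd} bad=0
    entry=$(grep "^${user}:" "$passwd") || { echo "FAIL no passwd entry for $user"; return 1; }
    uid=$(echo "$entry" | cut -d: -f3)
    home=$(echo "$entry" | cut -d: -f6)
    shell=$(echo "$entry" | cut -d: -f7)

    # Login shell: must exist and be executable; nologin/false exit at once,
    # which looks like "authenticates, then disconnects immediately".
    if [ ! -x "$shell" ]; then
        echo "FAIL shell $shell missing or not executable"; bad=1
    else
        case "${shell##*/}" in
            nologin|false) echo "FAIL shell $shell refuses interactive logins"; bad=1 ;;
        esac
    fi

    # StrictModes: home, ~/.ssh and the key file must be owned by the user
    # or root and must not be group- or world-writable.
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys2"; do
        [ -e "$p" ] || { echo "WARN $p does not exist"; continue; }
        owner=$(ls -ldn "$p" | awk '{print $3}')
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "FAIL $p owned by uid $owner, expected $uid or 0"; bad=1
        fi
        if loose_mode "$p"; then
            echo "FAIL $p is group- or world-writable"; bad=1
        fi
    done
    return $bad
}

# Run directly as: sh check_account.sh USER1
if [ $# -gt 0 ]; then check_account "$@"; fi
```

Modes 755 on ~/.ssh and 600 on authorized_keys2, as suggested in the thread, pass these checks; SELinux denials are outside what this script looks at.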

