Bug 262496 - net-misc/nxserver-freenx: User nx not allowed because account is locked
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: x86 Linux
Importance: High normal
Assignee: Gentoo NX Server project
Reported: 2009-03-15 01:18 UTC by Joseph
Modified: 2009-04-20 15:20 UTC
Description Joseph 2009-03-15 01:18:54 UTC
I just installed nxserver-freenx and when I try to set it up:
nxsetup --install --setup-nomachine-key --clean --purge
...

----> Testing your nxserver connection ...
Permission denied (publickey,keyboard-interactive).
Fatal error: Could not connect to NX Server.

Please check your ssh setup:

The following are _examples_ of what you might need to check.

        - Make sure "nx" is one of the AllowUsers in sshd_config.
    (or that the line is outcommented/not there)
        - Make sure "nx" is one of the AllowGroups in sshd_config.
    (or that the line is outcommented/not there)
        - Make sure your sshd allows public key authentication.
        - Make sure your sshd is really running on port 22.
        - Make sure your sshd_config AuthorizedKeysFile in sshd_config is set to authorized_keys2.
    (this should be a filename not a pathname+filename)
  - Make sure you allow ssh on localhost, this could come from some
    restriction of:
      -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
      -the iptables. add to it:
         $ iptables -A INPUT  -i lo -j ACCEPT
         $ iptables -A OUTPUT -o lo -j ACCEPT

my sshd.conf
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys2
PasswordAuthentication no
UsePAM no
Subsystem       sftp    /usr/lib/misc/sftp-server

and in log/messages I get:
User nx not allowed because account is locked

Reproducible: Always



Expected Results:  
emerge --info
Portage 2.1.6.7 (default/linux/x86/2008.0/desktop, gcc-4.1.2, glibc-2.8_p20080602-r1, 2.6.27-gentoo-r8 i686)
=================================================================
System uname: Linux-2.6.27-gentoo-r8-i686-AMD_Athlon-TM-_XP_2500+-with-glibc2.0
Timestamp of tree: Thu, 12 Mar 2009 04:30:01 +0000
distcc 3.0 i686-pc-linux-gnu [disabled]
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p39
dev-java/java-config: 1.3.7-r1, 2.1.7
dev-lang/python:     2.5.2-r7
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.63
sys-devel/automake:  1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/lib/fax /usr/share/config /var/lib/hsqldb /var/spool/fax/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache collision-protect distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distro.ibidio.org/pub/linux/distributions/gentoo/ ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ http://gentoo.osuosl.org/ http://mirror.datapipe.net/gentoo http://gentoo.binarycompass.org"
LANG="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="en en_US"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/layman/voip /usr/local/portage/layman/ltsp"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X acl acpi alsa apache2 berkdb bluetooth branding bzip2 cairo cdr cli cracklib crypt cups dbus dri dvd dvdr dvdread eds emboss encode esd evo fam firefox foomaticdb fortran gdbm gif gpm gstreamer gtk hal iconv ipv6 isdnlog java jpeg kde kpathsea ldap libnotify mad midi mikmod mp3 mpeg mudflap mysql ncurses nls nptl nptlonly ogg opengl openmp pam pcre pdf perl png ppds pppd python qt3 qt3support quicktime readline reflection scanner sdl session spell spl ssl startup-notification svg sysfs tcpd tetex tiff truetype type1 unicode usb vorbis win32codecs x86 xml xorg xulrunner xv zlib" ALSA_CARDS="via82xx" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_US" USERLAND="GNU" VIDEO_CARDS="nv vesa fbdev"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2009-03-15 12:24:18 UTC
Did you try to solve this with the following command?
  usermod -U nx
Comment 2 Joseph 2009-03-15 15:47:52 UTC
Yes, I tried it already:

usermod -U nx
usermod: unlocking the user would result in a passwordless account.
You should set password with usermod -p to unlock this user account.

If I try this sequence:
usermod -p 123456 nx
usermod -U nx

works, no message pops up; but as soon as I run the setup script:
nxsetup --install --setup-nomachine-key --clean --purge
...
Setting up /var/log/nxserver.log ...done
Setting up special user "nx" ...passwd: unlocking the user would result in a passwordless account.
You should set a password with usermod -p to unlock this user account.
Password changed.
done.
...
----> Testing your nxserver connection ...
Permission denied (publickey,keyboard-interactive).
Fatal error: Could not connect to NX Server.

Please check your ssh setup:

The following are _examples_ of what you might need to check.

        - Make sure "nx" is one of the AllowUsers in sshd_config.
    (or that the line is outcommented/not there)
        - Make sure "nx" is one of the AllowGroups in sshd_config.
    (or that the line is outcommented/not there)
        - Make sure your sshd allows public key authentication.
        - Make sure your sshd is really running on port 22.
        - Make sure your sshd_config AuthorizedKeysFile in sshd_config is set
to authorized_keys2.
    (this should be a filename not a pathname+filename)
  - Make sure you allow ssh on localhost, this could come from some
    restriction of:
      -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
      -the iptables. add to it:
         $ iptables -A INPUT  -i lo -j ACCEPT
         $ iptables -A OUTPUT -o lo -j ACCEPT


So at this point I'm back to square one; in log/messages I get:
User nx not allowed because account is locked
 


Comment 3 Bernard Cafarelli gentoo-dev 2009-03-19 16:26:44 UTC
Which nxserver-freenx version do you have installed?

Also, a user once reported that he had missing files in the ~nx folder (mostly the allowed keys); completely removing the nx user (and personal folder) and remerging nxserver-freenx did the trick for him. If you want to try this, can you post the output of `ls -la ~nx/ ~nx/.ssh/` before?
Comment 4 Joseph 2009-03-19 19:06:01 UTC
I have nxserver-freenx-0.7.3-r2

ls -la ~nax/ ~nx/.ssh/
ls: cannot access ~nax/: No such file or directory
/var/lib/nxserver/home/.ssh/:
total 20
drwx------ 2 nx root 4096 2009-03-19 11:55 .
drwx------ 3 nx root 4096 2009-03-19 11:55 ..
-rw------- 1 nx root  669 2009-03-19 11:55 authorized_keys2
-rw------- 1 nx root  668 2009-03-19 11:55 client.id_dsa.key
-rw-r--r-- 1 nx root  232 2009-03-19 11:55 known_hosts

I've removed user and group "nx" and re-emerged the above version, but still no luck :-/
The same problem:

nxsetup --install --setup-nomachine-key --clean --purge
Removing special user "nx" ...done
Removing session database ...done
Removing logfile ...done
Removing home directory of special user "nx" ...done
Removing configuration files ...done
Setting up /etc/nxserver ...done
Generating public/private dsa key pair.
Your identification has been saved in /etc/nxserver/users.id_dsa.
Your public key has been saved in /etc/nxserver/users.id_dsa.pub.
The key fingerprint is:
93:77:08:0d:c0:00:7a:0f:a7:da:68:ce:26:e4:4a:7e root@syscon2
The key's randomart image is:
+--[ DSA 1024]----+
|  ...o...        |
| .    .  o       |
|. o .   . .      |
| . =     o .     |
|  . .   S o .    |
| =       o .     |
|=o.              |
|Bo E             |
|=+.              |
+-----------------+
Setting up /var/lib/nxserver/db ...done
Setting up /var/log/nxserver.log ...done
Setting up special user "nx" ...passwd: unlocking the user would result in a passwordless account.
You should set a password with usermod -p to unlock this user account.
Password changed.
done
Adding user "nx" to group "utmp" ...done
Setting up known_hosts and authorized_keys2 ...done
Setting up permissions ...done
Setting up cups nxipp backend ...done

----> Testing your nxserver configuration ...
Warning: Could not find nxdesktop in /usr/bin. RDP sessions won't work.
Warning: Could not find nxviewer in /usr/bin. VNC sessions won't work.
Warning: Invalid value "COMMAND_START_KDE=startkde"
         Users will not be able to request a KDE session.
Warning: Invalid value "COMMAND_START_GNOME=gnome-session"
         Users will not be able to request a Gnome session.
Warning: Invalid value "COMMAND_START_CDE=cdwm"
         Users will not be able to request a CDE session.
Warning: Invalid cupsd version of "/usr/sbin/cupsd". Need version 1.2.
         Users will not be able to enable printing.

  Warnings occured during config check.
  To enable these features please correct the configuration file.

<---- done

----> Testing your nxserver connection ...
Permission denied (publickey,keyboard-interactive).
Fatal error: Could not connect to NX Server.

Please check your ssh setup:

The following are _examples_ of what you might need to check.

        - Make sure "nx" is one of the AllowUsers in sshd_config.
    (or that the line is outcommented/not there)
        - Make sure "nx" is one of the AllowGroups in sshd_config.
    (or that the line is outcommented/not there)
        - Make sure your sshd allows public key authentication.
        - Make sure your sshd is really running on port 22.
        - Make sure your sshd_config AuthorizedKeysFile in sshd_config is set to authorized_keys2.
    (this should be a filename not a pathname+filename)
  - Make sure you allow ssh on localhost, this could come from some
    restriction of:
      -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
      -the iptables. add to it:
         $ iptables -A INPUT  -i lo -j ACCEPT
         $ iptables -A OUTPUT -o lo -j ACCEPT

Was the fix applied to ver. 0.7.3_p102 ?
Comment 5 Bernard Cafarelli gentoo-dev 2009-04-08 16:16:27 UTC
OK, I never saw the problem because I have UsePAM enabled (from USE=pam openssh).

So this does not work without pam, let me check where the problem lies...

Comment 6 Bernard Cafarelli gentoo-dev 2009-04-20 14:28:27 UTC
OK, from what I've read (until an openssh expert contradicts me), you cannot log in via public key with a locked (passwordless) account when not using PAM.

So the only workaround I see is to set a password for the nx user, and run this nxsetup line (which will be the recommended one in freenx ebuilds from now on):
"nxsetup --install --setup-nomachine-key" (without clean or purge, this will leave the nx user as it is on your system).

This will be in nxserver-freenx-0.7.3_p104 ebuild, that I'll add to portage after fixing bug #266572
Comment 7 Bernard Cafarelli gentoo-dev 2009-04-20 15:20:59 UTC
nxserver-freenx-0.7.3_p104 in portage now, updated as detailed in previous comment

Thanks for the report and suggestions!
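
The behaviour worked out in comments 5 and 6, as an added example (not part of the bug report or of freenx): a shell check that reads a shadow-format file and an sshd_config and reports whether sshd itself will refuse a user as locked. It assumes a Linux OpenSSH build, where sshd(8) documents a leading "!" in the password field as a locked account; the function names, verdict strings and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: predict sshd's "account is locked" refusal for a service user.
# Assumption: Linux OpenSSH, where a leading "!" in the shadow password field
# means "locked" and sshd performs this check itself only when UsePAM is off.

# Print the effective UsePAM value (first uncommented occurrence; default "no").
effective_usepam() {
    awk 'tolower($1) == "usepam" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

# Print the password field of user $2 from shadow-format file $1.
# Exit status 1 if the user has no entry.
shadow_field() {
    awk -F: -v u="$2" '$1 == u { print $2; f = 1; exit } END { exit !f }' "$1"
}

# Print one verdict: refused-locked | pam-decides | not-locked | no-such-user
lock_verdict() {   # usage: lock_verdict SHADOW SSHD_CONFIG USER
    field=$(shadow_field "$1" "$3") || { echo "no-such-user"; return; }
    case "$field" in
        '!'*) if [ "$(effective_usepam "$2")" = "yes" ]; then
                  echo "pam-decides"      # sshd defers the account check to PAM
              else
                  echo "refused-locked"   # "User ... not allowed because account is locked"
              fi ;;
        *)    echo "not-locked" ;;
    esac
}

# Constructed sample inputs; sshd_nopam mirrors the options quoted in the report.
make_samples() {   # usage: make_samples DIR
    printf '%s\n' 'root:$6$constructed$hash:14318:0:::::' \
                  'nx:!:14318:0:99999:7:::' \
                  'svc:*NP*:14318:0:99999:7:::' > "$1/shadow"
    printf '%s\n' 'Protocol 2' 'PubkeyAuthentication yes' \
                  'PasswordAuthentication no' 'UsePAM no' > "$1/sshd_nopam"
    printf '%s\n' '#UsePAM no' 'UsePAM yes' > "$1/sshd_pam"
}

d=$(mktemp -d) && make_samples "$d"
for u in nx svc; do
    echo "$u, UsePAM no:  $(lock_verdict "$d/shadow" "$d/sshd_nopam" "$u")"
    echo "$u, UsePAM yes: $(lock_verdict "$d/shadow" "$d/sshd_pam" "$u")"
done
rm -rf "$d"
```

sshd(8) notes that a password field such as `*NP*` disables password login without matching the locked pattern, which is why the constructed `svc` entry is reported as not locked even with UsePAM off.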