I just installed nxserver-freenx and when I try to set it up:

nxsetup --install --setup-nomachine-key --clean --purge
...
----> Testing your nxserver connection ...
Permission denied (publickey,keyboard-interactive).
Fatal error: Could not connect to NX Server.

Please check your ssh setup:

The following are _examples_ of what you might need to check.

- Make sure "nx" is one of the AllowUsers in sshd_config.
  (or that the line is outcommented/not there)
- Make sure "nx" is one of the AllowGroups in sshd_config.
  (or that the line is outcommented/not there)
- Make sure your sshd allows public key authentication.
- Make sure your sshd is really running on port 22.
- Make sure your sshd_config AuthorizedKeysFile in sshd_config is set to authorized_keys2.
  (this should be a filename not a pathname+filename)
- Make sure you allow ssh on localhost, this could come from some restriction of:
  -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
  -the iptables. add to it:
    $ iptables -A INPUT -i lo -j ACCEPT
    $ iptables -A OUTPUT -o lo -j ACCEPT

my sshd.conf

Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys2
PasswordAuthentication no
UsePAM no
Subsystem sftp /usr/lib/misc/sftp-server

and in log/messages I get:

User nx not allowed because account is locked

Reproducible: Always

Expected Results:

emerge --info
Portage 2.1.6.7 (default/linux/x86/2008.0/desktop, gcc-4.1.2, glibc-2.8_p20080602-r1, 2.6.27-gentoo-r8 i686)
=================================================================
System uname: Linux-2.6.27-gentoo-r8-i686-AMD_Athlon-TM-_XP_2500+-with-glibc2.0
Timestamp of tree: Thu, 12 Mar 2009 04:30:01 +0000
distcc 3.0 i686-pc-linux-gnu [disabled]
ccache version 2.4 [enabled]
app-shells/bash: 3.2_p39
dev-java/java-config: 1.3.7-r1, 2.1.7
dev-lang/python: 2.5.2-r7
dev-util/ccache: 2.4-r7
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.13, 2.63
sys-devel/automake: 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.2
sys-devel/binutils: 2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool: 1.5.26
virtual/os-headers: 2.6.27-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/lib/fax /usr/share/config /var/lib/hsqldb /var/spool/fax/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -march=athlon-xp -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="ccache collision-protect distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict unmerge-orphans userfetch"
GENTOO_MIRRORS="http://distro.ibidio.org/pub/linux/distributions/gentoo/ ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ http://gentoo.osuosl.org/ http://mirror.datapipe.net/gentoo http://gentoo.binarycompass.org"
LANG="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
LDFLAGS="-Wl,-O1"
LINGUAS="en en_US"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage/layman/voip /usr/local/portage/layman/ltsp"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X acl acpi alsa apache2 berkdb bluetooth branding bzip2 cairo cdr cli cracklib crypt cups dbus dri dvd dvdr dvdread eds emboss encode esd evo fam firefox foomaticdb fortran gdbm gif gpm gstreamer gtk hal iconv ipv6 isdnlog java jpeg kde kpathsea ldap libnotify mad midi mikmod mp3 mpeg mudflap mysql ncurses nls nptl nptlonly ogg opengl openmp pam pcre pdf perl png ppds pppd python qt3 qt3support quicktime readline reflection scanner sdl session spell spl ssl startup-notification svg sysfs tcpd tetex tiff truetype type1 unicode usb vorbis win32codecs x86 xml xorg xulrunner xv zlib"
ALSA_CARDS="via82xx"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic auth_digest authn_anon authn_dbd authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock dbd deflate dir disk_cache env expires ext_filter file_cache filter headers ident imagemap include info log_config logio mem_cache mime mime_magic negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_http rewrite setenvif so speling status unique_id userdir usertrack vhost_alias"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LINGUAS="en en_US"
USERLAND="GNU"
VIDEO_CARDS="nv vesa fbdev"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Did you try to solve this with the following command?

usermod -U nx
Yes, I tried it already:

usermod -U nx
usermod: unlocking the user would result in a passwordless account.
You should set password with usermod -p to unlock this user account.

If I try this sequence:

usermod -p 123456 nx
usermod -U nx

works, no message pops up; but as soon as I run the setup script:

nxsetup --install --setup-nomachine-key --clean --purge
...
Setting up /var/log/nxserver.log ...done
Setting up special user "nx" ...passwd: unlocking the user would result in a passwordless account.
You should set a password with usermod -p to unlock this user account.
Password changed.
done.
...
----> Testing your nxserver connection ...
Permission denied (publickey,keyboard-interactive).
Fatal error: Could not connect to NX Server.

Please check your ssh setup:

The following are _examples_ of what you might need to check.

- Make sure "nx" is one of the AllowUsers in sshd_config.
  (or that the line is outcommented/not there)
- Make sure "nx" is one of the AllowGroups in sshd_config.
  (or that the line is outcommented/not there)
- Make sure your sshd allows public key authentication.
- Make sure your sshd is really running on port 22.
- Make sure your sshd_config AuthorizedKeysFile in sshd_config is set to authorized_keys2.
  (this should be a filename not a pathname+filename)
- Make sure you allow ssh on localhost, this could come from some restriction of:
  -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
  -the iptables. add to it:
    $ iptables -A INPUT -i lo -j ACCEPT
    $ iptables -A OUTPUT -o lo -j ACCEPT

So at this point I'm back to square one

in log/messages I get:

User nx not allowed because account is locked
Which nxserver-freenx version do you have installed? Also, a user reported once he had missing files in the ~nx folder (mostly the allowed keys), completely removing the nx user (and personal folder) and remerging nxserver-freenx did the trick for him. If you want to try this, can you post the output of `ls -la ~nx/ ~nx/.ssh/` before?
I have nxserver-freenx-0.7.3-r2

ls -la ~nax/ ~nx/.ssh/
ls: cannot access ~nax/: No such file or directory
/var/lib/nxserver/home/.ssh/:
total 20
drwx------ 2 nx root 4096 2009-03-19 11:55 .
drwx------ 3 nx root 4096 2009-03-19 11:55 ..
-rw------- 1 nx root  669 2009-03-19 11:55 authorized_keys2
-rw------- 1 nx root  668 2009-03-19 11:55 client.id_dsa.key
-rw-r--r-- 1 nx root  232 2009-03-19 11:55 known_hosts

I've removed user and group "nx" and re-emerged the above version, but still no luck :-/ the same problem

nxsetup --install --setup-nomachine-key --clean --purge
Removing special user "nx" ...done
Removing session database ...done
Removing logfile ...done
Removing home directory of special user "nx" ...done
Removing configuration files ...done
Setting up /etc/nxserver ...done
Generating public/private dsa key pair.
Your identification has been saved in /etc/nxserver/users.id_dsa.
Your public key has been saved in /etc/nxserver/users.id_dsa.pub.
The key fingerprint is:
93:77:08:0d:c0:00:7a:0f:a7:da:68:ce:26:e4:4a:7e root@syscon2
The key's randomart image is:
+--[ DSA 1024]----+
| ...o... |
| . . o |
|. o . . . |
| . = o . |
| . . S o . |
| = o . |
|=o. |
|Bo E |
|=+. |
+-----------------+
Setting up /var/lib/nxserver/db ...done
Setting up /var/log/nxserver.log ...done
Setting up special user "nx" ...passwd: unlocking the user would result in a passwordless account.
You should set a password with usermod -p to unlock this user account.
Password changed.
done
Adding user "nx" to group "utmp" ...done
Setting up known_hosts and authorized_keys2 ...done
Setting up permissions ...done
Setting up cups nxipp backend ...done

----> Testing your nxserver configuration ...
Warning: Could not find nxdesktop in /usr/bin. RDP sessions won't work.
Warning: Could not find nxviewer in /usr/bin. VNC sessions won't work.
Warning: Invalid value "COMMAND_START_KDE=startkde"
Users will not be able to request a KDE session.
Warning: Invalid value "COMMAND_START_GNOME=gnome-session"
Users will not be able to request a Gnome session.
Warning: Invalid value "COMMAND_START_CDE=cdwm"
Users will not be able to request a CDE session.
Warning: Invalid cupsd version of "/usr/sbin/cupsd". Need version 1.2.
Users will not be able to enable printing.

Warnings occured during config check.
To enable these features please correct the configuration file.

<---- done

----> Testing your nxserver connection ...
Permission denied (publickey,keyboard-interactive).
Fatal error: Could not connect to NX Server.

Please check your ssh setup:

The following are _examples_ of what you might need to check.

- Make sure "nx" is one of the AllowUsers in sshd_config.
  (or that the line is outcommented/not there)
- Make sure "nx" is one of the AllowGroups in sshd_config.
  (or that the line is outcommented/not there)
- Make sure your sshd allows public key authentication.
- Make sure your sshd is really running on port 22.
- Make sure your sshd_config AuthorizedKeysFile in sshd_config is set to authorized_keys2.
  (this should be a filename not a pathname+filename)
- Make sure you allow ssh on localhost, this could come from some restriction of:
  -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost
  -the iptables. add to it:
    $ iptables -A INPUT -i lo -j ACCEPT
    $ iptables -A OUTPUT -o lo -j ACCEPT

Was the fix applied to ver. 0.7.3_p102 ?
OK, I never saw the problem because I have UsePAM enabled (from USE=pam openssh). So this does not work without pam, let me check where the problem lies...
OK, from what I've read (until an openssh expert contradicts me), you cannot log in via public key with a locked (passwordless) account when not using PAM.

So the only workaround I see is to set a password for the nx user, and run this nxsetup line (which will be the recommended one in freenx ebuilds from now on):

"nxsetup --install --setup-nomachine-key"

(without clean or purge; this will leave the nx user as it is on your system).

This will be in the nxserver-freenx-0.7.3_p104 ebuild, which I'll add to portage after fixing bug #266572.
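The interaction described in the comment above, as an added example that is not part of the bug report and not FreeNX or OpenSSH code: a shell check that combines the shadow password field with the effective UsePAM setting to predict the "account is locked" rejection. It assumes the Linux convention that a leading "!" in the shadow field marks a locked account; the function names and the shadow lines are hypothetical samples.

```shell
#!/bin/sh
# Added example (not from the bug report): predicts when sshd logs
# "User nx not allowed because account is locked".
# Assumption: Linux convention, a leading "!" in the shadow(5)
# password field marks the account as locked.

# Classify a shadow password field.
shadow_state() {
    case "$1" in
        '!'*) echo locked ;;      # usermod -L, passwd -l, or a fresh useradd
        '')   echo empty ;;       # no password required
        '*')  echo nopassword ;;  # no usable hash, but not the lock marker
        *)    echo hashed ;;
    esac
}

# Effective UsePAM from sshd_config text: first occurrence wins,
# the keyword is case-insensitive, the built-in default is "no".
use_pam() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "usepam" { print tolower($2); found = 1; exit }
        END { if (!found) print "no" }'
}

# pubkey_verdict SHADOW_LINE SSHD_CONFIG_TEXT
# PASS only means sshd's own lock check does not fire; with UsePAM yes
# the PAM account modules make the decision instead.
pubkey_verdict() {
    user=${1%%:*}
    rest=${1#*:}
    state=$(shadow_state "${rest%%:*}")
    pam=$(use_pam "$2")
    if [ "$state" = locked ] && [ "$pam" != yes ]; then
        echo "REJECT $user: account is locked and UsePAM is $pam"
    else
        echo "PASS $user: shadow=$state UsePAM=$pam"
    fi
}

# sshd settings quoted in the report; the shadow lines are constructed samples.
REPORT_CONF='PubkeyAuthentication yes
PasswordAuthentication no
UsePAM no'
LOCKED_LINE='nx:!:14322:0:99999:7:::'
STARRED_LINE='nx:*:14322:0:99999:7:::'

pubkey_verdict "$LOCKED_LINE" "$REPORT_CONF"
pubkey_verdict "$STARRED_LINE" "$REPORT_CONF"
pubkey_verdict "$LOCKED_LINE" 'UsePAM yes'
```

On a live system the first argument would come from `getent shadow nx` (run as root) and the second from the contents of sshd_config.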
nxserver-freenx-0.7.3_p104 is in portage now, updated as detailed in the previous comment.

Thanks for the report and suggestions!