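# Handle the incoming configuration files:
#######################################
# Slackware-style ".new" handling. For every path in $1: if no config of
# that name is installed yet, the shipped .new copy becomes the live one;
# if the installed copy is byte-identical, the redundant .new is removed;
# otherwise the .new file is left beside the installed config for the
# admin to merge by hand (a package upgrade never clobbers a local edit).
# Arguments: $1 - whitespace-separated list of *.new paths, relative to
#                 the package root the script is run from
# Returns:   exit status of the last command run in the loop
#######################################
config() {
  local infile new old
  # $1 is deliberately unquoted: callers may pass several paths in one word.
  # shellcheck disable=SC2086
  for infile in $1; do
    new=$infile
    old="$(dirname -- "$new")/$(basename -- "$new" .new)"
    if [ ! -r "$old" ]; then
      # Nothing installed under that name yet: move the shipped copy over.
      mv -- "$new" "$old"
    elif [ "$(md5sum < "$old")" = "$(md5sum < "$new")" ]; then
      # Same content as the installed file: toss the redundant copy.
      rm -- "$new"
    fi
    # Otherwise the .new copy stays for the admin to consider.
  done
}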
# Shipped config files that get the ".new" treatment above, one call each.
for shipped_cfg in \
  etc/nxserver/node.conf.new \
  etc/rc.d/rc.freenx.new \
  etc/logrotate.d/freenx-server.new; do
  config "$shipped_cfg"
done
# Dream up a random password hash - it will look like an actual password hash
# in /etc/shadow but in fact no cleartext password will correspond to it.
# The value is derived from the current time, so it is not secret; that is
# acceptable only because it is never a valid crypt string (see the usermod
# call below), not because it is hard to guess.
RANDPW=$(date +%s | md5sum | head -c 32)
# Everything below runs inside the package root via chroot. The heredoc
# delimiter is unquoted, so $RANDPW is expanded by this shell while the
# \$-escaped names are left for the chrooted shell to expand. All stderr of
# the chrooted script is discarded by 2>/dev/null, so a failing useradd,
# ssh-keygen or mv below goes unreported; when debugging a broken install,
# drop that redirection to see the errors.
chroot . <<EOCR 2>/dev/null
# Pull the NX_* paths out of nxloadconfig. This assumes each setting is a
# single NAME=value line with no spaces, since the grep output is exported
# as-is.
export \$(grep ^NX_DIR usr/bin/nxloadconfig)
export \$(grep ^NX_HOME_DIR usr/bin/nxloadconfig)
export \$(grep ^NX_SESS_DIR usr/bin/nxloadconfig)
export \$(grep ^NX_ETC_DIR usr/bin/nxloadconfig)
export \$(grep ^NX_LOGFILE usr/bin/nxloadconfig)
export \$(grep ^SSH_AUTHORIZED_KEYS usr/bin/nxloadconfig)
# Advisory checks only: none of these warnings stop the install.
if ! /sbin/pidof sshd >/dev/null ; then
echo ""
echo "WARNING: The SSH daemon is not running, but without SSH, NX will not work."
fi
if ! which nc 1>/dev/null 2>/dev/null ; then
echo ""
echo "WARNING: FreeNX needs the 'netcat' program to be installed."
fi
if ! which expect 1>/dev/null 2>/dev/null ; then
echo ""
echo "WARNING: FreeNX needs the 'expect' program to be installed."
fi
# Make sure the password store and the log file exist and are owner-only
# (chmod 600); the glob also catches passwords.orig.
touch \${NX_ETC_DIR}/passwords \${NX_ETC_DIR}/passwords.orig \${NX_LOGFILE}
chmod 600 \${NX_ETC_DIR}/pass* \${NX_LOGFILE}
# Generate users.id_dsa only when it is absent, so an existing key survives
# upgrades.
if [ ! -e \${NX_ETC_DIR}/users.id_dsa ]; then
ssh-keygen -f \${NX_ETC_DIR}/users.id_dsa -t dsa -N "" > /dev/null 2>&1
fi
if ! getent passwd | egrep -q "^nx:"; then
# Create the 'nx' account:
# Its login shell is nxserver itself rather than a general-purpose shell.
useradd -m -d \${NX_HOME_DIR} -s /usr/bin/nxserver nx
# The password field becomes '\$1\$' followed by 32 hex chars, which is not
# a complete crypt string, so no cleartext password can ever match it.
# passwd -u then makes sure the account is not left in the locked state.
usermod -p "\\\$1\\\$$RANDPW" nx 1>/dev/null
passwd -u nx 1>/dev/null
mkdir -p \${NX_HOME_DIR}/.ssh
chmod 700 \${NX_HOME_DIR}/.ssh
fi
if [ -e \${NX_HOME_DIR}/.ssh/client.id_dsa.key ] && \
[ -e \${NX_HOME_DIR}/.ssh/server.id_dsa.pub.key ]; then
# There is a pre-existing NX installation. We use the ~nx/.ssh files.
echo "Copying existing nx ssh keys to \${NX_ETC_DIR} ."
cp -af \${NX_HOME_DIR}/.ssh/client.id_dsa.key \
\${NX_ETC_DIR}/client.id_dsa.key
cp -af \${NX_HOME_DIR}/.ssh/server.id_dsa.pub.key \
\${NX_ETC_DIR}/server.id_dsa.pub.key
fi
if [ ! -e \${NX_ETC_DIR}/client.id_dsa.key ] || \
[ ! -e \${NX_ETC_DIR}/server.id_dsa.pub.key ]; then
# We are going to create a new SSH key for the FreeNX server.
# The NX client must import this key into it's configuration to be able to
# connect to the FreeNX server.
# If you're security minded, use this key exclusively, and remove the
# NoMachine key from ${NX_HOME_DIR}/.ssh/authorized_keys.
echo "Creating a new SSH key for the FreeNX server."
rm -f \${NX_ETC_DIR}/client.id_dsa.key
rm -f \${NX_ETC_DIR}/server.id_dsa.pub.key
# NOTE(review): these are DSA keys. OpenSSH 7.0 and later disable ssh-dss
# keys by default, so on a current sshd they are rejected unless the admin
# re-enables that algorithm (PubkeyAcceptedKeyTypes / PubkeyAcceptedAlgorithms
# depending on the OpenSSH version) - confirm against the target system.
ssh-keygen -q -t dsa -N '' -f \${NX_ETC_DIR}/local.id_dsa
mv \${NX_ETC_DIR}/local.id_dsa \${NX_ETC_DIR}/client.id_dsa.key
mv \${NX_ETC_DIR}/local.id_dsa.pub \${NX_ETC_DIR}/server.id_dsa.pub.key
# Put our fresh key files in place.
cp -f \${NX_ETC_DIR}/client.id_dsa.key \
\${NX_HOME_DIR}/.ssh/client.id_dsa.key
cp -f \${NX_ETC_DIR}/server.id_dsa.pub.key \
\${NX_HOME_DIR}/.ssh/server.id_dsa.pub.key
chmod 600 \
\${NX_ETC_DIR}/client.id_dsa.key \
\${NX_ETC_DIR}/server.id_dsa.pub.key \
\${NX_HOME_DIR}/.ssh/client.id_dsa.key \
\${NX_HOME_DIR}/.ssh/server.id_dsa.pub.key
# Every authorized_keys entry written here carries a forced command and
# turns off port, X11 and agent forwarding, so sshd runs nxserver for the
# key holder instead of whatever command the client asked for. Those
# options are the only sshd-level restriction on the nx account - keep
# them if this file is ever edited by hand.
echo -n "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command=\"/usr/bin/nxserver\" "\
> \${NX_HOME_DIR}/.ssh/authorized_keys
cat \${NX_HOME_DIR}/.ssh/server.id_dsa.pub.key \
>> \${NX_HOME_DIR}/.ssh/authorized_keys
chmod 640 \${NX_HOME_DIR}/.ssh/authorized_keys
# Pin this host's own RSA host key for 127.0.0.1 in the nx user's
# known_hosts, so the loopback connection is trusted without a prompt.
echo -n "127.0.0.1 " > \${NX_HOME_DIR}/.ssh/known_hosts
cat etc/ssh/ssh_host_rsa_key.pub >> \${NX_HOME_DIR}/.ssh/known_hosts
# Add the Nomachine pubkey to ${NX_HOME_DIR}/.ssh/authorized_keys
# This way, any NX client can connect to our FreeNX server without
# having to import our own FreeNX private key.
# If you want an "out-of-the-box" experience, leave the NoMachine key in
# ${NX_HOME_DIR}/.ssh/authorized_keys. If you're paranoid, remove
# this pubkey and accept only clients who have our custom FreeNX key.
# In other words: the private half of this key is shipped with every NX
# client, so with it in place anyone running an NX client can authenticate
# to sshd as the nx user; the forced-command options on the entry are what
# limit that session. Treat removing it as the hardened configuration.
cat <<_EOT_ >> \${NX_HOME_DIR}/.ssh/authorized_keys
no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/bin/nxserver" ssh-dss AAAAB3NzaC1kc3MAAACBAJe/0DNBePG9dYLWq7cJ0SqyRf1iiZN/IbzrmBvgPTZnBa5FT/0Lcj39sRYt1paAlhchwUmwwIiSZaON5JnJOZ6jKkjWIuJ9MdTGfdvtY1aLwDMpxUVoGwEaKWOyin02IPWYSkDQb6cceuG9NfPulS9iuytdx0zIzqvGqfvudtufAAAAFQCwosRXR2QA8OSgFWSO6+kGrRJKiwAAAIEAjgvVNAYWSrnFD+cghyJbyx60AAjKtxZ0r/Pn9k94Qt2rvQoMnGgt/zU0v/y4hzg+g3JNEmO1PdHh/wDPVOxlZ6Hb5F4IQnENaAZ9uTZiFGqhBO1c8Wwjiq/MFZy3jZaidarLJvVs8EeT4mZcWxwm7nIVD4lRU2wQ2lj4aTPcepMAAACANlgcCuA4wrC+3Cic9CFkqiwO/Rn1vk8dvGuEQqFJ6f6LVfPfRTfaQU7TGVLk2CzY4dasrwxJ1f6FsT8DHTNGnxELPKRuLstGrFY/PR7KeafeFZDf+fJ3mbX5nxrld3wi5titTnX+8s4IKv29HJguPvOK/SI7cjzA+SqNfD7qEo8= root@nettuno
_EOT_
fi # end "no pre-existing NX ssh keys"
# Migrate session state from the old var/lib/nxserver location. An empty
# source directory leaves the glob unexpanded and the mv fails, which the
# 2>/dev/null on the chroot call hides.
if [ -e var/lib/nxserver/running ]; then
mv var/lib/nxserver/running/* \${NX_SESS_DIR}/running
mv var/lib/nxserver/closed/* \${NX_SESS_DIR}/closed
mv var/lib/nxserver/failed/* \${NX_SESS_DIR}/failed
rm -rf var/lib/nxserver/running
rm -rf var/lib/nxserver/closed
rm -rf var/lib/nxserver/failed
fi
# Hand all NX state, keys and the log file to the nx user.
chown -R nx:root var/lib/nxserver
chown -R nx:root \${NX_SESS_DIR}
chown -R nx:root \${NX_ETC_DIR}
chown -R nx:root \${NX_HOME_DIR}
chown nx:root \${NX_LOGFILE}
EOCR