Please add support for usermode authentication

[GoogleCodeExporter]

It would be really spiffy if you could add support for usermode
authentication like freenx has, where the shared nx account is not required.

I'd like to try something cleaner on the backend like neatx, however this
is the one feature that is required in our environment.

Original issue reported on code.google.com by nick%2th...@gtempaccount.com on 1 Aug 2009 at 5:02

[GoogleCodeExporter]

This is already supported. Tell your nxclient to run nxserver-login-wrapper on 
the
server.

Original comment by kormat on 1 Aug 2009 at 5:08

[GoogleCodeExporter]

I tested it but found one issue.  It seems that you still need to issue a 
"login"
command without credentials, even though you are technically already logged in. 
 Can
this requirement be removed?  The clients we are using do not have the ability 
to
send the login which is required.  I will hack at the code myself to see if I 
can get
it working for me, but it would be nice if trunk was updated to support these 
types
of clients.  It would be ideal if the "login" command wasn't required, but was
accepted (no error) to support usermode clients that may do either (not sure 
which
ones you have tested, we are only using a modified version of the closed source 
client).

Right now I got it working by doing this:

# cat /usr/bin/nxserver 
#!/bin/bash

echo login > /tmp/test
cat /tmp/test - | /usr/lib/neatx/nxserver-login-wrapper

Where the nx client is calling "nxserver" in the path.  This works but is a 
complete
hack, just to see if I could get it working at all.

Original comment by nick%2th...@gtempaccount.com on 12 Aug 2009 at 9:14

[GoogleCodeExporter]

Ah. The tricky bit is knowing when the client has finished with the preamble. 
Can you
tell me what commands the client sends up to listsession? Right now, all 
pre-login
commands are handled by nxserver-login. All post-login commands are handled by
nxserver. The standard commercial client sends login when it's transitioning 
between
those two states, and hence we know when to switch ourselves.

Original comment by kormat on 23 Aug 2009 at 4:20

[GoogleCodeExporter]

Essentially the client is a slightly modified version of the NX closed source 
client,
which intercepts the "login" command to get the username so the credentials can 
be
used to login via ssh.  So the behavior is the same as the NX closed source 
client,
with everything up to and including the password missing from the request.  I'll
attach the source of the modifications so you can see the details if necessary. 
 I
believe this was contributed back to the freenx team (along with some other 
patches
to the server side that got included in 0.7.3), however I'm not sure this 
specific
mod ever made it into the freenx distribution.

This was done due to the fact that decent clients with nx usermode auth didn't 
exist
when we did our initial deployment.  Are you aware of any at this time that 
function
well with the way neatx currently does usermode auth?  A possibility for us 
would be
to swap out all the clients with a different version, however it would be an 
extreme
pain due to the fact that hundreds of clients (not all centrally managed) would 
need
to be updated.

Original comment by nick%2th...@gtempaccount.com on 24 Aug 2009 at 3:44

Attachments:

• nxssh-usermode-2007-12-29.tar.bz2

[GoogleCodeExporter]

Ok, given that you are dealing with a known environment (in particular, a known
client etc), it should be easy to make a local modification to neatx to support 
this.
Can you post the session log from the server (/var/log/user.log) of a connection
attempt, up to where nxclient sends listsession (assuming it gets that far)?

Original comment by kormat on 30 Aug 2009 at 12:55

[GoogleCodeExporter]

Here is what happens in /var/log/user.log in a connection attempt (where
/usr/bin/nxserver is symlinked to /usr/lib/neatx/nxserver-login-wrapper, and
"nxserver" is what the client is calling):

Aug 30 08:34:00 moo nxserver[23476]: Started
Aug 30 08:34:00 moo nxserver-login[23485]: DEBUG protocol:172 >>> 'HELLO 
NXSERVER -
Version 3.3.0 - GPL\n'
Aug 30 08:34:00 moo nxserver-login[23485]: DEBUG protocol:172 >>> 'NX> 105 '
Aug 30 08:35:00 moo nxserver-login[23485]: DEBUG protocol:227 <<< ''
Aug 30 08:35:00 moo nxserver-login[23485]: DEBUG protocol:172 >>> 'NX> 999 
Bye.\n'
Aug 30 08:35:00 moo nxserver-login[23485]: ERROR cli:68 Caught exception
Aug 30 08:35:00 moo nxserver-login[23485]: Traceback (most recent call last):
Aug 30 08:35:00 moo nxserver-login[23485]:   File
"/usr/lib/python2.6/dist-packages/neatx/cli.py", line 62, in Main
Aug 30 08:35:00 moo nxserver-login[23485]:     self.Run()
Aug 30 08:35:00 moo nxserver-login[23485]:   File
"/usr/lib/python2.6/dist-packages/neatx/app/nxserver_login.py", line 289, in Run
Aug 30 08:35:00 moo nxserver-login[23485]:     LoginServer(self.cfg).Start()
Aug 30 08:35:00 moo nxserver-login[23485]:   File
"/usr/lib/python2.6/dist-packages/neatx/protocol.py", line 156, in Start
Aug 30 08:35:00 moo nxserver-login[23485]:     self.Write(999, "Bye.")
Aug 30 08:35:00 moo nxserver-login[23485]:   File
"/usr/lib/python2.6/dist-packages/neatx/protocol.py", line 204, in Write
Aug 30 08:35:00 moo nxserver-login[23485]:     self._Write(prompt)
Aug 30 08:35:00 moo nxserver-login[23485]:   File
"/usr/lib/python2.6/dist-packages/neatx/protocol.py", line 176, in _Write
Aug 30 08:35:00 moo nxserver-login[23485]:     self._output.flush()
Aug 30 08:35:00 moo nxserver-login[23485]: IOError: [Errno 32] Broken pipe
Aug 30 08:35:00 moo nxserver[23476]: EOF on stderr, exiting

I believe the client may be waiting for the server to send "NX> 103 Welcome to: 
...",
which never happens.

Original comment by nick%2th...@gtempaccount.com on 30 Aug 2009 at 3:42

[GoogleCodeExporter]

Ok, that's simple to fix. I'm attaching a patch which should do the job.

Original comment by kormat on 8 Sep 2009 at 5:35

• Changed state: Started

Attachments:

• issue20.patch

[GoogleCodeExporter]

Yup that works!  Can that patch be added to trunk?

Also in trying the patch I found out another small issue.  I see that when I 
have an
ssh key already configured, nxssh doesn't use the password on stdin and instead
passes it to the server as a command.  When using freenx, bad commands were 
ignored.
 However in neatx invalid commands generate an error, e.g. "undefined command
'my-password'".  I believe I can update the clients to fix this, but I was also
wondering if there was an easy way to make neatx ignore invalid commands 
instead of
erroring.  I realize the proper thing is to error, it's just biting me in this 
case...

Original comment by nick%2th...@gtempaccount.com on 9 Sep 2009 at 12:38

[GoogleCodeExporter]

The problem with adding that patch to trunk is that it will break things for 
everyone
who is using the standard NoMachine nxclient. In theory, it could be made
configurable, but given it's very limited applicability, i'm reluctant to 
introduce
it into svn.

Re: error reporting, probably commenting out
http://code.google.com/p/neatx/source/browse/trunk/neatx/lib/app/nxserver.py#215
would fix that, though i haven't tried it.

Original comment by kormat on 14 Sep 2009 at 5:22

[GoogleCodeExporter]

Are there any complete (non-hacked) clients that support usermode 
authentication with neatx without this patch?  If not, could we get a 
configurable version of this change checked-in?  It is a pain to keep having to 
patch all of these machines managed by different people because the fix isn't 
upstream in neatx.  Freenx worked fine with usermode authentication after a 
simple configuration change, but we have mostly dumped freenx for neatx because 
neatx seems to be more reliable.

Original comment by nick%2th...@gtempaccount.com on 22 Dec 2010 at 5:59