[Pkg-nx-commits] r21 - in freenx/trunk: . debian
Stefan Lippers-Hollmann
slh-guest at costa.debian.org
Thu Jul 28 11:31:24 UTC 2005
Author: slh-guest
Date: 2005-07-28 11:31:23 +0000 (Thu, 28 Jul 2005)
New Revision: 21
Modified:
freenx/trunk/ChangeLog
freenx/trunk/debian/changelog
freenx/trunk/gentoo-nomachine.diff
freenx/trunk/node.conf.sample
freenx/trunk/nxloadconfig
freenx/trunk/nxnode
freenx/trunk/nxnode-login
freenx/trunk/nxserver
Log:
switch to 0.4.3 upstream version.
Modified: freenx/trunk/ChangeLog
===================================================================
--- freenx/trunk/ChangeLog 2005-07-28 11:24:24 UTC (rev 20)
+++ freenx/trunk/ChangeLog 2005-07-28 11:31:23 UTC (rev 21)
@@ -1,3 +1,22 @@
+28.07.2005 FreeNX 0.4.3 "NoMachine 1.5.0 Edition"
+ * Fixed reconnection problems with !M 1.5.0 client.
+ * Fixed reconnection problems with !M 1.5.0 backend.
+ * Added evaluation of $NX_ETC_DIR/node.conf.d/* config files.
+ * Fixed a possible security problem. (The client was able
+ to overwrite parameters set by the server)
+ * Added ENABLE_1_5_0_BACKEND configuration directive:
+ * Added support for fake cookie authentication with
+ !M 1.5.0 client and 1.5.0 backend.
+ * Fixed nxagent termination problems with !M 1.5.0
+ backend.
+ * Added RDP highcolor support for !M 1.5.0 client
+ with !M 1.5.0 backend.
+ * Added secure logging - Passwords are no longer shown in log files.
+ * Security: Certain passwords for VNC/RDP could have been visible via
+ `ps aux`.
+ * Added experimental usermode authentication scheme.
+ (Disabled by default)
+
16.07.2005 FreeNX 0.4.2 "Solaris / Bugfix / Linux Infotag Pforzheim Edition"
* Removed forwarding support via "freenx.<user>", because it was
buggy.
Modified: freenx/trunk/debian/changelog
===================================================================
--- freenx/trunk/debian/changelog 2005-07-28 11:24:24 UTC (rev 20)
+++ freenx/trunk/debian/changelog 2005-07-28 11:31:23 UTC (rev 21)
@@ -1,3 +1,10 @@
+freenx (0.4.3-1) UNRELEASED; urgency=low
+
+ * (NOT RELEASED YET) New upstream release
+ * remove previously backported upstream patches.
+
+ -- Stefan Lippers-Hollmann <s.l-h at gmx.de> Thu, 28 Jul 2005 13:24:06 +0200
+
freenx (0.4.2-0) UNRELEASED; urgency=low
* new upstream version.
Modified: freenx/trunk/gentoo-nomachine.diff
===================================================================
--- freenx/trunk/gentoo-nomachine.diff 2005-07-28 11:24:24 UTC (rev 20)
+++ freenx/trunk/gentoo-nomachine.diff 2005-07-28 11:31:23 UTC (rev 21)
@@ -15,5 +15,5 @@
+NX_SESS_DIR=$NX_DIR/var/db
+NX_HOME_DIR=$NX_DIR/home/nx
- # the name of the authorized keys file for ssh
- SSH_AUTHORIZED_KEYS="authorized_keys2"
+ # Advanced users ONLY
+ AGENT_LIBRARY_PATH="" #Calculated
Modified: freenx/trunk/node.conf.sample
===================================================================
--- freenx/trunk/node.conf.sample 2005-07-28 11:24:24 UTC (rev 20)
+++ freenx/trunk/node.conf.sample 2005-07-28 11:31:23 UTC (rev 21)
@@ -37,7 +37,7 @@
#
# https://mail.kde.org/mailman/listinfo/freenx-knx
#
-# CVS: $Id: node.conf.sample,v 1.29 2005/07/05 21:42:57 fabianx Exp $
+# CVS: $Id: node.conf.sample,v 1.32 2005/07/27 16:10:41 fabianx Exp $
#########################################################################
# General FreeNX directives
@@ -56,6 +56,13 @@
#########################################################################
# Authentication directives
+
+# This adds the usermode to the possible authentication methods
+# Usermode means that a user can start the nxserver as his shell
+# and connect directly to the right server via a custom client.
+
+#ENABLE_USERMODE_AUTHENTICATION="0"
+
# This adds the passdb to the possible authentication methods
#ENABLE_PASSDB_AUTHENTICATION="1"
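Review bot: The new comment block for `ENABLE_USERMODE_AUTHENTICATION` does not tell the administrator that nxserver then treats the login as already successful and skips its own credential check. The nxserver hunk in this commit sets `LOGIN_SUCCESS="1"` ahead of the passdb test on `"$LOGIN_SUCCESS" = "0"`; the other methods are outside the visible hunks, so skipping them too is inferred. I would add a line such as `# nxserver then trusts the calling Unix account and asks for no NX credentials; enable only where every account that can run nxserver is already authenticated (e.g. by sshd).`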
@@ -130,6 +137,9 @@
# 7: stderror of some applications
#NX_LOG_LEVEL=0
+# By setting this to 0 the nxserver might be a bit faster, but passwords can be found in the log files.
+#NX_LOG_SECURE=1
+
# Before turning logging on, please make sure that NX_LOGFILE is
# writeable for the "nx" user
#NX_LOGFILE=/var/log/nxserver.log
@@ -322,6 +332,10 @@
# When set to 1 will start nxagent in rootless mode.
#ENABLE_ROOTLESS_MODE="0"
+# When set to 1 enables fake cookie authentication, when a 1.5.0 client
+# connects.
+#ENABLE_1_5_0_BACKEND="0"
+
# If enabled writes entries via the COMMAND_SESSREG program
# into utmp/wtmp/lastlog database.
# Note: You have to make sure that you add the nx user to the
Modified: freenx/trunk/nxloadconfig
===================================================================
--- freenx/trunk/nxloadconfig 2005-07-28 11:24:24 UTC (rev 20)
+++ freenx/trunk/nxloadconfig 2005-07-28 11:31:23 UTC (rev 21)
@@ -5,7 +5,7 @@
#
# License: GPL, version 2
#
-# CVS: $Id: nxloadconfig,v 1.36 2005/07/16 15:45:36 fabianx Exp $
+# CVS: $Id: nxloadconfig,v 1.40 2005/07/27 16:10:41 fabianx Exp $
#
# ========================================================================
@@ -81,6 +81,7 @@
# Authentication / Security directives
+ENABLE_USERMODE_AUTHENTICATION="0"
ENABLE_PASSDB_AUTHENTICATION="1"
ENABLE_SSH_AUTHENTICATION="1"
ENABLE_SU_AUTHENTICATION="0"
@@ -104,6 +105,7 @@
# Logging directives
NX_LOG_LEVEL=0
+NX_LOG_SECURE=1
NX_LOGFILE=/var/log/nxserver.log
SESSION_LOG_CLEAN=1
SESSION_HISTORY=2592000
@@ -165,6 +167,7 @@
EXPORT_SESSIONID="0"
NODE_AUTOSTART=""
ENABLE_ROOTLESS_MODE="0"
+ENABLE_1_5_0_BACKEND="0"
ENABLE_USESSION="0"
COMMAND_SESSREG="sessreg"
AGENT_EXTRA_OPTIONS_RFB=""
@@ -212,6 +215,14 @@
# node.conf file evaluation
#########################################################################
+if [ -d $NX_ETC_DIR/node.conf.d ]
+then
+ for i in $NX_ETC_DIR/node.conf.d/*
+ do
+ [ -e $i ] && . $i
+ done
+fi
+
[ -e $NX_ETC_DIR/node.conf ] && . $NX_ETC_DIR/node.conf
[ "$USERCONF" = "yes" -a -e $NX_ETC_DIR/$USER.node.conf ] && . $NX_ETC_DIR/$USER.node.conf
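Review bot: The new loop sources every entry under `node.conf.d`, so editor backups, package-manager leftovers such as `*.dpkg-old`, and anything else written there run as shell code with the privileges of the process loading the config. The unquoted `$NX_ETC_DIR` and `$i` also break on paths containing whitespace. I would quote the expansions and source only regular files: `for i in "$NX_ETC_DIR"/node.conf.d/*` and `[ -f "$i" ] && . "$i"`. A comment above the loop should say that the directory must be writable by root only and that `node.conf` is read afterwards, so it overrides these files.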
Modified: freenx/trunk/nxnode
===================================================================
--- freenx/trunk/nxnode 2005-07-28 11:24:24 UTC (rev 20)
+++ freenx/trunk/nxnode 2005-07-28 11:31:23 UTC (rev 21)
@@ -13,7 +13,7 @@
#
# License: GNU GPL, version 2
#
-# CVS: $Id: nxnode,v 1.67 2005/07/16 15:45:37 fabianx Exp $
+# CVS: $Id: nxnode,v 1.72 2005/07/27 12:50:54 fabianx Exp $
#
# 21.06.2004: - Full reconnection support
@@ -493,10 +493,11 @@
# Session end
#
- if stringinstring "Info: End of session requested by " "$line" && [ "$RECONNECT" = "0" ]
+ if stringinstring "Info: End of session requested by " "$line" && [ "$RECONNECT" = "0" ] && ! stringinstring "'SIGHUP'" "$line"
then
echo "NX> 1009 Session status: terminating"
- kill $PROXY_PID 2>/dev/null
+ [ "$ENABLE_1_5_0_BACKEND" = "1" ] || kill $PROXY_PID 2>/dev/null
+ [ "$ENABLE_1_5_0_BACKEND" = "1" ] && kill -HUP $PROXY_PID 2>/dev/null
fi
TERM=""
@@ -629,6 +630,16 @@
agent_user=$(getparam agent_user)
agent_password=$(getparam agent_password)
+ if [ "$ENABLE_1_5_0_BACKEND" = "1" ]
+ then
+ rdpcolors=$(getparam rdpcolors)
+ rdpcache=$(getparam rdpcache)
+ else
+ unset rdpcolors rdpcache
+ fi
+
+ clientproto=$(getparam clientproto)
+
[ "$EXPORT_USERIP" = "1" ] && export NXUSERIP="$userip"
ssl_tunnel=$(getparam encryption)
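Review bot: `rdpcolors` and `rdpcache` come from `getparam` and are later written unchanged into the comma-separated options file (the `${rdpcolors:+,rdpcolors=$rdpcolors}` addition in the `@@ -670,7 +687,7 @@` hunk), so a value containing `,` or `:` would change how that line is parsed. `getparam` is defined outside this diff, so whether it already filters such characters is not visible. If it does not, restrict both values before use, assuming they are plain alphanumeric tokens: `case "$rdpcolors" in *[!0-9A-Za-z]*) unset rdpcolors ;; esac`, and the same for `rdpcache`. The enclosing function starts and ends outside the hunk.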
@@ -654,6 +665,12 @@
proxy_cookie=$(echo $[$RANDOM*$RANDOM] | md5sum | cut -d" " -f1)
+ if [ "$ENABLE_1_5_0_BACKEND" = "1" -a "$clientproto" = "1.5.0" ]
+ then
+ # enable fake cookie authentication
+ cookie=$proxy_cookie
+ fi
+
# write options file
[ -z "$samba" ] && samba=0
[ -z "$media" ] && media=0
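Review bot: With the new `cookie=$proxy_cookie` assignment, the session's authentication cookie becomes the MD5 of `$[$RANDOM*$RANDOM]` from the context line above. That input has under 30 bits of entropy because `$RANDOM` is a 15-bit value, and hashing adds none. Since this branch makes the value a credential for 1.5.0 clients, I would draw it from the kernel instead: `proxy_cookie=$(head -c 16 /dev/urandom | md5sum | cut -d" " -f1)`. How `cookie` is consumed is outside the hunk, so the exposure is inferred from the `# enable fake cookie authentication` comment.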
@@ -670,7 +687,7 @@
umask 0077
cat << EOF > $USER_FAKE_HOME/.nx/C-$sess_id/options
-${kbtype:+kbtype=$kbtype,}${CACHE}${IMAGES}${PACK}link=$link,type=$type,cleanup=0,${ACCEPT}cookie=$proxy_cookie,id=$sess_id,samba=$samba,media=$media${sync:+,sync=$sync}${cups:+,cups=$cups}:$display
+${kbtype:+kbtype=$kbtype,}${CACHE}${IMAGES}${PACK}link=$link,type=$type,cleanup=0,${ACCEPT}cookie=$proxy_cookie,id=$sess_id,samba=$samba,media=$media${sync:+,sync=$sync}${cups:+,cups=$cups}${rdpcolors:+,rdpcolors=$rdpcolors}${rdpcache:+,rdpcache=$rdpcache}:$display
EOF
umask $OLD_UMASK
#samba=$samba,
Modified: freenx/trunk/nxnode-login
===================================================================
--- freenx/trunk/nxnode-login 2005-07-28 11:24:24 UTC (rev 20)
+++ freenx/trunk/nxnode-login 2005-07-28 11:31:23 UTC (rev 21)
@@ -3,7 +3,7 @@
# Copyright (c) 2004 by Fabian Franz.
# License: GPL, version 2
#
-# CVS: $Id: nxnode-login,v 1.12 2005/03/21 13:00:21 jonno Exp $
+# CVS: $Id: nxnode-login,v 1.13 2005/07/27 14:34:59 fabianx Exp $
#
# Syntax: nxnode-login {ssh|su} user ssh-port executable command tosend
@@ -14,13 +14,14 @@
set executable [lindex $argv 3]
set command [lindex $argv 4]
set tosend [lindex $argv 5]
+catch {set tosend $env(NXNODE_TOSEND)}
set command_ssh "ssh"
catch {set command_ssh $env(COMMAND_SSH)}
expect_user -re "(.*)\n"
set password $expect_out(1,string)
-set stty_init "raw icrnl"
+set stty_init "raw icrnl -echo"
if { "$auth_method"=="ssh" } {
set pid [spawn -noecho $command_ssh -2 -x -l "$user" "127.0.0.1" -o "NumberOfPasswordPrompts 1" -p "$port" "$executable $command" ]
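Review bot: `NXNODE_TOSEND` stays in the environment after it is copied into `tosend`, so the `spawn`ed ssh process inherits it; the su branch is outside the hunk and presumably does the same. Dropping the variable right after the read keeps it out of the children: add `catch {unset env(NXNODE_TOSEND)}` on the line after `catch {set tosend $env(NXNODE_TOSEND)}`. A short comment should explain that the environment is used instead of argv so the value does not appear in process listings, and that argument 5 remains only as a fallback.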
Modified: freenx/trunk/nxserver
===================================================================
--- freenx/trunk/nxserver 2005-07-28 11:24:24 UTC (rev 20)
+++ freenx/trunk/nxserver 2005-07-28 11:31:23 UTC (rev 21)
@@ -11,7 +11,7 @@
#
# License: GNU GPL, version 2
#
-# CVS: $Id: nxserver,v 1.64 2005/07/16 15:45:37 fabianx Exp $
+# CVS: $Id: nxserver,v 1.69 2005/07/27 16:10:41 fabianx Exp $
#
# Read the config file
@@ -223,7 +223,7 @@
echo "------- ---------------- -------------------------------- -------- ----- -------------- --------- ----------------------" >> $TMPFILE
else
echo "Display Type Session ID Options Depth Screen Status Session Name" >> $TMPFILE
- echo " ------- ---------------- -------------------------------- -------- ----- -------------- ----------- ------------------------------" >> $TMPFILE
+ echo "------- ---------------- -------------------------------- -------- ----- -------------- ----------- ------------------------------" >> $TMPFILE
fi
for i in $NX_SESS_DIR/running/*
do
@@ -249,7 +249,7 @@
then
available="Yes"
fi
- echo -e "$(getparam display)\t$(getparam type)\t$(getparam sessionId)\t$options\t$depth\t$geom\t$available\t$(getparam sessionName)" >> $TMPFILE
+ printf "%-7s %-16s %32s %8s %5s %-14s %-11s %s" "$(getparam display)" "$(getparam type)" "$(getparam sessionId)" "$options" "$depth" "$geom" "$available" "$(getparam sessionName)" >> $TMPFILE
fi
egrep -q "^userName=$1$" $i && let SESSION_COUNT_USER=$SESSION_COUNT_USER+1
done
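Review bot: The `printf` that replaces `echo -e` has no `\n` at the end of its format string, so each session row is appended to `$TMPFILE` without a line terminator and consecutive rows run together. End the format with a newline: `"%-7s %-16s %32s %8s %5s %-14s %-11s %s\n"`. The `%32s`, `%8s` and `%5s` fields are right-aligned while the rest are left-aligned; if that is not intended, use `%-32s`, `%-8s` and `%-5s`. The enclosing function starts and ends outside the hunk.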
@@ -387,9 +387,24 @@
# Main nxserver <-> nxclient communication module
#
-if [ $USER = "nxfree" -o "$USER" = "nx" ]
+if [ $USER = "nxfree" -o "$USER" = "nx" -o "$ENABLE_USERMODE_AUTHENTICATION" = "1" ]
then
+setup_usermode_auth()
+{
+
+ [ $USER = "nxfree" -o "$USER" = "nx" ] && ENABLE_USERMODE_AUTHENTICATION="0"
+
+ if [ "$ENABLE_USERMODE_AUTHENTICATION" = "1" ]
+ then
+ export NX_SESS_DIR="$USER_FAKE_HOME/.nx/db/"
+ export NX_LOGFILE="$USER_FAKE_HOME/.nx/temp/nxserver.log"
+ mkdir -p $NX_SESS_DIR/{closed,running,failed}
+ fi
+}
+
+setup_usermode_auth
+
# Loglevels:
# 1: Errors
# 2: Warnings
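Review bot: `setup_usermode_auth` tests `$USER` unquoted, so with an empty or unset `USER` the `[` command fails with a syntax error and `ENABLE_USERMODE_AUTHENTICATION` is left at `1` instead of being cleared. The `if` line above the function has the same unquoted test. The function also creates the per-user session directories with the caller's umask and does not create the `temp` directory that the new `NX_LOGFILE` path points into. I would write `[ "$USER" = "nxfree" -o "$USER" = "nx" ] && ENABLE_USERMODE_AUTHENTICATION="0"` and `( umask 077; mkdir -p "$NX_SESS_DIR"/{closed,running,failed} "$USER_FAKE_HOME/.nx/temp" )`.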
@@ -404,6 +419,18 @@
[ "$NX_LOG_LEVEL" -ge "$1" -a -w "$NX_LOGFILE" ] && shift && echo "$@" >> "$NX_LOGFILE"
}
+# Log in a way that is secure for passwords / cookies / ...
+
+log_secure()
+{
+ if [ "$NX_LOG_SECURE" = "0" ]
+ then
+ log "$@"
+ else
+ [ "$NX_LOG_LEVEL" -ge "$1" -a -w "$NX_LOGFILE" ] && shift && echo "$@ " | perl -pi -e 's/--cookie=".+?"/--cookie="******"/g; s/--agent_password=".+?"/agent_password="******"/g; s/--password=".+?"/password="******"/g; s/cookie=.+?&/cookie=******&/g; s/agent_password=.+?&/agent_password=******&/g; s/password=.+?&/password=******&/g;' >> "$NX_LOGFILE"
+ fi
+}
+
log_tee()
{
[ "$NX_LOG_LEVEL" -ge "4" -a -w "$NX_LOGFILE" ] && exec tee -a "$NX_LOGFILE"
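Review bot: `log_secure` masks the `key=value` forms only when a `&` follows the value, so a cookie or password that is the last parameter of the string is written to the log unmasked. The `FULL_PARAMS` reordering later in this commit guarantees the trailing `&` at that call site, but nothing enforces it for other callers. Replacing the three `&`-terminated substitutions with `s/(cookie|password)=[^&"\s]+/$1=******/g` removes that dependency and still leaves the already-masked quoted form alone. The `--agent_password=` and `--password=` replacements also drop the leading `--` while the `--cookie=` one keeps it. A function comment listing the masked field names would show what can still reach the log.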
@@ -496,6 +523,14 @@
echo_x ""
log 6 -n "Info: Auth method: "
+ # USER already logged in?
+ if [ "$ENABLE_USERMODE_AUTHENTICATION" = "1" ]
+ then
+ LOGIN_SUCCESS="1"
+ LOGIN_METHOD="USERMODE"
+ USER=$(whoami)
+ fi
+
# PASSDB based auth
if [ "$ENABLE_PASSDB_AUTHENTICATION" = "1" -a "$LOGIN_SUCCESS" = "0" ]
then
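Review bot: The usermode branch sets `LOGIN_SUCCESS="1"` on the strength of `ENABLE_USERMODE_AUTHENTICATION` alone, so the shared `nx` account is protected only by `setup_usermode_auth` having cleared the flag earlier. Re-checking the account here makes the branch safe on its own: `if [ "$ENABLE_USERMODE_AUTHENTICATION" = "1" -a "$(whoami)" != "nx" -a "$(whoami)" != "nxfree" ]`. Nothing is appended to the `Info: Auth method:` log line for this method. Adding `log 6 "usermode "` would keep the audit trail complete, with the wording matched to the other methods, which are outside the hunk.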
@@ -544,6 +579,8 @@
then
# Reread the config files (so that $USER.node.conf get sourced)
. $(PATH=$(cd $(dirname $0) && pwd):$PATH which nxloadconfig) --userconf
+ setup_usermode_auth
+
echo_x "NX> 103 Welcome to: $SERVER_NAME user: $USER"
break
else
@@ -595,11 +632,14 @@
if [ "$LOGIN_METHOD" = "SSH" ]
then
export COMMAND_SSH
- echo "$PASS" | $PATH_BIN/nxnode-login -- ssh "$USER" "$SSHD_PORT" "$PATH_BIN/nxnode" "$CMD" "$@" 2>&1 | log_tee
+ echo "$PASS" | NXNODE_TOSEND="$@" $PATH_BIN/nxnode-login -- ssh "$USER" "$SSHD_PORT" "$PATH_BIN/nxnode" "$CMD" 2>&1 | log_tee
elif [ "$LOGIN_METHOD" = "SU" ]
then
- echo "$PASS" | $PATH_BIN/nxnode-login -- su "$USER" "" "$PATH_BIN/nxnode" "$CMD" "$@" 2>&1 | log_tee
- else
+ echo "$PASS" | NXNODE_TOSEND="$@" $PATH_BIN/nxnode-login -- su "$USER" "" "$PATH_BIN/nxnode" "$CMD" 2>&1 | log_tee
+ elif [ "$LOGIN_METHOD" = "USERMODE" ]
+ then
+ echo "$@" | $PATH_BIN/nxnode "$CMD" 2>&1 | log_tee
+ else
echo "$@" | $COMMAND_SSH -l "$USER" 127.0.0.1 -p $SSHD_PORT -x -2 -i $NX_ETC_DIR/users.id_dsa -o 'PubkeyAuthentication yes' -o 'RSAAuthentication yes' -o 'RhostsAuthentication no' -o 'PasswordAuthentication no' -o 'RhostsRSAAuthentication no' -o 'StrictHostKeyChecking no' $PATH_BIN/nxnode "$CMD" | log_tee
fi
}
@@ -722,6 +762,7 @@
server_get_params $CMD
PARAMS=$SERVER_PARAMS
+ PARAMS="$PARAMS&clientproto=$PROTO"
CMDLINE=$PARAMS
echo_x
@@ -808,8 +849,8 @@
fi
uniqueid=$(echo $[$RANDOM*$RANDOM] | md5sum | cut -d" " -f1 | tr "[a-z]" "[A-Z]")
- FULL_PARAMS="user=$USER&userip=$USERIP&uniqueid=$uniqueid&display=$SESS_DISPLAY&$PARAMS"
- log 6 "$FULL_PARAMS"
+ FULL_PARAMS="$PARAMS&user=$USER&userip=$USERIP&uniqueid=$uniqueid&display=$SESS_DISPLAY"
+ log_secure "6" "$FULL_PARAMS"
# now update the session listing
CMDLINE="a=b&$FULL_PARAMS"
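Review bot: Moving `$PARAMS` in front of the server-set `user`, `userip`, `uniqueid` and `display` fields protects them only if `getparam` resolves a duplicated key to its last occurrence. `getparam` is defined outside this diff, so that is an assumption the code does not state. I would record the invariant next to the assignment: `# server-owned keys go after $PARAMS so they win over client-supplied duplicates (getparam must return the last match)`. The same comment belongs at the second `FULL_PARAMS` assignment in the `@@ -820,7 +861,7 @@` hunk. Rejecting client parameters that use those key names before concatenation would not depend on ordering at all.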
@@ -820,7 +861,7 @@
session_change "$uniqueid" "foreignAddress" "$USERIP"
CMDLINE=$(session_get "$uniqueid")
- FULL_PARAMS="user=$USER&userip=$(getparam foreignAddress)&uniqueid=$uniqueid&display=$(getparam display)$PARAMS"
+ FULL_PARAMS="$PARAMS&user=$USER&userip=$(getparam foreignAddress)&uniqueid=$uniqueid&display=$(getparam display)"
SESS_DISPLAY=$(getparam display)
fi
@@ -853,7 +894,19 @@
read CMD 2>/dev/null
# FIXME?
[ "$CMD" = "" ] && CMD="quit"
- echo_x "$CMD"
+
+ echo "$CMD"
+
+ # Logging
+ case "$CMD" in
+ startsession*|restoresession*|addmount*|addprinter*)
+ log_secure "4" "$CMD"
+ ;;
+ *)
+ log "4" "$CMD"
+ ;;
+ esac
+
case "$CMD" in
quit|QUIT)
echo_x "Quit"
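Review bot: Only four command prefixes are routed through `log_secure`; every other client command goes to plain `log`, so a command added later, or an existing one that carries a credential, is logged unmasked by default. Since `log_secure` already falls back to `log` when `NX_LOG_SECURE` is `0`, the logging `case` can be replaced by a single `log_secure "4" "$CMD"`. `echo "$CMD"` also treats a client-supplied leading `-n` or `-e` as an option, whereas `printf '%s\n' "$CMD"` prints the line as received. The enclosing loop continues outside the hunk.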
@@ -895,6 +948,9 @@
# disabled due to problems with 1.4.0-5 client
#session_list_user_suspended "$USER" 'Suspended$|^status=Running$' "$(getparam geometry)" "$(getparam type)" | log_tee
session_list_user_suspended "$USER" 'Suspended' "$(getparam geometry)" "$(getparam type)" | log_tee
+ elif [ "$status" = "suspended,running" -o "$status" = "suspended" ] # since 1.5.0
+ then
+ session_list_user_suspended "$USER" 'Suspended' "$(getparam geometry)" "$(getparam type)" | log_tee
else
session_list_user "$USER" | log_tee
fi
@@ -961,13 +1017,13 @@
addmount*)
server_get_params $CMD
PARAMS=$SERVER_PARAMS
- server_nxnode_start --smbmount "$USER" "$PARAMS" 2>&1 | log_error >/dev/null
+ server_nxnode_start --smbmount "$USER" "$PARAMS" >/dev/null 2>&1 | log_error >/dev/null
echo_x "NX> 719 SMB filesystem: running"
;;
addprinter*)
server_get_params $CMD
PARAMS=$SERVER_PARAMS
- server_nxnode_start --addprinter "$USER" "$PARAMS" 2>&1 | log_error >/dev/null
+ server_nxnode_start --addprinter "$USER" "$PARAMS" >/dev/null 2>&1 | log_error >/dev/null
;;
*)
# disabled for 1.4.0-5 snapshot client
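Review bot: With `>/dev/null 2>&1` placed before the pipe, both stdout and stderr of `server_nxnode_start` go to `/dev/null`, so `log_error` receives nothing and failures of `--smbmount` and `--addprinter` are no longer recorded. If the aim is to drop stdout but keep errors in the log, swap the order: `server_nxnode_start --smbmount "$USER" "$PARAMS" 2>&1 >/dev/null | log_error >/dev/null`, and the same on the `--addprinter` line. `log_error` is defined outside the hunk, so what it would have written is not visible here.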