Using FreeNX to secure Terminal Services and VNC with two-factor authentication
These instructions will help you use WiKID Strong Authentication with FreeNX. For background on FreeNX, see this article on Linux Journal. Here is a quote:

For technically inclined people, imagine X server technology with compression so tight that GNOME and KDE sessions run over modems with SSH encryption. Imagine lightning-fast thin clients that use tiny amounts of bandwidth and handle audio and video, printing and session suspension instead of termination. Imagine real virtual KVM switches without hardware. Say goodbye to SunRay servers and all the thin clients that never lived up to their promise. Think about real heterogeneous interoperability on PCs and devices that scale.

For the less technically inclined, imagine system administrators being able to see and operate every server in their data centers with a single keyboard, video console and mouse--without a hardwire switch and hundreds of cables.

Obviously, you can tunnel VNC through SSH and use PAM radius for two-factor authentication with WiKID. FreeNX just gives you more options. While I did have to install a patch to get FreeNX working with a one-time passcode system, that was easy, as was the rest of the install.
As always, there are some great resources for installing open source software. For FreeNX, I found Rick Stout's how-to for Fedora helpful.
First, configure PAM to support WiKID two-factor authentication using Radius or using Tacacs+.
Get your box up to date and install the dependencies:
# yum update
# yum install expect nc
Grab your preferred packages and install:
# rpm -Uvh nx-1.5.4-0.FC4.1.i386.rpm
# rpm -Uvh freenx-0.4.4-1.fdr.0.noarch.rpm
Now comes the patch. FreeNX, at least with Version 0.4.5, checks your password more than once. Obviously, if you check the one-time passcode more than the one time, you get rejected. I couldn't figure out a way around this, so I posted to the FreeNX mailing list and promptly got a patch (Thanks Felix!). I wasn't able to get the diff inserted using the patch command, so I just inserted the patch manually by putting this into the nxserver file:

# If node.conf sets FORCE_LOGIN_METHOD, use that method directly and
# mark the login step as done.
if [ -n "$FORCE_LOGIN_METHOD" ]
then
    log 6 -n "Info: Forced LOGIN_METHOD to $FORCE_LOGIN_METHOD"
    LOGIN_SUCCESS="1"
    LOGIN_METHOD="$FORCE_LOGIN_METHOD"
    if [ "$FORCE_LOGIN_METHOD" == "SSH" ]
    then
        export COMMAND_SSH
    fi
fi

after:

read -s PASS
echo_x ""
log 6 -n "Info: Auth method: "

and before:

# USER already logged in?
if [ "$ENABLE_USERMODE_AUTHENTICATION" = "1" ]

Now, you need to add this line to node.conf (edit /etc/nxserver/node.conf.sample and save it as node.conf):

FORCE_LOGIN_METHOD=SSH

You need to download a free Nomachine client.
To configure your Nomachine client:
That should be it. Now, start the WiKID token client and use the OTP to log in to FreeNX. If it fails, check the WiKID server logs to see if FreeNX is sending the passcode twice. If so, then the patch didn't take.
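Because the patch is inserted by hand, a quick placement check helps before you start digging through the WiKID logs. The script below is an added example, not part of FreeNX or of the original instructions. It assumes you pass it the path of your nxserver file and of node.conf, and the function names are made up for illustration.

```bash
#!/bin/bash
# Added example: confirm the hand-inserted FORCE_LOGIN_METHOD block sits
# between the two anchor lines quoted on this page, and that node.conf
# sets the variable. File paths are arguments (assumed, not FreeNX tooling).

# Line number of the first line in file $2 containing the fixed string $1.
first_line() {
    grep -n -F -- "$1" "$2" | head -n 1 | cut -d: -f1
}

# Returns 0 when patch placement and node.conf setting both check out.
check_nx_otp_patch() {
    local nxserver="$1" nodeconf="$2" rc=0
    local after patch before
    after=$(first_line 'log 6 -n "Info: Auth method: "' "$nxserver")
    patch=$(first_line 'if [ -n "$FORCE_LOGIN_METHOD" ]' "$nxserver")
    before=$(first_line '# USER already logged in?' "$nxserver")

    if [ -z "$patch" ]; then
        echo "FAIL: FORCE_LOGIN_METHOD block not found in $nxserver"; rc=1
    elif [ -z "$after" ] || [ -z "$before" ]; then
        echo "FAIL: anchor lines not found; this nxserver differs from the page"; rc=1
    elif [ "$after" -lt "$patch" ] && [ "$patch" -lt "$before" ]; then
        echo "OK: patch block at line $patch (between lines $after and $before)"
    else
        echo "FAIL: patch block at line $patch is not between lines $after and $before"; rc=1
    fi

    # The setting only counts on an uncommented line of its own.
    if grep -Eq '^[[:space:]]*FORCE_LOGIN_METHOD="?SSH"?[[:space:]]*$' "$nodeconf"; then
        echo "OK: FORCE_LOGIN_METHOD=SSH is set in $nodeconf"
    else
        echo "FAIL: FORCE_LOGIN_METHOD=SSH missing or commented out in $nodeconf"; rc=1
    fi
    return "$rc"
}

# Usage: bash check_nx_patch.sh /path/to/nxserver /etc/nxserver/node.conf
if [ "$#" -eq 2 ]; then
    check_nx_otp_patch "$1" "$2"
fi
```

A FAIL on placement means the block was pasted outside the password-handling section, so the passcode can still be checked more than once.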
That is it!


