From: Stas
To: ALT Linux Sisyphus discussions
Date: Sun, 27 Mar 2016 22:14:18 +0500
Message-ID: <56F814EA.5090008@gmail.com>
Subject: [sisyphus] An SSH key is hardcoded in the install script of the freenx-server package

Greetings!

I am installing a freenx server and found an amusing "hole".

After installation, the manual recommends running /etc/init.d/freenx-server install. As a result, the script /usr/bin/nxsetup is run with the --install parameter.

Inside /usr/bin/nxsetup, in the function parse_cmdline(), starting at line 126, there is this code:

============================================================
if [ "$INSTALL" = "yes" -a "$AUTOMATIC" = "no" -a "$SETUP_NOMACHINE_KEY" = "no" ]
then
    echo "------> It is recommended that you use the NoMachine key for"
    echo " easier setup. If you answer \"y\", FreeNX creates a custom"
    echo " KeyPair and expects you to setup your clients manually. "
    echo " \"N\" is default and uses the NoMachine key for installation."
    echo ""
    echo -n " Do you want to use your own custom KeyPair? [y/N] "
    read -n 1 CHOICE
    [ "$CHOICE" = "y" ] || SETUP_NOMACHINE_KEY="yes"
fi
============================================================

That is, the script recommends using a certain "NoMachine key". Let's see what kind of key this is; we find it in the function install_nx() (quoting, starting at line 196):

============================================================
mkdir -p $NX_HOME_DIR/.ssh
chmod 700 $NX_HOME_DIR/ $NX_HOME_DIR/.ssh

if [ ! -f $NX_HOME_DIR/.ssh/$SSH_AUTHORIZED_KEYS -o "$SETUP_NOMACHINE_KEY" = "yes" ]
then
    SETUP_NX_KEY="yes"
    if [ "$SETUP_NOMACHINE_KEY" = "yes" ]
    then
        cat << EOF >$NX_HOME_DIR/.ssh/$SSH_AUTHORIZED_KEYS
no-port-forwarding,no-agent-forwarding,command="$PATH_BIN/nxserver" ssh-dss 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 root@nettuno
EOF
        chmod 600 $NX_HOME_DIR/.ssh/$SSH_AUTHORIZED_KEYS
        cat << EOF >$NX_HOME_DIR/.ssh/client.id_dsa.key
-----BEGIN DSA PRIVATE KEY-----
MIIBuwIBAAKBgQCXv9AzQXjxvXWC1qu3CdEqskX9YomTfyG865gb4D02ZwWuRU/9
C3I9/bEWLdaWgJYXIcFJsMCIkmWjjeSZyTmeoypI1iLifTHUxn3b7WNWi8AzKcVF
aBsBGiljsop9NiD1mEpA0G+nHHrhvTXz7pUvYrsrXcdMyM6rxqn77nbbnwIVALCi
xFdHZADw5KAVZI7r6QatEkqLAoGBAI4L1TQGFkq5xQ/nIIciW8setAAIyrcWdK/z
5/ZPeELdq70KDJxoLf81NL/8uIc4PoNyTRJjtT3R4f8Az1TsZWeh2+ReCEJxDWgG
fbk2YhRqoQTtXPFsI4qvzBWct42WonWqyyb1bPBHk+JmXFscJu5yFQ+JUVNsENpY
+Gkz3HqTAoGANlgcCuA4wrC+3Cic9CFkqiwO/Rn1vk8dvGuEQqFJ6f6LVfPfRTfa
QU7TGVLk2CzY4dasrwxJ1f6FsT8DHTNGnxELPKRuLstGrFY/PR7KeafeFZDf+fJ3
mbX5nxrld3wi5titTnX+8s4IKv29HJguPvOK/SI7cjzA+SqNfD7qEo8CFDIm1xRf
8xAPsSKs6yZ6j1FNklfu
-----END DSA PRIVATE KEY-----
EOF
        chmod 600 $NX_HOME_DIR/.ssh/client.id_dsa.key
    else
        # generate a new key, backup the old and copy it to $SSH_AUTHORIZED_KEYS
        $PATH_BIN/nxkeygen
    fi
fi
============================================================

IMHO this is a serious bug, and the use of such a key must be ruled out.

-- 
Станислав Дёгтев
"Ваш админ" service
My contacts:
- jabber: grumbler@grumbler.org
- email: stas.grumbler@gmail.com and stas@vashadmin.su
- phones in Yekaterinburg: +79045430461 and +79222112259
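
Added example, not part of the original message and not FreeNX code: a packaging-review check that lists key material an install script writes out of here-documents, which is the pattern quoted from install_nx() above. The function names, the output format and the sample script (with placeholder key bodies) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from nxsetup): report keys written from here-documents.
scan_heredoc_keys() {   # usage: scan_heredoc_keys [FILE]   (stdin if omitted)
    awk '
    inside {                                  # body of an open here-doc
        body = $0
        if (dash) sub(/^\t+/, "", body)       # <<- allows a tab-indented end
        if (body == delim) { inside = 0; next }
        if ($0 ~ /-----BEGIN [A-Z ]*PRIVATE KEY-----/)
            print "PRIVATE_KEY line=" NR " target=" target
        else if ($0 ~ /(^|[ \t])(ssh-(dss|rsa|ed25519)|ecdsa-sha2-[a-z0-9-]+)[ \t]/)
            print "PUBLIC_KEY line=" NR " target=" target
        next
    }
    /(^|[^<])<<-?[ \t]*[^< \t]/ {             # here-doc opener, not <<<
        rest = $0
        sub(/^.*<</, "", rest)
        dash = (rest ~ /^-/)
        sub(/^[^A-Za-z_]*/, "", rest)         # drop "-", blanks, quotes
        delim = rest
        sub(/[^A-Za-z0-9_].*$/, "", delim)
        if (delim == "") next                 # e.g. arithmetic: 1 << 2
        target = "(not redirected)"
        if (match($0, />>?[ \t]*[^ \t<>|&;]+/)) {
            target = substr($0, RSTART, RLENGTH)
            sub(/^>>?[ \t]*/, "", target)
        }
        inside = 1
    }' "${1:--}"
}

# Constructed sample with the same layout as the quoted code; keys are placeholders.
sample_script() {
cat <<'SAMPLE'
mkdir -p $NX_HOME_DIR/.ssh
cat << EOF >$NX_HOME_DIR/.ssh/$SSH_AUTHORIZED_KEYS
no-port-forwarding,no-agent-forwarding,command="$PATH_BIN/nxserver" ssh-dss PLACEHOLDER root@example
EOF
cat << EOF >$NX_HOME_DIR/.ssh/client.id_dsa.key
-----BEGIN DSA PRIVATE KEY-----
PLACEHOLDER
-----END DSA PRIVATE KEY-----
EOF
$PATH_BIN/nxkeygen
SAMPLE
}

sample_script | scan_heredoc_keys
```

A PRIVATE_KEY finding in a packaged script means every installation that takes that branch ends up with the same key, so the matching PUBLIC_KEY entry in an authorized_keys target is the one to remove or regenerate.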