FreeNX
From Gentoo Linux Wiki
| Installation • Kernel & Hardware • Networks • Portage • Software • System • X Server • Gaming • Non-x86 • Emulators • Misc |
Contents |
[edit] What is FreeNX?
FreeNX allows you access an X11-Session over low-bandwidth Internet connections (starting from 40 KBit/s). It is based on X11 Forwarding software from NoMachine.
- You do NOT need anything else, for example, VNC server is not needed (although NX could act as a proxy for Microsoft rdesktop and VNC but that's another story)
- What is also great is that NX allows to suspend/resume sessions.
- You could run many sessions (you define that in the /etc/nxserver/node.conf config file as SESSION_LIMIT and SESSION_USER_LIMIT)
[edit] Installation (Version 1, easy and correct)
Currently, installation of nxserver-freenx on gentoo is very easy and the version 2 is generally outdated. Package is configured to use SSH and no additional configuration is required! For the installation I assume that your SSHD is working correctly and is set up on the 22 port. If SSHD is not installed then:
I had to make the following changes to my sshd_config: AuthorizedKeysFile .ssh/authorized_keys2 PubkeyAuthentication yes AllowUsers nx <userid> I'm not sure if all 3 lines are needed, but it drove me up the wall, and now it's working. So sharing what I learned with everyone else. (Note by someone else: Default config worked with just the AuthorizedKeysFile line, I didnt need the other two).
emerge openssh /etc/init.d/sshd start
The first thing you need to do is to set up correct USE flags, actually only one. Add this line to your /etc/portage/package.use:
net-misc/nxserver-freenx nxclient
This flag is needed so that NoMachine client will work. It is important to notice that it is the _only_ working client. If the portage says that the package is masked you may need to add the following lines to /etc/portage/package.keywords (create the file if it does not exist):
net-misc/nxserver-freenx net-misc/nxclient net-misc/nx
Now emerge:
emerge -av nxserver-freenx
After the emerge process finishes you have two possibilities to configure freenx:
1. use default, pre-generated SSH key from NoMachine (less secure):
nxsetup --install --setup-nomachine-key --clean --purge
2. generate your own key (more secure):
nxsetup --install --clean --purge
The key in /var/lib/nxserver/home/.ssh/client.id_dsa.key then needs to be copied into the "Key..." under "Configure..." -> "General" in the NX !M client. Just open the key, copy all text and paste it. You could save the key on flash disk or your gmail account for future convenience!
If the freenx does not work and client says that auth failed try the following command (issue it after every nxsetup command execution):
passwd -d nx
Just to be sure re-start the SSHD daemon:
/etc/init.d/sshd restart
I also needed to add /usr/bin/nxserver to /etc/shells, as well as adjust some permissions on /var/lib/nxserver (chown'd it to nx) before I could login with the NX user though ssh.
Also note that Windows client version works great with the latest version of nxserver-freenx (if you run in any problems try using client version 1.5 from here [1]).
[edit] SSH running on a different port
If you have changed your sshd to run on a different port, you need to tell FreeNX as well.
For FreeNX >=0.5.0 you should adapt the configuration file, located in /usr/NX/etc/node.conf or /etc/nxserver/node.conf:
Change the line
SSHD_PORT=22
to
SSHD_PORT=$YOURPORT
[edit] Use NX authentication instead of SSH
This is not really recommended as SSH provides secure and reliable authentication mechanism but if you want you can try using the built-in one. To enable it open your config file and edit (/etc/nxserver/node.conf):
ENABLE_PASSDB_AUTHENTICATION="1"
If you want you could disable all other authentication methods. Before you login it is necessary to add your user to the NX:
/usr/bin/nxserver --adduser <username> /usr/bin/nxserver --passwd <username>
[edit] Enable logging
By default NX does not log anything, e.g. logging is not enabled. To turn this feature on just open the configuration file and locate logging section. Set the desired level and log name file:
NX_LOG_LEVEL=3 # change level accordingly to your needs NX_LOGFILE=/var/log/nxserver.log
Now you can find and discover problems. It also might be a good idea to look into /var/log/messages to look at SSH logs as some problems might come from there.
[edit] The NX overlay
If you need more recent packages then you should access the nx gentoo overlay, however, portage is not far away... See [2]. You can add the nx overlay using layman:
emerge layman layman -a nx emerge -avt nxserver-freenx
[edit] Degraded performance over time
Over time, you can experience degraded performance, but it does not necessarily mean the nxclient is bugged or has a memory leak.
One of the criminals responsible for a sluggish response is Firefox. My guess is that it leaves too much cached images which end up taking up the nxclient cache, thus making it slower. I have experienced degraded performance even with 128MB of cache for the nxclient, since I use lots of tabs. So, if your connection starts to get slow, close Firefox. you will probably see the performance come back again all of a sudden. You can then open Firefox again and continue browsing happily.
[edit] Installation (Version 2, misleading and confusing)
The GPL'ed version of nxserver (FreeNX) is currently unstable and only available for x86 platform; Add the following to your /etc/portage/package.keywords file:
Note: You may need to create this file as it is not part of the base Gentoo install.
net-misc/nxserver-freenx ~x86 net-misc/nx ~x86
To install simply emerge the following packages: As always, check the list for appropriate USE flags.
emerge -avt nxserver-freenx source /etc/profile
There was a change in directory structure since 0.5.0-r1; You need to issue the following copy command:
cp /usr/lib/NX/bin/nx* /usr/bin/
Now run the nxsetup command:
nxsetup --override --install
Make sure your ssh daemon is up and running:
/etc/init.d/sshd status
That should do it.
[edit] Installation on amd64
There are masked packages which should work with amd64. I had no luck compiling nx-x11-1.5.0, but nx-x11-bin-1.5.0 works for me. The dependencies compile though...
You may also need to add "LDPATH=/usr/NX/lib" to /etc/env.d/50nxpaths and make sure that /usr/NX/lib points to /usr/NX/lib32 however this will only allow the server to run on the machine not the client.
[edit] Configuration
[edit] Add a user (optional)
Now add the users who are to have access to your system using FreeNX. These user names must correspond to the "correct" user names on the system.
/usr/NX/bin/nxserver --adduser <username> /usr/bin/nxserver --adduser <username> (nxserver-freenx-0.5.0-r1)
You set a per-user NX password using:
/usr/NX/bin/nxserver --passwd <username> /usr/bin/nxserver --passwd <username> (nxserver-freenx-0.5.0-r1)
[edit] Authenticate with SSH
ssh authentication is enabled by default. You *must* be able to login using passwords to use ssh authentication. If your sshd is configured to not accept passwords and forces key only authentication NX cannot use ssh authentication. It is unnecessary to configure users via nxserver --adduser <username> when you use ssh authentication.
If your sshd.conf uses ~/.ssh/authorized_keys for storing publickeys, and if you don't like to share your keypair for authentication with all other users of nx, you should edit /usr/NX/bin/nxserver or /usr/bin/nxserver or /usr/bin/nxloadconfig:
| File: /usr/NX/bin/nxserver or /usr/NX/bin/nxloadconfig or /usr/bin/nxserver or /usr/bin/nxloadconfig |
|
Change NX_AUTHORIZED_KEYS_FILE=.ssh/authorized_keys2 to NX_AUTHORIZED_KEYS_FILE=.ssh/authorized_keys |
rm /usr/NX/home/nx/.ssh/authorized_keys2
For FreeNX versions >=0.5.0 you need to add the following line to /usr/NX/etc/node.conf:
| File: /usr/NX/etc/node.conf or /etc/nxserver/node.conf |
SSH_AUTHORIZED_KEYS="authorized_keys" |
make new keypair:
It is a good idea to have a different key pair for each user and remove the private key from the server once added to your client ssh-keygen –d --> into: /usr/NX/home/nx/id_dsa --> no passphrase
put the one in authorized_keys:
cat /usr/NX/home/nx/id_dsa.pub > /usr/NX/home/nx/.ssh/authorized_keys
or for nxserver-freenx-0.5.0-r1
mkdir /var/lib/nxserver/home/.ssh cat /dir/to/id_dsa.pub >> /var/lib/nxserver/home/.ssh/authorized_keys2 chown nx -R /var/lib/nxserver/db (nxclient will fail login if you don't do this step)
then copy (securely with sftp or anything similar) /usr/NX/home/nx/id_dsa to your client. Look for the folder share/keys (or just share) in the client's installation prefix and replace the key you find there. Last but not least, remove the id_dsa and id_dsa.pub files from the server.
Eventually you have to do this before authentication works at all (if you changed the line in nxserver after adding user):
cd /home/xxx/.ssh/ cat authorized_keys2 >> authorized_keys rm authorized_keys2
Installing the NX server has installed the client automatically. You can start it with:
nxclient
Use
nxclient --wizard
if you need more help with configuring the client to connect to a machine that has the freenx nxserver installed on it.
[edit] Windows Client
You can download the Windows Client from [3].
You can download version 1.5 at [4] as version 2 will not work with 1.5 server
Copy paste the id_dsa key in the advanced configuration dialog, tab "General", button "Key..."
If you get a "X local server error" try installing this older Windows client http://www.nomachine.com/download/beta/nxclient-windows-binaries-pre1/
There is also a more detailed HowTo in the Forums, hidden at page 13 of the major NX thread. I paste that link here because I always have to search that bl#*Qy post and I hope others find it useful, too.
[edit] Troubleshooting
- Ensure /usr/NX/bin/nxagent exists on the server. (Merge or remerge net-misc/nx-x11.)
- Ensure that you can run X apps on the server:
ssh -X serverhost xterm
If you get some error like localhost:10.0 broken, then check libX11 for server/client are compatible
If you get an error about an invalid MIT-MAGIC-COOKIE-1 key, run the following command on the server where <clienthost> is the client's hostname:
xhost +<clienthost>
This is the quick and easy but less secure way of allowing the remote user to display X programs on their local X11 server. Other methods are more secure but more complex to set up.
- Ensure that you can run nxagent:
ssh -X serverhost LD_LIBRARY_PATH=/usr/NX/lib /usr/NX/bin/nxagent :1000
You should see a blank X session start.
- Ensure the version of OpenSSH installed on the server is recent. (There is a bug in OpenSSH 3.8.1p1 that seems to prevent PAM authentication in some cases.)
- Ensure your SSH Daemon configuration is OK. The configuration is to be found under /etc/ssh/sshd_config.
- Ensure X11Forwarding is set to yes
- Check for the denied and allowed users. If there are restrictions, make sure the nx user is allowed to login.
- If you are using the Windows Client, and are unable to connect, try selecting "Enable SSL encryption of all traffic" under the Configure -> Advanced Tab.
- If you want to run X programs from other remote servers, you need to enable tcp connections to nxagent. This ist disabled in /usr/bin/nxnode. To enable it, delete "-nolisten tcp" from line 528:
PATH="$PATH_BIN:$PATH" $PATH_BIN/nxagent $P $R -nolisten tcp -name "NX - $user@$SERVER_NAME:$display - $session (GPL Edition)" -option "$USER_FAKE_HOME/.nx/C-$sess_id/options" $K $G $B $FP $AGENT_EXTRA_OPTIONS_X :$display 2>&3 &
Afterwards you can open a shell in your NX session, add the remote host and run other X programs via ssh.
userA@nxserver ~ $ xhost otherServer otherServer being added to access control list userA@nxserver ~ $ ssh userB@otherServer "xterm -display nxserver:$DISPLAY"
[edit] Open Questions
- When adding a new user to nxserver, he copies a publickey to my authorized_keys, but ssh authentication seems to work with the nx user and his publickkey and afterwards my password is used to authenticate my nxuser. What is this publickey good for and which private key does belong to it?
- nx is using jpeg compression even though I have specified png compression
- I'm a little confused by the private key issue, too, though I hopefully understand that sharing the keypair is a bad thing. Are you supposed to use the private key "id_dsa" to overwrite the "/usr/NX/share/client.id_dsa.key" file on the client's machine? It was stated that you need to copy to the CLIENT's "share" folder, and I'm assuming this is what was meant. That was the only way I could get it to work by using my own machine as both server and client.
- Is it possible to have the user's X profile loaded? i.e. -- pull their defaults from $HOME/.gnome2/ ? When I login via nxclient, I get a default, not my own settings that I use when I log into the box directly.
- The 1.4 windows client is apparently no longer available from the nomachines website, this gives problems for following the windows setup in this doc. Nomachines download defaults to 1.5, and that is all.
Its best to upgrade to the latest stable 1.5 version
- What is the overview of working files and their authorisations.
