>> Which is of course totally screwed in the NX protocol. What the hell
>> for does it need an nx user for? Pretty much nothing. Indeed nothing
>> at all.
> I'd say it is much, much better than trying to re-invent
> a different secure connection protocol.
Okay: let's evalute what it does and what it could do and explain to me
how the current situation is better.
It currently logs in via ssh and privatekey to nx@servermachine, after
which it takes the user supplied user/password combo and passes it to the
nxserver which uses them to ssh user@localhost and passes the password.
Effectively we're logged in as user@servermachine. Furthermore sometimes
the freenx server makes a mess of things and leaves around files which
only nx (thus root) can delete making further use of nx impossible without
root intervention.
Why can't we have: the client gets user/password combo (or even a
privatekey for the user!) and ssh's directly into user@servermachine.
Effectively we've achieved the same thing, except we've no need for an nx
account and if freenx makes a booboo a user can clean out it's temporary
files by himself.
>> It could just as well ssh directly into your account via ssh user@host
>> /usr/bin/nxserver.
> The real login does not have to run over ssh or use encryption.
> That is optional and a waste of CPU if not needed.
I don't get this comment? We're running ssh on top of ssh - isn't that
wasteful in and of itself? (is this only in freenx?)
The only use the 'nx' account design decision has is making stuff harder
for the administrator.
>> But so much on bad design decisions.
>
> It's not that bad compared to a lot of other ways they might
> have tried to ensure that the real user password exchange is
> encrypted.
Sure they could have screwed up worse, but normal ssh already allows a
user to login with user/password combo - and everything is encrypted.
And of course they could have used a different protocol or designed their
own instead of ssh - that would have been a bigger mess.
> The nomachine server always uses the same key for for the nx user and
> trusts the shell program to not permit anything but the next stage login
> to happen. That eliminates the key-setup issue that you have with the
> freenx variation which builds new keys during the install on each
> server.
OK, truthfully I don't trust the shell program to not permit anything
else. Why can't we leave authentication up to ssh? Stop all the already
ironed out bugs out of ssh from having an opportunity to show up in the
nxserver shell? Again what do we gain?
I'm lost... is there something I'm not seeing?
Maybe this is partly due to being freenx and not the nomachine server.
But frankly I still don't see why the NX server - which _DOES_ not require
any special priveledges can't run as the user you want to log in as. Does
it require special priveledges (which? what for?)
Enlighten me, please.
Cheers,
MaZe.
