1

I'm following a FreeNX install wiki page for ArchLinux. Right now I'm setting the SSHD parameter for "AuthorizedKeysFile". And this brings up the question,

How many authorized_keys can/should be set up in SSHD to support all the services that use SSH tunnel?

More importantly, this FreeNX tutorial is instructing me to point SSHD to a NX directory, but then what about SSH? NFS?

A quick search finds several files in different locations:

/root/.ssh/authorized_keys2
/var/lib/nxserver/home/.ssh/authorized_keys2
/root/.ssh/authorized_keys
/srv/nfs4/mrwizard_xtian/.ssh/authorized_keys
/home/mrwizard/xtian/.ssh/authorized_keys
xtian

2 Answers

2

You seem to have misunderstood something. SSHD is the ssh daemon, it is not a directory or a file, you cannot change it to /usr/NX/home/nx/.ssh/authorized_keys and the linked tutorial does not suggest that you do.

authorized_keys contains the keys used to verify a user's identity when the user attempts to connect to the server (thanks @goldilocks and also see @Gilles' answer here).

This is explained quite nicely in the man pages, try man sshd:

 sshd (OpenSSH Daemon) is the daemon program for ssh(1).  Together these
 programs replace rlogin(1) and rsh(1), and provide secure encrypted com‐
 munications between two untrusted hosts over an insecure network.


 AuthorizedKeysFile specifies the files containing public keys for public
 key authentication; if none is specified, the default is
 ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2. 

The tutorial is telling you that you need to set up your NX's sshd correctly and tell it where to find an authorized_keys file. In the example they have set up two such files, /usr/NX/home/nx/.ssh/authorized_keys and /usr/NX/home/nx/.ssh/authorized_keys2.

terdon
  • @goldilocks then why do I get "This server's certificate has changed [blah blah], offending line is ~/.ssh/authorized_keys:2" if I try to connect to a remote server whose key has changed? – terdon Sep 17 '13 at 01:35
  • 1
    I haven't seen that one and google `sshd "This server's certificate has changed"` == "did not match any documents", so you'll have to clarify... The purpose of `authorized_keys` is in your `man` quote, if you keep in mind it is a file examined *on the server*, not on the client. Here's how it works: the client sends its public key to a server in an attempt to establish a connection as a particular user. The remote sshd checks the specified (local) user's `authorized_keys` to see if the key is in the list. It's a list of client keys that can connect to this server (hence the "bass-ackwards" ;) – goldilocks Sep 17 '13 at 01:45
  • @goldilocks Argh, I'm an idiot, the message I mentioned (haven't seen it for a while so the wording is a little off) refers to the `known_hosts` file, my bad. In my defense, it's 3:56 am here :). Thanks for the clarification, answer edited. – terdon Sep 17 '13 at 01:57
  • Each setup tutorial I'm working through is setting up separate authorized_keys (as shown by the find results in my question) by _default_. Are you saying the keys created by these different processes need to be gathered together and added all at once to the user's private keys? Therefore, root would have access to all, but maybe user xtian only has access to nfs in his authorized_keys? – xtian Sep 17 '13 at 13:34
  • @xtian no, that's not what I'm saying. The point the tutorial is making is simply that you have to point `/etc/ssh/sshd_config` to the location of the `authorized_keys` file. The `authorized_keys2` file is [apparently](http://serverfault.com/q/116177/155817) deprecated by the way. – terdon Sep 17 '13 at 16:39
  • @terdon Yes. Ok. Exactly my Q. If not collecting from each process, then I'm pointing to which authorized_key file? for SSH in `~/**.ssh**`, NX in `/var/lib/nxserver/home/**.ssh**`, or NFS in `/srv/nfs4/mrwizard_xtian/**.ssh**` One? All? – xtian Sep 17 '13 at 19:28
1

The NX server runs as a dedicated user and performs its own authentication. You connect to the NX server over SSH, then you authenticate with the NX server to create or connect to an NX session running as a local account.

The NX user has its own set of SSH authorized keys since you connect to it over SSH. This is unusual: it is uncommon to access services over SSH. Usually you only connect to real users' accounts over SSH.

Each account that you connect to over SSH with key authentication has its own ~/.ssh/authorized_keys file. The SSH user authentication keys aren't configured with the SSH daemon, they're configured in each account. Barring highly unusual setups, there's a single file for that. For reasons of backward compatibility, the file can be called ~/.ssh/authorized_keys2 instead of ~/.ssh/authorized_keys. The location can also be configured in the server configuration by changing AuthorizedKeysFile.

I have no idea what you mean by “point SSHD to a NX directory” (sshd isn't something you can “point”) or where you see a connection with NFS.

Gilles 'SO- stop being evil'
  • Perhaps you can use the sshd_config "Match" configuration for the 'nx' user to tell it to use a specific file for authorized_keys, as well as what command to run (which isn't mentioned but probably what I'd do). – jsbillings Sep 17 '13 at 02:00
  • "point SSHD to a NX directory" means this file: `/etc/ssh/sshd_config` With this line: `AuthorizedKeysfIle /usr/NX/home/nx/.ssh/authorized_keys /usr/NX/home/nx/.ssh/authorized_keys2` is looking for authorized_keys not in the user's `~/.ssh` directory but in `/usr/NX...` for the authorized_keys file. – xtian Sep 17 '13 at 13:39
  • "The NX user has its own set of SSH authorized keys since you connect to it over SSH. This is unusual..." You can say that again. In another post I've brought up another unusual aspect of NX setup which suggests NX is looking for a nxclient user nx to connect to a nxserver user nx with the same private key! But that's my Q and not my A, so [don't quote me!](http://unix.stackexchange.com/questions/90513/why-do-nomachine-nxclient-docs-instruct-to-copy-over-the-servers-private-key/90515?noredirect=1#comment136742_90515) – xtian Sep 17 '13 at 13:46
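
An added example, not part of the original thread and not code from OpenSSH or the FreeNX tutorial: a simplified model of how `AuthorizedKeysFile` resolves per account, comparing the global line quoted in the comments with the `Match User nx` scoping suggested above. The two configs and the home directories are constructed for illustration, and the model assumes only `Match User` with exact names plus the `%h`, `%u` and `%%` tokens.

```python
import posixpath
import re

# Per the man page excerpt above, used when no AuthorizedKeysFile is set.
DEFAULT = ".ssh/authorized_keys .ssh/authorized_keys2"

# Constructed config A: the line quoted in the comments, set globally.
GLOBAL_NX = """
AuthorizedKeysFile /usr/NX/home/nx/.ssh/authorized_keys /usr/NX/home/nx/.ssh/authorized_keys2
"""

# Constructed config B: per-account default kept, NX path scoped to user nx.
SCOPED_NX = """
AuthorizedKeysFile .ssh/authorized_keys
Match User nx
    AuthorizedKeysFile /usr/NX/home/nx/.ssh/authorized_keys
"""

def authorized_keys_paths(config, user, home):
    """Key files consulted for `user` under `config` (simplified model)."""
    global_val = match_val = None
    in_match = applies = False
    for raw in config.splitlines():
        words = raw.split("#", 1)[0].split(None, 1)
        if len(words) < 2:
            continue
        keyword, arg = words[0].lower(), words[1].strip()
        if keyword == "match":
            crit = arg.split()
            in_match = True
            applies = (len(crit) == 2 and crit[0].lower() == "user"
                       and user in crit[1].split(","))
        elif keyword == "authorizedkeysfile":
            if in_match and applies and match_val is None:
                match_val = arg      # first satisfied Match block wins
            elif not in_match and global_val is None:
                global_val = arg     # first global value wins
    chosen = match_val or global_val or DEFAULT
    tokens = {"%": "%", "h": home, "u": user}
    # Expand %h, %u and %%; a relative result is taken from the home directory.
    return [posixpath.join(home, re.sub(r"%(.)", lambda m: tokens[m.group(1)], p))
            for p in chosen.split()]

if __name__ == "__main__":
    accounts = [("xtian", "/home/mrwizard/xtian"), ("nx", "/usr/NX/home/nx")]
    for name, cfg in (("global", GLOBAL_NX), ("scoped", SCOPED_NX)):
        for user, home in accounts:
            print(name, user, authorized_keys_paths(cfg, user, home))
```

With the global line, every account resolves to the files under `/usr/NX/home/nx/.ssh`, so ordinary users no longer authenticate against their own `~/.ssh/authorized_keys`; with the `Match` block only `nx` does. On a real host, `sshd -T` with a `-C user=nx` connection spec prints the settings sshd itself resolves for that account.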