15.2. Advanced FreeNX Configuration

The following sections introduce some advanced features mainly needed in more complex NX scenarios.

15.2.1. Configuring SSH Authentication Using Client Keys

The authentication configured in Section 15.1, “Getting Started with NX” solely relies on username and password credentials. For a more secure authentication, NX can be configured to generate a pair of SSH keys. The client key is then copied from the server machine to any client that should be able to connect to the NX server. Clients that do not present this key cannot authenticate at the NX server. This feature is only supported for the FreeNX server/knx client combination.

To configure the NX server to use this authentication method and generate the appropriate key pair, proceed as follows:

  1. Log in as root to the server machine.

  2. Open the server's configuration file /etc/nxserver/node.conf and make sure that ENABLE_SSH_AUTHENTICATION is set to 1 (which should be default).

  3. Install the server with the following command:

    nxsetup --install --clean --purge

  4. Adjust the access permissions to /var/lib/nxserver/home/.ssh/authorized_keys2:

    chmod 640 /var/lib/nxserver/home/.ssh/authorized_keys2
    
  5. Log out.

To configure knx to use this key, proceed as follows:

  1. At the server machine, log in as root.

  2. Copy the key file to the location on the client machine where knx needs it, replacing client with the client's address.

    scp /var/lib/nxserver/home/.ssh/client.id_dsa.key client:/usr/share/knx/
    
  3. Log in to the client machine as root.

  4. Adjust the access permissions as follows:

    chmod 644 /usr/share/knx/client.id_dsa.key
    
  5. Log out.
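
The following check is an added example, not part of the original procedure or of FreeNX: it confirms that the setting and the file modes from the two procedures above are in place. The nx_* function names and the ROOT prefix argument are assumptions of this example; pass an empty string as ROOT to check the live system.

```shell
#!/bin/sh
# Added example (not FreeNX code): verify the key-authentication procedure.
# The nx_* names and the ROOT prefix argument are assumptions of this
# example; pass "" as ROOT to check the live system.

# Print a file's permission bits in octal (GNU stat, BSD stat as fallback).
nx_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Succeed only if FILE exists and has exactly the octal MODE.
nx_check_mode() {
    [ -f "$1" ] || { echo "MISSING $1"; return 1; }
    actual=$(nx_mode "$1")
    [ "$actual" = "$2" ] && return 0
    echo "MODE $1 is $actual, expected $2"
    return 1
}

# Server side: the setting from step 2 and the permissions from step 4.
nx_audit_server() {
    root=$1; rc=0
    conf="$root/etc/nxserver/node.conf"
    [ -f "$conf" ] || { echo "MISSING $conf"; return 1; }
    # Last uncommented assignment, quotes and trailing comment stripped.
    val=$(sed -n 's/^[[:space:]]*ENABLE_SSH_AUTHENTICATION="\{0,1\}\([^"#[:space:]]*\).*/\1/p' "$conf" | tail -n 1)
    case $val in
        1)  ;;
        "") echo "NOTE ENABLE_SSH_AUTHENTICATION not set in $conf, default applies" ;;
        *)  echo "CONF ENABLE_SSH_AUTHENTICATION is $val, expected 1"; rc=1 ;;
    esac
    nx_check_mode "$root/var/lib/nxserver/home/.ssh/authorized_keys2" 640 || rc=1
    return $rc
}

# Client side: the key copied in step 2 with the permissions from step 4.
nx_audit_client() {
    nx_check_mode "$1/usr/share/knx/client.id_dsa.key" 644
}
```

Mode 644 leaves the client key readable by every local account on the client machine, so nx_audit_client only confirms that the file matches the procedure, not that the key is secret.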

15.2.2. Configuring PAM Authentication

By default, FreeNX allows anyone to open an NX session provided this user is present in the user database of your server (locally or via LDAP, NIS, etc.). This behavior is toggled by the ENABLE_PAM_AUTHENTICATION variable in /usr/bin/nxserver on the server machine. The default value here is 1. Setting it to 0 disables the PAM-mediated user authentication (PAM_AUTH) for FreeNX.

If ENABLE_PAM_AUTHENTICATION is set to 0, you need to add users and passwords manually. To add local NX users on the server, proceed as follows:

  1. Log in to the server machine as root.

  2. Make sure that any user to add exists in the system's database of local users by checking the contents of /etc/passwd or using the YaST User Management module.

  3. For each user to add, add the username with the command nxserver --adduser. Then add the user's password with nxserver --passwd.

  4. Restart the server with nxserver --restart and log out.

15.2.3. Using Systemwide and User-Specific Configuration Files

The FreeNX server's behavior is controlled via /etc/node.conf. You can either run a global NX server configuration or run the server with user-specific configurations. This comes into play if you have different users running NX on one machine with different requirements.

In the following example, assume user joe wants NX to start a certain application automatically as soon as he opens an NX session. To enable this behavior for this user only, proceed as follows:

  1. Log in as root.

  2. Enter the /etc/nxserver directory:

    cd /etc/nxserver

  3. Save a copy of the NX server's configuration file (node.conf) under joe.node.conf in the same directory.

  4. Edit the appropriate parameters (NODE_AUTOSTART and ENABLE_AUTORECONNECT) in joe.node.conf. For details on these features, refer to Section 15.2.5, “Configuring Autostart Tasks and Exporting Configurations” and Section 15.2.4, “Suspending and Resuming NX Sessions”.

  5. Reinstall the NX server to activate the new configuration:

    nxsetup --install --clean --purge --setup-nomachine-key

    The user-specific configuration overrides the global configuration.

  6. Log out.
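
Because joe.node.conf starts as a full copy and overrides the global file, any setting changed later in node.conf does not reach joe unless his copy is updated too. The following added example (not part of the original page or of FreeNX) lists every active setting in a user's file whose value differs from the global one; the function names and the optional directory argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not FreeNX code): review what a per-user copy of
# node.conf really changes. nx_assignments, nx_user_overrides and the
# optional DIR argument (default /etc/nxserver) are assumptions.

# Print the active (uncommented) KEY=value assignments of a file, sorted,
# with quotes and trailing comments removed; the last assignment wins.
nx_assignments() {
    sed -n 's/^[[:space:]]*\([A-Z_][A-Z0-9_]*\)="\{0,1\}\([^"#]*\).*/\1=\2/p' "$1" |
        sed 's/[[:space:]]*$//' |
        awk -F= '{ v[$1] = substr($0, length($1) + 2) }
                 END { for (k in v) print k "=" v[k] }' |
        LC_ALL=C sort
}

# List every setting that USER.node.conf sets to a value different from
# node.conf, or that only the user file sets. Since the user file
# overrides the global one, each printed line is a setting for which the
# global value does not apply to that user.
nx_user_overrides() {
    user=$1; dir=${2:-/etc/nxserver}
    [ -f "$dir/$user.node.conf" ] || return 0   # no user file: global applies
    g=$(mktemp) u=$(mktemp)
    nx_assignments "$dir/node.conf" > "$g"
    nx_assignments "$dir/$user.node.conf" > "$u"
    # comm -13 keeps the lines that occur only in the user file.
    LC_ALL=C comm -13 "$g" "$u"
    rm -f "$g" "$u"
}
```

Running nx_user_overrides joe after each change to node.conf shows whether an authentication or forwarding setting in joe's copy has fallen behind the global file.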

15.2.4. Suspending and Resuming NX Sessions

As with sessions on a mobile computer, NX can be configured to allow user sessions to be suspended and resumed. A suspended session reopens in exactly the state in which you left it.

To configure suspend and resume for NX sessions, proceed as follows:

  1. Log in as root.

  2. Open the server's configuration file, /etc/nxserver/node.conf, and edit it as follows:

    ENABLE_PASSDB_AUTHENTICATION="0"
    ENABLE_USER_DB="0"
    ENABLE_AUTORECONNECT="1"
    
  3. Save and exit the configuration file and restart the server with nxserver --restart.

  4. Log out.

To suspend a session on exit, click the X in the top right corner of your NX window and select Suspend to suspend your session and to exit the client. Upon reconnect, you are asked whether to resume the old session or start a fresh one.

15.2.5. Configuring Autostart Tasks and Exporting Configurations

FreeNX offers an autostart functionality that allows you to launch certain tasks when starting or resuming an NX session, provided the underlying application supports the start and resume properties. For example, you can automatically clean up the desktop or do other autostart tasks when you start FreeNX. This is especially useful when you reconnect a session, even from a different NX client (where you cannot use the standard KDE or GNOME mechanisms).

To configure autostart features, proceed as follows:

  1. Log in as root on the server machine.

  2. Open the server's configuration file /etc/nxserver/node.conf and edit the NODE_AUTOSTART variable to the following, replacing myprogram with the program that should be executed on start or resume of an NX session:

    NODE_AUTOSTART=myprogram
         
  3. Save and exit the configuration file.

  4. Restart the server with the nxserver --restart command and log out.

    The program specified now starts every time a session is started or resumed.

You can also export the variables NX_USERIP and NX_SESSIONID to make them accessible in the user's environment. This allows, for example, putting an icon onto the desktop with the generic content and accessing a Samba server running on the user's thin client. To make the contents of a floppy on the thin client's floppy drive available to the user, proceed as follows:

  1. Enable the export of the NX_USERIP and NX_SESSIONID variables on the server side:

    1. Log in as root on the server.

    2. Open the server's configuration /etc/nxserver/node.conf and set the following variables:

      EXPORT_USERIP="1"
      EXPORT_SESSIONID="1"
      
    3. Save and exit the server's configuration and restart the server using the nxserver --restart command.

    4. Log out.

  2. On the client side, open a session, export the floppy drive via SMB and create an icon on the desktop:

    1. Export the contents of your floppy drive through Samba using your file manager (Nautilus or Konqueror).

    2. Create a floppy.desktop file in the Desktop directory and enter the following line:

      Exec=smb://$NX_USERIP/floppy

      The server exports the thin client's IP address, allowing you to access the thin client's floppy drive with the floppy icon in the NX session.

15.2.6. Creating a Chain of NX Servers

A chain of NX servers enables you to traverse firewalls and cope with IP masquerading. An external “gateway” server can be used to forward incoming connections to an internal server hidden behind a (masquerading) firewall.

To configure a chain of NX servers, proceed as follows:

  1. Configure the internal server as described in Section 15.2.1, “Configuring SSH Authentication Using Client Keys” and distribute the server's private key (client.id_dsa.key) to /usr/NX/share/ on the gateway.

  2. On the gateway server, proceed as follows:

    1. Log in as root.

    2. Set the following variables in /etc/nxserver/node.conf, replacing myinternalhost with the IP address of the internal NX server:

      ENABLE_SERVER_FORWARD="1"
      SERVER_FORWARD_HOST="myinternalhost"
      SERVER_FORWARD_KEY="/usr/NX/share/client.id_dsa.key"

    3. Restart the external server to apply the altered configuration with the command nxserver --restart and log out.

      Any incoming connection is forwarded to the internal server.

15.2.7. Installing and Running FreeNX and NoMachine on the Same Server

You can install and run FreeNX and the commercial NoMachine NX server on the same machine without interference. This is implemented in FreeNX by forwarding the connection to the NoMachine installed on the same machine.

To enable this feature, proceed as follows:

  1. Log in as root on the server machine.

  2. Open the server's configuration file for FreeNX under /etc/nxserver/node.conf and set the following variable:

    ENABLE_NOMACHINE_FORWARD="1"

  3. Save this file and restart the FreeNX server with the nxserver --restart command.

  4. Log out.

To connect to the NoMachine server, use the standard username and password credentials. To connect to the FreeNX server, prepend freenx. to the normal username (for example, freenx.joedoe) and use the usual password.