Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
tree: a7a66e68c4
Fetching contributors…

Cannot retrieve contributors at this time

executable file 465 lines (417 sloc) 17.016 kb
#!/bin/bash
# Coypright (c) 2004-2005 by Fabian Franz <freenx@fabian-franz.de>.
# 2005 by Jon Severinsson <jonno@users.berlios.de>.
#
# License: GNU GPL, version 2
#
# SVN: $Id: nxsetup 512 2008-03-10 23:01:03Z fabianx $
#
HELP="no"
INSTALL="no"
SETUP_NOMACHINE_KEY="no"
SETUP_UID=""
SETUP_GID=""
LOCAL_USER_OPTION=""
# luseradd / luserdel are only available on RedHat
[ -f /etc/redhat-release ] && LOCAL_USER_OPTION="yes"
# altlinux have /etc/redhat-release file but don't have luseradd / luserdel commands
[ -f /etc/altlinux-release ] && LOCAL_USER_OPTION="no"
SETUP_LOCAL_USER="no"
CLEAN="no"
UNINSTALL="no"
PURGE="no"
SETUP_SSH2_KEY="no"
BUILD_KNOWN_HOSTS="yes"
AUTOMATIC="no"
IGNORE_ERRORS="no"
if [ $UID -ne 0 ]
then
echo "You need to be root to use this program."
exit 1
fi
parse_cmdline()
{
while [ "$1" ]
do
case "$1" in
--help) HELP="yes"; shift ;;
--install) INSTALL="yes"; shift ;;
--ignore-errors) IGNORE_ERRORS="yes"; shift;;
--setup-nomachine-key) SETUP_NOMACHINE_KEY="yes"; shift ;;
--ssh2) SETUP_SSH2_KEY="yes"; shift;;
--dont-build-known-hosts) BUILD_KNOWN_HOSTS="no"; shift;;
--uid) SETUP_UID=$2; shift 2 ;;
--gid) SETUP_GID=$2; shift 2 ;;
--localuser) SETUP_LOCAL_USER="yes"; shift;;
--clean) CLEAN="yes"; shift ;;
--uninstall) UNINSTALL="yes"; shift ;;
--purge) PURGE="yes"; shift ;;
--auto) AUTOMATIC="yes"; shift ;;
--test) TEST="yes"; shift ;;
--) shift ; break ;;
*) echo "Invalid flag $1" ; HELP="yes"; shift ; break ;;
esac
done
[ "$TEST" = "yes" ] && return # If we just test, we can return directly
#Check for invalid combinations:
[ "$SETUP_LOCAL_USER" = "yes" -a -z "$LOCAL_USER_OPTION" ] && HELP="yes"
[ "$INSTALL" = "yes" -a "$UNINSTALL" = "yes" ] && HELP="yes"
[ "$INSTALL" = "yes" -a "$CLEAN" = "no" -a "$PURGE" = "yes" ] && HELP="yes"
[ "$UNINSTALL" = "yes" ] && [ "$SETUP_NOMACHINE_KEY" = "yes" -o -n "$SETUP_UID" -o "$CLEAN" = "yes" ] && HELP="yes"
[ "$UNINSTALL" = "yes" -a "$CLEAN" = "yes" ] && HELP="yes"
[ "$SETUP_SSH2_KEY" = "yes" -a "$SETUP_NOMACHINE_KEY" = "no" ] && HELP="yes"
if [ "$INSTALL" = "no" -a "$UNINSTALL" = "no" -a "$AUTOMATIC" = "no" -a "$HELP" = "no" ]
then
echo "------> You did select no action."
echo " FreeNX guesses that you want to _install_ the server."
echo " Type \"y\" to abort the installation at this point in time."
echo " \"N\" is the default and continues installation."
echo " Use \"${0} --help\" to get more detailed help hints."
echo ""
echo -n " Do you want to abort now? [y/N] "
read -n 1 CHOICE
echo
[ "$CHOICE" = "y" ] || INSTALL="yes"
fi
[ "$INSTALL" = "no" -a "$UNINSTALL" = "no" ] && HELP="yes"
if [ "$HELP" = "yes" ]
then
echo "nxsetup - Setup the FreeNX server."
echo "Syntax: nxsetup --help"
echo " nxsetup --test [--ignore-errors]"
echo " nxsetup --install [--setup-nomachine-key] [--uid <nummber>] [--clean [--purge]]"
echo " nxsetup --uninstall [--purge]"
echo
echo " --help Display this help message."
echo " --test Test the configuration and connection to localhost NX Server."
echo " --install Install necessary files and add the special user \"nx\"."
echo " --ignore-errors Check for false configuration, but don't complain."
echo " --setup-nomachine-key Allow login with the key shipped with the NoMachine"
echo " client. This is fairly secure, and it simplifies the "
echo " configuration of clients. (Using a custom key pair."
echo " increases security even more, but complicates the"
echo " configuration of clients.)"
echo " Use this option at your own risk."
echo " --ssh2 Create additionally commercial pubkey-support; beware:"
echo " own _commercial_ ssh2-key is not supported!"
echo " --uid <number> Give the uid <number> to the user \"nx\"."
echo " --gid <number> Give the gid <number> to the user \"nx\"."
[ -n "$LOCAL_USER_OPTION" ] && \
echo " --localuser The special user \"nx\" will be created locally using"
echo " \"luseradd\", for use in NIS and NISplus environments."
echo " --clean Perform an uninstallation prior to installation."
echo " --uninstall Remove log and session files, as well as the special"
echo " user \"nx\"."
echo " --purge Remove extra configuration files and ssh keys when"
echo " performing a \"--uninstall\"."
echo " Note that node.conf will always be saved."
echo " --auto Perform automatic installation without testing or asking."
exit 0
fi
#Undocumented
#
# --dont-build-known-hosts For system without /etc/ssh/ssh_host_key.rsa.pub and anyway
# expect should handle nx-users known-hosts keys so why borther
# in nxsetup?
if [ "$INSTALL" = "yes" -a "$AUTOMATIC" = "no" -a "$SETUP_NOMACHINE_KEY" = "no" ]
then
echo "------> It is recommended that you use the NoMachine key for"
echo " easier setup. If you answer \"y\", FreeNX creates a custom"
echo " KeyPair and expects you to setup your clients manually. "
echo " \"N\" is default and uses the NoMachine key for installation."
echo ""
echo -n " Do you want to use your own custom KeyPair? [y/N] "
read -n 1 CHOICE
[ "$CHOICE" = "y" ] || SETUP_NOMACHINE_KEY="yes"
fi
}
parse_cmdline "$@"
# Read the config file
. $(PATH=$(cd $(dirname $0) && pwd):$PATH which nxloadconfig) --
run_nscd()
{
NSCD="nscd"
if [ -f /var/run/nscd/nscd.pid ]
then
$NSCD "$@" 2>/dev/null || true
fi
}
install_nx()
{
set -e
# FIXME!!!
# if [ "$(pidof sshd 2>/dev/null)" = "" ]
# then
# echo -n "Starting ssh service ..."
# # Generate Host keys if they are not available, yet
# [ -e /etc/ssh/ssh_host_rsa_key ] || $COMMAND_SSH_KEYGEN -q -t rsa -f /etc/ssh/ssh_host_rsa_key -C '' -N ''
# [ -e /etc/ssh/ssh_host_dsa_key ] || $COMMAND_SSH_KEYGEN -q -t dsa -f /etc/ssh/ssh_host_dsa_key -C '' -N ''
# [ -x /etc/init.d/sshd ] && /etc/init.d/sshd start
# [ -x /etc/init.d/ssh ] && /etc/init.d/ssh start
# echo "done"
# fi
echo -n "Setting up $NX_ETC_DIR ..."
mkdir -p $NX_ETC_DIR
touch $NX_ETC_DIR/passwords $NX_ETC_DIR/passwords.orig
chmod 600 $NX_ETC_DIR/passwords $NX_ETC_DIR/passwords.orig
echo "done"
if [ ! -f $NX_ETC_DIR/users.id_dsa ]
then
$COMMAND_SSH_KEYGEN -f $NX_ETC_DIR/users.id_dsa -t dsa -N ""
fi
echo -n "Setting up $NX_SESS_DIR ..."
mkdir -p $NX_SESS_DIR/closed $NX_SESS_DIR/running $NX_SESS_DIR/failed
chmod 700 $NX_SESS_DIR/*
echo "done"
echo -n "Setting up $NX_LOGFILE ..."
mkdir -p $(dirname "$NX_LOGFILE")
touch "$NX_LOGFILE"
chmod 600 "$NX_LOGFILE"
echo "done"
echo -n "Setting up known_hosts and $SSH_AUTHORIZED_KEYS ..."
SETUP_NX_KEY="no"
mkdir -p $NX_HOME_DIR/.ssh
chmod 700 $NX_HOME_DIR/ $NX_HOME_DIR/.ssh
if [ ! -f $NX_HOME_DIR/.ssh/$SSH_AUTHORIZED_KEYS -o "$SETUP_NOMACHINE_KEY" = "yes" ]
then
SETUP_NX_KEY="yes"
if [ "$SETUP_NOMACHINE_KEY" = "yes" ]
then
cat << EOF >$NX_HOME_DIR/.ssh/$SSH_AUTHORIZED_KEYS
no-port-forwarding,no-agent-forwarding,command="$PATH_BIN/nxserver" ssh-dss AAAAB3NzaC1kc3MAAACBAJe/0DNBePG9dYLWq7cJ0SqyRf1iiZN/IbzrmBvgPTZnBa5FT/0Lcj39sRYt1paAlhchwUmwwIiSZaON5JnJOZ6jKkjWIuJ9MdTGfdvtY1aLwDMpxUVoGwEaKWOyin02IPWYSkDQb6cceuG9NfPulS9iuytdx0zIzqvGqfvudtufAAAAFQCwosRXR2QA8OSgFWSO6+kGrRJKiwAAAIEAjgvVNAYWSrnFD+cghyJbyx60AAjKtxZ0r/Pn9k94Qt2rvQoMnGgt/zU0v/y4hzg+g3JNEmO1PdHh/wDPVOxlZ6Hb5F4IQnENaAZ9uTZiFGqhBO1c8Wwjiq/MFZy3jZaidarLJvVs8EeT4mZcWxwm7nIVD4lRU2wQ2lj4aTPcepMAAACANlgcCuA4wrC+3Cic9CFkqiwO/Rn1vk8dvGuEQqFJ6f6LVfPfRTfaQU7TGVLk2CzY4dasrwxJ1f6FsT8DHTNGnxELPKRuLstGrFY/PR7KeafeFZDf+fJ3mbX5nxrld3wi5titTnX+8s4IKv29HJguPvOK/SI7cjzA+SqNfD7qEo8= root@nettuno
EOF
chmod 600 $NX_HOME_DIR/.ssh/$SSH_AUTHORIZED_KEYS
cat << EOF >$NX_HOME_DIR/.ssh/client.id_dsa.key
-----BEGIN DSA PRIVATE KEY-----
MIIBuwIBAAKBgQCXv9AzQXjxvXWC1qu3CdEqskX9YomTfyG865gb4D02ZwWuRU/9
C3I9/bEWLdaWgJYXIcFJsMCIkmWjjeSZyTmeoypI1iLifTHUxn3b7WNWi8AzKcVF
aBsBGiljsop9NiD1mEpA0G+nHHrhvTXz7pUvYrsrXcdMyM6rxqn77nbbnwIVALCi
xFdHZADw5KAVZI7r6QatEkqLAoGBAI4L1TQGFkq5xQ/nIIciW8setAAIyrcWdK/z
5/ZPeELdq70KDJxoLf81NL/8uIc4PoNyTRJjtT3R4f8Az1TsZWeh2+ReCEJxDWgG
fbk2YhRqoQTtXPFsI4qvzBWct42WonWqyyb1bPBHk+JmXFscJu5yFQ+JUVNsENpY
+Gkz3HqTAoGANlgcCuA4wrC+3Cic9CFkqiwO/Rn1vk8dvGuEQqFJ6f6LVfPfRTfa
QU7TGVLk2CzY4dasrwxJ1f6FsT8DHTNGnxELPKRuLstGrFY/PR7KeafeFZDf+fJ3
mbX5nxrld3wi5titTnX+8s4IKv29HJguPvOK/SI7cjzA+SqNfD7qEo8CFDIm1xRf
8xAPsSKs6yZ6j1FNklfu
-----END DSA PRIVATE KEY-----
EOF
chmod 600 $NX_HOME_DIR/.ssh/client.id_dsa.key
else
# generate a new key, backup the old and copy it to $SSH_AUTHORIZED_KEYS
$PATH_BIN/nxkeygen
fi
fi
# commercial ssh2-server uses other authentification-files
# as they are more or less static, I don't integrated these variable
# in node.conf, you have to change them here, if you like
SSH2_AUTHORIZATION="authorization"
SSH2_PUBKEY="nx_user.id.pub"
SSH2_HOME_DIR="$NX_HOME_DIR/.ssh2"
if [ ! -f "${SSH2_HOME_DIR}/$SSH2_PUBKEY" -a "$SETUP_SSH2_KEY" = "yes" -a "$SETUP_NOMACHINE_KEY" = "yes" ]
then
mkdir -p $SSH2_HOME_DIR
chmod 700 $SSH2_HOME_DIR
cat > ${SSH2_HOME_DIR}/$SSH2_PUBKEY <<EOF
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "1024-bit DSA, converted from OpenSSH by root@localhost"
AAAAB3NzaC1kc3MAAACBAJe/0DNBePG9dYLWq7cJ0SqyRf1iiZN/IbzrmBvgPTZnBa5FT/
0Lcj39sRYt1paAlhchwUmwwIiSZaON5JnJOZ6jKkjWIuJ9MdTGfdvtY1aLwDMpxUVoGwEa
KWOyin02IPWYSkDQb6cceuG9NfPulS9iuytdx0zIzqvGqfvudtufAAAAFQCwosRXR2QA8O
SgFWSO6+kGrRJKiwAAAIEAjgvVNAYWSrnFD+cghyJbyx60AAjKtxZ0r/Pn9k94Qt2rvQoM
nGgt/zU0v/y4hzg+g3JNEmO1PdHh/wDPVOxlZ6Hb5F4IQnENaAZ9uTZiFGqhBO1c8Wwjiq
/MFZy3jZaidarLJvVs8EeT4mZcWxwm7nIVD4lRU2wQ2lj4aTPcepMAAACANlgcCuA4wrC+
3Cic9CFkqiwO/Rn1vk8dvGuEQqFJ6f6LVfPfRTfaQU7TGVLk2CzY4dasrwxJ1f6FsT8DHT
NGnxELPKRuLstGrFY/PR7KeafeFZDf+fJ3mbX5nxrld3wi5titTnX+8s4IKv29HJguPvOK
/SI7cjzA+SqNfD7qEo8=
---- END SSH2 PUBLIC KEY ----
EOF
echo "Key $SSH2_PUBKEY" >> ${SSH2_HOME_DIR}/$SSH2_AUTHORIZATION
echo "Options no-port-forwarding,no-agent-forwarding,command=\"$PATH_BIN/nxserver\"" >> ${SSH2_HOME_DIR}/$SSH2_AUTHORIZATION
chmod 600 ${SSH2_HOME_DIR}/$SSH2_AUTHORIZATION ${SSH2_HOME_DIR}/$SSH2_PUBKEY
fi
if [ ! -f $NX_HOME_DIR/.ssh/known_hosts -a "$BUILD_KNOWN_HOSTS" = "yes" ]
then
echo -n "127.0.0.1 " > $NX_HOME_DIR/.ssh/known_hosts
if [ -e "/etc/openssh/ssh_host_rsa_key.pub" ] ; then
cat /etc/openssh/ssh_host_rsa_key.pub >> $NX_HOME_DIR/.ssh/known_hosts
else
[ -e "/etc/ssh/ssh_host_rsa_key.pub" ] && cat /etc/ssh/ssh_host_rsa_key.pub >> $NX_HOME_DIR/.ssh/known_hosts
fi
fi
echo "done"
echo -n "Setting up permissions ..."
chown -R nx:root $NX_SESS_DIR
chown -R nx:root $NX_ETC_DIR
chown -R nx:root $NX_HOME_DIR
chown nx:root "$NX_LOGFILE"
echo "done"
}
test_nx()
{
echo ""
echo "----> Testing your nxserver configuration ..."
[ "$IGNORE_ERRORS" = "yes" ] && NO_ERRORS="--ignore-errors"
. $(PATH=$(cd $(dirname $0) && pwd):$PATH which nxloadconfig) --check $NO_ERRORS
echo "<---- done"
echo ""
echo "----> Testing your nxserver connection ..."
CONNECTION=""
while read -t 3 line
do
echo $line
case "$line" in
*"HELLO NXSERVER - Version $NX_VERSION"*)
CONNECTION="yes"
;;
*"HELLO NXSERVER - Version"*)
echo "Warning: Version mismatch. Expected $NX_VERSION got: $line."
CONNECTION="yes"
;;
*"NX> 999 Bye"*)
break;
;;
esac
done < <(NODE_PUBLICKEY="$NX_HOME_DIR/.ssh/client.id_dsa.key" $PATH_BIN/nxnode-login test-nx nx "$SSHD_PORT" nxserver --check)
if [ -z "$CONNECTION" ]
then
echo "Fatal error: Could not connect to NX Server."
echo
echo "Please check your ssh setup:"
echo ""
echo "The following are _examples_ of what you might need to check."
echo ""
echo " - Make sure \"nx\" is one of the AllowUsers in sshd_config."
echo " (or that the line is outcommented/not there)"
echo " - Make sure \"nx\" is one of the AllowGroups in sshd_config."
echo " (or that the line is outcommented/not there)"
echo " - Make sure your sshd allows public key authentication."
echo " - Make sure your sshd is really running on port $SSHD_PORT."
echo " - Make sure your sshd_config AuthorizedKeysFile in sshd_config is set to $SSH_AUTHORIZED_KEYS."
echo " (this should be a filename not a pathname+filename)"
echo " - Make sure you allow ssh on localhost, this could come from some"
echo " restriction of:"
echo " -the tcp wrapper. Then add in /etc/hosts.allow: ALL:localhost"
echo " -the iptables. add to it:"
echo " $ iptables -A INPUT -i lo -j ACCEPT"
echo " $ iptables -A OUTPUT -o lo -j ACCEPT"
exit 1
fi
echo "<--- done"
echo ""
}
uninstall_nx()
{
if [ -e "$NX_SESS_DIR" ]
then
echo -n "Removing session database ..."
rm -f -r $NX_SESS_DIR/closed $NX_SESS_DIR/running $NX_SESS_DIR/failed 2>/dev/null
rmdir -p $NX_SESS_DIR 2>/dev/null
echo "done"
fi
if [ -e "$NX_LOGFILE" ]
then
echo -n "Removing logfile ..."
rm -f "$NX_LOGFILE" 2>/dev/null
rmdir -p $(dirname "$NX_LOGFILE") 2>/dev/null
echo "done"
fi
if [ "$PURGE" = "yes" -a -e "$NX_HOME_DIR" ]
then
echo -n "Removing home directory of special user \"nx\" ..."
rm -f -r "$NX_HOME_DIR" 2>/dev/null
rmdir -p $(dirname "$NX_HOME_DIR") 2>/dev/null
echo "done"
fi
if [ "$PURGE" = "yes" -a -e "$NX_ETC_DIR" ]
then
echo -n "Removing configuration files ..."
rm -f "$NX_ETC_DIR/passwords" "$NX_ETC_DIR/passwords.orig" "$NX_ETC_DIR/users.id_dsa" "$NX_ETC_DIR/users.id_dsa.pub" 2>/dev/null
for i in `ls $NX_ETC_DIR/*.node.conf 2>/dev/null` ;
do
rm -f "$i" 2>/dev/null;
done
echo "done"
fi
}
if [ "$TEST" = "yes" ]
then
test_nx
exit 0
fi
if [ "$INSTALL" = "yes" ]
then
#Perform cleanup?
[ "$CLEAN" = "yes" ] && uninstall_nx
[ -f /etc/nscd.conf ] && { run_nscd --invalidate passwd; run_nscd --invalidate group; }
install_nx
[ "$AUTOMATIC" = "no" ] && test_nx
echo "Ok, nxserver is ready."
echo
if [ "$ENABLE_SSH_AUTHENTICATION" = "1" -o "$ENABLE_SU_AUTHENTICATION" = "1" ]
then
echo "PAM authentication enabled:"
if [ "$ENABLE_USER_DB" = "1" ]
then
echo " Users will be able to login with their normal passwords,"
echo " but they have to be registered in the NX database to do so."
echo " To add new users to the NX user database do:"
echo " nxserver --adduser <username>"
else
echo " All users will be able to login with their normal passwords."
fi
echo
if [ "$ENABLE_SSH_AUTHENTICATION" = "1" -a "$ENABLE_SU_AUTHENTICATION" = "1" ]
then
echo " Both SSH and SU authentication is enabled."
echo " This does work, but is redundant."
echo " Please check if this is really what you intended."
elif [ "$ENABLE_SSH_AUTHENTICATION" = "1" ]
then
echo " PAM authentication will be done through SSH."
echo " Please ensure that SSHD on localhost accepts password authentication."
else
echo " PAM authentication will be done through SU."
echo " Please ensure that the user "nx" is a member of the wheel group."
fi
else
echo "PAM authentication disabled."
echo " Only users in the NX user database will be able to log in."
echo
echo " To add new users to the NX user database do:"
echo " nxserver --adduser <username>"
echo " Afterwards change the password with:"
echo " nxserver --passwd <username>"
fi
echo
echo " You can change this behaviour in the $NX_ETC_DIR/node.conf file."
if [ "$SETUP_NOMACHINE_KEY" = "no" -a "$SETUP_NX_KEY" = "yes" ]
then
echo
echo "Warning: Clients will not be able to login to this server with the standard key."
echo " Please replace /usr/NX/share/client.id_dsa.key on all clients you want"
echo " to use with $NX_HOME_DIR/.ssh/client.id_dsa.key"
echo " and protect it accordingly."
echo ""
echo " Since 1.5.0 you need to import the correct key via the GUI."
echo
echo " If you really want to use the NoMachine key please remove"
echo " '$NX_HOME_DIR/.ssh/$SSH_AUTHORIZED_KEYS'"
echo " and then run this script with the --setup-nomachine-key parameter."
fi
echo "Have Fun!"
elif [ "$UNINSTALL" = "yes" ]
then
uninstall_nx
echo "Ok, nxserver is uninstalled"
echo
if [ "$PURGE" = "yes" ]
then
echo "To complete the uninstallation process, remove the FreeNX scripts in $PATH_BIN"
echo "and the $NX_ETC_DIR/node.conf configuration file."
else
echo "To complete the uninstallation process, remove the FreeNX scripts in $PATH_BIN"
echo
echo "Configuration files and ssh keys are saved in case you would like to reinstall"
echo "freenx at a later time. To remove them, please run 'nxsetup --uninstall --purge'"
fi
fi
Jump to Line
Something went wrong with that request. Please try again.