October 29, 2009

Adventures in NX, sshd and pam.

Or: how to get pam to distinguish between a login that's happening via ssh by someone using an NX client and one that's not.

I've got some Linux machines where I use pam_script in the GDM pam stack to do some things which I only want done when the user logs in with an X session. Having set one of these machines up for NX access I realised that the pam_script stuff didn't get run for NX logins, for the obvious reason that those logins don't happen via GDM. I want the pam_script to run for NX logins too, and found this presented a problem. NX logins are done over ssh, so I would have to put pam_script in the sshd stack. However, I don't want the pam_script stuff to run for ssh logins done using the traditional command line method of 'ssh user@hostname'. So I needed to find a way to allow pam_script to distinguish an ssh login happening via NX from one that wasn't. Google searches didn't yield a solution, hence this post.

NoMachine's nxserver allows you to execute scripts upon certain events. So I used the UserScriptBeforeLogin hook to create a file in /tmp with a name based on the IP address of the machine the session was being initiated from.

#!/bin/bash
# $1 is ip address login is coming from
touch /tmp/nxsessioncomingfrom_$1

pam_script can then check for the presence of that file to determine whether the login is an NX one or a regular ssh one. To do that check, pam_script has to know where the login is coming from. (You can't assume that a login happening via ssh is an NX session simply because the aforementioned file exists in /tmp, since someone could login via ssh at the same time someone else is logging in with an NX client.) pam_script gets given the username of the user logging in as an argument. My first thought was to make pam_script look at the output of 'who' to find the IP address that user was logged in from. However, I discovered that a user logged in via NX does not show up in the output of 'who'. They're listed in the output of '/usr/bin/utmpdump < /var/run/utmp', but not in the output of 'who'. I expect there's some technical reason for that but I lost patience with trying to find out what it is. (If someone logged in via NX opens an interactive shell session, say by running gnome-terminal, then they do show up in the output of 'who'.) [Update: See note below regarding output of 'who'] So I needed to find another source of information about where the user was logging in from.

The only place I could find this information was in /var/log/messages. The NX Server writes an entry there that looks like:

Oct 26 09:40:00 foohost NXSERVER-3.4.0-8[25571]: User 'xxxxx' logged in from '137.205.xxx.xxx'. 'NXLogin::set'

Having located that, pam_script can determine whether the user logging in is coming from the same IP address as the file in /tmp indicates an NX session is coming from, like so:

#!/bin/bash
# Run from the sshd pam stack via pam_script; $1 is the username of the user logging in.
# Take the most recent NXSERVER entry for this user and pull out the IP address,
# which is field 11 of the log line, then strip the quotes and the trailing full stop.
ip=$(grep NXSERVER /var/log/messages | grep "User '$1' logged in from" | tail -1 | awk '{print $11}' | sed "s/'//g;s/\.$//g")

if [ ! -f /tmp/nxsessioncomingfrom_${ip} ]; then
    # if the file isn't there then exit the script
    # no reason for 34 other than it's distinctive for testing purposes
    exit 34
else
    # if the file is there then delete it and continue
    rm -f /tmp/nxsessioncomingfrom_${ip}
fi
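To show the two halves of this handshake working together, here is an added example that is not part of the original post. It replaces /tmp and /var/log/messages with a scratch directory and a constructed log file (the NXSERVER line format is the one quoted above; the CRON line, the hostnames, usernames and addresses are made up), and it walks through the case mentioned above of a plain ssh login happening at the same moment as an NX one.

```sh
#!/bin/sh
# Added example, not the original post's script. Simulates the marker-file
# handshake between nxserver's UserScriptBeforeLogin hook and the pam_script
# check in the sshd stack, using a scratch directory in place of /tmp and a
# constructed log file in place of /var/log/messages.

WORK=$(mktemp -d)
MARKER_DIR="$WORK/markers"   # stands in for /tmp
NXLOG="$WORK/messages"       # stands in for /var/log/messages
mkdir -p "$MARKER_DIR"
trap 'rm -rf "$WORK"' EXIT

# Constructed log contents. The NXSERVER line format is the one nxserver
# writes; the hosts, users, addresses and the CRON line are made up.
cat > "$NXLOG" <<'EOF'
Oct 26 09:39:58 foohost CRON[25550]: (root) CMD (run-parts /etc/cron.hourly)
Oct 26 09:40:00 foohost NXSERVER-3.4.0-8[25571]: User 'alice' logged in from '137.205.1.2'. 'NXLogin::set'
Oct 26 09:41:10 foohost NXSERVER-3.4.0-8[25580]: User 'alice' logged in from '137.205.9.9'. 'NXLogin::set'
Oct 26 09:42:00 foohost NXSERVER-3.4.0-8[25590]: User 'carol' logged in from '192.0.2.44'. 'NXLogin::set'
EOF

# Stand-in for UserScriptBeforeLogin: $1 is the address the NX client is
# connecting from, as nxserver passes it to the hook.
nx_before_login() {
    touch "$MARKER_DIR/nxsessioncomingfrom_$1"
}

# Address of the most recent NXSERVER login recorded for user $1, or nothing
# if there is none. The address is pulled out with a pattern anchored on the
# message text rather than by counting whitespace-separated fields, so it
# keeps working if an earlier field (hostname, process tag) ever contains a space.
nx_login_ip() {
    grep NXSERVER "$NXLOG" | grep -F "User '$1' logged in from" | tail -n 1 \
        | sed -n "s/.*logged in from '\([^']*\)'.*/\1/p"
}

# The pam_script decision for user $1: status 0 means "NX login, marker
# consumed", 34 means "treat as a plain ssh login" (34 as in the post).
is_nx_login() {
    ip=$(nx_login_ip "$1")
    [ -n "$ip" ] || return 34
    marker="$MARKER_DIR/nxsessioncomingfrom_$ip"
    [ -f "$marker" ] || return 34
    rm -f "$marker"      # one marker serves exactly one login
    return 0
}

# Walk-through: alice's NX client at 137.205.9.9 is connecting while bob
# runs a plain 'ssh bob@foohost' at the same moment.
nx_before_login 137.205.9.9
is_nx_login alice; echo "alice -> $?"         # 0: log entry and marker both match
is_nx_login bob;   echo "bob   -> $?"         # 34: no NXSERVER entry for bob
is_nx_login carol; echo "carol -> $?"         # 34: entry exists but no marker
is_nx_login alice; echo "alice again -> $?"   # 34: marker already consumed
```

Two details worth noting: the latest NXSERVER entry for the user wins, so a stale entry from an earlier session (alice's 137.205.1.2 login above) is ignored, and the marker is removed the moment it is matched, so it cannot be reused to classify a second login from the same address. The example keeps the markers in a private directory created by mktemp rather than in world-writable /tmp, so only the hook that creates them can influence the check.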



Update: I worked out why users don't show up in the output of 'who'. It's because sessreg isn't being run when they log in. To get sessreg to run you need to edit /usr/NX/etc/server.cfg and set the value of CommandSessreg to the location of sessreg. Search for CommandSessreg to find the placeholder. I haven't yet bothered to check whether sessreg runs early enough to make the need for UserScriptBeforeLogin redundant.
