FreeNX news from the development hotbed

Friday, 17 September 2004  |  pipitas


In the last two weeks Fabian has made huge progress with FreeNX:
  • he designed and implemented a new security model for FreeNX (with the help of some outstanding people who are now regularly joining debates in the #nx IRC channel on freenode). It doesn't use the nxssh binary any more (which made some Linux distro security auditors to be very suspicious), but instead uses the most recent "standard" OpenSSH package. So any newly discovered future SSH vulnerability doesnt need to be an "extra" NX concern -- fix SSH and you also fixed NX. We hope to have made the security experts (notably those from SUSE) happy with this and that the upcoming audits of FreeNX will soon be passed without need for much re-design.
  • he made FreeNX behave well with various types of clients (KDE's initial knx client for NX and FreeNX sessions, as available from KDE-CVS in the kdenonbeta module -- compile instructions are here; the NoMachine commercial -- but free-as-in-beer -- NX clients of the 1.3.x as well as the various 1.4-snapshot releases). For the NoMachine 1.3.x NX Client he even succeeded to hack an "auto-resume" feature into the FreeNX server: the user restores any suspended session automatically upon re-connection (the 1.3.x clients dont normally support that feature, they always create a new session).
  • he made FreeNX use server-specific SSH key authentication (for the special "nx" user who initiates each connection) as well as the general NoMachine key authentication (for the "nx" user), as well as supporting a passwordless, key-based SSH connection without the need for the "nx" user), as well as PAM-based authentication schemes.
But the coolest thing last.... It was inspired by a Slashdot posting (yeah, sometimes you even find gems there!) from someone who wished he could use an "ssh -NX" instead of an "ssh -X" commandline. This is not exactly here yet. But what you *can* use now is one of these:
  nxtunnel username@remote.NX.host bash
  nxtunnel username@remote.NX.host xterm
This will start a Bash shell or an xterm (just as if you used "ssh -X username@remote.NX.host xterm". But here the session is tunneled through an NX link, going through SSH. If you now type into the xterm or behind the new bash shell prompt something like "konqueror" or "kmail", you'll start these applications on the remote end (and display them locally), speed-boosted by NX compression (which is better and less CPU-intensive than generic ZLIB compression) and by NX caching (which is unprecedented in its efficiency and rate of cache hits). This is already considerably faster than "ssh -X -C" sessions. The third NX component, the X roundtrip suppression, which makes things really fly, is also enabled in nxtunnel sessions...



[CAVEAT!
Be aware that the mentioned third element of NX's superior methods to speed up remote X GUI sessions, its round-trip suppression scheme, does not yet work very reliably for the case of single application windows. The reason is, that the "nxagent" part of the NoMachine software currently only has experimental support for "rootless windows". Single applications therefore normally bypass the "nxagent" part of the NX machinerie and still suffer from the roundtrips. (If you are interested in a flowchart of the NX architecture, look at this one While benefitting from NX compression and caching, a roundtrip-bogged NX session is still faster than a plain "ssh -X -C" session, but it is far from being regarded as as a ground-breaking thing. -- The nxtunnel script enables the rootless window mode with roundtrip suppression, but it has still some bugs. The most important one being, that if you close just one window (like any child dialog) using the window manager "close" button, it'll close the whole nxagent connection. But this is being worked on... To partially avoid this, exit or kill the application from the bash or xterm window you started it from.]



nxtunnel can of course also start a complete KDE session:

  nxtunnel username@remote.NX.host -r startkde

The "-r" parameter tells the skript to set up a rooted window for a window manager.



nxtunnel was announced yesterday on the recently created FreeNX-kNX mailing list. nxtunnel is a Bash shell script and also available from the current FreeNX software repository.



nxtunnel development started from my own humble beginnings from a few months ago (which was based on the material I found in the NoMachine nxscripts.tar.gz package), was improved by <a href"http://www.kalyxo.org/">Peter "mornfall" Rockai, picked up there and rewritten by Neal H. Walfield, saw some heavy hacking from Fabian last, and may become a permanent part of the FreeNX package soon....



We hope that we can move the complete FreeNX and nxtunnel stuff rather soonish to a decent SVN repository on Freedesktop.org to make it easier to participate (or just check out the software and use it). I hope that there will be no silly excuses heard any more for more delays to occur. Or do we need to look for another hosting place?

P.S.:
And before I again get my mailbox filled with even more FAQs:

  • Yes, you *need* to install the NoMachine NX/GPL packages in order to make FreeNX, kNX or nxtunnel work.
  • No, can't forgo without their NoMachine foundational work if you want to use FreeNX or nxtunnel.
  • Yes, FreeNX and nxtunnel also have some additional software package dependencies: on OpenSSH, on expect, on netcat and on netpipes.
  • No, you don't get commercial support contracts for FreeNX from us.
  • Yes, for quotes about commercial NX support contracts you have to please contact NoMachine.
  • No, we don't intend to offer paid support for FreeNX any time soon.
  • Yes, there have been pre-decessors to NX (such as DXCP and mlview), or other attempts to make remote X faster (such as LBX).
  • No, these other attempts have never ever gone so far and never became so mature, stable and efficient as NoMachine's NX has been developed to.
  • Yes, NX and FreeNX can also proxy connections to Windows RDP servers or '((any-platform-you-like)'-VNC servers.
  • No, printing and sound is not yet implemented in FreeNX (but it may be next week).
  • Yes, FreeNX strifes to stay compatible with commercial NoMachine NX.
  • No, there is not yet a comprehensive FreeNX documentation available.
  • Yes, NoMachine have put all of their core technology developed in-house under the terms of the GPL.
  • No, NX and FreeNX are not limited to low bandwidth links.
  • Yes, NX and FreeNX work perfectly well also across fast and high bandwidth connections.
  • No, NX and FreeNX don't limit themselves to remote X sessions only.
  • Yes, NX and FreeNX can also link you up to TightVNC (all platoforms) and RDP (Windows) servers.
  • No, NX-1.4 is not yet released, it is still in development. As is FreeNX and nxtunnel. -- "snapshot" releases are available for all of them.
  • Yes, we expect to have a stable release very soon, possibly even this month.