Veyon Community Forum


    Keyfile Authentication with domain users

      R2Tech last edited by

      Hello,

      Previously I had a Veyon 4.0.7 deployment working smoothly using keyfile configuration, but after updating to 4.10/4.1.1 this method no longer seems to work. I think this is due to the change on the keyfiles/folders having ACL rule requirements now. Previously I just copied the public key to the clients' appdata/veyon/keys/public folder and that seemed to be enough for access from the Masters.

      We are in a domain environment, but I do not want to use domain logon based authentication as the access checks cause teacher logon events on the DC for the client workstations, which throws our web filter for a loop and kicks students off the internet.

      With the keyfile I start running into the same problem as I now have to specify a user group for access. I'd just set it to "Everyone" but this does not seem to be possible. Setting it to Domain\Domain Users also does not seem to grant access. Importing the key using the config generator also doesn't work and the key pair ID always differs between client and master.

      What is the process for getting keyfile authentication to work like it did previously?

        R2Tech last edited by

        Finally got it to work with 4.2.2.

        Setup is the following: lab with a Master. The Master will not be used by students, logon auth is unneeded and causes other issues.

        First install Veyon with the master on a machine and generate a key pair (I just name it "teacher"). Export them to another folder (I put them on the file share for distribution later). Generate locations and computers in Location & Computers. You'll have to install the clients with either a config file included or utilize veyon-wcli to change authentication mode. The config will not set the key access control group, you'll need to set it with veyon-wcli. By default it pulls the highest privilege group available when the key pair is created (Administrators), but you'll actually want to have it for the lowest (Users).

        //Config for Master/Client
        
        General
           Authentication
              Method: Key file authentication
        
        Computer Access Control
           x Grant access to every authenticated user (default)
        
        Authentication keys
           Set Access group to "Users"
        
        
        //Imports public key
        "C:\Program Files\Veyon\veyon-wcli.exe" authkeys import teacher/public \\fileserver\share$\folder\teacher_public_key.pem
        
        //Imports private key (Master Only)
        "C:\Program Files\Veyon\veyon-wcli.exe" authkeys import teacher/private \\fileserver\share$\folder\teacher_private_key.pem
        
        //Sets access group to Users (works with domain login as well)
        "C:\Program Files\Veyon\veyon-wcli.exe" authkeys setaccessgroup teacher/public Users
        
        //Sets access group to Users (works with domain login as well) (Master Only)
        "C:\Program Files\Veyon\veyon-wcli.exe" authkeys setaccessgroup teacher/private Users
        
        

        One gotcha I learned is that the Veyon uninstaller will not remove keys. If you generated new keys for a new version but with the same name, the old ones will have to be deleted first because the import will not work if a file with the same name exists.

        //Remove the Veyon folder from ProgramData
        rmdir /s /q "C:\ProgramData\Veyon"
        

        When you import the keys with veyon-wcli the folder structure will be created.

        Now you have Veyon running with key authentication.

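A read-only check to run after the import and setaccessgroup steps above, added here as an example and not part of the original post or of Veyon itself: it lists which principals can read or modify the key files. It assumes the keys sit under `C:\ProgramData\Veyon` (the folder the post deletes) and that private-key paths contain the word "private"; the function name is made up for this example, and it should be run from an elevated PowerShell.

```powershell
# Added example: audit who can read or modify Veyon key files.
# Assumptions: key root and the "private" path match described in the lead-in.
param([string]$KeyRoot = 'C:\ProgramData\Veyon')

$rights    = [System.Security.AccessControl.FileSystemRights]
$readMask  = [int]$rights::ReadData
$writeMask = [int]($rights::WriteData -bor $rights::AppendData -bor $rights::Delete -bor
                   $rights::ChangePermissions -bor $rights::TakeOwnership)
# Well-known SIDs for SYSTEM and the local Administrators group (language independent).
$trustedSids = @('S-1-5-18', 'S-1-5-32-544')
$sidType     = [System.Security.Principal.SecurityIdentifier]

function Get-VeyonKeyAccess {
    param([string]$Root)
    foreach ($file in Get-ChildItem -LiteralPath $Root -Recurse -File) {
        $acl = Get-Acl -LiteralPath $file.FullName
        # Ask for the rules with SIDs so the trusted-principal test does not depend on names.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $mask     = [int]$ace.FileSystemRights
            $canRead  = ($mask -band $readMask) -ne 0
            $canWrite = ($mask -band $writeMask) -ne 0
            if (-not ($canRead -or $canWrite)) { continue }
            $sid  = $ace.IdentityReference.Value
            # Resolve the SID to a readable name; keep the SID if it cannot be resolved.
            $name = try { $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid }
            [pscustomobject]@{
                File      = $file.FullName
                IsPrivate = $file.FullName -match 'private'
                Principal = $name
                CanRead   = $canRead
                CanWrite  = $canWrite
                Review    = $canWrite -and ($trustedSids -notcontains $sid)
            }
        }
    }
}

$report = Get-VeyonKeyAccess -Root $KeyRoot
# Every principal listed here can read a private key, i.e. can act as a Master.
$report | Where-Object IsPrivate | Sort-Object File, Principal |
    Format-Table Principal, CanRead, CanWrite, File -AutoSize
# Key files that a principal other than SYSTEM/Administrators can change or delete.
$report | Where-Object Review | Format-Table Principal, File -AutoSize
```

On a client that only holds the public key the first table is empty; on the Master it should show only the access group chosen with `setaccessgroup` plus SYSTEM and Administrators.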