ID: AR01C00126
Applies to: NX Software
Added on: 2005-01-14
Last update: 2015-01-07
Replacing the default SSH keys used by NoMachine with your own keypair generated for the nx user

When SSH authentication with the NoMachine login is used, administrators can replace the default keys that clients use to log in to the NX server with an SSH key pair generated per server.

Generating a custom SSH key pair for the NoMachine login

1) On the NoMachine server host, run the following from an xterm, or from a CMD shell on Windows:
 
     nxserver --keygen

2) Change the ownership and permissions on the authorized_keys file.
     For example on Linux, depending on the version and configuration of the system SSH server, run:

     chown nx:root BaseDirectory/NX/home/nx/.ssh/authorized_keys2
     chmod 0644 BaseDirectory/NX/home/nx/.ssh/authorized_keys2

     Or:
     chown nx:root BaseDirectory/NX/home/nx/.ssh/authorized_keys
     chmod 0644 BaseDirectory/NX/home/nx/.ssh/authorized_keys


3) Change the ownership and permissions on the default.id_dsa.pub file. On Linux:

    chown nx:root BaseDirectory/NX/home/nx/.ssh/default.id_dsa.pub
    chmod 0644 BaseDirectory/NX/home/nx/.ssh/default.id_dsa.pub


The private part from the newly generated pair of keys is:

BaseDirectory/share/keys/default.id_dsa.key

where BaseDirectory is the installation directory of the NoMachine software.

The private key has to be distributed to all clients that have to be granted access to the server host.
 

Distributing the new SSH private key to clients

1) Place the new key default.id_dsa.key under the subdirectory 'share/keys' of the NoMachine installation tree.

2) To use the new key for a specific session, access the configuration panel for that session and select the SSH protocol. Then open the 'Advanced' settings, select 'Use the NoMachine login' and continue. There you can specify the alternative key to be used for that session only.

3) To use the new SSH key for all the sessions (except those sessions that have been previously configured to use a specific key), rename the original private key (e.g. on Linux: BaseDirectory/NX/share/keys/server.id_dsa.key) to preserve it, then rename the new private key from default.id_dsa.key to server.id_dsa.key.
 

Using the new SSH private key for web sessions

To let the Cloud Server (webplayer) use the new private key, specify the location and file name of the DSA key in the BaseDirectory/etc/cloud.cfg configuration file by setting a proper value for the following key:

SSHKey   /usr/NX/share/htdocs/nxwebplayer/keys/server.id_dsa.key


 

Notes for NX 3.5.0 version
 

Generating a custom SSH key pair for connecting to the NX Server

1) On the NX Server host generate the new SSH key pair by running:

/usr/NX/scripts/setup/nxserver --keygen

2) Change ownership and permissions on the authorized_keys file:

chown nx:root /usr/NX/home/nx/.ssh/authorized_keys2

chmod 0644 /usr/NX/home/nx/.ssh/authorized_keys2

Or:

chown nx:root /usr/NX/home/nx/.ssh/authorized_keys

chmod 0644 /usr/NX/home/nx/.ssh/authorized_keys

3) Change ownership and permissions on the following file:

chown nx:root /usr/NX/home/nx/.ssh/default.id_dsa.pub

chmod 0644 /usr/NX/home/nx/.ssh/default.id_dsa.pub

4) Distribute the private key to all clients that need to connect to that NX server.

The private key that must be distributed to clients is:

/usr/NX/share/keys/default.id_dsa.key
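
The check below is an added example, not NoMachine tooling: it confirms that steps 2 and 3 took effect (in the current procedure or the NX 3.5.0 one) and that the public key in default.id_dsa.pub is the one listed in the nx user's authorized_keys file, before the private key is handed to clients. It assumes GNU stat, OpenSSH one-line public key format, and that --keygen writes the same public key to both files; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not NoMachine code): post-keygen check for the nx user's
# .ssh directory. Assumes GNU stat and OpenSSH one-line public key format.

# Print the base64 key blob of each entry: the field that follows the
# key-type token, so an options prefix (command="...", etc.) is skipped.
key_blobs() {
    awk '{ for (i = 1; i < NF; i++)
               if ($i ~ /^(ssh-dss|ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp[0-9]+)$/) {
                   print $(i + 1); break
               } }' "$1"
}

# Succeed only if file $1 is owned by $2 (user:group) with mode 0644.
perm_ok() {
    [ "$(stat -c '%U:%G %a' "$1" 2>/dev/null)" = "$2 644" ]
}

# nx_key_check SSH_DIR [OWNER:GROUP]   (hypothetical helper name)
nx_key_check() {
    dir=$1; want=${2:-nx:root}; rc=0; auth=
    pub="$dir/default.id_dsa.pub"
    # Which file is read depends on the system SSH server (step 2).
    for f in "$dir/authorized_keys2" "$dir/authorized_keys"; do
        if [ -f "$f" ]; then auth=$f; break; fi
    done
    if [ -z "$auth" ] || [ ! -f "$pub" ]; then
        echo "FAIL: authorized_keys file or $pub missing in $dir"; return 1
    fi
    for f in "$auth" "$pub"; do
        if ! perm_ok "$f" "$want"; then
            echo "FAIL: $f is not $want with mode 0644"; rc=1
        fi
    done
    # The key clients will present must be the one the nx user authorizes.
    blob=$(key_blobs "$pub" | head -n 1)
    if [ -z "$blob" ] || ! key_blobs "$auth" | grep -Fxq -- "$blob"; then
        echo "FAIL: key in $pub is not listed in $auth"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $auth authorizes the key in $pub"; fi
    return "$rc"
}
```

Run it as root after step 3, for example `nx_key_check /usr/NX/home/nx/.ssh`; a non-zero return means the permissions or the key pairing still need attention.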

 

Distributing the new SSH key to NX Clients

4.1) Place the new key under the subdirectory 'share/keys' of the NX Client installation tree on the end-user's machine.

(/usr/NX/share/keys on Mac OS X, Linux and Solaris, C:\Program Files\NX Client for Windows\share\keys on Windows)

4.2) Load the new SSH key from the NX Client 3.5.0 GUI: in the 'General' tab of the session configuration window, click on the 'Key' button and choose 'Import' to import the new key by navigating to the appropriate directory above, then click Save to save your changes. The new key will be used only for the session you are configuring.

To use the new SSH key as default for all sessions:

- Rename the original private key (/usr/NX/share/keys/server.id_dsa.key) distributed together with the client installation.

- Rename the new private key from:

/usr/NX/share/keys/default.id_dsa.key

to:

/usr/NX/share/keys/server.id_dsa.key

In this way, the new key will be used as the default key for all NX sessions (except those sessions that have been previously configured to use a specific key).
 

Using the new SSH key with the NX Server Manager

Specify the location and file name of the new key in the /usr/NX/etc/manager.cfg configuration file by setting a proper value for the NXSSHPathIdentity key.

 
Restoring the default SSH key pair

Run the following command to restore the SSH key pair provided with the server package:

/usr/NX/bin/nxserver --keyrestore

The current public key will be moved to the default.id_dsa.pub.backup file, while the current private key will be moved to the /usr/NX/share/keys/default.id_dsa.key.backup file. Run the following command to use the default SSH key-pair:

To restore the default SSH key in the client, use the key management facilities provided by the NX Client GUI: in the 'General' tab of the session configuration window, click on the 'Key' button and choose Default. Click Save to save your changes.