Support Center

Your questions answered

Knowledge Base

Searching in: Articles & FAQs
Filter the search results
Applies to:
Last update:
Searching in: Articles & FAQs
ID: AR01C00126
Applies to: NX Software
Added on: 2005-01-14
Last update: 2016-08-12
How to replace the default SSH keys for connections by SSH and NoMachine login

NoMachine servers v. 4 and 5 support connections by 1) SSH and NoMachine login, which correspond to the only method available for  connections to/from NX versions 3.5.0.

Other methods are: connections by 2) NX protocol (ddefault) and 3) SSH protocol and system login.

 

1) Login with SSH protocol and NoMachine login (not available with NoMachine free)

Connection is via the SSH protocol, the client first authenticates as user nx by using an SSH key pair and then the user authenticates on the system (only password authentication and two-factor authentication methods are supported).

Administrators may adopt a custom SSH key pair for the NoMachine login. The custom SSH key pair has to be generated on the server and the new private key has to be distributed to clients to let them connect to the server.

Instructions to replace the default SSH key pair for the NoMachine login in NoMachine v. 5 and 4 are available here:

https://www.nomachine.com/DT09M00103

For NX 3.5.0, please refer to the note at the bottom of this article.

 

2) Login with NX protocol and system login

Connection is via the NX protocol, the user authenticates on the system.  The following authentication methods are supported:

  • 2.1. Password based authentication. This is the default method.

  • 2.2. SSH key based authentication (private key).

  • 2.3.  System login with Kerberos ticket existing on client side.

Instructions to setup key-based authentication (2.2) are available at: https://www.nomachine.com/AR02L00785

 

3) Login with SSH protocol and system login (not available with NoMachine free)

Connection is via the SSH protocol, the user authenticates on the system. The following authentication methods are supported:

  • 3.1. Password based authentication. (Default 'System login' in the client GUI).

  • 3.2. SSH key based authentication with private key. ('System login' in the client GUI).

  • 3.3. System login with SSH key based authentication and SSH key stored on a PKCS11 smart card . ('System login' in the client GUI).

  • 3.4. System login with Kerberos ticket existing on client side. ('System login' in the client GUI).

 


NOTE: How to replace the default SSH key pair for NX 3.5.0

 

Generate a custom SSH key pair for connecting to the NX Server

1) On the NX Server host generate the new SSH key pair by running:

/usr/NX/scripts/setup/nxserver --keygen

2) Change ownership and permissions on the authorized_keys file:

chown nx:root /usr/NX/home/nx/.ssh/authorized_keys2

chmod 0644 /usr/NX/home/nx/.ssh/authorized_key2

Or:

chown nx:root /usr/NX/home/nx/.ssh/authorized_keys

chmod 0644 /usr/NX/home/nx/.ssh/authorized_keys

3) Change ownership and permissions on the following file:

chown nx:root /usr/NX/home/nx/.ssh/default.id_dsa.pub

chmod 0644 /usr/NX/home/nx/.ssh/default.id_dsa.pub

4) Distribute the private key to all clients that need to connect to that NX server.

The private key that must be distributed to clients is:

/usr/NX/share/keys/default.id_dsa.key

 

Distribute the new SSH key to NX Clients

4.1) Place the new key under the subdirectory 'share/keys' of the NX Client installation tree on the end-user's machine.

(/usr/NX/share/keys on MacOS/X, Linux and Solaris,  C:Program FilesNX Client for Windowssharekeys on Windows)

4.2) Load the new SSH from the NX Client 3.5.0 GUI: from the 'General' tab of the session configuration window, click on the 'Key' button and choose 'Import' to import the new key by navigating to the appropriate directory above and Save to save your changes. The new key will be used only for the session you are configuring.

To use the new SSH key as default for all sessions:

- Rename the original private key ( /usr/NX/share/keys/server.id_dsa.key) distributed togheter with the client installation.  

- Rename the new private key from:

/usr/NX/share/keys/default.id_dsa.key

to:

/usr/NX/share/keys/server.id_dsa.key

In this way, the new key will be used as the default key for all NX sessions (except those sessions that have been previously configured
to use a specific key).
 

Use the new SSH key with the NX Server Manager

Specify location and file name of the new key in the /usr/NX/etc/manager.cfg configuration file and set a proper value for the NXSSHPathIdentity key.

 
Restore the default SSH key pair

Run the following command to restore the SSH key pair provided with the server package:

/usr/NX/bin/nxserver --keyrestore

The current public key will be moved to default.id_dsa.pub.backup file, while the current private key will be moved to  /usr/NX/share/keys/default.id_dsa.key.backup file. Run the following command to use the default SSH key-pair:

To restore the default SSH key in the client,  use the key management facilities provided by the NX Client GUI: in the 'General' tab of the session configuration window, click on the 'Key' button and choose Default. Click Save to save your changes.