Support Center

Your questions answered

Knowledge Base

Searching in: Articles & FAQs
Filter the search results
Applies to:
Last update:
Searching in: Articles & FAQs
ID: AR01C00126
Applies to: NX Software
Added on: 2005-01-14
Last update: 2009-08-31
Replacing the default SSH keys used by NX with your own keypair generated for the nx user

To increase the security of a NX server installation administrators have the possibility to replace the default keys used by clients to actually login to NX server with a SSH key generated per-server.

To generate  your own key-pairs for the nx user please follow the instructions reported below.

How to generate SSH keys with NX Server version 2.0.0 or higher

  • Login as the 'root' user to the server on which NX server is
    installed. If NX Server is not installed yet, please download it and install it (alongside with the prerequisite 'NX Client' and
    'NX Node' package suited for your platform). You can find
    detailed instructions on how to install the NX Server packages at:

           http://www.nomachine.com/documents/server/install.php "> http://www.nomachine.com/documents/server/install.php

  • Use the nxserver utility to actually generate the new keys
    as reported below:

            /usr/NX/scripts/setup/nxserver --keygen

How to distribute the new SSH keys

  • Change the ownership and permissions on the authorized_keys file.  Depending on which O.S. your NX is running on, you may need to execute:

    chown nx:root /usr/NX/home/nx/.ssh/authorized_keys2
    chmod 0644 /usr/NX/home/nx/.ssh/authorized_keys2
    Or:
    chown nx:root /usr/NX/home/nx/.ssh/authorized_keys
    chmod 0644 /usr/NX/home/nx/.ssh/authorized_keys

  • Change the ownership and permissions on the following file:

    chown nx:root /usr/NX/home/nx/.ssh/default.id_dsa.pub
    chmod 0644 /usr/NX/home/nx/.ssh/default.id_dsa.pub

  • A part of the key that must be distributed to clients is placed in:

    /usr/NX/share/keys

    Distribute the private key from the newly generated couple of keys located in the file:

    /usr/NX/share/keys/default.id_dsa.key

    to all clients that have to be granted acccess to the specific NX server host.

  • Once the new key has been distributed to clients place it under the subdirectory 'share/keys' of the NX Client installation tree reserved to this purpose. The 'share/keys' subdirectory can be found in the NX Client installation tree according to the following standards:

    On MacOS/X, Linux and Solaris it corresponds to:

    /usr/NX/share/keys

    While on Windows (using the default installation settings), it corresponds to:

    C:\Program Files\NX Client for Windows\share\keys

    When the key has been placed in the above location, please use the key management facilities provided by the NX Client GUI:from the 'General' tab of the session configuration window, click on the 'Key' button and choose Import to import the new key by navigating to the appropriate directory above and Save to save your changes.

    Additional Notes:

    The NX Client GUI facility allow you to import the new private key for the
    session you are configuring. If you don't explicitly import any new key,
    the default private key distributed together with the NX Client, i.e.
    /usr/NX/share/keys/server.id_dsa.key will be used.

  •  Rename the default private key to preserve it.
  •  Rename the new private key from:

              /usr/NX/share/keys/default.id_dsa.key

              to:

              /usr/NX/share/keys/server.id_dsa.key

             In this way, the new key will be used as the default key for all NX
             sessions (except those sessions that have been previously configured
             to use a specific key).

Note for NX Server Manager configuration

If a new SSH key has been generated, location and file name of the DSA key need to be specified in the NX Server Manager configuration file. Edit the /usr/NX/etc/manager.cfg file and set a proper value for the NXSSHPathIdentity key.

Restoring the default SSH key-pair

Starting from NX Server version 3.3.0, the --keyrestore server command allows to restore the SSH key-pair provided with the server package. The current public key will be moved to default.id_dsa.pub.backup file, while the current private key will be moved to  /usr/NX/share/keys/default.id_dsa.key.backup file. Run the following command to use the default SSH key-pair:

          /usr/NX/bin/nxserver --keyrestore

In order to restore the default SSH key in the client,  use the key management facilities provided by the NX Client GUI: in the 'General' tab of the session configuration window, click on the 'Key' button and choose Default. Click Save to save your changes.

You might like to see also the following article about how the NX login works:

http://www.nomachine.com/ar/view.php?ar_id=AR02C00150

How to generate SSH keys with NX Server version 1.5.0

  • Login as the 'root' user to the server on which NX server is installed.
  • Use the 'nxsetup' utility to actually generate the new keys as reported below:

           /usr/NX/bin/nxsetup --keygen