Support Center

Your questions answered

Advanced Search
Back to results Printer-friendly version

Replacing the default SSH keys used by NX with your own keypair generated for the nx user

  Added On: 2005-01-14 Last Modified: 2009-08-31  
  ID: AR01C00126 Applies To: NX Software  

To increase the security of a NX server installation administrators have the possibility to replace the default keys used by clients to actually login to NX server with a SSH key generated per-server.

To generate  your own key-pairs for the nx user please follow the instructions reported below.

How to generate SSH keys with NX Server version 2.0.0 or higher

  • Login as the 'root' user to the server on which NX server is
    installed. If NX Server is not installed yet, please download it and install it (alongside with the prerequisite 'NX Client' and
    'NX Node' package suited for your platform). You can find
    detailed instructions on how to install the NX Server packages at:


  • Use the nxserver utility to actually generate the new keys
    as reported below:

            /usr/NX/scripts/setup/nxserver --keygen

How to distribute the new SSH keys

  • Change the ownership and permissions on the authorized_keys file.  Depending on which O.S. your NX is running on, you may need to execute:

    chown nx:root /usr/NX/home/nx/.ssh/authorized_keys2
    chmod 0644 /usr/NX/home/nx/.ssh/authorized_keys2
    chown nx:root /usr/NX/home/nx/.ssh/authorized_keys
    chmod 0644 /usr/NX/home/nx/.ssh/authorized_keys

  • Change the ownership and permissions on the following file:

    chown nx:root /usr/NX/home/nx/.ssh/
    chmod 0644 /usr/NX/home/nx/.ssh/

  • A part of the key that must be distributed to clients is placed in:


    Distribute the private key from the newly generated couple of keys located in the file:


    to all clients that have to be granted acccess to the specific NX server host.

  • Once the new key has been distributed to clients place it under the subdirectory 'share/keys' of the NX Client installation tree reserved to this purpose. The 'share/keys' subdirectory can be found in the NX Client installation tree according to the following standards:

    On MacOS/X, Linux and Solaris it corresponds to:


    While on Windows (using the default installation settings), it corresponds to:

    C:\Program Files\NX Client for Windows\share\keys

    When the key has been placed in the above location, please use the key management facilities provided by the NX Client GUI:from the 'General' tab of the session configuration window, click on the 'Key' button and choose Import to import the new key by navigating to the appropriate directory above and Save to save your changes.

    Additional Notes:

    The NX Client GUI facility allow you to import the new private key for the
    session you are configuring. If you don't explicitly import any new key,
    the default private key distributed together with the NX Client, i.e.
    /usr/NX/share/keys/server.id_dsa.key will be used.

  •  Rename the default private key to preserve it.
  •  Rename the new private key from:




             In this way, the new key will be used as the default key for all NX
             sessions (except those sessions that have been previously configured
             to use a specific key).

Note for NX Server Manager configuration

If a new SSH key has been generated, location and file name of the DSA key need to be specified in the NX Server Manager configuration file. Edit the /usr/NX/etc/manager.cfg file and set a proper value for the NXSSHPathIdentity key.

Restoring the default SSH key-pair

Starting from NX Server version 3.3.0, the --keyrestore server command allows to restore the SSH key-pair provided with the server package. The current public key will be moved to file, while the current private key will be moved to  /usr/NX/share/keys/default.id_dsa.key.backup file. Run the following command to use the default SSH key-pair:

          /usr/NX/bin/nxserver --keyrestore

In order to restore the default SSH key in the client,  use the key management facilities provided by the NX Client GUI: in the 'General' tab of the session configuration window, click on the 'Key' button and choose Default. Click Save to save your changes.

You might like to see also the following article about how the NX login works:

How to generate SSH keys with NX Server version 1.5.0

  • Login as the 'root' user to the server on which NX server is installed.
  • Use the 'nxsetup' utility to actually generate the new keys as reported below:

           /usr/NX/bin/nxsetup --keygen