To increase the security of an NX Server installation, administrators can replace the default keys that clients use to log in to the NX server with an SSH key generated per server.
To generate your own key pair for the nx user, follow the instructions below.
How to generate SSH keys with NX Server version 2.0.0 or higher
- Log in as the 'root' user to the server on which NX Server is installed. If NX Server is not installed yet, please download and install it (along with the prerequisite 'NX Client' and 'NX Node' packages suited for your platform). You can find detailed instructions on how to install the NX Server packages at:
http://www.nomachine.com/documents/server/install.php
- Use the nxserver utility to generate the new keys as reported below:
How to distribute the new SSH keys
- Change the ownership and permissions on the authorized_keys file. Depending on which operating system your NX is running on, you may need to execute:
chown nx:root /usr/NX/home/nx/.ssh/authorized_keys2
chmod 0644 /usr/NX/home/nx/.ssh/authorized_keys2
chown nx:root /usr/NX/home/nx/.ssh/authorized_keys
chmod 0644 /usr/NX/home/nx/.ssh/authorized_keys
- Change the ownership and permissions on the following file:
chown nx:root /usr/NX/home/nx/.ssh/default.id_dsa.pub
chmod 0644 /usr/NX/home/nx/.ssh/default.id_dsa.pub
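The ownership and mode set by the commands above can be checked afterwards. The following shell functions are an added example, not part of the original article or of NoMachine's tooling; they assume GNU stat (Linux), and the NX_SSH_DIR variable and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not NoMachine code). Assumes GNU stat, as found on Linux.
# NX_SSH_DIR is a hypothetical override so the audit can be tried on a copy.
NX_SSH_DIR="${NX_SSH_DIR:-/usr/NX/home/nx/.ssh}"

# check_key_file PATH OWNER:GROUP MODE -> 0 match, 1 mismatch, 2 not present
check_key_file() {
    ckf_path=$1; ckf_want="$2 $3"
    if [ ! -e "$ckf_path" ]; then
        echo "SKIP  $ckf_path (not present)"
        return 2
    fi
    ckf_got=$(stat -c '%U:%G %a' "$ckf_path")
    if [ "$ckf_got" = "$ckf_want" ]; then
        echo "OK    $ckf_path ($ckf_got)"
        return 0
    fi
    echo "FAIL  $ckf_path is '$ckf_got', expected '$ckf_want'"
    return 1
}

# audit_nx_keys [OWNER:GROUP] [MODE] -> returns the number of failed checks.
# Defaults mirror the chown/chmod commands in the article (nx:root, 0644).
audit_nx_keys() {
    ank_owner=${1:-nx:root}; ank_mode=${2:-644}
    ank_fail=0; ank_auth=0
    for ank_f in authorized_keys2 authorized_keys default.id_dsa.pub; do
        ank_rc=0
        check_key_file "$NX_SSH_DIR/$ank_f" "$ank_owner" "$ank_mode" || ank_rc=$?
        # Either authorized_keys variant may be the one in use, depending on the OS.
        case "$ank_f:$ank_rc" in
            authorized_keys*:[01]) ank_auth=1 ;;
        esac
        if [ "$ank_rc" -eq 1 ]; then ank_fail=$((ank_fail + 1)); fi
    done
    if [ "$ank_auth" -eq 0 ]; then
        echo "FAIL  no authorized_keys or authorized_keys2 in $NX_SSH_DIR"
        ank_fail=$((ank_fail + 1))
    fi
    return "$ank_fail"
}

# Run against the live directory only when asked to: sh <this script> --run
if [ "${1:-}" = "--run" ]; then audit_nx_keys; fi
```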
A part of the key that must be distributed to clients is placed in:
Distribute the private key from the newly generated pair of keys located in the file:
to all clients that have to be granted access to the specific NX server host.
- Once the new key has been distributed to clients, place it under the 'share/keys' subdirectory of the NX Client installation tree, which is reserved for this purpose. The location of the 'share/keys' subdirectory in the NX Client installation tree depends on the platform:
On Mac OS X, Linux and Solaris it corresponds to:
While on Windows (using the default installation settings), it corresponds to:
C:\Program Files\NX Client for Windows\share\keys
When the key has been placed in the above location, please use the key management facilities provided by the NX Client GUI: from the 'General' tab of the session configuration window, click on the 'Key' button and choose Import to import the new key by navigating to the appropriate directory above, then Save to save your changes.
The NX Client GUI facility allows you to import the new private key for the session you are configuring. If you don't explicitly import any new key, the default private key distributed together with the NX Client, i.e. /usr/NX/share/keys/server.id_dsa.key, will be used.
- Rename the default private key to preserve it.
- Rename the new private key from:
In this way, the new key will be used as the default key for all NX sessions (except those sessions that have been previously configured to use a specific key).
Note for NX Server Manager configuration
If a new SSH key has been generated, the location and file name of the DSA key need to be specified in the NX Server Manager configuration file. Edit the /usr/NX/etc/manager.cfg file and set a proper value for the NXSSHPathIdentity key.
Restoring the default SSH key-pair
Starting from NX Server version 3.3.0, the --keyrestore server command allows you to restore the SSH key pair provided with the server package. The current public key will be moved to the default.id_dsa.pub.backup file, while the current private key will be moved to the /usr/NX/share/keys/default.id_dsa.key.backup file. Run the following command to use the default SSH key pair:
In order to restore the default SSH key in the client, use the key management facilities provided by the NX Client GUI: in the 'General' tab of the session configuration window, click on the 'Key' button and choose Default. Click Save to save your changes.
You might also like to see the following article about how the NX login works:
How to generate SSH keys with NX Server version 1.5.0
- Log in as the 'root' user to the server on which NX Server is installed.
- Use the 'nxsetup' utility to generate the new keys as reported below: