The way NX has worked up to version 3.x is by creating an 'nx' user on the server machine whose shell, /usr/NX/bin/nxserver, is executed any time a remote NX user connects to SSH using NX Client. The initial login between client and server happens through a DSA key-pair. The public part is provided during the installation of the server, while the private part is distributed together with the NX Client. Using this nx key forces the SSH server to execute the nxserver shell and enables SSH X11 forwarding. X11 forwarding has been necessary since NX version 2.0.0 to avoid performance deterioration due to the behaviour of SSHD. Details on the topic are available here AR05D00391, while more information about how the NX login works can be found at AR02C00150.
Once the client has been authenticated on the server, the SSH secure channel has been established. Successive steps such as authentication of the user on the system and negotiation of session parameters happen on this channel. By default, NX Client is configured with encryption of all traffic enabled, i.e. NX tunnels all the session traffic over the encrypted SSH channel used to authenticate and negotiate the session with the server.
This is the basic sequence of actions performed by NX Client when encryption of all traffic is enabled:
nxclient runs nxssh to connect to the NX server.
nxclient authenticates to the server as user nx by using the nx key. SSHD runs the nxserver shell and protocol communciation between client and server begins.
NX client passes credentials to the server for authenticating the user
on the system.
In order to start a new session, NX Client passes session parameters to NX Server. On both the client and server sides, the options file is created. This file contains all the parameters which qualify the session, for example session type, geometry, link type etc ...
Once session parameters have been negotiated, NX Client opens the nxcomp channel between client and server by sending the 'Switching descriptors' command to nxssh. Since nxssh is linked with nxcomp, it will start the nxcomp with the options listed in options file.
Starting from NoMachine 4 users are able to select their preferred authentication method. See the following FRs for further details: