NoMachine Support

Your questions answered

Knowledge Base

ID: AR03Q01020
Applies to: NX Software
Added on: 2019-03-27
Last update: 2019-05-07
How to set up key based authentication for web connections with NX protocol

Since NoMachine version 6.6.8, it is possible to configure the authentication method used for web connections when the NX protocol is set for the webplayer-server communication. The accepted methods are password and key-based authentication. By default, users authenticate by password, whether the NX protocol or the SSH protocol is set. Key-based authentication is not yet supported for the SSH protocol.
Ref.
https://www.nomachine.com/FR06O03450
https://www.nomachine.com/FR11P03745

 

How to make users authenticate by private SSH key

Support for key-based authentication requires that the public SSH key be added on the server side, in the user's home, to grant access. When you connect to the server, you will have to provide the private key in the NoMachine web User Interface.

Premises

You have already generated an SSH key pair, for example by using the ssh-keygen tool on a Linux host.

Be sure that the key is in OpenSSH format.
Note that the new OpenSSH format introduced by openssh version 7.8p1-1 is not supported yet. See https://www.nomachine.com/FR05Q03834 for more details; it also provides a possible workaround.

If you generated the SSH key pair on Windows, for example by using 'PuTTYgen' (https://www.puttygen.com), be sure it's in OpenSSH format or convert it. To do that, choose the key file in the PuTTYgen main window, then go to Conversions->Export OpenSSH key to export your private key and save it.


First step: Add the public SSH key on the server

1. Navigate to the <user's home>/.nx/config directory.

2. You should find the authorized.crt file there. Create this file if it doesn't exist. On Linux/Mac, this file needs to have permissions set to 0600.

3. Append your SSH public key at the end of the authorized.crt file. If you're using a text editor, be sure not to save the file in a different format.

4. Save changes.
 

This is an example of what the public key added to the authorized.crt file looks like:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLPbAnTn+6UlZQEqudUChU9JMm2bZ92E7Pda313s6p/W89tFHV3MmG965
+OQKQcIFYDfSmF/dM+qKVrkcdLE8Vc2O+HiBxJmeaKYuDdcOZGeRvW2mhskULDmuVA5IFCqaOx+OINuiNYGzQYzl0vzFg9prvp
KmOVnXDjzsuMOTrLr45TPv3Vk5iFmsyYA3J69Z2VErc486lY5aU6Qqg21hd3Yh/4rflGPE4QWVBkpO9qIhynT5+qlT9JyXg9J+al0K
fcttgOYaApdhd/OiE4Nxycl7duwk4eXDm1Um/HHcO361VT9rznL8gU+Rm99CLiecW1FiB90s5TV9USXUz8Mqr
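The four steps above can be scripted on a Linux/Mac server. The function below is an added example and not NoMachine's own code; the name nx_add_pubkey, its return codes, the RSA/DSA-only check (the key types this article names) and the 0700 directory mode are assumptions of the example.

```shell
# Added example (not NoMachine code): append an SSH public key to
# <home>/.nx/config/authorized.crt with mode 0600, as described above.
# nx_add_pubkey is a hypothetical helper name; return codes are illustrative.
# Usage: nx_add_pubkey /path/to/id_rsa.pub [home-directory]
nx_add_pubkey() {
    pub=$1
    home=${2:-$HOME}
    dir=$home/.nx/config
    auth=$dir/authorized.crt

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Only the public half belongs on the server: refuse private key files.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub looks like a private key, refusing" >&2
        return 2
    fi

    # A public key is a single line: "<type> <base64> [comment]".
    # Assumption: accept only RSA and DSA, the key types this article names.
    key=$(grep -v '^[[:space:]]*$' "$pub" || true)
    lines=$(printf '%s\n' "$key" | wc -l)
    [ "$((lines))" -eq 1 ] || { echo "expected exactly one key line" >&2; return 3; }
    case $key in
        "ssh-rsa AAAA"*|"ssh-dss AAAA"*) ;;
        *) echo "not an RSA/DSA public key in OpenSSH format" >&2; return 3 ;;
    esac

    # Create missing directories and the file without group/other access
    # (the article only requires 0600 on the file; 0700 dirs are a choice here).
    ( umask 077 && mkdir -p "$dir" && touch "$auth" ) || return 4
    chmod 600 "$auth" || return 4

    # Append only if this exact line is not already present.
    if ! grep -qxF -- "$key" "$auth"; then
        # Keep one key per line even if the file lacks a trailing newline.
        if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
            echo >> "$auth"
        fi
        printf '%s\n' "$key" >> "$auth"
    fi
}
```

Running it twice with the same key leaves a single entry in authorized.crt, and a file containing a private key is rejected before anything is written.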


Second step: Configure NoMachine to accept key-based authentication for web sessions

1. Edit the server configuration file:

BaseDirectory/NX/etc/server.cfg on Linux
BaseDirectory/NoMachine/etc/server.cfg on Windows
BaseDirectory/NoMachine.app/Contents/Frameworks/etc/server.cfg on Mac

2. Look for the Section "Server" and change 'Authentication password' to 'Authentication private-key', for example:

Section "Server"

Name "Connection to localhost"
Host 127.0.0.1
Protocol NX
Port 4000
Authentication private-key

EndSection

 

Use the private SSH key when connecting with your browser

On your device:

1. Point the browser to: http://SERVER:4080

    Where SERVER is either the name or IP address of the host you want to reach.

2. You will be prompted with a dialog asking you to provide the private key to be used to log in. The key should be a DSA or RSA key in OpenSSH format.

3. Click the '...' button, navigate the directories on your device and provide the path to your private SSH key.

4. Click the 'OK' button and connect.

The client will prompt you for username and passphrase. If your SSH key doesn't have a passphrase, provide only your username. You can also save the passphrase.