NoMachine Support

ID: AR09P00996
Applies to: NoMachine Software
Added on: 2018-09-04
Last update: 2019-12-06
How to set up U2F (Universal 2nd Factor authentication) on Linux

NoMachine currently supports two-factor authentication, but this doesn't yet include authentication via U2F-enabled USB or NFC devices such as YubiKey. Support for such devices will be added in the future:

Supporting the Universal 2nd Factor authentication standard for two-factor authentication
https://www.nomachine.com/FR07N03138


With the implementation of the above FR, full support of U2F/TOTP authentication in SSH and NX protocols will be available.


In the meantime, it's possible to support U2F/TOTP authentication in both the SSH and NX protocols by following the general procedure described below. This requires basic Linux skills.

To get started, OpenSSH needs to be configured on both the client and the server side.

It is recommended to use openssh-6.7p1.

Download the OpenSSH source package from the following link:
https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.7p1.tar.gz

1) Extract the archive of the OpenSSH source code:

tar xvzf openssh-6.7p1.tar.gz

2) OpenSSH doesn't have U2F support by default, so it's necessary to patch the source code to add it.
Retrieve the diff file from this link and save it on the computer in the top directory of OpenSSH:
https://bugzilla.mindrot.org/attachment.cgi?id=2521&action=diff&collapsed=&headers=1&format=raw
 
3) Enter the directory of OpenSSH, openssh-6.7p1, and patch the source by running:

patch -p1 < "file_name".patch

where "file_name".patch is the name of the diff file.

4) Then configure OpenSSH and build the patched source:

sudo rm -f configure
sudo autoconf -i
sudo ./configure --with-u2f
sudo make
sudo make install

This procedure has to be done on:
(a) the client side - the patched SSH client will be placed in /usr/local/bin/ssh.
You will then need to use it instead of the original SSH client.
(b) the server side - the patched SSH server (sshd) will be installed in /usr/local/sbin/sshd.
This is the SSH daemon to be used on the system in order to support U2F.

Before proceeding with the next steps, add the U2F device to the server host.
 

Making the necessary changes on the server side

On the server side, update the sshd_config file.

Add the following lines at the end of the file:

U2FAuthentication yes
AuthenticationMethods password,u2f

To register a U2F key for a given user, use the following command:

ssh -o U2FMode=registration user@host

Replace user with the proper username. SSH will ask for the password of that user. Once authorized correctly, you should see:

Authenticated with partial success.
Please touch your U2F security key now.

The token will then be provided, for example:

ssh-u2f BKn6/dAyMahAQQi0XqpW4u2GVLOt3dXN7eXi+wtljpWzptfaLBzOuKzDenU21pLbpp5R/HFEjyL5jG4t6XcGcxmalviUrnjf5tAJfagJ7kPNF0RSfxfoozGo+G4xOp38YqxJ1BP8WhZnVTSsn8exvLgBiq4H6rgrJsIvN9NaHqFk my security key

This token must be placed in the authorized_keys file, by default: /home/user/.ssh/authorized_keys

Two factor authentication will then be available for that specific user.
Run from a console:
ssh user@host
It will ask for the password. After entering the password, the following message will show:
"Please touch your U2F security key now."


Upon touching, the user will then be authenticated.
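
A check for the server-side settings above, as an added example that is not part of the original article or of NoMachine's tooling: sshd uses the first value it reads for a keyword, so lines appended at the end of sshd_config have no effect when the same keyword is already set earlier in the file. The function names and the sample files are constructed for illustration.

```shell
#!/bin/bash
# Added example: audit the server-side settings described in this article.
# sshd keeps the FIRST value it reads for a keyword, so lines appended at the
# end of sshd_config are ignored if the keyword already appears earlier.

# Print the first global value of keyword $2 in file $1
# (assumes the "Keyword value" form; stops at the first Match block).
first_value() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/             { next }
        tolower($1) == "match" { exit }
        tolower($1) == want    { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Return 0 only if sshd_config ($1) and authorized_keys ($2) match the article.
check_u2f_server() {
    local cfg=$1 keys=$2 rc=0 v
    v=$(first_value "$cfg" U2FAuthentication)
    [ "$v" = "yes" ] ||
        { echo "U2FAuthentication is '${v:-unset}', expected yes"; rc=1; }
    v=$(first_value "$cfg" AuthenticationMethods)
    [ "$v" = "password,u2f" ] ||
        { echo "AuthenticationMethods is '${v:-unset}', expected password,u2f"; rc=1; }
    grep -q '^ssh-u2f[[:space:]]' "$keys" 2>/dev/null ||
        { echo "no ssh-u2f entry in $keys"; rc=1; }
    return "$rc"
}

# Constructed sample: an earlier AuthenticationMethods line shadows the
# one appended per the article, so password alone would be accepted.
demo() {
    local d; d=$(mktemp -d)
    printf '%s\n' 'PermitRootLogin no' 'AuthenticationMethods password' \
        '# appended per the article:' 'U2FAuthentication yes' \
        'AuthenticationMethods password,u2f' > "$d/sshd_config"
    printf '%s\n' 'ssh-u2f CONSTRUCTED-PLACEHOLDER-KEY my security key' \
        > "$d/authorized_keys"
    check_u2f_server "$d/sshd_config" "$d/authorized_keys" &&
        echo "server settings OK"
    rm -rf "$d"
}
demo
```

On a real host, pass check_u2f_server the sshd_config that the patched sshd actually reads and the user's authorized_keys file.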


 
Making the necessary changes on the client side

To permit the NoMachine client to use the YubiKey, some changes to the nxplayer config file are necessary. By default, that file is located in the home directory of the given user:

/home/user/.nx/config/player.cfg

Find it and change the following lines:

<option key="SSH client mode" value="library" />

to

<option key="SSH client mode" value="native" />

and

<option key="SSH Client" value="/usr/bin/ssh" />

to

<option key="SSH Client" value="/usr/local/bin/ssh" />

In this way the NoMachine client will use the SSH client patched for U2F support.

Then create a wrapper script for /usr/local/bin/ssh.

First rename the patched SSH client, for example:

sudo mv /usr/local/bin/ssh /usr/local/bin/ssh_orig

Then create a file named "ssh", which will be a bash script:

sudo touch /usr/local/bin/ssh
sudo chmod 755 /usr/local/bin/ssh

And add the following content:

#!/bin/bash

exec "/usr/local/bin/ssh_orig" "-o PreferredAuthentications keyboard-interactive,password,u2f" "$@"
 

After all these changes, start the NoMachine client and try to connect to the NoMachine server on the U2F enabled host.

In the connection configuration, select SSH protocol and authentication type password (default).

After you enter the correct username and password, the NoMachine client connects to the remote host and the YubiKey device should start blinking. Touch the YubiKey.


Detailed instructions to use Yubico authentication with NoMachine on Linux are available here: https://www.nomachine.com/AR12Q01064