NoMachine currently supports two-factor authentication, but this doesn't yet include authentication via U2F-enabled USB or NFC devices such as YubiKey. Support for such devices will be added in the future:
Supporting the Universal 2nd Factor authentication standard for two-factor authentication
With the implementation of the above FR, full support of U2F/TOTP authentication in SSH and NX protocols will be available.
In the meantime, it's possible to support U2F/TOTP authentication in both the SSH and NX protocols by following the general procedure described below. This requires basic familiarity with Linux procedures.
To get started, OpenSSH needs to be configured on both the client and the server side.
It is recommended to use openssh-6.7p1.
Download the OpenSSH source package from the following link:
1) Extract the archive of the OpenSSH source code:
tar xvzf openssh-6.7p1.tar.gz
2) OpenSSH doesn't have U2F support by default; it is therefore necessary to patch the source code to add it.
Retrieve the diff file from this link and save it on the computer in the top directory of OpenSSH:
3) Enter the directory of OpenSSH, openssh-6.7p1, and patch the source by running:
patch -p1 < "file_name".patch
where "file_name".patch is the name of the diff file.
4) Then configure OpenSSH and build the patched source:
sudo rm -f configure
sudo autoconf -i
sudo ./configure --with-u2f
sudo make install
This procedure has to be done on:
(a) client side - the patched SSH client will be placed in /usr/local/bin/ssh.
You will then need to use it instead of the original SSH client.
(b) server side - the patched SSH server (sshd) will be installed in /usr/local/sbin/sshd.
This is the SSH daemon to be used on the system in order to support U2F.
Before proceeding with the next steps, add the U2F device to the server host.
Making the necessary changes on the server side
On the server side, update the sshd_config file.
Add the following lines at the end of the file:
To register a U2F key for a given user, use the following command:
ssh -o U2FMode=registration user@host
Replace user with the proper username. SSH will ask for the password of that user. Once authorized correctly you should see:
Authenticated with partial success.
Please touch your U2F security key now.
The token will then be provided, for example:
ssh-u2f BKn6/dAyMahAQQi0XqpW4u2GVLOt3dXN7eXi+wtljpWzptfaLBzOuKzDenU21pLbpp5R/HFEjyL5jG4t6XcGcxmalviUrnjf5tAJfagJ7kPNF0RSfxfoozGo+G4xOp38YqxJ1BP8WhZnVTSsn8exvLgBiq4H6rgrJsIvN9NaHqFk my security key
This token must be placed in the authorized_keys file, by default: /home/user/.ssh/authorized_keys
Two-factor authentication will then be available for that specific user.
Run from a console:
It will ask for the password. After entering the password, the following message will show:
"Please touch your U2F security key now."
Upon touching, the user will then be authenticated.
Making the necessary changes on the client side
To permit the NoMachine client to use the YubiKey, some changes to the nxplayer configuration file are necessary. The default location of that file is in the home of the given user:
Find it and change the following line:
<option key="SSH client mode" value="library" />
to:
<option key="SSH client mode" value="native" />
and the following line:
<option key="SSH Client" value="/usr/bin/ssh" />
to:
<option key="SSH Client" value="/usr/local/bin/ssh" />
In this way the NoMachine client will use the SSH client patched for U2F support.
Then create a wrapper script for /usr/local/bin/ssh.
First rename the patched SSH client, for example:
sudo mv /usr/local/bin/ssh /usr/local/bin/ssh_orig
Create a file named "ssh" which will be a bash script.
sudo touch /usr/local/bin/ssh
sudo chmod 755 /usr/local/bin/ssh
And add the following content:
#!/bin/bash
exec "/usr/local/bin/ssh_orig" "-o PreferredAuthentications keyboard-interactive,password,u2f" "$@"
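Before starting the client, the client-side changes above can be verified with a short script. This is an added example, not part of the original NoMachine article: the function names are hypothetical, and the player configuration file is passed as an argument because its path depends on the user's home directory. It also checks that the wrapper, which the NoMachine client will execute, is not writable by group or others.

```shell
#!/bin/bash
# Added example (not NoMachine code): verify the client-side changes above.
# Function names are hypothetical; the player config path is an argument.

# Print the value of <option key="KEY" value="..." /> found in FILE.
# Fails if the key is missing or appears more than once.
cfg_value() {
    local file="$1" key="$2" matches
    matches=$(grep -F "<option key=\"$key\" " "$file") || return 1
    [ "$(printf '%s\n' "$matches" | wc -l)" -eq 1 ] || return 1
    printf '%s\n' "$matches" | sed -n 's/.*value="\([^"]*\)".*/\1/p'
}

# Report every deviation from the setup; non-zero status if any is found.
check_client_setup() {
    local cfg="$1" wrapper="${2:-/usr/local/bin/ssh}" rc=0 mode client
    mode=$(cfg_value "$cfg" "SSH client mode") || mode="<missing or duplicated>"
    client=$(cfg_value "$cfg" "SSH Client") || client="<missing or duplicated>"
    if [ "$mode" != "native" ]; then
        echo "SSH client mode is '$mode', expected 'native'"; rc=1
    fi
    if [ "$client" != "$wrapper" ]; then
        echo "SSH Client is '$client', expected '$wrapper'"; rc=1
    fi
    if [ ! -x "$wrapper" ] || [ ! -x "${wrapper}_orig" ]; then
        echo "$wrapper or ${wrapper}_orig is missing or not executable"; rc=1
    elif ! grep -q 'PreferredAuthentications.*u2f' "$wrapper"; then
        echo "$wrapper does not list u2f in PreferredAuthentications"; rc=1
    elif [ -n "$(find "$wrapper" -maxdepth 0 \( -perm -020 -o -perm -002 \))" ]; then
        echo "$wrapper is writable by group or others"; rc=1
    fi
    return $rc
}

# Usage: script <player-config-file> [wrapper-path]
if [ "$#" -gt 0 ]; then
    check_client_setup "$@"
fi
```
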
After all these changes, start the NoMachine client and try to connect to the NoMachine server on the U2F enabled host.
In the connection configuration, select the SSH protocol and the password authentication type (default).
After entering the correct username and password, the NoMachine client connects to the remote host and the YubiKey device should start blinking. Touch the YubiKey.
Detailed instructions to use Yubico authentication with NoMachine on Linux are available here: https://www.nomachine.com/AR12Q01064