Support for SSL client authentication for connections by NX protocol is available since the implementation of this feature request: http://www.nomachine.com/FR09M02964.
This article documents how to set up authorization of a specific client device by generating a certificate on the server side and transferring the public part to a selected client machine.
CONFIGURING NOMACHINE FOR SUPPORTING SSL CLIENT AUTHENTICATION
1) Edit the server configuration file (server.cfg), uncomment the EnableNXClientAuthentication key and set it as follows:
EnableNXClientAuthentication 1
Once this key has been enabled, only connections from devices presenting a valid certificate will be allowed. The change applies to all new sessions and does not require restarting the NoMachine server and services.
2) Generate the client side private key and certificate
On Linux:
$ LD_LIBRARY_PATH=/usr/NX/lib/ /usr/NX/bin/nxkeygen -k nx_client_rsa_key -c nx_client_rsa_key.crt
On MacOS:
$ LD_LIBRARY_PATH=/Applications/NoMachine.app/Contents/Frameworks/lib/ /Applications/NoMachine.app/Contents/Frameworks/bin/nxkeygen -k nx_client_rsa_key -c nx_client_rsa_key.crt
On Windows:
$ %PROGRAMFILES%/NoMachine/bin/nxkeygen -k nx_client_rsa_key -c nx_client_rsa_key.crt
3) Distribute the client key and certificate to the end-user.
Place the nx_client_rsa_key and nx_client_rsa_key.crt files in the $HOME/.nx/config directory on the end-user's device to have:
$HOME/.nx/config/nx_client_rsa_key
$HOME/.nx/config/nx_client_rsa_key.crt
4) Add the client certificate (nx_client_rsa_key.crt) to the store file on the server (server.crt)
The server side path to the store file is
on Linux:
/var/NX/nx/.nx/config/server.crt
on Mac:
/Library/Application Support/NoMachine/var/nx/.nx/config/server.crt
on Windows:
C:/Users/nx/.nx/config/server.crt
If the "config" directory doesn't exist, create it manually.
Then create an empty file named server.crt. Administrative permissions are required.
For example on Linux:
touch /var/NX/nx/.nx/config/server.crt
Add the newly generated client certificate (nx_client_rsa_key.crt) to the store file, server.crt.
Format of the server.crt file is:
Host:<IP>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Host:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
...
Where <IP> is the IP address of the client.
If <IP> is not provided, the certificate is accepted from any IP address.
Example of a server.crt file:
Host:10.0.2.250
-----BEGIN CERTIFICATE-----
MIIC9zCCAd+gAwIBAgIRAPQvPMRFM9jsvoR9yJhc9UAwDQYJKoZIhvcNAQELBQAw
KDESMBAGA1UECgwJTm9NYWNoaW5lMRIwEAYDVQQDDAlsb2NhbGhvc3QwIhgPMjAw
MDAxMDEwMDAwMDBaGA8yMDYwMDEwMTAwMDAwMFowKDESMBAGA1UECgwJTm9NYWNo
aW5lMRIwEAYDVQQDDAlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDgRHZcEpSLfb0Y2Wm/Lo8VjeZpbRwQHB3Pm+e+iZe5HHYlFf3QOE0O
EIVgZa9kDHnt+qk1lxXdN...........
-----END CERTIFICATE-----
Host:
-----BEGIN CERTIFICATE-----
MIIC9zCCAd+gAwIBAgIRAKZlvRQxNriyAIQyPNRyJlwwDQYJKoZIhvcNAQELBQAw
KDESMBAGA1UECgwJTm9NYWNoaW5lMRIwEAYDVQQDDAlsb2NhbGhvc3QwIhgPMjAw
MDAxMDEwMDAwMDBaGA8yMDYwMDEwMTAwMDAwMFowKDESMBAGA1UECgwJTm9NYWNo
aW5lMRIwEAYDVQQDDAls............
-----END CERTIFICATE-----
FURTHER INSTRUCTIONS FOR CONNECTIONS BY THE WEB
After applying all the changes explained above, connections via the web are no longer possible. To re-enable them:
a) Generate server side private key and certificate
On Linux:
$ LD_LIBRARY_PATH=/usr/NX/lib/ /usr/NX/bin/nxkeygen -k nx_webclient_rsa_key -c nx_webclient_rsa_key.crt
On MacOS:
$ LD_LIBRARY_PATH=/Applications/NoMachine.app/Contents/Frameworks/lib/ /Applications/NoMachine.app/Contents/Frameworks/bin/nxkeygen -k nx_webclient_rsa_key -c nx_webclient_rsa_key.crt
On Windows:
$ %PROGRAMFILES%/NoMachine/bin/nxkeygen -k nx_webclient_rsa_key -c nx_webclient_rsa_key.crt
b) Move the private key and certificate files (nx_webclient_rsa_key and nx_webclient_rsa_key.crt) to the following directory:
on Linux:
/var/NX/nxhtd/.nx/config/
on Mac:
/Library/Application Support/NoMachine/var/nxhtd/.nx/config/
on Windows:
C:/Users/nxhtd/.nx/config/
c) Add the nxhtd certificate to server.crt by following the instructions at point 4, without providing an IP in the Host value.
For example on Linux:
# echo "Host:" >> /var/NX/nx/.nx/config/server.crt
# cat /var/NX/nxhtd/.nx/config/nx_webclient_rsa_key.crt >> /var/NX/nx/.nx/config/server.crt
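The server.crt layout and matching rule described at point 4, together with the append performed at step c) above, as an added Python example (not NoMachine's own code; the certificate bodies and addresses in the sample store are constructed placeholders): it parses a store, applies the documented rule that an empty Host matches any address while Host:<IP> restricts the certificate to that address, and appends an entry only when an identical one is not already present.

```python
import re
from typing import List, Tuple

# One PEM certificate block; the group captures the base64 body.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def _body(pem: str) -> str:
    """Base64 body of one PEM certificate with all whitespace removed."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("not a PEM certificate")
    return re.sub(r"\s+", "", m.group(1))

def parse_store(text: str) -> List[Tuple[str, str]]:
    """Return [(host, body), ...]; host is '' when the entry carries no IP."""
    entries = []
    for chunk in re.split(r"(?m)^Host:", text)[1:]:   # one chunk per entry
        head, _, rest = chunk.partition("\n")
        certs = PEM_RE.findall(rest)
        if len(certs) != 1:
            raise ValueError(f"Host:{head.strip()} must hold exactly one certificate")
        entries.append((head.strip(), re.sub(r"\s+", "", certs[0])))
    return entries

def is_authorized(store: str, client_ip: str, client_pem: str) -> bool:
    """Documented rule: the certificate must match and Host must be empty or equal to the client IP."""
    body = _body(client_pem)
    return any(c == body and h in ("", client_ip) for h, c in parse_store(store))

def add_entry(store: str, pem: str, host: str = "") -> str:
    """Append an entry in store layout unless an identical (host, cert) pair is already present."""
    body = _body(pem)
    if (host, body) in parse_store(store):
        return store
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    sep = "" if store == "" or store.endswith("\n") else "\n"
    return (f"{store}{sep}Host:{host}\n-----BEGIN CERTIFICATE-----\n"
            f"{wrapped}\n-----END CERTIFICATE-----\n")

# Constructed sample store: the bodies below are placeholders, not real certificates.
CLIENT_PEM = "-----BEGIN CERTIFICATE-----\nQ0xJRU5UQ0VSVFBMQUNFSE9MREVS\n-----END CERTIFICATE-----\n"
WEB_PEM = "-----BEGIN CERTIFICATE-----\nV0VCQ0xJRU5UUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"
SAMPLE_STORE = "Host:10.0.2.250\n" + CLIENT_PEM + "Host:\n" + WEB_PEM
```

Running is_authorized over the real store with the client's address and certificate is a quick way to audit which devices the server will accept before enabling the key.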
NOTE FOR MULTI-NODE ENVIRONMENTS
In a multi-node environment, no further operations are necessary.
CONFIGURING SUPPORT FOR SSL CLIENT AUTHENTICATION IN A NOMACHINE CLUSTER SERVER ENVIRONMENT
To allow communication between the master and slave servers, it is necessary to perform the following operations.
a) Generate new server side private key and certificate.
On Linux:
$ LD_LIBRARY_PATH=/usr/NX/lib/ /usr/NX/bin/nxkeygen -k nx_cluster_rsa_key -c nx_cluster_rsa_key.crt
On MacOS:
$ LD_LIBRARY_PATH=/Applications/NoMachine.app/Contents/Frameworks/lib/ /Applications/NoMachine.app/Contents/Frameworks/bin/nxkeygen -k nx_cluster_rsa_key -c nx_cluster_rsa_key.crt
On Windows:
$ %PROGRAMFILES%/NoMachine/bin/nxkeygen -k nx_cluster_rsa_key -c nx_cluster_rsa_key.crt
b) Enable on the master server host the server configuration key 'EnableNXClientAuthentication' as per instructions at point 1.
c) Synchronize master and slave servers.
c1. Move the private key and certificate files (nx_cluster_rsa_key and nx_cluster_rsa_key.crt) to the following directory on the master host
on Linux:
/var/NX/nx/.nx/config/
on Mac:
/Library/Application Support/NoMachine/var/nx/.nx/config/
on Windows:
C:/Users/nx/.nx/config/
c2. Add the nx certificate to server.crt by following the instructions at point 4 above, without providing an IP in the Host value.
c3. Since the server.crt file on the master server is not automatically synchronized on the slave server, copy the (i) server.crt, (ii) private key (nx_cluster_rsa_key) and (iii) certificate (nx_cluster_rsa_key.crt) files from the master server to the slave server in the 'config' directory.
c4. Enable on the slave server host the server configuration key 'EnableNXClientAuthentication' as per instructions at point 1.
FURTHER INSTRUCTIONS FOR CONNECTIONS BY THE WEB IN A CLUSTER ENVIRONMENT
To re-enable web connections, copy the private key and certificate to the nxhtd/.nx/config directory on both the master and slave server hosts.
For example on Linux:
cp /var/NX/nx/.nx/config/nx_cluster_rsa_key* /var/NX/nxhtd/.nx/config/
or follow the instructions in the paragraph "FURTHER INSTRUCTIONS FOR CONNECTIONS BY THE WEB".