NoMachine Support

Knowledge Base

ID: AR12K00768
Applies to: NoMachine Software
Added on: 2013-12-30
Last update: 2020-06-22
Differences in protocols and authentication between legacy 3.5.0 and later versions

The NX and SSH protocols

The first major difference between NX 3.x and later versions (starting with version 4, released in 2014) is the connection protocol: NX 3.x used the SSH protocol. With the new version, the default connection method is via the NX protocol. SSH continues to be supported in the Enterprise products (e.g. Workstation, Terminal Server, Enterprise Server and so on).

Both protocols use encryption and end-to-end protection of communication. The NX protocol is implemented using the TLS/SSL standard and the OpenSSL library, as explained in the following articles about encryption and the foundations of the NX protocol.

https://www.nomachine.com/AR10K00705
https://www.nomachine.com/AR11K00745

There are several reasons why NoMachine developed its own (NX) protocol, the main one being performance. This, along with the other considerations, is documented in the following article:

https://www.nomachine.com/AR11K00739

Authentication mechanisms in NX 3.5.0

In NX 3, SSH worked using a special key (user configurable) that gave the client access to the system as the nx user. From there the client booted into a special shell created by nxserver. How this worked is explained in more detail here:

https://www.nomachine.com/AR02C00150

Authentication mechanisms in NoMachine 4 and later

SSH can work in the same way it worked in 3.5.0, i.e. via the "NoMachine login", or by using a "System login". "NoMachine login" means that the user logs in as the nx user to request the nxserver shell. This type of authentication is limited to password-based authentication, but can be used by the server to implement guest accounts, to provide finer control over the users allowed to connect, to create custom authentication mechanisms or to create new users on demand, based on a profile, at the time the user first connects.

"System login" means that the user must have a valid account on the system and that SSH connections must be enabled for the user at the time he/she connects. Since most users don't need the advanced functionalities offered by the NoMachine login, and since the NoMachine login may present the additional burden of having to distribute a custom key-pair, the system login is now the default method when using SSH in version 4.

The System login via SSH supports most authentication methods supported by SSH, including:


- Password;
- Key-based;
- Key-based stored on smart card;
- Kerberos.


Additionally, it supports forwarding of key-based auth and Kerberos tickets to the node host. These advanced authentication methods in NoMachine 4 are explained in:

https://www.nomachine.com/DT12I00037

The NX protocol supports both password and key-based authentication methods. Support for Kerberos and smartcard authentication will be coming soon. Once implemented, key-based authentication for the NX protocol will mirror the SSH implementation, meaning that you can insert the key for the NX protocol just as you do with SSH.

Both the NX and SSH protocols support host authentication (verification). Please consult the following article for more information on how to use different keys and certificates.

https://www.nomachine.com/AR04K00665