ID: AR12Q01064
Applies to: NoMachine Software
Added on: 2019-12-06
Last update: 2020-01-08
How to enable Yubico authentication with NoMachine on Linux

The procedure below has been tested with NoMachine v. 6.8.1 on CentOS 7.6/RHEL 7.6.

All commands need to be executed as root from a terminal.

1. Get EPEL repository:

wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

2. Install EPEL repository:

yum install epel-release-latest-7.noarch.rpm

3. Install necessary packages with dependencies:

yum install ykclient
yum install ykpers
yum install pam_yubico

4. Visit the web site https://upgrade.yubico.com/getapikey/ to generate a Yubico client ID and key.
This only requires providing an email address and a key stored on the YubiKey device (press the 'y' button on the YubiKey dongle plugged into your machine).

5. Create the /etc/yubikey_mappings file binding local accounts to Yubico keys.
   The file should consist of <username>:<yubico_key> entries.

Example:
nomachine:uuccggddoopp
tester:uuccggddoopp

where 'uuccggddoopp' stands for the first 12 characters of the key stored on the Yubico device.
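As an added helper (not part of the NoMachine article), the POSIX shell functions below derive the 12-character ID from a full YubiKey OTP and sanity-check a mappings file before authfile= is pointed at it. They assume a factory-style 44-character modhex OTP (alphabet cbdefghijklnrtuv), so the article's 'uuccggddoopp' is treated as the placeholder it is and would be rejected; the sample OTP in the test is constructed.

```shell
#!/bin/sh
# Added helper, not from the NoMachine article: extract the public ID that
# /etc/yubikey_mappings expects, and validate a mappings file line by line.

MODHEX='cbdefghijklnrtuv'   # YubiKey OTPs are encoded in modhex

# Print the first 12 modhex characters of an OTP (assumption: 44-char OTP);
# fail with status 1 if the OTP is not well formed.
yubi_public_id() {
    otp=$1
    printf '%s' "$otp" | grep -Eq "^[$MODHEX]{44}$" || return 1
    printf '%s' "$otp" | cut -c1-12
}

# Check every <username>:<yubico_key> line of a mappings file.
# Returns 0 if all lines are well formed, 1 otherwise (problems on stderr).
check_mappings_file() {
    file=$1
    rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac   # skip blank/comment lines
        user=${line%%:*}
        ids=${line#*:}
        if [ "$user" = "$line" ] || [ -z "$user" ] || [ -z "$ids" ]; then
            echo "malformed line (expected user:id): $line" >&2; rc=1; continue
        fi
        # pam_yubico also accepts several IDs per user, separated by ':'
        for id in $(printf '%s' "$ids" | tr ':' ' '); do
            printf '%s' "$id" | grep -Eq "^[$MODHEX]{12}$" \
                || { echo "bad key id '$id' for user $user" >&2; rc=1; }
        done
    done < "$file"
    return $rc
}
```

Run check_mappings_file /etc/yubikey_mappings after editing the file; a non-zero exit means at least one entry would never match a real OTP.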

6. To allow the YubiKey to work with SELinux, execute:

setsebool -P authlogin_yubikey on

More details are available here: https://developers.yubico.com/yubico-pam/YubiKey_and_SELinux.html

7. Enable YubiKey authentication with NX protocol

Edit /etc/pam.d/nx file by adding line:

auth required pam_yubico.so id=50982 key="hY035n7E+di6N8hMQsSFmWa7PKM=" debug debug_file=/var/log/pam_yubico_nx.log authfile=/etc/yubikey_mappings mode=client urllist=https://api.yubico.com/wsapi/2.0/verify

where:
id=50982 - the client ID obtained from the website at step 4.
key="hY035n7E+di6N8hMQsSFmWa7PKM=" - the key generated at step 4.
debug - enables additional debug messages.
debug_file=/var/log/pam_yubico_nx.log - the file for pam_yubico debug logs. The file must exist, and SELinux needs to be set to permissive mode for pam_yubico to be able to write messages to it.
mode=client - validates OTPs online against the Yubico validation service rather than in challenge-response mode.
urllist=https://api.yubico.com/wsapi/2.0/verify - this argument is a workaround for https://github.com/Yubico/yubico-pam/issues/31, which we reproduced on CentOS 7.

After editing, the /etc/pam.d/nx file will look like:
auth       include       su
auth       required pam_yubico.so id=50982 key="hY035n7E+di6N8hMQsSFmWa7PKM=" debug debug_file=/var/log/pam_yubico_nx.log authfile=/etc/yubikey_mappings mode=client urllist=https://api.yubico.com/wsapi/2.0/verify
account    include       su
password   include       su
session    optional      pam_loginuid.so
session    include       su

8. Further configurations for Yubico and SSH protocol

Set the following values in /etc/ssh/sshd_config file:

PasswordAuthentication no
ChallengeResponseAuthentication yes

Then restart the sshd service.

How to enable Yubico + LDAP authentication with NoMachine on Linux

1. Download or clone this GitHub repository on the LDAP server host:
https://github.com/mludvig/yubikey-ldap

2. Enter yubikey-ldap-master/ldap-schema directory.

3. Install the yubikey schema by following the instructions in the README file. Depending on the type of LDAP configuration, go to section:
"Installation - OLC aka cn=config"
or to section:
"Installation - slapd.conf"

4. Add the yubiKeyUser and yubiKeyId attributes for users. This can be done manually or by using the Python script.

Instructions for manually adding the attributes can be found in section:
"Storing the YubiKey IDs"

To use the Python script instead:

- Enter yubikey-ldap-master directory.

- Run command:

cp yubikey-ldap.conf.sample yubikey-ldap.conf

- Replace sample values in yubikey-ldap.conf with correct ones, matching your LDAP configuration.

- Run the script:

./yubikey-ldap

- Enter the user names and YubiKey IDs of the users for whom you want to enable YubiKey authentication.
The YubiKey ID can be entered by pressing 'Y' on your YubiKey dongle.

5. PAM configuration on NoMachine server host.

Add the following line in /etc/pam.d/nx in authentication stack:

auth required pam_yubico.so id=12345 key="+mwBIf=pGzofqVi6j+pNhwabcdefg=" \
debug debug_file=/var/log/pam_yubico_ldap.log ldap_uri=ldap://server \
ldapdn=cn=test-group,ou=test,dc=nxtestldap,dc=local user_attr=cn yubi_attr=yubiKeyId \
mode=client urllist=https://api.yubico.com/wsapi/2.0/verify

The line above is just an example, you will need to customize it according to your specific needs.

In particular, the 'required' control keyword makes YubiKey authentication mandatory for all users connecting with the NX protocol, which may not always be what you need.

The LDAP-specific arguments need to be adjusted to match the local LDAP configuration:
ldap_uri - URI of the LDAP server.
ldapdn - DN of the directory in which users are stored.
For example:
if the user's DN (which can be obtained using ldapsearch) is cn=kratos,cn=test-group,ou=test,dc=nxtestldap,dc=local, then ldapdn should be cn=test-group,ou=test,dc=nxtestldap,dc=local.
user_attr - attribute used to identify the user; in the example above user kratos is stored in the 'cn' attribute.
yubi_attr - attribute storing the key ID on the LDAP server (added to LDAP in steps 3 and 4).