ID: DT09M00103
Version: NoMachine 5
Added on: 2015-09-22
Last update: 2017-11-15
How to use different keys or certificates with NoMachine (v.5)

 

Table of Contents

1. How to replace the SSL certificate for nxd
2. How to replace the SSL certificate for nxhtd
3. How to replace the RSA key pair for nxsshd
4. How to replace the RSA Key Pair for the Remote Nodes
5. How to replace the RSA Key Pair for the Failover Cluster
6. How to replace the default SSH keys for connections by SSH and NoMachine login

 

Premises

- RSA keys were introduced in v. 5.1.22 to let users authenticate on systems where the ssh-dss (DSA) public key algorithm is disabled, which is the default since OpenSSH v. 7.0. Compatibility with DSA keys is preserved.

- All instructions below are intended to be run from a console and require an account with administrative privileges: 'root' on Linux and Mac (if you don't have the 'root' account on your system, use a 'sudo' user and prefix all commands with 'sudo') and an administrator user on Windows. On Windows, run the CMD shell as administrator.

- By default, keys and certificates are generated with a 2048 bit length; specify the -n option for a different length.

- Instructions below refer to <installation directory>, which is the installation directory of the NoMachine server, by default:

/usr/NX on Linux

/Applications/NoMachine.app/Contents/Frameworks/ on Mac

C:\PROGRA~1\NoMachine on Windows

i.e. C:\Program Files (x86)\NoMachine on 64bit systems or
C:\Program Files\NoMachine on 32bit systems.

- Instructions below use the 'nxkeygen' tool; as an alternative, you can use the standard ssh-keygen command from OpenSSH.

 

1. How to replace the SSL certificate for nxd

The nxd program is the NoMachine Network Daemon resident on the server host (any of the NoMachine servers and the Terminal Server Node) and is necessary to connect through the NX protocol. Its SSL certificate and private key are:

<installation directory>/etc/keys/host/nx_host_rsa_key.crt
<installation directory>/etc/keys/host/nx_host_rsa_key


How to generate and use a new certificate and private key

Step 1

The general format of the command to generate a new certificate and private key for nxd is:

<installation directory>/bin/nxkeygen -k privatekey -c certificate [-n length]

Important:

On Linux or Mac you need to set the LD_LIBRARY_PATH before running the nxkeygen tool.

For example on Linux:

export LD_LIBRARY_PATH=/usr/NX/lib
<installation directory>/bin/nxkeygen -k nx_host_rsa_key -c nx_host_rsa_key.crt -n 4096


The files are written to the paths given on the command line (here, the current directory). Then make sure the new certificate and key are placed in <installation directory>/etc/keys/host/ with the same names as the original ones and proper permissions and ownership. On Linux they should look like this:

-rw------- 1 nx root 1675 2013-11-18 12:18 nx_host_rsa_key
-rw-r--r-- 1 nx root 1090 2013-11-18 12:18 nx_host_rsa_key.crt

and on Mac like this:

-rw------- 1 nx wheel 1679 Apr 8 16:21 nx_host_rsa_key
-rw-r--r-- 1 nx wheel 1090 Apr 8 16:21 nx_host_rsa_key.crt

 

Step 2

To make the changes effective, restart nxd once the new certificate and key are in place. This will terminate all running sessions.

To restart nxd, run from console:

<installation directory>/bin/nxserver --restart nxd

nxd can also be restarted from the Server preferences GUI.

 

Step 3

In the case of Cloud Server and web player, it's also necessary to update client.crt with the content of the new certificate nx_host_rsa_key.crt.

The client.crt file is located at:

/var/NX/nxhtd/.nx/config/client.crt on Linux

/Library/Application\ Support/NoMachine/var/nxhtd/.nx/config/client.crt on Mac

C:\ProgramData\NoMachine\nxhtd\.nx\config\client.crt on Windows

 

For example on Linux, if the new certificate is placed in /usr/NX/etc/keys/host:

echo "Host:localhost" > /var/NX/nxhtd/.nx/config/client.crt
cat /usr/NX/etc/keys/host/nx_host_rsa_key.crt >> /var/NX/nxhtd/.nx/config/client.crt
echo "Host:127.0.0.1" >> /var/NX/nxhtd/.nx/config/client.crt
cat /usr/NX/etc/keys/host/nx_host_rsa_key.crt >> /var/NX/nxhtd/.nx/config/client.crt

Both entries, Host:localhost and Host:127.0.0.1, must be present in client.crt, which should look like:

Host:localhost
-----BEGIN CERTIFICATE-----
MIIC9zCCAd+gAwIBAgIRAP4YLqSxLm9xey/k41vmu+cwDQYJKoZIhvcNAQEFBQAw
(......)
-----END CERTIFICATE-----
Host:127.0.0.1
-----BEGIN CERTIFICATE-----
MIIC9zCCAd+gAwIBAgIRAP4YLqSxLm9xey/k41vmu+cwDQYJKoZIhvcNAQEFBQAw
(....)
-----END CERTIFICATE-----
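The echo/cat pairs above are easy to get subtly wrong: a certificate saved without a trailing newline fuses the second Host: line onto the last PEM line, and a private key or an empty file copied into place breaks web sessions without any error at write time. The shell script below is an added example, not NoMachine's own code, that writes client.crt in the layout shown above and then verifies that layout. The function names, the temporary-file handling and the structural check are the editor's assumptions; the paths in the usage comment are the Linux ones from this article.

```shell
#!/bin/sh
# Added example (not NoMachine code): rebuild the web player's client.crt
# from the nxd host certificate and verify the layout the article shows.
# Helper names are assumed; paths are passed in so the functions can also
# be exercised against a scratch directory.
set -u

# build_client_crt CERT OUTPUT
# Writes OUTPUT with one "Host:<alias>" line followed by the full PEM
# certificate, for each of the two aliases the web player looks up.
build_client_crt() {
    cert="$1"
    out="$2"
    tmp="$out.tmp.$$"

    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 1; }
    # Refuse anything that is not a PEM certificate: a private key or an
    # empty file written here would only show up as failing web sessions.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" ||
        { echo "$cert does not contain a PEM certificate" >&2; return 1; }

    {
        for host in localhost 127.0.0.1; do
            printf 'Host:%s\n' "$host"
            cat "$cert"
            # A certificate saved without a final newline would otherwise
            # glue the next Host: line onto "-----END CERTIFICATE-----".
            [ -z "$(tail -c 1 "$cert")" ] || printf '\n'
        done
    } > "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$out"
}

# check_client_crt FILE
# Succeeds only if both Host:localhost and Host:127.0.0.1 are present,
# every Host: line is directly followed by a PEM header, and every
# certificate block is closed before the next entry begins.
check_client_crt() {
    [ -r "$1" ] || return 1
    awk -v begin='-----BEGIN CERTIFICATE-----' -v end='-----END CERTIFICATE-----' '
        /^Host:/    { if (open) bad = 1; hosts[$0]++; nhosts++; expect = 1; next }
        expect      { expect = 0; if ($0 != begin) { bad = 1; next } }
        $0 == begin { if (open) bad = 1; open = 1; next }
        $0 == end   { if (!open) bad = 1; open = 0; nends++; next }
        END {
            if (bad || open || nends != nhosts) exit 1
            if (!("Host:localhost" in hosts) || !("Host:127.0.0.1" in hosts)) exit 1
            exit 0
        }' "$1"
}

# On the server host, as root, with the Linux paths from this article:
#   build_client_crt /usr/NX/etc/keys/host/nx_host_rsa_key.crt \
#                    /var/NX/nxhtd/.nx/config/client.crt &&
#   check_client_crt /var/NX/nxhtd/.nx/config/client.crt
```

The check is deliberately structural only: it does not parse the certificate, so it runs without openssl, but it catches the two failure modes above (a fused Host: line and a half-written file) before nxhtd ever reads the file.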

 

 

2. How to replace the SSL certificate for nxhtd

The nxhtd program is the NoMachine Web Server included in the Cloud Server installation and necessary for running web sessions.

The installation comes with a self-signed SSL Certificate File and SSL Certificate Key File intended only as a sample. They are, respectively:

<installation directory>/etc/keys/host/ht_host_rsa_key.crt
<installation directory>/etc/keys/host/ht_host_rsa_key

Administrators have to replace the sample SSL Certificate File and Key File with their own certificate, either self-signed or acquired from a CA.


How to generate a new certificate

The general format of the command to generate a new certificate and private key for nxhtd is:

<installation directory>/bin/nxkeygen -k privatekey -c certificate [-n length]

Important:

On Linux or Mac you need to set LD_LIBRARY_PATH before running the nxkeygen tool.

For example on Linux:

export LD_LIBRARY_PATH=/usr/NX/lib
<installation directory>/bin/nxkeygen -k new_ht_host_rsa_key -c new_ht_host_rsa_key.crt


How to use the new certificate

Step 1

Edit the nxhtd configuration file to point to the new certificate. Let's assume that the new certificate is made of: new_ht_host_rsa_key.crt and new_ht_host_rsa_key.

Edit the <installation directory>/etc/cloud.inc file and set:

SSLCertificateFile "<installation directory>/etc/keys/host/new_ht_host_rsa_key.crt"
SSLCertificateKeyFile "<installation directory>/etc/keys/host/new_ht_host_rsa_key"


Step 2

Then restart nxhtd by running from console:

<installation directory>/bin/nxserver --restart nxhtd

nxhtd can also be restarted from the Server preferences GUI.


Step 3

On Linux and Mac it's necessary to update the permissions of the new certificate and key.

Run:

<installation directory>/bin/nxwebplayer --update

When executing "nxwebplayer --update", the nxhtd server is automatically restarted.


As an alternative, you can update permissions by hand to have:

-rw------- 1 nxhtd nxhtd 1.7K Nov 20 18:40 new_ht_host_rsa_key
-rw-r--r-- 1 nxhtd nxhtd 1.1K Nov 20 18:39 new_ht_host_rsa_key.crt

Then it's necessary to restart nxhtd.
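Before restarting nxd on a new pair (section 1) or pointing cloud.inc at a new SSLCertificateFile/SSLCertificateKeyFile pair (this section), it is worth confirming that the certificate really belongs to the private key beside it, that the key has the intended length and that the certificate is not about to expire. A mismatched pair, the usual result of copying a CA-issued certificate in next to the old sample key, only shows up as a web server that does not come back after the restart. The checks below are an added example written with the openssl command line; they are not a NoMachine tool and not from this article. They assume PEM files, as the article shows, and an openssl binary on the host; the function names are the editor's.

```shell
#!/bin/sh
# Added example (not a NoMachine tool): pre-flight checks for a new
# certificate/key pair before nxd or nxhtd is restarted on it.
# Assumes PEM files, as the article shows, and the openssl CLI on the host.
set -u

# spki_digest cert|key FILE
# Prints the SHA-256 of the DER SubjectPublicKeyInfo carried by a
# certificate or derived from a private key; fails if FILE is not what
# the first argument claims, so two unreadable files can never "match".
spki_digest() {
    case "$1" in
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1 ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | sed 's/^.*= *//'
}

# cert_key_match CERT KEY
# 0 if CERT was issued for the public half of KEY, 1 if not, 2 if either
# file cannot be parsed.
cert_key_match() {
    c=$(spki_digest cert "$1") || { echo "$1: not a PEM certificate" >&2; return 2; }
    k=$(spki_digest key "$2")  || { echo "$2: not a readable PEM private key" >&2; return 2; }
    if [ "$c" = "$k" ]; then
        return 0
    fi
    echo "public key in $1 does not match $2" >&2
    return 1
}

# key_bits KEY  -> prints the key length, e.g. 2048 (the nxkeygen default)
key_bits() {
    openssl pkey -in "$1" -text -noout 2>/dev/null |
        sed -n 's/^.*Key: (\([0-9][0-9]*\) bit.*$/\1/p' | head -n 1
}

# cert_valid_for_days CERT DAYS  -> 0 unless CERT expires within DAYS days
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# check_pair CERT KEY MIN_BITS MIN_DAYS  -> all three checks in one call
check_pair() {
    cert_key_match "$1" "$2" || return $?
    bits=$(key_bits "$2")
    [ -n "$bits" ] && [ "$bits" -ge "$3" ] ||
        { echo "$2: key is ${bits:-unknown} bits, below $3" >&2; return 1; }
    cert_valid_for_days "$1" "$4" ||
        { echo "$1: certificate expires within $4 days" >&2; return 1; }
}

# Example with the nxhtd paths from this article, restarting only on success:
#   check_pair /usr/NX/etc/keys/host/new_ht_host_rsa_key.crt \
#              /usr/NX/etc/keys/host/new_ht_host_rsa_key 2048 30 \
#     && /usr/NX/bin/nxserver --restart nxhtd
```

Comparing the SubjectPublicKeyInfo rather than the RSA modulus keeps the check valid for any key type, and failing each openssl call separately avoids the classic false positive where two unparseable files produce two identical empty digests.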

 

3. How to replace the RSA key pair for nxsshd

The nxsshd program is the built-in NoMachine SSH server installed on Windows by any of the enterprise packages. It is necessary to connect through the SSH protocol.

Its RSA keys are:

<installation directory>/etc/keys/host/ssh_host_rsa_key
<installation directory>/etc/keys/host/ssh_host_rsa_key.pub

How to generate a new key pair

To generate a new SSH key pair, run from console:

<installation directory>/bin/nxkeygen -k new_ssh_host_rsa_key -p new_ssh_host_rsa_key.pub


How to use the new key pair

Step 1

Configure nxsshd to use a different private key by editing:

<installation directory>/etc/sshd_config

uncomment and set the proper value for the HostKey configuration key.

For example, if the RSA key is placed at: "C:\Program Files (x86)\NoMachine\etc\keys\host\new_ssh_host_rsa_key"
- edit the sshd_config file
- uncomment the '#HostKey /etc/ssh/ssh_host_rsa_key' entry (i.e. remove the '#')
- and change its value to the path of the new private key:

HostKey "C:\Program Files (x86)\NoMachine\etc\keys\host\new_ssh_host_rsa_key"



Step 2

Restarting nxsshd is required. This can be easily done in the Server preferences GUI.


Important:

The public key must be stored with the same file name as the private key, plus the .pub suffix.

For example, if the new private key is new_rsa_key, the public key must be named new_rsa_key.pub

 

4. How to replace the RSA key pair for the remote nodes

The server authenticates to the node with an RSA key pair. This key pair is generated during the installation and is server specific.

This key pair is made of:

<installation directory>/etc/keys/node.localhost.id_rsa
<installation directory>/etc/keys/node.localhost.id_rsa.pub

 

When adding the node to the server (by means of the nxserver --nodeadd command), the public part of the key pair is automatically added to the remote node.

The RSA key is deleted from the node when the node is removed from the list (with the nxserver --nodedel command).

The 'nxserver --nodeupdate NODENAME:PORT' command adds the new key (if a new one has been set on the main server host) to the node, but it does not remove the old key.

 

Note that this key-pair is server-specific: if the node is added to a different server, the RSA key pair will also be different.

It's possible to adopt a custom key pair for server-node authentication:

1) Generate a RSA key pair with SSH tools or NoMachine tools (*)

2) Name the key pair as node.localhost.id_rsa and node.localhost.id_rsa.pub (*)

3) Stop the server to prevent users from starting new sessions while replacing the server public key on the nodes.

4) Make a backup of the original RSA keys on the server machine in <installation directory>/etc/keys/

5) Place the new RSA key pair in the same directory.

6) Execute 'nxserver --nodeupdate NODENAME:PORT' to propagate the new RSA server public key to the node. (**)

 

Note that this command will not remove the old key from the node.

To remove it, delete the node:

nxserver --nodedel NODENAME:PORT

and re-add it so that the new key is added automatically:

nxserver --nodeadd NODENAME:PORT

Alternatively, run the manual procedure to remove the old RSA public key (**) and add the new one (***) on the remote node.

7) If you have a NoMachine failover cluster, update the cluster configuration to synchronize the new RSA key pair by running the following command on the master or on the secondary server:

nxserver --clusterupdate

This is needed only if a failover cluster is configured.

 

(*) Generate a new RSA key pair with NoMachine tools

Run from a console on the server host:

<installation directory>/bin/nxkeygen -k <installation directory>/etc/keys/node.localhost.id_rsa -p <installation directory>/etc/keys/node.localhost.id_rsa.pub -t rsa


Important:

If you are using NoMachine tools on Linux or Mac, you have to set the LD_LIBRARY_PATH before running the nxkeygen tool.

For example on Linux:

export LD_LIBRARY_PATH=/usr/NX/lib
/usr/NX/bin/nxkeygen -k /usr/NX/etc/keys/node.localhost.id_rsa -p /usr/NX/etc/keys/node.localhost.id_rsa.pub -t rsa

Then make sure the new keys have the same names as the original ones and proper permissions and ownership. For example on Linux:

chmod 600 /usr/NX/etc/keys/node.localhost.id_rsa
chown nx:root /usr/NX/etc/keys/node.localhost.id_rsa
chmod 644 /usr/NX/etc/keys/node.localhost.id_rsa.pub
chown nx:root /usr/NX/etc/keys/node.localhost.id_rsa.pub

 

(**) Manually remove the old server RSA key from the node:

If the server is unable to connect to the node while executing 'nxserver --nodedel', the node is removed from the NoMachine database but the server key is left on the node host. In that case, or if the manual procedure is adopted, it's necessary to remove the old server public key manually:

1) On the server host read the current server RSA key that is going to be replaced:

cat <installation directory>/etc/keys/node.localhost.id_rsa.pub

 

2) On each of the node hosts remove the line containing the current server public key from the following files:

- for server-node connections by NX protocol:
<nx home directory>/.nx/config/authorized.crt

- for server-node connections by SSH protocol:
<nx home directory>/.ssh/authorized_keys2

 

(***) Add the new RSA public key (node.localhost.id_rsa.pub) on the remote node

To add a RSA public key on node, you can run the following command on the node host:

nxserver --keyadd <public key file>

This will add the key to the authorized.crt file if server-node protocol is NX or to the authorized keys file if server-node protocol is SSH.

Alternatively, the RSA server public key can be manually added to the proper files:

(i) <nx home directory>/.nx/config/authorized.crt if server-node protocol is NX

(ii) <nx home directory>/.ssh/authorized_keys2 if server-node protocol is SSH

'authorized_keys2' is the standard name used in the SSHD configuration, replace it with the appropriate name if your SSHD has custom settings.
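The manual steps in (**) and (***) amount to editing an authorized-keys style file on every node: drop the line carrying the old server public key, make sure the new one is present once, and leave everything else (other administrators' keys, comments) untouched. The script below is an added example, not NoMachine's own code, that does exactly that with POSIX tools, for either authorized.crt (NX protocol) or authorized_keys2 (SSH protocol). It assumes both files hold one "keytype base64 [comment]" key per line, the OpenSSH public-key layout that nxkeygen -p writes, and it ignores the comment field when matching, because the copy on the node may carry a different comment than node.localhost.id_rsa.pub. OLD_PUB is the backup of the public key taken in step 4 of the procedure above; the helper names are the editor's.

```shell
#!/bin/sh
# Added example (not NoMachine code): the manual, node-side half of the
# server key rotation with POSIX tools instead of hand-editing.
# Assumes one "keytype base64 [comment]" key per line in the target file;
# the comment is ignored when matching. Helper names are the editor's.
set -u

# key_blob PUBFILE  -> "keytype base64" of the first key in the file
key_blob() {
    awk 'NF >= 2 { print $1, $2; exit }' "$1"
}

# authorized_has_key FILE PUBFILE  -> 0 if the key is present in FILE
authorized_has_key() {
    blob=$(key_blob "$2")
    [ -n "$blob" ] || return 2
    awk -v b="$blob" 'NF >= 2 && ($1 " " $2) == b { found = 1 } END { exit !found }' "$1"
}

# rotate_authorized_key FILE OLD_PUB NEW_PUB
# Removes every line carrying OLD_PUB, leaves exactly one line with NEW_PUB
# (appending it if missing), keeps all other entries, comments and blank
# lines, preserves the file's mode and owner, and leaves a timestamped
# backup beside it. Safe to re-run.
rotate_authorized_key() {
    file="$1"
    old=$(key_blob "$2")
    new=$(key_blob "$3")
    newline=$(awk 'NF >= 2 { print; exit }' "$3")
    [ -n "$old" ] && [ -n "$new" ] ||
        { echo "could not read a public key from $2 or $3" >&2; return 2; }
    [ "$old" != "$new" ] || { echo "old and new key are identical" >&2; return 2; }
    [ -f "$file" ] || { echo "$file does not exist" >&2; return 2; }

    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
    tmp="$file.tmp.$$"
    # cp -p first so the rewritten file inherits mode and ownership.
    cp -p "$file" "$tmp" || return 1
    awk -v old="$old" -v new="$new" -v newline="$newline" '
        { blob = (NF >= 2) ? ($1 " " $2) : "" }
        blob == old { next }              # retire the old server key
        blob == new { if (seen++) next }  # keep a single copy of the new one
        { print }
        END { if (!seen) print newline }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$file"
}

# On each node host, as root, with OLD_PUB the backup from step 4 above:
#   NX protocol:
#     rotate_authorized_key "<nx home directory>/.nx/config/authorized.crt" old.pub node.localhost.id_rsa.pub
#   SSH protocol:
#     rotate_authorized_key "<nx home directory>/.ssh/authorized_keys2" old.pub node.localhost.id_rsa.pub
```

Matching on key type plus base64 blob rather than on the whole line is what makes the removal reliable; a comment that was edited on the node would otherwise leave the retired key in place, which is precisely the leftover the article warns about after a failed 'nxserver --nodedel'.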

 

5. How to replace the RSA key pair for the Failover Cluster

RSA keys for the NoMachine failover cluster are:

<installation directory>/etc/keys/cluster.id_rsa
<installation directory>/etc/keys/cluster.id_rsa.pub


You can generate a new SSH key pair for the failover cluster by running on the master server host:

<installation directory>/bin/nxkeygen -k <installation directory>/etc/keys/cluster.id_rsa -p <installation directory>/etc/keys/cluster.id_rsa.pub -t rsa



Important:

If you are using NoMachine tools on Linux or Mac, you have to set the LD_LIBRARY_PATH before running the nxkeygen tool.

For example on Linux:

export LD_LIBRARY_PATH=/usr/NX/lib
/usr/NX/bin/nxkeygen -k /usr/NX/etc/keys/cluster.id_rsa -p /usr/NX/etc/keys/cluster.id_rsa.pub -t rsa

Then make sure the new keys have the same names as the original ones and proper permissions and ownership. For example on Linux:

chmod 600 /usr/NX/etc/keys/cluster.id_rsa
chown nx:root /usr/NX/etc/keys/cluster.id_rsa
chmod 644 /usr/NX/etc/keys/cluster.id_rsa.pub
chown nx:root /usr/NX/etc/keys/cluster.id_rsa.pub


How to use the new key-pair

Propagate the new key to the secondary server by running on the master server the following command:

<installation directory>/bin/nxserver --clusterupdate

 

6. How to replace the default SSH keys for connections by SSH and NoMachine login

1) Generate a custom SSH key pair

On the NoMachine server host machine run:

<installation directory>/bin/nxserver --keygen

Important:

This command generates a new RSA key pair and a new DSA key pair. Since NoMachine v. 5.1.22, client and server use the RSA key pair by default. Older client versions still require the DSA key.


The private part from the newly generated RSA pair of keys is:

<installation directory>/share/keys/server.id_rsa.key

and of the new DSA key pair:

<installation directory>/share/keys/server.id_dsa.key


The private key has to be distributed to all clients that are to be granted access to the server host. Since every client holds a copy, treat it as a shared secret: generate a new pair with 'nxserver --keygen' and redistribute it whenever a copy may have been exposed.

If the NoMachine client is v. 5.1.22 or later, distribute the server.id_rsa.key key.

If it is an older version 5 or it's version 4, distribute the server.id_dsa.key.

 

2) Distribute the new SSH private key to users connecting via NoMachine clients

2.1) Place the new key server.id_rsa.key (or server.id_dsa.key for older clients) under the subdirectory 'share/keys' of the NoMachine installation tree.

2.2) To use the new key for a specific session, open the configuration panel for that session and select the SSH protocol. Then open the 'Advanced' settings, select 'Use the NoMachine login' and continue. There you can specify the alternative key to be used for that session only.

2.3) To use the new SSH key for all the sessions (except those sessions that have been previously configured to use a specific key), rename the original private key (e.g. on Linux: BaseDirectory/NX/share/keys/server.id_rsa.key or BaseDirectory/NX/share/keys/server.id_dsa.key) to preserve it and put in place the new private key.

Note for web sessions:

To let the Cloud Server (web player) use the new private key, it's necessary to specify the location and file name of the key (RSA or DSA, depending on the clients in use) in the <installation directory>/etc/cloud.cfg configuration file by setting a proper value for the following key:

SSHKey /usr/NX/share/htdocs/nxwebplayer/keys/server.id_rsa.key

or:

SSHKey /usr/NX/share/htdocs/nxwebplayer/keys/server.id_dsa.key