NoMachine Support

ID: FR06Q03840
Added on:  2019-06-13
Last update: 2019-09-17
Priority: Low
Products: NoMachine Server
Target: 6
Status:  Implemented
Adding a server configuration key to enable using PAM account stack for key-based authentication by NX protocol

A new server configuration key will allow administrators to enable or disable support for PAM account management when the user connects by NX protocol and uses key-based authentication. This will also apply to connections by the web, when configured to use the NX protocol (default).

The new key, e.g. NXKeyBasedUsePAM, is enabled by default:

#
# Enable or disable support for PAM account management when key-based
# authentication is used in connections by NX protocol.
#
# 1: Enabled. Support for PAM account management is enabled.
#    
# 0: Disabled. Support for PAM account management is disabled.
#
#NXKeyBasedUsePAM 1


Notes:

In the current versions, in order to use the PAM account stack settings, for example to restrict access to specific users, administrators can adopt any of the following configurations:

1) Force users to connect by SSH protocol (the PAM account stack will be effective for password-based, key-based and Kerberos-based authentication).

NoMachine server can be configured to accept only connections by SSH protocol.

To do that, edit the ClientConnectionMethods key in the server configuration and set it to:

ClientConnectionMethods SSH

Then restart the NoMachine server to make changes effective.
 

2) Allow users to connect by the web or by NX protocol but only by password-based authentication.

NoMachine server can be configured to allow only password-based authentication.

Edit the server configuration file and set the following for client connections:

AcceptedAuthenticationMethods NX-password

For connections by the web, ensure that:

Protocol NX
Authentication password

are set in the "Section 'Server'" (default).

Restart the server to make changes effective.

 

Alternative ways to prevent a user's access are:

3) Prevent users from trying to log in to the system according to their client IP.

This can be done via a custom script set in the UserScriptBeforeLogin key in the server configuration file. According to the client IP, NoMachine can allow the user to log in or not. No further configuration on the system or in the NoMachine server is necessary.

4) Enable the NoMachine Users DB to allow access only to those users who are in the NoMachine Users DB.

To do that, edit the server configuration file and set:

EnableUserDB 1

Then add any of the system users to the Users DB:

nxserver --useradd USERNAME

If the user doesn't exist on the system yet, you can create it:

nxserver --useradd USERNAME --system

Use: nxserver --userenable USERNAME or: nxserver --userdisable USERNAME to enable or disable access to the system for any of the users in the Users DB.

5) For those users who are not allowed to connect to the system by NX/HTTP protocol and key-based authentication, remove their public keys from the NoMachine authorized.crt file.

This file is placed in the <user's home>/.nx/config directory.
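
One way to write the script for option 3, as an added example that is not NoMachine code. It assumes the server passes the client IP as the first argument and treats a non-zero exit status as a refusal (verify both against the documentation for your version); the address ranges are constructed, and the check covers IPv4 only, so any other input is denied.

```sh
#!/bin/sh
# Added example (not NoMachine code): client-IP allow-list for UserScriptBeforeLogin.
# Assumptions: client IP arrives as $1; a non-zero exit status refuses the login.
ALLOWED_CIDRS="10.20.0.0/16 192.168.50.0/24"   # constructed sample ranges

# Print the IPv4 address as an integer; fail on anything malformed.
ip_to_int() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    n=0
    for octet in "$@"; do
        # Reject leading zeros (octal ambiguity) and over-long octets.
        case $octet in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        n=$(( n * 256 + octet ))
    done
    echo "$n"
}

# Succeed when address $1 lies inside CIDR range $2.
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    case $bits in ''|*[!0-9]*|0?*|???*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    ip_n=$(ip_to_int "$1") || return 1
    net_n=$(ip_to_int "$net") || return 1
    drop=$(( 32 - bits ))
    [ $(( ip_n >> drop )) -eq $(( net_n >> drop )) ]
}

# Succeed only when $1 matches an allowed range; unparsable input is denied.
login_allowed() {
    for cidr in $ALLOWED_CIDRS; do
        in_cidr "$1" "$cidr" && return 0
    done
    return 1
}

# Entry point: runs only when a client IP argument is supplied.
if [ $# -ge 1 ]; then
    login_allowed "$1" && exit 0
    echo "nx-before-login: denied client IP: $1" >&2
    exit 1
fi
```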