Unable to apply key authentication

  • #10065
    andrewa
    Participant

    Hello. I’m connecting to NoMachine free server 5.0.63 for Fedora23 from Windows 10 same version. All works fine when I use user & password with NX protocol for system login authentication (as root). But when I try to connect via NX protocol with private key I get the error: The session negotiation failed. Error: Cannot accept public key

    https://www.nomachine.com/AR02L00785  was strictly followed: I added /root/.nx/config folder (both .nx and config have 0700 owner root) and authorized.crt (0600 owner root). In Edit connection – Advanced – Private key – Settings I input private key file.

    Tried generating keys 1024bit with PuTTYgen.exe, with nxkeygen (2048bit), with XCA (2048bit). Tried to edit public key in one line as recommended for PuTTY – same result.

    PuTTY and WinSCP authenticate OK with key pair generated by PuTTYgen.exe and public key in /root/.ssh/authorized_keys

    AcceptedAuthenticationMethods is ALL (default)

    Switched debugging into level 7 but the log is growing like a mushroom and I find no clue in this mess. In debug level 6 I see:

    WARNING! Process '/usr/NX/bin/nxexec --cat --user root --path config/authorized.crt' with pid '18560/18560' finished with exit code 1 after 0,17 seconds.

    WARNING! Cannot write to FD#8.

    WARNING! Error is: 32, 'Broken pipe'.

    What am I missing?

    Thanks. Andrei.

    #10089
    andrewa
    Participant

    I solved the problem after some head banging. The correct setup is:

    1. Public key in /root/.nx/config/authorized.crt  (.nx and .nx/config have 0700 permissions,  authorized.crt has 0600 permissions, owner root) should be the same format as in /root/.ssh/authorized_keys:

    ssh-rsa AAAA    .. in-one-line ..   Bis= <comment>

    This is the output of PuTTYgen generate window (not the saved file) and is different from SSH / XCA format of the generated public key .crt file. SSH seems to have some setup allowing it to generate the public key in this format, but I am not sure about the syntax. The .crt format used to input certificates in browsers and mail clients should not be used:

    -----BEGIN CERTIFICATE-----
    AAAA..
    <<<in-many-lines>>>
    ..Bis
    -----END CERTIFICATE-----

    2. In NX client under WIN select  Session – Edit – Advanced – Private key – Settings file field: browse for private key file in SSH format, not the file saved by PuTTYgen. Private key file format should be:

    -----BEGIN ENCRYPTED PRIVATE KEY-----
    MI…

    /m8=
    -----END ENCRYPTED PRIVATE KEY-----

    Hope this naive explanation helps someone like me who is not on the professional side.

    I wonder if authorized.crt file allows to place restrictions for IP, command etc. like the ones which can be added at the beginning of the line of each public key in /root/.ssh/authorized_keys. If “yes”, should one use the same syntax, are all restrictions in authorized_keys applicable?


    #10096
    Haven
    Participant

    Hello andrewa,
    NoMachine requires keys to be in OpenSSH format. PuTTYgen.exe could indeed be hard to use to generate a proper pair of keys. I am glad that you worked this out! We don’t support additional option keys in authorized.crt. The key must be in the format: key-type data comment.
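
The setup the thread arrives at can be checked mechanically. The following is an added example, not part of the original posts and not NoMachine code: it flags PEM or SSH2 block files, option prefixes and mismatched key types in authorized.crt, and compares modes and owner with the values given in the thread. All function names are hypothetical, and the sample key line is constructed, not a real key.

```python
import base64, binascii, os, stat, struct

def check_key_line(line):
    """Return problems for one authorized.crt line (empty list means OK)."""
    line = line.strip()
    if line.startswith(("-----BEGIN", "---- BEGIN")):
        return ["PEM or SSH2 block header, not a one-line OpenSSH key"]
    fields = line.split()
    if len(fields) < 2:
        return ["expected: key-type data comment"]
    key_type, data = fields[0], fields[1]
    try:
        blob = base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return ["second field is not base64 (options before the key type?)"]
    # OpenSSH key data begins with a length-prefixed copy of the key type.
    if len(blob) < 4:
        return ["key data too short"]
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        return ["key type does not match the type inside the key data"]
    return []

def check_path(path, want_mode, want_uid):
    """Compare mode and owner with the setup described in the thread."""
    st = os.stat(path)
    mode, problems = stat.S_IMODE(st.st_mode), []
    if mode != want_mode:
        problems.append(f"{path}: mode {mode:04o}, expected {want_mode:04o}")
    if st.st_uid != want_uid:
        problems.append(f"{path}: owner uid {st.st_uid}, expected {want_uid}")
    return problems

def check_authorized_crt(path, want_uid=0):
    """Check .nx (0700), .nx/config (0700), the file (0600) and every line."""
    config_dir = os.path.dirname(path)
    problems = check_path(os.path.dirname(config_dir), 0o700, want_uid)
    problems += check_path(config_dir, 0o700, want_uid)
    problems += check_path(path, 0o600, want_uid)
    with open(path) as fh:
        for number, line in enumerate(fh, 1):
            if line.strip():
                problems += [f"line {number}: {p}" for p in check_key_line(line)]
    return problems

def constructed_line(key_type="ssh-rsa"):
    """Constructed sample, not a real key: only the type header is valid."""
    t = key_type.encode()
    blob = struct.pack(">I", len(t)) + t + b"\x00" * 32
    return f"{key_type} {base64.b64encode(blob).decode()} user@example"
```

Run as root on the server, `check_authorized_crt("/root/.nx/config/authorized.crt")` returns an empty list when the file matches the layout from the thread.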


This topic was marked as solved, you can't post.