This offers seamless integration with the authentication subsystem (e.g. (i) either against the authentication system by providing his system username and password. Once the initial authentication stage between client and server is completed, it's requested that the real user authenticates: In case of multiple NoMachine servers, it's possible to set up different RSA key pairs for each server. To do that it's necessary to generate a custom SSH key pair by means of the 'nxserver -keygen' command and distribute the private part of the key pair to all clients that have to be granted access to the server host. Additionally, no operation is allowed by the NoMachine server until the real user has authenticated. By comparison, this use of SSH is in practice the same as what HTTPS servers do with the Secure Socket Layer specification to provide secure access to Web content. For a further level of control over the access via NoMachine, administrators can replace the default RSA key pairs with their own SSH keys. There is no way for the 'nx' user to gain administrative privileges ('root' privileges on Linux and Mac) other than by exploiting some other bug that is present in the OS or in an existing program that is allowed to run with administrative privileges. He can only start the initial 'handshake' phase and is then stuck. Hence nobody can log in to the system via NoMachine knowing only the NoMachine RSA key. This encrypted channel is then used for the authentication of the real user. Once the initial stage is completed and the 'nx' user has logged in through the usual host authentication and SSL key negotiation mechanisms offered by the Transport Level Security built into SSH, a secure encrypted channel is established. As the 'nx' user is required for proper functioning, the username for 'nx' cannot be changed.
Using the RSA key pair forces the SSH server to execute the nxserver shell and prevents any possibility for the special user 'nx' to log in to the server host outside NoMachine. The private and public parts of the RSA key pair are provided by the installation of the NoMachine client and server software. The RSA key is NOT used to log the user into the system. This is all done before the real user login happens. The nx account is needed to set up the initial stage of the client-server connection and uses an RSA key pair to authenticate. The way NoMachine login works is by using a special user account named 'nx', created on the server host during the software installation, and whose shell, /etc/NX/nxserver, is executed any time a remote user connects by SSH and NoMachine login. Note that this authentication method is no longer supported since NoMachine v.