- This topic has 2 replies, 2 voices, and was last updated 8 years, 9 months ago by
.
-
Posts
-
Hello. I’m connecting to NoMachine free server 5.0.63 for Fedora23 from Windows 10 same version. All works fine when I use user & password with NX protocol for system login authentication (as root). But when I try to connect via NX protocol with private key I get the error : The session negotiation failed. Error: Cannot accept public key
https://www.nomachine.com/AR02L00785 was strictly followed: I added /root/.nx/config folder (both .nx and config have 0700 owner root) and authorized.crt (0600 owner root). In Edit connection – Advanced – Private key – Settings I input private key file.
Tried generating keys 1024bit with PuTTYgen.exe, with nxkeygen (2048bit), with XCA (2048bit). Tried to edit public key in one line as recommended for PuTTY – same result.
PuTTY and WinSCP authenticate OK with key pair generated by PuTTYgen.exe and public key in /root/.ssh/authorized_keys
AcceptedAuthenticationMethods is ALL (default)
Switched debugging into level 7 but the log is growing like a mushroom and I find no clue in this mess. In debug level 6 I see:
WARNING! Process ‘/usr/NX/bin/nxexec –cat –user root –path config/authorized.crt’ with pid ‘18560/18560’ finished with exit code 1 after 0,17 seconds.
WARNING! Cannot write to FD#8.
WARNING! Error is: 32, ‘Broken pipe’.
What am I missing?
Thanks. Andrei.
I solved the problem after some head banging. The correct setup is:
1. Public key in /root/.nx/config/authorized.crt (.nx and .nx/config have 0700 permissions, authorized.crt has 0600 permissions, owner root) should be the same format as in /root/.ssh/authorized_keys:
ssh-rsa AAAA .. in-one-line .. Bis= <comment>
This is the output of PuTTYgen generate window (not the saved file) and is different from SSH / XCA format of the generated public key .crt file. SSH seems to have some setup allowing it to generate the pulic key in this format, but I am not sure about the syntax. The .crt format used to input certificates in browsers and mail clients should not be used:
—–BEGIN CERTIFICATE—–
AAAA..
<<<in-many-lines>>>
..Bis
—–END CERTIFICATE—–2. In NX client under WIN select Session – Edit – Advanced – Private key – Settings file field: browse for private key file in SSH format, not the file saved by PuTTYgen. Private key file format should be:
—–BEGIN ENCRYPTED PRIVATE KEY—–
MI…
…
/m8=
—–END ENCRYPTED PRIVATE KEY—–Hope this naive explanation helps someone like me who is not on the professional side.
I wonder if authorized.crt file allows to place restrictions for IP, command etc. like the ones which can be added at the beginning of the line of each pulic key in /root/.ssh/authorized_keys. If “yes”, should one use the same sytax, are all restrictions in authorized_keys applicable?
<p style=”border-width: medium medium 1px; border-style: none none solid; border-color: currentColor currentColor #000000; padding: 0cm 0cm 0.04cm; margin-bottom: 0cm;” align=”LEFT”></p>
This topic was marked as solved, you can't post.