Forum / NoMachine for Windows / NoMachine 6.2.4_1 RSA key issue
Tagged: rsa
- This topic has 5 replies, 5 voices, and was last updated 6 years ago by Britgirl.
September 25, 2018 at 08:09 #19714 ifyffe (Participant)
Hi,
I’m trying to configure RSA key ID between two Windows 10 hosts.
I performed 2 fresh installs, and confirmed I can connect using the usual Windows account password auth.
Then I followed this guide for setting up RSA key access.
https://www.nomachine.com/AR02L00785
To generate the RSA keys, I used ssh-keygen on Linux, and copied the files to the Windows computers.
When I try to connect, I’m getting “the session negotiation failed. Error: Cannot accept public key”.
Here’s what I see on the server-side:
C:\>type Users\enviro2\.nx\config\authorized.crt
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCt9OVNjYd9BZEkB/QpKMc+hHEYfd1gxA4gnntvPCnWkKk92zluDJhDmFu49GQtR+vnpvR69zv3B9jLdRdjCwsG2mNzUuSotkWMWMlIkJ8pTM/n3cLs6xq/WIM+VlUdB+HnntnoJm5poXS7+cQpZyUObPy2IRweLD5Q7csK4p/uXejXfpfpuQ5s3DeuHxKeUS1C8ZA0NuXeBvvlYsfEBOUzdfX+P92NbsRwMYWhkoaDvOYMkFtHHk4gJjvIJ6lQojSE42nfxg3wxfJoO74Ki7e/QjxuiDT6yKkNniH5WLbSQJhXtDQ1lIXk24zZ2gNAqKneVm/dY7sfrFLFY50mz5mv
C:\>type ProgramData\NoMachine\var\log\nxserver.log
2018-09-24 10:38:46 739.562 4120 NXSERVER Starting WS 6.2.4 and services.
2018-09-24 10:38:46 803.137 4120 NXSERVER System information: Windows 10, standalone.
2018-09-24 10:46:35 231.614 10780 NXSERVER WARNING! NXRunCommand: Timeout while waiting for command ‘C:\Program Files (x86)\NoMachine\\bin\\nxexec C:\Program Files (x86)\NoMachine\\bin\\nxexec –cat –user enviro2 –path config/authorized.crt’ response.
2018-09-24 10:46:35 333.756 10780 NXSERVER WARNING! Process ‘C:\Program Files (x86)\NoMachine\\bin\\nxexec –cat –user enviro2 –path config/authorized.crt’ with pid ‘3396/932’ finished with exit code 4 after 30,134 seconds.
C:\>type ProgramData\NoMachine\var\log\nxerror.log
4120 6440 10:38:56 511.289 ServerNetworkInfoHandler: WARNING! Obtaining network data failed.
Info: Server process running with pid 3956.
Info: Handler started with pid 10780 on Mon Sep 24 10:46:03 2018.
Info: Handling connection from 10.1.2.28 port 50221 on Mon Sep 24 10:46:03 2018.
Error: Cannot send request to NXLSA package.
Error code is : 0.
Package’s response is : 0xc0000001.
Error: Cannot cat file ‘config/authorized.crt’ from user ‘enviro2’.
10780 12168 10:46:35 231.614 Monitor/FileReadMonitor: WARNING! Canceling busy thread 11172 for FD#7.
Info: Connection from 10.1.2.28 port 50221 closed on Mon Sep 24 10:46:35 2018.
Info: Handler with pid 10780 terminated on Mon Sep 24 10:46:35 2018.
It seems like the issue is that the daemon can’t read the authorized keys file, but I’m able to print it as both administrator and the user in question. So I’m not sure how to continue troubleshooting.
Thanks for any advice
September 26, 2018 at 12:06 #19727 Cato (Participant)
Hello ifyffe,
Please, check if lsass.exe process is running in protected mode.
To do so:
1. Download and install Process Explorer using this link:
https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx
2. Start Process Explorer as Administrator.
3. Double click on lsass.exe process and check the value of ‘Protected’ in ‘Security’ tab.
September 27, 2018 at 08:07 #19737 ifyffe (Participant)
Hi Cato,
Thanks for the reply.
lsass.exe security tab says
Protected: no
October 2, 2018 at 08:48 #19780 Guro (Contributor)
Hello
Currently we are unable to reproduce this issue in our test environment.
To take more detailed information of lsass to the NoMachine service, we need to prepare a debug package. Would it be possible for you to install this NoMachine package and then send us the logs for further analysis?
October 12, 2018 at 11:14 #19948 tylerXMD (Participant)
I had this same issue. I even used the Process Explorer and saw that lsass.exe was not running in protected mode. I resolved my issue and it does appear to be an issue on NoMachine’s side. My versions are Windows 6.3.6 server and Debian 6.3.6 client.
The issue I had was that the key was in the new format (i.e. I used ‘-o’ when creating the key).
The workaround was that I created a new key pair (without the ‘-o’ flag), appended the new public key to the server authorized.crt, and now it is working.
The solution would be for NoMachine to support the new key formats.
Hope this helps in the meantime!
November 7, 2018 at 08:59 #20378 Britgirl (Keymaster)
We have inserted a new Feature Request in the development roadmap:
Adding support for ECDSA and ed25519 SSH key types
https://www.nomachine.com/FR11P03735
Please use the ‘notify me’ service to know when it has been implemented 🙂
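
The two causes named in this thread, a private key saved in the new OpenSSH container (tylerXMD's '-o' report) and a key type other than RSA (the feature request), can both be checked before a key is deployed. The following is an added example, not NoMachine code and not written by any poster; the function names and sample strings are constructed, and the pass/fail rule reflects only what the posts above report.

```python
import base64

# First line of a private key file -> container format.
PRIVATE_HEADERS = {
    "-----BEGIN OPENSSH PRIVATE KEY-----": "openssh-new",  # written by ssh-keygen -o
    "-----BEGIN RSA PRIVATE KEY-----": "pem-rsa",          # legacy PEM
    "-----BEGIN EC PRIVATE KEY-----": "pem-ec",
    "-----BEGIN DSA PRIVATE KEY-----": "pem-dsa",
}

def private_key_format(text):
    """Classify a private key file by its first non-empty line."""
    for line in text.splitlines():
        if line.strip():
            return PRIVATE_HEADERS.get(line.strip(), "unknown")
    return "unknown"

def public_key_type(line):
    """Return the algorithm name embedded in one authorized.crt entry."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64 + "=" * (-len(b64) % 4), validate=True)
    # The blob starts with a big-endian uint32 length, then the algorithm name.
    n = int.from_bytes(blob[:4], "big")
    embedded = blob[4:4 + n].decode("ascii", "replace")
    if len(blob) < 4 + n or embedded != declared:
        raise ValueError(f"declared {declared!r} but blob says {embedded!r}")
    return embedded

def check_pair(private_text, public_line):
    """List problems matching the two causes named in this thread."""
    problems = []
    fmt = private_key_format(private_text)
    if fmt != "pem-rsa":
        problems.append(f"private key container is {fmt}, not legacy PEM RSA")
    ktype = public_key_type(public_line)
    if ktype != "ssh-rsa":
        problems.append(f"public key type is {ktype}, not ssh-rsa")
    return problems

# Constructed samples: header bytes only, no real key material.
NEW_FORMAT = "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed)\n"
OLD_FORMAT = "-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n"
RSA_PUB = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB constructed@example"

if __name__ == "__main__":
    print(check_pair(NEW_FORMAT, RSA_PUB))
```

An empty list from check_pair means the pair matches the combination the thread reports as working; a mismatch between the declared and embedded key type raises ValueError, which also catches a truncated or corrupted authorized.crt entry.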