Cloud Server Kerberos auth to node (NoMachine forum, Cloud Server Products)

This topic has 1 reply, 2 voices, and was last updated 2 years, 1 month ago by Britgirl.
September 25, 2022 at 19:05 (#40261), dav3r, Participant

Hello, I’m evaluating Cloud Server (LCSE 7.10.1) running on a Debian 11 (bullseye) server. I’m able to successfully connect to the Cloud Server using my Kerberos credentials:

    NXSERVER User 'myusername' logged in from '10.10.10.10' using authentication method NX-kerberos.
My problem is that I cannot figure out how to authenticate via Kerberos when adding a new server to the Cloud Server. I want to connect to a Kali node (running LEDE 7.10.1 on Kali 2022.3) with Kerberos, but despite my best efforts, I have only seen it attempt to authenticate via NX-password and NX-private-key. Both the Cloud Server and the Kali node are part of the same Kerberos realm. I have confirmed that the Cloud Server is able to successfully communicate with the Kali node (I am able to connect by username/password, but that is not a feasible solution for my use case).
I have also confirmed that I am able to use my local NoMachine player to successfully connect directly to the Kali node via Kerberos authentication. I just need to figure out how to do that from the Cloud Server.
On the Kali node’s server.cfg, I have the following options configured:

    EnableNXKerberosAuthentication 1
    NXGssapiLibraryPath "/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2"
    NXKerberosLibraryPath "/usr/lib/x86_64-linux-gnu/libkrb5.so.3"

And I have restarted the nxserver after making the config changes above.

On the Cloud Server, when I attempt to create the connection to the Kali node, in the “advanced configuration for client forwarding”, I tried to use the “Only System” option for NX, which according to the help text “will adopt the same credentials and authentication method used for connecting to the parent server” (Kerberos in my case), but it never seems to work. I tried the default “Only Tunnel” option as well and saw the same results in the log:

    NXSERVER ERROR! Authentication with 'NX-private-key' from host '10.10.10.10' failed. Error is 'Public key not recognized'.
    …
    NXSERVER ERROR! Authentication with 'NX-password' from host '10.10.10.10' failed. Error is 'Wrong password or login'.

Please let me know if you have any ideas or suggestions or if I can provide any additional information.
Thanks very much in advance for any assistance!
-Dave

September 30, 2022 at 14:59 (#40464), Britgirl, Keymaster

Hello and welcome 🙂
Firstly, take a look at the latest Cloud Server Family in version 8. There have been a lot of improvements in the navigation interface, so it’s easier to add/remove nodes and monitor your node machines as well (more about this is here: http://www.nomachine.com/cloud-server-family). In your case, you should look at Enterprise Cloud Server or Enterprise Cloud Server Cluster. Both allow unlimited connections; the latter provides failover capabilities.
Regarding kerberos support in add/remove and other admin operations (via GUI or CLI), this is planned. At the moment, adding and removing nodes to the cloud server is done via password authentication. We had planned to extend support for other authentication methods, including Kerberos, to the administrator procedures in the recent v8, but unfortunately other priorities meant that this got postponed to a later release.
To allow users to connect using Kerberos, you need to set the following in server.cfg on your cloud server host:

    EnableNXKerberosAuthentication 1
    EnableNXKerberosForwardingToRemote 1
    NXGSSAPIStrictAcceptorCheck 0
    NXGssapiLibraryPath "/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2"
    NXKerberosLibraryPath "/usr/lib/x86_64-linux-gnu/libkrb5.so.3"
These last two paths can be slightly different depending on the system.
The user, when creating a connection should do the following in the Player. Click ‘Add’, go to Configuration, select “Use kerberos ticket-based authentication”. If you want to use more options, click ‘Modify’. Choosing DNS translation will require an IP address in the Address Host field, otherwise provide a hostname.
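The reply above lists five server.cfg settings and warns that the two library paths vary by system. The script below is an added example, not NoMachine's own tooling and not code from either poster: it audits a server.cfg for those five keys, checking the three switches against the values given in the reply and checking that whatever path is configured for the two libraries actually exists and is readable on the host. It assumes the default config location /usr/NX/etc/server.cfg, that each setting is one "Key value" line, that lines beginning with "#" are comments, and that the last uncommented occurrence of a key wins; all of these are assumptions, not documented NoMachine behaviour. It strips only straight ASCII double quotes, so a path pasted from a web page with curly quotes will be reported as a missing file, which is the point: that is the kind of copy error that makes the library fail to load. Note also that the script only reports that NXGSSAPIStrictAcceptorCheck is 0 because the reply prescribes it; turning off a strict acceptor check relaxes how the server matches the service principal in the client's ticket, so treat it as a conscious choice for your realm rather than a default.

```shell
#!/bin/sh
# Added example, not NoMachine's own tooling: audit a NoMachine server.cfg for the
# Kerberos settings listed in the forum reply and confirm that the two library
# paths it names exist on this host.
# Assumptions (not taken from NoMachine documentation): default config location
# /usr/NX/etc/server.cfg; one "Key value" per line; "#" starts a comment line;
# when a key appears more than once, the last uncommented occurrence wins.

# cfg_get FILE KEY: print the value of KEY with surrounding straight double quotes
# and trailing whitespace removed, or nothing if KEY is not set.
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" "$1" \
        | tail -n 1 \
        | sed 's/[[:space:]]*$//; s/^"//; s/"$//'
}

# check_kerberos_cfg FILE: print one OK/FAIL line per setting; return 0 only if
# every switch has the expected value and both libraries are readable.
check_kerberos_cfg() {
    file=$1
    rc=0

    # Switches that must hold the exact value given in the reply.
    for pair in \
        EnableNXKerberosAuthentication=1 \
        EnableNXKerberosForwardingToRemote=1 \
        NXGSSAPIStrictAcceptorCheck=0
    do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(cfg_get "$file" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key is '${got:-unset}', expected $want"
            rc=1
        fi
    done

    # Library paths differ between systems, so instead of comparing against a
    # fixed string we check that whatever is configured is a readable file.
    for key in NXGssapiLibraryPath NXKerberosLibraryPath; do
        path=$(cfg_get "$file" "$key")
        if [ -z "$path" ]; then
            echo "FAIL $key unset"
            rc=1
        elif [ -r "$path" ]; then
            echo "OK   $key $path"
        else
            echo "FAIL $key points to a missing file: $path"
            rc=1
        fi
    done

    return $rc
}

# Stand-alone use: sh check_nx_kerberos.sh [/path/to/server.cfg]
if [ $# -gt 0 ]; then
    check_kerberos_cfg "$1"
elif [ -r /usr/NX/etc/server.cfg ]; then
    check_kerberos_cfg /usr/NX/etc/server.cfg
fi
```

Run it on the cloud server host after editing server.cfg and before restarting nxserver; a non-zero exit means at least one FAIL line was printed. Because the path check only tests that the file exists, a library that exists but is built for the wrong Kerberos implementation will still pass; the nxserver log after restart remains the final word.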
This topic was marked as solved.