- This topic has 8 replies, 2 voices, and was last updated 4 weeks ago by
.
-
Posts
-
Hi All, apologies for asking this and if it’s in the wrong forum. I’m very new to Linux and NoMachine but I do have reasonable experience in a Windows environment. I’m in the process of setting up some laptops for users using Linux Mint for the purpose or remote working. We were previously using Windows 10 but rather than update the hardware for Windows 11 it’s more cost effective to move to Linux. The laptops are no more than a console solely for the purpose of connecting in via [removed] to a Windows desktop.
I use google-authenticator and multiOTP successfully in our Windows environment so want to use the same for the Linux laptops. I can successfully get google-authenticator to work locally on the Linux laptops but when using NoMachine to connect to the Laptops it automatically asks for TOTP codes which always fail. I’ve not setup anything to use google-authenticator in NoMachine it just automatically uses it as soon as the .google_authenticator file is present in the Linux users home directory.
I try to connect with NoMachine and am asked for the TOTP code which fails with “Authentication failed, please try again.”
For information I’m only using NoMachine for laptop setup but could potentially use it for remote support if I can get MFA to work via google authenticator. If it’s possible to get just the Linux desktop logins to require MFA and the NoMachine to use a username and password only this would be acceptable.
Attachments:
Hi,
I’ve not setup anything to use google-authenticator in NoMachine it just automatically uses it as soon as the .google_authenticator file is present in the Linux users home directory.
Indeed, NoMachine does not need any configuration, but you will need to make some changes to the PAM configuration. There is an article in the knowledge base that explains how to set up Google Authenticator with NoMachine https://kb.nomachine.com/AR12L00828#3.2. I’ve linked you to the section dedicated to Google Authenticator directly, but it’s worth reading the earlier sections 1 and 2.
Does that help?
Hi, thanks for the response.
I’ve setup and confirmed google-authenticator works locally with 2 users. I did look at the guide you linked prior to posting here and have the same issue after following the steps specifically point 5. As soon as I add “auth required pam_google_authenticator.so” to the nx file I can’t connect with NoMachine to any user where google-authenticator is enabled. NoMachine prompts for the username and password and I if I use either of the local users it will ask for a verification code which fails every time.
See screenshot of the nx file with “auth required pam_google_authenticator.so” added. Unless I’m missing something else from the PAM config this appears to be all that’s required for Ubuntu?
For reference I’ve also attached a screenshot of the common-auth file incase this is where the issue lies but as said I’m able to connect locally just not via NoMachine.
There’s a typo in the common-auth file in the screenshot above which is not present in the live file on disk! Just a fumble while I was doing the screenshot 🙂
No problem 🙂 We’re investigating further. Generally those instructions are good to go for most Linux systems. Can you confirm you are using the latest Linux Mint? What Windows version are you connecting from? In the meantime, are you able to send us the logs? You can extract them using the instructions here: https://kb.nomachine.com/DT07S00243. Send both server-side logs (from the Linux Mint server) and the client-side logs from the device you are connecting from.
Send them to forum[at]nomachine[dot]com. Please use the title of this topic as the subject of your email. Thanks!
Just to let you know I’ve collected the logs as requested and sent them as requested. Please let me know if there is anything else I can do to help?
Just to confirm I am using the latest build of Linux Mint Cinnamon which has been fully updated and this is the server end and I’m connecting from a Windows 11 workstation on version 24H2 which is also fully upto date.
regards
We went through our article and checked our configurations with what you posted. Bear in mind that the instructions in the article are for one type of many possible configurations. For your set up, this should work:
edit /etc/pam.d/nx like here:
# This is a default PAM configuration for NoMachine. It is based on
# system’s ‘su’ configuration and can be adjusted freely according
# to administrative needs on the system.auth [success=1 default=ignore] pam_unix.so nullok
auth requisite pam_deny.so
auth required pam_permit.so
auth required pam_ecryptfs.so unwrap
auth optional pam_cap.soauth required pam_google_authenticator.so
account include su
password include su
session include suWe’ve tested it and it works.
Hi,
Thank you so much for your help with this. I can confirm everything is now working as expected!
regards
You must be logged in to reply to this topic. Please login here.