Yubikey support

Forum / NoMachine for Linux / Yubikey support

Viewing 15 posts - 1 through 15 (of 23 total)
  • Author
    Posts
  • #49144
    Chatter5352
    Participant

    Hi,

    I am very impressed with NoMachine so far but am seeking assistance with integrating my Yubikey for secure login. I use this with FIDO2 resident keys for ssh already and tried to do similar for NoMachine login to my Ubuntu server from my MacBook. Unfortunately this didn’t work and I assume it is because Nx does not support FIDO2 resident keys for login?

    If that is the case, can somebody advise me on the best way to protect my account using my Yubikey? I would need to register multiple keys in case I lose one of them.

    Thanks for your help!

    #49154
    Britgirl
    Keymaster

    Hi,

    NoMachine currently supports Yubico authentication by configuring PAM. You can read more about how to do that here:

    How to enable Yubico authentication with NoMachine on Linux
    https://kb.nomachine.com/AR12Q01064

    #49155
    Chatter5352
    Participant

    Thanks for your swift response!

    Doesn’t this approach require internet access to the Yubico cloud server? I need an offline only solution. Are there any other supported approaches I can try? Thanks for your help!

    #49169
    Guro
    Contributor

    hello

    “Doesn’t this approach require internet access to the Yubico cloud server?” – yes, there is need.

    but

    “I use this with FIDO2 resident keys for ssh already” – if you have updated ssh server configuration then

    there is possible to try use ssh pam configuration to nx on server and check.

    sudo cp /etc/pam.d/nx /etc/pam.d/nx.bak

    sudo cp /etc/pam.d/sshd /etc/pam.d/nx

    if login fails send server side logs to us, please.

    thanks

    #49349
    Chatter5352
    Participant

    Thanks for your suggestion! I copied those files then tried logging in with “Key-based authentication with a key you provide” and pointed it to the key on my computer that points to the key on the Yubikey. I note that I am not using port 22 for ssh, will this be a problem?

    The login failed though. I also tried using the Nomachine GUI to ssh in, but also failed.

    Do you have further suggestions to get login secured with Yubikey without an online server involved?

     

    Here is the log output as requested:

    Info: Starting NoMachine version 8.12.12.

    Info: Loading settings from ‘/Users/me/.nx/config/player.cfg’.

    Info: Loaded translation files for ‘English’.

    68155 259 2024-08-24 09:22:56 071.013 Main: Creating the client session.

    68155 259 2024-08-24 09:22:56 071.085 ClientSession: Initializing session at 0x155837a00.

    68155 259 2024-08-24 09:22:57 152.145 ClientSession: Initialized session at 0x155837a00.

    68155 259 2024-08-24 09:22:57 153.472 ClientSession: Starting session at 0x155837a00.

    68155 259 2024-08-24 09:22:57 155.553 ClientSession: Going to start session ‘/Users/me/Documents/NoMachine/compName.nxs’.

    68155 259 2024-08-24 09:22:57 159.678 Connection: Initializing connection at 0x154149ae0.

    68155 259 2024-08-24 09:22:57 159.831 Connection: Initialized connection at 0x154149ae0.

    68155 259 2024-08-24 09:22:57 159.843 Connection: Starting connection at 0x154149ae0.

    68155 259 2024-08-24 09:22:57 159.850 ClientDaemonConnector: Starting a new connection to host ‘192.168.1.144’ on port ‘4000’.

    68155 259 2024-08-24 09:22:57 159.950 Connection: Started connection at 0x154149ae0.

    68155 259 2024-08-24 09:22:57 162.504 ClientSession: Started session at 0x155837a00.

    Info: Slave server running with pid 89603.

    Info: Listening to slave connections on port 23093.

    68155 259 2024-08-24 09:22:57 162.929 Main: Entering the GUI event loop.

    68155 259 2024-08-24 09:22:57 357.572 MacInit: WARNING! Activation event lost, try to recover by synthesizing a new event.

    68155 259 2024-08-24 09:23:27 162.987 Connection: Connection at 0x154149ae0 failed.

    68155 259 2024-08-24 09:23:27 163.358 ClientSession: Runnable at 0x154149ae0 caused the session at 0x155837a00 to fail.

    68155 259 2024-08-24 09:23:27 163.392 ClientSession: Failing reason is ‘A connection timeout has occurred while trying to connect to ‘192.168.1.144’ on port ‘4000’. The issue could either be caused by a networking problem, by a firewall or NAT blocking incoming traffic or by a wrong server address. Please verify your configuration and try again.’.

    68155 259 2024-08-24 09:23:27 168.888 ClientSession: Stopping session at 0x155837a00.

    68155 259 2024-08-24 09:23:27 174.427 ClientSession: Destroying display client.

    Info: Slave server running with pid 90119.

    Info: Listening to slave connections on port 30046.

    68155 259 2024-08-24 09:23:27 175.818 Connection: Stopping connection at 0x154149ae0.

    68155 259 2024-08-24 09:23:27 175.872 ClientDaemonConnector: Stopping the current connection.

    68155 259 2024-08-24 09:23:27 175.896 Connection: Stopped connection at 0x154149ae0.

    68155 259 2024-08-24 09:23:27 182.955 ClientSession: Stopped session at 0x155837a00.

     

    #49377
    dsholm
    Participant

    Not sure this is the correct forum for this question at this point, you should be asking Yubico instead. There is a way to store SSH keys on your key, there might be a way to even host your own inhouse validation server (if not allowed, then only what is stored on the key will ever work). Either way, this is more of a Yubico question as to how to setup PAM and your key to work correctly.

    #49380
    Guro
    Contributor

    Hello,

    note that I am not using port 22 for ssh, will this be a problem?” – no, it shouldn’t be a problem.

    Do you have further suggestions to get login secured with Yubikey without an online server involved?” – not yet, as I suspect that it needs additional implementation.

    Here is the log output as requested:” – these logs are from the client side and mostly report about the connection problem then ‘Yubikey’ use.

    Could you please provide us the server side logs, for a more clear information, and send them to forum[at]nomachine[dot]com, making sure to reference the topic as the subject of the email?

    #49399
    Guro
    Contributor

    One additional information: if you have access on Yubikey keys and are able to extract the public key for ssh to place in ~/.ssh/authorized_keys , then you might use NoMachine SSH protocol connection and choose authentication with smartcard reader.

    By default it works only to PKCS#11 compatible smartcard readers, but it might also recognize Yubikey.

    Please try and let us know.

    #49403
    Chatter5352
    Participant

    @dsholm:

    I have tried asking around Yubikey forums, but am yet to find a solution unfortunately..

    I can and do store my private keys on my Yubikey. This resident key approach works fine for ssh to this server for example!


    @Guro
    :

    Thanks for taking the time to help with this, it’s very much appreciated!

    I don’t want to accidentally send private information in the log files. Can you point to me which files it is safe to send for this debugging?

    For now, here are some outputs whilst trying to login with the key method. Hopefully it helps:

    “438722 438722 2024-08-27 11:33:06 493.870 NXSERVER NXShell: Machine ‘NXLoginStateMachine’ is ready.

    438722 438722 2024-08-27 11:33:06 493.912 NXSERVER NXShell: Run state machines.

    438722 438722 2024-08-27 11:33:06 493.956 NXSERVER NXShell: Run state machine ‘NXLoginStateMachine’.

    438722 438722 2024-08-27 11:33:06 493.998 NXSERVER Login State Machine: State ‘publicKeyLogin’.

    438722 438722 2024-08-27 11:33:06 494.047 NXSERVER __setMode server

    438722 438722 2024-08-27 11:33:06 494.109 NXSERVER __setKeyAlgorithm RSA

    438722 438722 2024-08-27 11:33:06 494.254 NXSERVER NXMsg: Sent request message ‘NX> 250 Properties: publicKey required for labgateway port: 4000 service login: ‘

    438722 438722 2024-08-27 11:33:06 494.385 NXSERVER NXParser: adding handle ‘4’ FD#4 to the selector.

    438722 438722 2024-08-27 11:33:06 494.474 NXSERVER NXParser: adding handle ‘7’ FD#7 to the selector.

    438722 438722 2024-08-27 11:33:06 494.557 NXSERVER NXParser: main loop started with timeout inf.

    438722 438722 2024-08-27 11:33:06 494.619 NXSERVER NXParser: set timeout to : -1.

    243797 243870 2024-08-27 11:33:10 613.671 ServerPhysicalSession/ServerConnectOnDisplaySocket: ERROR! Can’t connect to socket @’/tmp/.X11-unix/X1′ proto UNIX.

    243797 243870 2024-08-27 11:33:10 613.712 ServerPhysicalSession/ServerConnectOnDisplaySocket: Error is 11, Resource temporarily unavailable.

    243797 243870 2024-08-27 11:33:11 849.237 ServerPhysicalSession/ServerConnectOnDisplaySocket: ERROR! Can’t connect to socket @’/tmp/.X11-unix/X1′ proto UNIX.

    243797 243870 2024-08-27 11:33:11 849.287 ServerPhysicalSession/ServerConnectOnDisplaySocket: Error is 11, Resource temporarily unavailable.

    243797 243870 2024-08-27 11:33:14 302.664 ServerPhysicalSession/ServerConnectOnDisplaySocket: ERROR! Can’t connect to socket @’/tmp/.X11-unix/X1′ proto UNIX.

    243797 243870 2024-08-27 11:33:14 302.707 ServerPhysicalSession/ServerConnectOnDisplaySocket: Error is 11, Resource temporarily unavailable.

    243797 243870 2024-08-27 11:33:22 412.104 ServerPhysicalSession/ServerConnectOnDisplaySocket: ERROR! Can’t connect to socket @’/tmp/.X11-unix/X1′ proto UNIX.  ”

    My keys are resident keys stored on the Yubikey. I do have the public keys in ~/.ssh/authorized_keys on the server I’m trying to access. I tried then using the ssh protocol and smart card reader method but got the following error:

    Could not connect to the server.

Error is 94: Bad message

    Very eager to try any other suggestions as I’d really like to get this up and running!

    #49441
    Guro
    Contributor

    Hello,

    My keys are resident keys stored on the Yubikey. I do have the public keys in ~/.ssh/authorized_keys on the server I’m trying to access.” – it looks good.

    Could you please provide us the command of poor ssh you use to login to the server (hiding all sensitive data)?

    Thanks

    #49467
    Chatter5352
    Participant

    Sorry, I’m not sure what you mean by “poor ssh”? Here is the command I use for ssh, if that’s what you’re after:

    ssh -I /pathtokeyfile -p portnumber user@IPADDRESS

    Hopefully that helps! 

    #49485
    Guro
    Contributor

    Hello

    ssh -I /pathtokeyfile

    Usually -I uses to access to pkcs11 module. For Yubico probably it should be libykcs11.dylib.

    If yes then you can use path to module in section “Use key-based authentication with PKCS11 smart card”,

    “Set an alternate security module”. there you can select absolute path to libykcs11.dylib.

    By default path might look like /usr/local/lib/libykcs11.dylib.

    If connection still fails, then please leave all settings as it but close all nomachine windows.

    Edit ~/.nx/config/player.cfg

    find line:

    <option key=”SSH client mode” value=”library” />

    and replace “library” to “native” like:

    <option key=”SSH client mode” value=”native” />

    also check if
    <option key=”SSH Client” value=”/usr/local/bin/ssh” />

    contain valid path to default ssh client. Finish and save edit content.

    Open nomachine windows again and do SSH protocol connection by smart card.

    Please inform as if it will helps and report errors if some appears.

    #49593
    Chatter5352
    Participant

    Sorry for the delayed response (have been out of email contact), and for the misunderstanding! I use the -lowercasei option not -I (the forum autocorrected it and I can’t override that for some reason…). This is to specify my key file which is just a pointer to where the key is actually stored on the Yubikey as far as I understand.

    Does your advice still apply in that case?

    In the mean time I have found a possible workaround. This is to use the Yubikey to ssh tunnel the 4000 port to my localhost. Then I can connect to localhost using Nomachine. This works and may be an acceptable workaround, unless you see problems with this method? One possible issue is that I have found this connection less reliable than directly using Nomachine to the remote IP and port eg. session freezes and I have to reconnect. Is there a way to make the connection more stable with this approach?

    Thanks again for your help!

    #49604
    Guro
    Contributor

    hello

    As you use -i option for ssh to point to private key in system path, then you could point same path in the connection > ‘Use key-based authentication with a key you provided’.

    Does your advice still apply in that case?” – yes. Check key real path after modify player.cfg and set

     

    thanks

    #49607
    Chatter5352
    Participant

    Thanks! I just tried that change to ‘native’ and using path to key with key-based auth. It can find the server I think, but it gives the same error as before:

    Authentication failed, please try again.

     

Viewing 15 posts - 1 through 15 (of 23 total)

You must be logged in to reply to this topic. Please login .