Steve92

Forum Replies Created

Viewing 15 posts - 1 through 15 (of 26 total)
  • Steve92
    Participant

    Hello,

    Ansible could be an interesting solution.

    But for the moment, could you please confirm that the owner, group and permissions, created manually, are OK on the following files and folders of this ECS machine?

    [my_user@ECSDR ~]$ pwd
    /home/my_user

    [my_user@ECSDR ~]$ ls -al
    total 116
    drwx------. 17 my_user my_user  4096 26 nov.  11:06 .
    drwxr-xr-x. 11 root     root       149 21 janv. 15:27 ..
    .....
    drwx------. 30 my_user my_user  4096 11 févr. 10:44 .nx
    .....

    [my_user@ECSDR ~]$ ls -al .nx
    total 44
    drwx------. 30 my_user my_user  4096 11 févr. 10:44 .
    drwx------. 17 my_user my_user  4096 26 nov.  11:06 ..
    .....
    drwx------.  2 my_user my_user    63  3 févr. 17:57 config
    .....

    [my_user@ECSDR ~]$ ls -al .nx/config
    total 24
    drwx------.  2 my_user my_user   63  3 févr. 17:57 .
    drwx------. 30 my_user my_user 4096 11 févr. 10:44 ..
    -rw-------.  1 my_user my_user  982  3 févr. 13:38 authorized.crt

    Thanks,

    Regards,

    Steve.

    Steve92
    Participant

    Hello,

    Is there nothing like

    sudo /etc/NX/nxserver --keyadd /home/user/node.localhost.id_rsa.pub

    but that updates

    <user's home>/.nx/config/authorized.crt

    instead of /var/NX/nx/.nx/config/authorized.crt?

    On ECS, I've noticed that some users don't have the folder <user's home>/.nx/config.

    When is <user's home>/.nx created?

    Thanks,

    Regards,

    Steve.

    in reply to: ECS without running X server #51266
    Steve92
    Participant

    Hello,

    It was actually a PAM (SELinux, Pluggable Authentication Modules) configuration problem.

    The VM I was given for the POC has security hardening (I didn't know that... but it's a good thing to have a POC configuration matching the target one).

    I solved the problem by following NoMachine – Troubleshooting LDAP And PAM Issues On Linux For Connections By NX Protocol – Knowledge Base

    SSH access was OK so I used its PAM config file:

    cp /etc/pam.d/nx /etc/pam.d/nx.ori
    cp /etc/pam.d/sshd /etc/pam.d/nx

    Now, access from “!M Client” to ECS is OK with all protocols (SSH, NX & HTTPS). I can add nodes from the client module.

    The nx and sshd PAM config files are now the same.

    Do I need to do more testing to validate the solution?

    Thanks and happy new year!

    Regards,

    Steve.

    in reply to: ECS without running X server #51189
    Steve92
    Participant

    Hello,

    I reinstalled ECS twice on a Linux RHEL 9.5 VM (SSH command-line access) but I still have a serious authentication problem.

    $ hostnamectl
     Static hostname: wxyz.ptg (anonymized)
           Icon name: computer-vm
    Operating System: Red Hat Enterprise Linux 9.5 (Plow)
         CPE OS Name: cpe:/o:redhat:enterprise_linux:9::baseos
              Kernel: Linux 5.14_xxx
        Architecture: x86-64
     Hardware Vendor: VMware, Inc.
      Hardware Model: VMware7,1
    Firmware Version: xxx

    Install is OK:

    $ groups
    w123456-a wheel

    $ sudo rpm -ivh nomachine-enterprise-cloud-server_8.14.2_1_x86_64.rpm
    NX> 700 Installing nxserver version: 8.14.2.
    NX> 700 Installing nxwebplayer version: 8.14.2.
    NX> 700 Server install completed with warnings.
    NX> 700 Please review the install log for details.
    NX> 700 Installation completed at: Mon, 23 Dec 2024 15:36:31.
    NX> 700 NoMachine was configured to run the following services:
    NX> 700 NX service on port: 4000
    NX> 700 HTTPS service on port: 4443

    The 2 warnings are about printing and audio backends not being detected (it's normal).

    Just after this "fresh" install:

    [w123456-a@wxyz ~]$ /usr/NX/bin/nxexec --auth
    Username:w123456-a
    Password:********************
    8537 8537 15:38:09 165 nxexecPAMCheckCredentials: ERROR! Authentication failed.
    8537 8537 15:38:09 166 nxexecPAMCheckCredentials: Error code '6', 'Permission denied'.
    Login failed.

    From "!M Client" I added 3 connections (SSH, NX, HTTPS) to ECS.

    Today none of them is OK => each gives "authentication failure".

    On Friday, the SSH connection was OK, I was able to pass the ECS login phase and access the "Manage" button to create nodes. It's crazy!

    I can't send you the whole log files for security reasons, only small parts.

    Could you tell me which strings I should grep in the logs to help you understand the problem?

    Here are some extracts I found in nxserver.log after having activated "debug mode":

    SSH from "!M client":

    6889 6889 15:27:12 898 nxexecPAMCheckCredentials: ERROR! Authentication failed.
    6889 6889 15:27:12 898 nxexecPAMCheckCredentials: Error code '10', 'User not known to the underlying authentication module'.

    NX from "!M client":

    $ sudo grep -i wrong /usr/NX/var/log/nxserver.log
    Info: Handling connection from 10.11.12.13 port 64460 on Mon Dec 23 11:38:26 2024.
    38882 38882 11:41:09 603 nxexecPAMCheckCredentials: ERROR! Authentication failed.
    38882 38882 11:41:09 603 nxexecPAMCheckCredentials: Error code '6', 'Permission denied'.
    35465 35465 2024-12-23 11:41:09 607.868 NXSERVER WARNING! Process '/usr/NX/bin/nxexec --auth' with pid '38882/38882' finished with exit code 1 after 2,161 seconds.
    35465 35465 2024-12-23 11:41:09 608.811 NXSERVER ERROR! Authentication with 'NX-password' from host '10.11.12.13' failed. Error is 'Wrong password or login'.
    Info: Connection from 10.11.12.13 port 64460 closed on Mon Dec 23 11:41:09 2024.

    HTTPS from "!M client" relayed to Edge browser:

    Info: Handling connection from 127.0.0.1 port 36070 on Mon Dec 23 11:47:56 2024.
    41412 41412 11:48:07 833 nxexecPAMCheckCredentials: ERROR! Authentication failed.
    41412 41412 11:48:07 834 nxexecPAMCheckCredentials: Error code '6', 'Permission denied'.
    41365 41365 2024-12-23 11:48:07 837.308 NXSERVER WARNING! Process '/usr/NX/bin/nxexec --auth' with pid '41412/41412' finished with exit code 1 after 2,513 seconds.
    41365 41365 2024-12-23 11:48:07 837.805 NXSERVER ERROR! Authentication with 'NX-password' from host '10.11.12.13' failed. Error is 'Wrong password or login'.
    Info: Connection from 127.0.0.1 port 36070 closed on Mon Dec 23 11:48:07 2024.

    Regards,

    Steve.


    Steve92
    Participant

    Hi!

    In fact, I've run the script and it seems to update 38 rules supporting propagation, instead of 33 as described in the documentation.

    So there seem to be 5 new rules... yes, if you confirm this figure, the document should be updated.

    Thanks!

    ------------------
    1 unix-console
    2 nxvfb
    3 unix-gnome
    4 vms unix-remote-custom
    5 unix-xsession-default
    6 vnc
    7 windows
    8 unix-remote
    9 unix-desktop
    10 nx-console
    11 unix-cde
    12 shadow
    13 unix-kde
    14 connection-only
    15 unix-application
    16 nx-console-shadow
    17 unix-default
    18 unix-xdm
    19 physical-desktop
    20 virtual-desktops-limit
    21 connections-limit
    22 unix-script
    23 server-printer-sharing
    24 client-network-sharing
    25 audio
    26 server-network-sharing
    27 client-usb-sharing
    28 interactive-mode
    29 server-disk-sharing
    30 local-recording
    31 client-smartcard-sharing
    32 microphone
    33 client-printer-sharing
    34 client-disk-sharing
    35 server-file-transfer
    36 client-file-transfer
    37 session-recording
    38 server-usb-sharing
    ------------------

    Steve92
    Participant

    Hello,

    Good job!

    It seems to show many more (52) types of rights than the ECS documentation (chap. 4.5 lists 33 types).

    NoMachine Enterprise Cloud Server – Installation And Configuration Guide

    Can all these types of rules be propagated from the ECS to the nodes?

    Thanks!

    Steve.

    Steve92
    Participant

    Hi,

    I did a quick successful test closer to your needs. 🙂

    # !M Client 8.14.2 installed on:
    Microsoft Windows 11 Enterprise Evaluation (expired a few months ago)
    Version 10.0.22621 Build 22621
    VM under "VMware Player 17" on "Debian 11": 4 CPUs, 8 GB RAM

    > ssh -V:
    OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3

    > ssh-keygen -t ed25519
    (default path+filenames+a passphrase entered)

    Public key
    C:\Users\User\.ssh\id_ed25519.pub
    transferred to Linux remote server and added to
    /home/my-user/.nx/config/authorized.crt

    # Remote server:
    "!M Enterprise Desktop 8.14.2" (evaluation)
    VPS "Debian 12", 1 vCPU, 2 GB!
    LXDE

    # In "!M Client" on W11 VM
    For the created "My Enterprise Desktop" connection:
    Edit/Configuration
    [x] Use key-based auth. with a key you provide
    [ Modify ]
    C:\Users\User\.ssh\id_ed25519

    That works like a charm!

    Good luck and go ahead! 😉

    Steve.


    Steve92
    Participant

    Yes, thanks, "--keyadd" works great!

    It’s exactly what I was looking for: simple and supported by NoMachine.

    🙂

    Steve92
    Participant

    I've tested adding the public NX key of the Cloud Server to the Terminal Server in /var/NX/nx/.nx/config/authorized.crt (from memory).

    The "config" directory has to be created (with the right permissions) if it's the first node to be added. (cat node..rsa.key.pub >> /var/NX/nx/.nx/config/authorized.crt)

    Please, could you confirm it's OK?

    It seems to be OK but I want to be sure not to forget something.

    Thanks!

    Regards.

    Steve
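    One way to do the manual step discussed in the posts above (appending a public key to a user's .nx/config/authorized.crt and creating the directories with the owner-only modes shown in the ls -al listings), as an added example that is not NoMachine's own tooling; the home directory and key file paths are arguments supplied by the caller:

```shell
#!/bin/sh
# Added example, not NoMachine's own tooling: install one public key into a
# user's ~/.nx/config/authorized.crt the way the posts above do by hand, with
# the owner-only modes seen in the ls -al listings (drwx------ on .nx and
# .nx/config, -rw------- on authorized.crt), appending only if absent.
# Assumption: home directory and key file are passed in by the caller.

# Usage: nx_install_key <home_dir> <pubkey_file>
# Returns 0 on success, 2 if the file is not a single OpenSSH public key.
nx_install_key() {
    home_dir=$1
    pubkey_file=$2
    cfg="$home_dir/.nx/config"
    crt="$cfg/authorized.crt"

    # Accept exactly one line that looks like an OpenSSH public key.
    [ "$(wc -l < "$pubkey_file" | tr -d ' ')" -le 1 ] || return 2
    key=$(cat "$pubkey_file")
    case $key in ssh-*|ecdsa-*) ;; *) return 2 ;; esac

    # umask 077 makes every directory and file created here owner-only;
    # chmod afterwards repairs a pre-existing .nx or config with wider modes.
    (umask 077 && mkdir -p "$cfg" && : >> "$crt") || return 1
    chmod 700 "$home_dir/.nx" "$cfg" && chmod 600 "$crt" || return 1

    # Idempotent append: -x whole line, -F literal, so re-runs add nothing.
    grep -qxF -- "$key" "$crt" || printf '%s\n' "$key" >> "$crt"
}

# mode_of prints the 10-character mode string of a path (SELinux "." dropped).
mode_of() { ls -ld "$1" | cut -c1-10; }

# Usage: nx_check_perms <home_dir>; returns 0 when the tree has the expected modes.
nx_check_perms() {
    [ "$(mode_of "$1/.nx")" = "drwx------" ] &&
    [ "$(mode_of "$1/.nx/config")" = "drwx------" ] &&
    [ "$(mode_of "$1/.nx/config/authorized.crt")" = "-rw-------" ]
}
```

    Run nx_check_perms against a user's home after the install to get the same answer the listings in the first post were asking for.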


    in reply to: Only central administration of !M parameters ? #50712
    Steve92
    Participant

    Hello,

    So, is it possible, with a profile, to propagate EnableDirectConnections=OFF to all nodes linked to a Cloud Cluster?

    If not, when will it be possible?

    Thanks

    Regards

    Steve.

    Steve92
    Participant

    Hello,

    A few weeks ago, I had some problems too with the ED25519 algorithm to generate keys and I thought it was not supported (hence my question https://forum.nomachine.com/topic/ed25519-algorithm-for-ssh-nx-keys ).

    I've just done a test in a full Linux environment, all is OK (following https://kb.nomachine.com/AR02L00785).

    On "!M Client" 8.14 side:

    $ ssh-keygen -t ed25519               (-b is useless since the key has a fixed length)

    I kept default key names and added a passphrase.

    The server is “!M Enterprise Cloud Server” 8.14.

    FYI, ssh version:

    $ ssh -V

    OpenSSH_9.2p1
    OpenSSL 3.0.14   4/6/2024

    O/S:

    Debian 12 Bookworm
    Linux antix1 6.1.105
    (super light Linux, perfect for testing !M in live VMs)

    Good luck! 🙂

    NB: an RSA 4096-bit key is still strong enough (even 3072-bit for common usage)!

    Regards,

    Steve.

    in reply to: Only central administration of !M parameters ? #50658
    Steve92
    Participant

    Hello,

    Great news for the POC in progress!
    It's crucial for us to protect the "!M Enterprise Desktops" settings.

    An FR: (if I don't need to change my glasses 😉 )

    We need to give access to all Nodes only via the Cloud Server.

    I can't see that "EnableDirectConnections" can be disabled by using a command line like: nxserver --ruleadd --class propagation

    It is "ON" by default.

    Could you confirm please? Is this FR already registered? How long will it take to add this FR?

    I guess we'll have to deal with this need at the firewall level... 🙁

    Regards,

    Steve.

    in reply to: Protocol break between nxhtd & nxwebplayer (CGI) ? #49848
    Steve92
    Participant

    Hello,

    "separating the web server host from the NoMachine server host"

    is a good thing but it is not enough for (very) sensitive environments.

    "Protocol break" is a network protocol attack protection measure as described on this NCSC page:

    Network protocol attack protection – NCSC.GOV.UK
    https://www.ncsc.gov.uk/collection/cross-domain-solutions/using-the-principles/network-protocol-attack-protection

    In our case the risk occurs if a user from a low security domain has remote access to a server in a high security domain.

    We must have strong protection against an attacker who might use the components within NoMachine as a route to compromise the core network.

    NCSC: "A protocol break will terminate one transmission path, extract the relevant information, and use this to initiate a new transmission path."

    So the question is: what happens in the black box "nxhtd & nxwebplayer" between the 2 components?

    Is there a network session break?
    Is there a "rewriting" of the data or just "as-is" forwarding?

    Please, could you forward these hard questions to a cybersecurity expert in your lab teams?

    Thanks,

    Regards,

    Steve.

    in reply to: UDP remote ports #49805
    Steve92
    Participant

    Hello,

    If multiple screens are used, is only one UDP port used?

    How can that happen?

    In our case, only one remote UDP port would be open instead of a range!

    In what cases can it cause problems? Please give examples.

    Thanks!

    Regards,

    Steve.

    in reply to: Cleanly uninstall the NoMachine Service? #49804
    Steve92
    Participant

    Hello,

    And what about the server side (destination machine)?

    Is there no way to cleanly uninstall "NoMachine Service"?

    Manual start must not be allowed in our case.

    Is there a dirty way like removing files (binary file...)? Which one?

    The aim would be to have only the admin console on "!M Cloud Server".

    Is it possible?

    Thanks.

    Steve.
