Forum Replies Created
December 6, 2024 at 19:25 in reply to: Profiles management: “deny all” propagation to all nodes (#51018)
Steve92 (Participant)
Hi!
In fact, I’ve run the script; it seems to update 38 rules supporting propagation, instead of 33 as described in the documentation.
So there seem to be 5 new rules… yes, if you confirm this figure, the document should be updated.
Thanks!
——————
1 unix-console
2 nxvfb
3 unix-gnome
4 vms unix-remote-custom
5 unix-xsession-default
6 vnc
7 windows
8 unix-remote
9 unix-desktop
10 nx-console
11 unix-cde
12 shadow
13 unix-kde
14 connection-only
15 unix-application
16 nx-console-shadow
17 unix-default
18 unix-xdm
19 physical-desktop
20 virtual-desktops-limit
21 connections-limit
22 unix-script
23 server-printer-sharing
24 client-network-sharing
25 audio
26 server-network-sharing
27 client-usb-sharing
28 interactive-mode
29 server-disk-sharing
30 local-recording
31 client-smartcard-sharing
32 microphone
33 client-printer-sharing
34 client-disk-sharing
35 server-file-transfer
36 client-file-transfer
37 session-recording
38 server-usb-sharing
——————
December 3, 2024 at 09:25 in reply to: Profiles management: “deny all” propagation to all nodes (#50930)
Steve92 (Participant)
Hello,
Good job !
It seems to show many more (52) types of rights than the ECS documentation (chap. 4.5 lists 33 types).
NoMachine Enterprise Cloud Server – Installation And Configuration Guide
Can all these types of rules be propagated from the ECS to the nodes?
Thanks!
Steve.
November 15, 2024 at 09:34 in reply to: ED25519 and ECDSA for NX protocol produce “Authentication Failed” error (#50751)
Steve92 (Participant)
Hi,
I did a quick successful test closer to your need. 🙂
# !M Client 8.14.2 installed on:
Microsoft Windows 11 Enterprise Evaluation (expired a few months ago)
Version 10.0.22621 Build 22621
VM under “VMWare Player 17” on “Debian 11”: 4 CPU, 8 GB RAM

> ssh -V
OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3
> ssh-keygen -t ed25519
(default path + filenames + a passphrase entered)

Public key C:\Users\User\.ssh\id_ed25519.pub transferred to the Linux remote server and added to /home/my-user/.nx/config/authorized.crt

# Remote server:
“!M Enterprise Desktop 8.14.2” (evaluation)
VPS “Debian 12”, 1 vCPU, 2 GB!
LXDE

# In “!M Client” on the W11 VM
For the “My Enterprise Desktop” created connection:
Edit/Configuration
[x] Use key-based auth. with a key you provide
[ Modify ]
C:\Users\User\.ssh\id_ed25519

That works like a charm!
Good luck and go ahead! 😉
Steve.
November 14, 2024 at 18:37 in reply to: Public key exchange from “Enterprise Cloud Server” to “Terminal Server” (#50745)
Steve92 (Participant)
Yes, thanks, “--keyadd” works great!
It’s exactly what I was looking for: simple and supported by NoMachine.
🙂
November 13, 2024 at 19:03 in reply to: Public key exchange from “Enterprise Cloud Server” to “Terminal Server” (#50717)
Steve92 (Participant)
I’ve tested adding the public NX key of the Cloud Server to the Terminal Server in /var/NX/nx/.nx/config/authorized.crt (from memory).
The “config” directory has to be created (with the right permissions) if it’s the 1st node to be added. (cat node..rsa.key.pub >> /var/NX/nx/.nx/config/authorized.crt)
Please, could you confirm it’s OK?
It seems to be OK but I want to be sure not to forget something.
Thanks!
Regards.
Steve
Steve92 (Participant)
Hello,
So, is it possible, with a profile, to propagate EnableDirectConnections=OFF to all nodes linked to a Cloud Cluster?
If not, when will it be OK?
Thanks
Regards
Steve.
November 9, 2024 at 01:01 in reply to: ED25519 and ECDSA for NX protocol produce “Authentication Failed” error (#50660)
Steve92 (Participant)
Hello,
A few weeks ago, I had some problems too with ED25519 algorithm to generate keys and I thought it was not supported (hence my question https://forum.nomachine.com/topic/ed25519-algorithm-for-ssh-nx-keys ).
I’ve just done a test in full Linux environment, all is OK. (following https://kb.nomachine.com/AR02L00785)
On the “!M Client” 8.14 side:
$ ssh-keygen -t ed25519 (-b is useless since the key has a fixed length)
I kept the default key names and added a passphrase.
The server is “!M Enterprise Cloud Server” 8.14.
FYI, ssh version:
$ ssh -V
OpenSSH_9.2p1
OpenSSL 3.0.14 4/6/2024

O/S:
Debian 12 Bookworm
Linux antix1 6.1.105
(super light Linux, perfect for testing !M in live VMs)

Good luck! 🙂
NB: An RSA 4096-bit key is still strong enough (even 3072-bit for common usage)!
Regards,
Steve.
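The two posts above (this one and the November 13 one about the Terminal Server) both come down to the same manual step: append an OpenSSH public key line to the per-user NoMachine key file `~/.nx/config/authorized.crt`, creating the `config` directory first if it does not exist. The following is an added example written for this page, not NoMachine's own tooling or anything posted in the thread: it validates that the pasted line really is an OpenSSH public key (rejecting, for instance, a private key pasted by mistake), creates the directory and file, and refuses to append a duplicate. The function names and the 0700/0600 modes are assumptions; the post only says "the right permissions".

```python
# Added example, not NoMachine's own tooling: install an OpenSSH public key into
# the per-user NoMachine key file <nx_dir>/config/authorized.crt, creating the
# config directory with restrictive permissions (0700/0600 assumed here; the
# forum post only says "the right permissions") when it does not exist yet.
import re
import tempfile
from pathlib import Path

# Key types accepted here: the ed25519 and RSA keys discussed in the thread,
# plus ECDSA. The second field must look like base64; a comment is optional.
PUBKEY_RE = re.compile(
    r"^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) ([A-Za-z0-9+/]+=*)( \S.*)?$"
)


def parse_public_key(text: str) -> tuple[str, str]:
    """Return (key_type, base64_blob) for the first line of `text`.

    Raises ValueError for anything that is not an OpenSSH one-line public key,
    which also catches a private key file pasted by mistake.
    """
    first = text.strip().splitlines()[0] if text.strip() else ""
    m = PUBKEY_RE.match(first)
    if not m:
        raise ValueError("not an OpenSSH public key line")
    return m.group(1), m.group(3)


def add_nx_key(nx_dir: Path, pubkey_text: str) -> bool:
    """Append the key to nx_dir/config/authorized.crt.

    Creates nx_dir/config (0700) and authorized.crt (0600) when missing.
    Returns True if the key was added, False if the same key was already there.
    """
    key_type, blob = parse_public_key(pubkey_text)
    line = f"{key_type} {blob}"  # the comment field is not part of the key
    config_dir = nx_dir / "config"
    config_dir.mkdir(parents=True, exist_ok=True)
    config_dir.chmod(0o700)
    crt = config_dir / "authorized.crt"
    existing = crt.read_text().splitlines() if crt.exists() else []
    # Compare type + blob only, so a differing comment does not defeat dedup.
    if any(l.split()[:2] == [key_type, blob] for l in existing if l.strip()):
        return False
    with open(crt, "a") as fh:
        fh.write(line + "\n")
    crt.chmod(0o600)
    return True


def demo_install() -> tuple[bool, bool, str, int]:
    """Run the install twice on a scratch directory with a constructed key line."""
    scratch = Path(tempfile.mkdtemp()) / ".nx"
    # Constructed sample line, not a real key.
    sample = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYCONSTRUCTED user@w11vm\n"
    first = add_nx_key(scratch, sample)
    second = add_nx_key(scratch, sample)
    crt = scratch / "config" / "authorized.crt"
    return first, second, crt.read_text(), (scratch / "config").stat().st_mode & 0o777


if __name__ == "__main__":
    print(demo_install())  # (True, False, 'ssh-ed25519 AAAA...CONSTRUCTED\n', 448)
```

Pointing `nx_dir` at `/var/NX/nx/.nx` instead of a user home gives the Terminal Server variant from the November 13 post; in both cases the check that the line starts with a known key type and a base64 blob is what keeps an accidental paste of the private key out of the file.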
Steve92 (Participant)
Hello,
Great news for the POC in progress!
It’s crucial for us to protect “!M Enterprise Desktops” settings.

An FR: (if I don’t need to change my glasses 😉)
We need to give access to all Nodes only via Cloud Server.
I can’t see that “EnableDirectConnections” can be disabled by using a command line like:
nxserver --ruleadd --class propagation
…It is “ON” by default.
Could you confirm please? Is this FR already registered? How long will it take to add this FR?
I guess we’ll have to deal with this need at the firewall level… 🙁
Regards,
Steve.
Steve92 (Participant)
Hello,
“separating the web server host from the NoMachine server host” is a good thing but it is not enough for (very) sensitive environments.
“Protocol break” is a network protocol attack protection as described on this NCSC page:
Network protocol attack protection – NCSC.GOV.UK
https://www.ncsc.gov.uk/collection/cross-domain-solutions/using-the-principles/network-protocol-attack-protection

In our case the risk occurs if a user, from a low security domain, has remote access to a server in a high level security domain.
We must have strong protection against an attacker who might use the components within NoMachine as a route to compromise the core network.
NCSC: “A protocol break will terminate one transmission path, extract the relevant information, and use this to initiate a new transmission path.”
So the question is: what happens in the black box “nxhtd & nxwebplayer” between the 2 components?
Is there a network session break?
Is there a “rewriting” of data or just an “as-is” forwarding?

Please, could you forward these hard questions to a cybersecurity expert in your teams in labs?
Thanks,
Regards,
Steve.
Steve92 (Participant)
Hello,
If multiple screens are used, is only one UDP port used?
How can it happen?
In our case, only one remote UDP port would be open instead of a range!
In what case can it bring problems? Give examples please.
Thanks !
Regards,
Steve.
Steve92 (Participant)
Hello,
And what about the server side (destination machine)?
No way to cleanly uninstall “NoMachine Service”?
Manual start must not be allowed in our case.
Is there a dirty way like removing files (binary file…)? Which one?
The aim would be to have only the admin console on “!M Cloud Server”.
Is it possible?
Thanks.
Steve.
Steve92 (Participant)
Hello,
I read again the page “Use Your Own Apache Web Server…”.
If I understand correctly, the chain of components is:
[ Browser ] <= HTTPS => [ nxhtd ] <= ? => [ nxwebplayer ] <= NX/SSH => [ nxserver ]
Is it correct? If not, what is the right one?

How does [ nxhtd ], the web server, communicate (protocol, port) with [ nxwebplayer ], the web app?
Must [ nxhtd ] and [ nxwebplayer ] be on the same machine?
Thanks,
Regards.
Steve.
Steve92 (Participant)
Hello,
To summarize, according to ANSSI (French National Cyber Security Agency) and IETF, for TLS 1.2, only the following extensions should/must be used:
Extension Type: 0x000A (supported_groups)
Extension Type: 0x000B (ec_point_formats)
Extension Type: 0x000D (signature_algorithms)
Extension Type: 0x0016 (encrypt_then_mac)
Extension Type: 0x0017 (extended_master_secret)

PLUS
signed_certificate_timestamp (0x0012) …. if SCT is used
renegotiation_info (0xFF01)

Regards,
Steve.
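A way to actually check a handshake against the allow-list in the post above: the added example below (written for this page, not part of the thread or of NoMachine) parses the extension block of a TLS 1.2 ClientHello record and reports every extension type that is not one of the seven listed. The allow-list is the one from the post; the parser, the function names and the small ClientHello builder used to construct the sample input are assumptions of this example. The sample deliberately includes `server_name` (0x0000) and `session_ticket` (0x0023), two IANA-registered extension types that are not on the post's list, so the check has something to flag.

```python
# Added example, not from the forum thread or NoMachine: parse the extension
# list of a TLS 1.2 ClientHello and report any extension type outside the
# allow-list summarised in the post (ANSSI / IETF recommendations for TLS 1.2).
import struct

# Extension types quoted in the post; names follow the IANA registry.
ALLOWED_EXTENSIONS = {
    0x000A: "supported_groups",
    0x000B: "ec_point_formats",
    0x000D: "signature_algorithms",
    0x0016: "encrypt_then_mac",
    0x0017: "extended_master_secret",
    0x0012: "signed_certificate_timestamp",  # only if SCT is used
    0xFF01: "renegotiation_info",
}


def parse_client_hello_extensions(record: bytes) -> list[tuple[int, bytes]]:
    """Return [(ext_type, ext_data), ...] from a TLS record holding a ClientHello.

    Every length field is checked against the buffer, so a truncated or
    malformed record raises ValueError instead of being silently accepted.
    """
    if len(record) < 5 or record[0] != 0x16:  # content type: handshake
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != 0x01:  # handshake type: client_hello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake")
    pos = 2 + 32  # client_version + random
    sid_len = hello[pos]
    pos += 1 + sid_len  # session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2 + cs_len  # cipher_suites
    comp_len = hello[pos]
    pos += 1 + comp_len  # compression_methods
    if pos == len(hello):
        return []  # a ClientHello without any extensions block is legal
    ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end != len(hello):
        raise ValueError("extensions length mismatch")
    exts = []
    while pos < end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        pos += 4
        data = hello[pos:pos + elen]
        if len(data) != elen:
            raise ValueError("truncated extension %#06x" % etype)
        exts.append((etype, data))
        pos += elen
    return exts


def unexpected_extensions(record: bytes) -> list[int]:
    """Extension types present in the ClientHello but not on the allow-list."""
    return [t for t, _ in parse_client_hello_extensions(record) if t not in ALLOWED_EXTENSIONS]


def build_client_hello(extensions: list[tuple[int, bytes]]) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying the given extensions (test input only)."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    hello = (
        b"\x03\x03" + bytes(32) + b"\x00"        # version 1.2, zero random, empty session id
        + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
        + b"\x01\x00"                             # one compression method: null
        + struct.pack("!H", len(ext_body)) + ext_body
    )
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


# Constructed sample: allow-listed extensions plus server_name (0x0000) and
# session_ticket (0x0023), which are not on the list from the post.
SAMPLE = build_client_hello([
    (0x0000, b"\x00\x0c\x00\x00\x09localhost"),
    (0x000A, b"\x00\x04\x00\x1d\x00\x17"),
    (0x000D, b"\x00\x04\x04\x03\x08\x04"),
    (0x0017, b""),
    (0x0023, b""),
    (0xFF01, b"\x00"),
])

if __name__ == "__main__":
    for t in unexpected_extensions(SAMPLE):
        print("extension %#06x is outside the recommended set" % t)
```

Fed a real capture, the same function gives the list of extension types a client offered beyond the recommended set; whether a given one (a `server_name` for virtual hosting, for instance) is acceptable is then a policy decision rather than a parsing one.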
Steve92 (Participant)
I found these 2 very interesting links:
NoMachine – Use Your Own Apache Web Server To Run NoMachine Sessions On The Web – Knowledge Base
but I had a quick look (too quick?) at this guide
NoMachine – NoMachine Enterprise Desktop – Installation And Configuration Guide – Knowledge Base
and I didn’t find a way to install only nxhtd on VM_A and only nxd on VM_B.
How can we proceed? Is there an installer allowing us to choose what component we need to install on each machine?
Thanks!
Steve.
Steve92 (Participant)
Thank you for this quick answer.
Do you have an official document describing the differences between the !M web player and the native client?
Is copy/paste possible in both directions? For any content or only text?
I can’t wait to have my test environment and begin the POC… 😉