Steve92

Forum Replies Created

Viewing 14 posts - 1 through 14 (of 14 total)
  • Author
    Posts
  • in reply to: Protocol break between nxhtd & nxwebplayer (CGI) ? #49848
    Steve92
    Participant

    Hello,

    “separating the web server host from the NoMachine server host ”

    is a good thing but it is not enough for (very) sensitive environments.

    “Protocol break” is a network protocol attack protection as described on this NCSC page :

    Network protocol attack protection – NCSC.GOV.UK
    https://www.ncsc.gov.uk/collection/cross-domain-solutions/using-the-principles/network-protocol-attack-protection

    In our case the risk occurs if a user, from a low security domain, has a remote access to a server in a high level security domain.

    We must have strong protection against an attacker who might use the components within NoMachine as a route to compromise the core network.

    NCSC :”A protocol break will terminate one transmission path, extract the relevant information, and use this to initiate a new transmission path.”

    So the question is : what happens in the black box “nxhtd & nxwebplayer” between the 2 components ?

    Is there a network session break ?
    Is there a “rewriting” of data or just an “as-is” forwarding ?

    Please, could you forward these hard questions to a cybersecurity expert in your teams in labs ?

    Thanks,

    Regards,

    Steve.

    in reply to: UDP remote ports #49805
    Steve92
    Participant

    Hello,

    If multiple screens are used, only one UDP port is used ?

    how can it happen ?

    In our case, only one remote UDP port would be open instead of a range !

    In what case can it bring problems ? Give examples please.

    Thanks !

    Regards,

    Steve.

    in reply to: Cleanly uninstall the NoMachine Service? #49804
    Steve92
    Participant

    Hello,

    And what about server side (destination machine) ?

    No way to cleanly uninstall  “NoMachine Service” ?

    Manual start must not be allowed in our case.

    Is there a dirty way like removing files (binary file… )? Which one ?

    The aim would be to have only the admin console on “!M Cloud Server”.

    Is it possible ?

    Thanks.

    Steve.

    in reply to: Put nxhtd (HTTPS server) on a distinct machine ? #49515
    Steve92
    Participant

    Hello,

    I read again the page “Use Your Own Apache Web Server…”.

    If I well understand the chain of components is:
    [ Browser ] <= HTTPS => [ nxhtd ] <= ? => [ nxwebplayer ] <= NX/SSH => [ nxserver ]
    Is it correct ? If not, what is the right one ?

    How [ nxhtd ], the web server, communicates (protocol, port) with [ nxwebplayer ], the web app. ?

    Must [ nxhtd ] and [ nxwebplayer ] be on the same machine ?

    Thanks,

    Regards.

    Steve.

    in reply to: Cipher suite update: TLS 1.2 to 1.3 ? #49475
    Steve92
    Participant

    Hello,

    To summarize, according to ANSSI (French National Cyber Security Agency) and IETF, for TLS 1.2, only the following extensions should/must be used:

    Extension Type: 0x000A (supported_groups)
    Extension Type: 0x000B (ec_point_formats)
    Extension Type: 0x000D (signature_algorithms)
    Extension Type: 0x0016 (encrypt_then_mac)
    Extension Type: 0x0017 (extended_master_secret)

    PLUS

    signed_certificate_timestamp (0x0012) …. if SCT used
    renegotiation_info (0xFF01)

    Regards,

    Steve.

    in reply to: Put nxhtd (HTTPS server) on a distinct machine ? #49470
    Steve92
    Participant

    I found these 2 very interesting links :

    NoMachine – How To Configure A NoMachine Server V. 6 Or Later To Connect Web Sessions On Localhost Or On Different Hosts – Knowledge Base

    NoMachine – Use Your Own Apache Web Server To Run NoMachine Sessions On The Web – Knowledge Base

    but I had a quick look (too quick?) at this guide

    NoMachine – NoMachine Enterprise Desktop – Installation And Configuration Guide – Knowledge Base

    and I didn’t find a way to install only nxhtd on VM_A and only nxd on VM_B.

    How can we proceed ? Is there an installer allowing to choose what component we need to install on each machine ?

    Thank!

     

    Steve.

     

    in reply to: Differences for the user according to access protocol? #49469
    Steve92
    Participant

    Thank you for this quick answer.

    Do you have an official document describing the differences between !M web player and native client ?

    Is copy/paste possible in both directions ? For any content or only text ?

    I can’t wait to have my test environment and begin the POC… 😉

    in reply to: Differences for the user according to access protocol? #49458
    Steve92
    Participant

    Hello

    This link deals with reasons for new technical choice and performances but what about features and look and feal from the user side ?

    Are there UI differences  depending on the used protocol (NX, SSH, HTTPS) ?

    …or is it actually imperceptible ?

    I’ve heard from a previous user of NoMachine v6 things like “Connecting from a browser to NoMachine Enterprise Desktop gives terrible performances ! Impossible to copy/paste… “.

    I would like to have your opinion before I can test IRL.

    Thanks !

    Steve.

    in reply to: Cipher suite update: TLS 1.2 to 1.3 ? #49359
    Steve92
    Participant

    Hello,

    Thanks a lot for these precise infos.

    I have to make a RFI (before POC) on 2 or 3 solutions of remote desktop for sensitive and complex environments.

    Security is indeed a major point of the evaluation.

    So ANSSI (French  National Cyber Security Agency) recommendations must be taken into account in our case.

    Sources: in compliance with IETF publications

    2020 FRENCH https://cyber.gouv.fr/publications/recommandations-de-securite-relatives-tls

    2017 ENGLISH (quite old!) https://cyber.gouv.fr/en/publications/security-recommendations-tls

    In a nutshell :

    *** NOT RECOMMENDED ***

    ec_point_formats (0x000B) [57]

    This extension reports the elliptic curve point formats supported by the client or server (if any). It is indeed possible to represent elliptic curve points in a compressed form. In the absence of this extension, it is expected that the point coordinates are transmitted in their entirety. The use of this extension has been made obsolete by the IETF, indicating that only the uncompressed format should be supported [73].

    [57] S. Blake-Wilson, N. Bolyard, V. Gupta, C. Hawk et B. Moeller, « Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) », RFC 4492, IETF, May 2006.

    [73] Y. Nir, S. Josefsson et M. Pegourie-Gonnard, « Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) Versions 1.2 and Earlier », RFC 8422, IETF, August 2018.

    *** GENERAL RECOMMENDATION ***

    signed_certificate_timestamp, ou sct (0x0012) [23]

    Only if SCT.

    [23] B. Laurie, A. Langley et E. Kasper, « Certificate Transparency », RFC 6962, IETF, June 2013.

    *** RECOMMENDATIONS for  TLS  V1.2 ***

    renegotiation_info (0xFF01) [60]

    The renegotiation mechanism originally designed for TLS versions less than or equal to 1.2 exposes the client to a protocol vulnerability. It is indeed possible for an attacker to pass off a client’s first negotiation as a renegotiation. The attacker is thus in a position to inject application data that the server attributes to the legitimate client. The renegotiation_info extension was defined in order to perform secure renegotiations. Using this extension requires preserving the protected content of the Finished messages used to authenticate the last handshake.

    [60] E. Rescorla, M. Ray, S. Dispensa et N. Oskov, « Transport Layer Security (TLS) Renegotiation Indication Extension », RFC 5746, IETF, February 2010.

     

    Other specific cases are considered in the document (the more recent one is in French only).

    Regards,

    Steve.

    in reply to: Cipher suite update: TLS 1.2 to 1.3 ? #49303
    Steve92
    Participant

    Hello,

    Thanks for this quick answer.

    So the the article is up-to-date until you validate TLS 1.3.

    “…the move to TLS 1.3 is something we are already working on, as low priority” means it could be available in about 6, 12 months, …more?

    According to our National Cyber Security Agency, TLS 1.3 is highly recommended but TLS 1.2 is still acceptable, only if right extensions are contained in ClientHello at the beginning of a session.

    Please could you give me the list of TLS extensions used in ClientHello by NoMachine ?

    Thanks !

    Steve.

    in reply to: Cipher suite update: TLS 1.2 to 1.3 ? #49277
    Steve92
    Participant

    Hello,

    I read the last releases of NoMachine (>=8.12.12,  July 2024) includes OpenSSL v3.0 that supports TLS 1.3 (in fact supported since OpenSSL v1.1.1).

    Why TLS 1.3 could not be used ?

    This page seems to be out of date:

    NoMachine – Encryption In NoMachine – Knowledge Base

    Could you clarify this ?

    Thanks !

    Steve.

    in reply to: Disable encryption/compression when using SSH tunnel #30019
    Steve92
    Participant

    Hello,

    It’s a pity that NX encryption can’t be disabled when using a VPN or SSH tunnel !

    Double encryption is totally useless, isn’it ?

    Wasn’t it possible with older verion (if I well remember) ? Why did you remove this feature ?

    Regards,

    Steve.

    in reply to: Wrong keyboard layout on login (azerty needed) #30018
    Steve92
    Participant

    Hello,

    After many hours of research on the Web, I finally found this solution, at display manager level, to get “azerty” (french) keyboard when login to Debian 10:
    – edit /etc/lightdm/lightdm.conf
    – under the section [Seat:*] add:
    display-setup-script=setxkbmap fr

     

    #Free bonus ! 🙂

    To get an ‘azerty’ keyboard after Debian  login
    in /etc/xdg/lxsession/LXDE/autostart
    add: setxkbmap -layout “fr,fr”

    It seems so simple once you have the solution. :o)

    I hope it will help all people who need “azerty” keyboard ! 😉

    Regards,

    Steve.

    in reply to: Logout takes 15 seconds #30017
    Steve92
    Participant

    Hello,

    Here is what I get in log: strange error when try to clean a non empty directory ?!?

    1st test : login via VPN installed on VPS I access,  session logout takes about 30 s. !!!

    — Access via VPN —————-
    2020-10-22 22:18:11 565.410 14422 NXSERVER User ‘root’ logged in from ‘10.8.0.2’ using authentication method NX-password.
    2020-10-22 22:18:40 237.188   987 NXNODE   WARNING! Process ‘/usr/NX/bin/nxexec /usr/NX/scripts/restricted/nxamixer.sh mute 0 0’ with pid ‘14657/14657’ finished with exit code 1 after 0,152 seconds.
    2020-10-22 22:19:16 814.560   987 NXNODE   ERROR! Session monitor: cleaning session files: cannot remove directory /usr/NX/var/log/node/C-vps999999-1001-3886D41748462B75D97C47F5B114F626/devices: Directory not empty
    2020-10-22 22:19:16 815.297   987 NXNODE   ERROR! session monitor: cleaning session files: cannot remove dir ‘/usr/NX/var/log/node/C-vps999999-1001-3886D41748462B75D97C47F5B114F626’: Directory not empty
    2020-10-22 22:21:10 156.495 14422 NXSERVER User ‘root’ from ‘10.8.0.2’ logged out.
    2020-10-22 22:21:10 244.216 15532 NXNODE   WARNING! Process ‘/usr/NX/bin/nxexec /usr/NX/scripts/restricted/nxamixer.sh mute 0 0’ with pid ‘15732/15732’ finished with exit code 1 after 0,061 seconds.

    2nd test:  login via SSH tunnel with VPS I access,  session logout takes about 15 s. !

    — Access via SSH tunnel ——————–
    2020-10-22 22:33:41 960.230 17150 NXSERVER User ‘root’ logged in from ‘151.12.34.56’ using authentication method NX-password.
    2020-10-22 22:34:18 522.887 15532 NXNODE   ERROR! Session monitor: cleaning session files: cannot remove directory /usr/NX/var/log/node/C-vps999999-1001-28C1704048563D930A1BBAB070D0BEAA/devices: Directory not empty
    2020-10-22 22:34:18 523.125 15532 NXNODE   ERROR! session monitor: cleaning session files: cannot remove dir ‘/usr/NX/var/log/node/C-vps999999-1001-28C1704048563D930A1BBAB070D0BEAA’: Directory not empty
    2020-10-22 22:39:07 684.815 17150 NXSERVER User ‘root’ from ‘151.12.34.56’ logged out.
    2020-10-22 22:39:07 720.752 18464 NXNODE   WARNING! Process ‘/usr/NX/bin/nxexec /usr/NX/scripts/restricted/nxamixer.sh mute 0 0’ with pid ‘18621/18621’ finished with exit code 1 after 0,046 seconds.

    ————————-

    Could these errors explain the long delay to logout ?

    How to solve them ?

    Thanks,

    Regards,

    Steve.

Viewing 14 posts - 1 through 14 (of 14 total)