Forum Replies Created
Steve92
Participant
Hi,
For the moment, my question is about the SSL certificate for nxd and not the RSA key pair.
I know the article you quote, but alas it is not precise about how to deal with a change of SSL certificate for nxd. 🙁
Hence my question: “In short, how to handle nxd certificate change on nodes when nodes are administrated by different admins than ECS admin?”
Regards,
Steve.
Steve92
Participant
Hi Fisherman,
Thanks for this quick answer but it is not exactly what I’d want.
Nodes are already added to ECS in “direct connection mode” or “inverse connection mode”.
For security reasons, keys have to be regenerated with 4096-bit instead of 2048-bit standard length.
One part of the subject is the keys for the nxd certificates of the nodes.
nxd certificates will be regenerated by local admins for all nodes of their VLAN (they don’t have admin rights on ECS).
The nx_host_rsa_key.crt files will be sent to the ECS admin, and then what does he have to do on ECS (or elsewhere)? (A script is needed to handle many .crt files.)
When I check the last modification date of /var/NX/nx/.nx/config/authorized.crt, it does not seem to be the right file (unchanged date).
/var/NX/nx/.nx/config/client.crt seems to be the right file to put the .crt of the certificate from nxd of the nodes.
The .crt files will be sent to the ECS admin, and then what does he have to do on ECS (or elsewhere)?
In short, how to handle nxd certificate change on nodes when nodes are administrated by different admins than ECS admin?
I hope it is more clear.
Thanks,
Regards,
Steve.
Steve92
Participant
Hi!
Remote nodes are on VLANs administered by local admins.
They don’t have rights on ECS, which has its own dedicated admin.
I’ve analyzed the subject and, if I understand well, we could use --keyadd to register the public keys of nxd of remote nodes in
/var/NX/nx/.nx/config/authorized.crt on ECS.
* Local admin
Each local admin generates new 4096-bit nxd certificate (nx_host_rsa_key) and its public key (nx_host_rsa_key.crt) for all nodes on his VLAN.
A prefix is added to each key:
cp /usr/NX/etc/keys/host/nx_host_rsa_key.crt <source_hostname>_nx_host_rsa_key.crt
All the keys are sent to ECS admin.
* ECS Admin
For each pub key received :
sudo /etc/NX/nxserver --keyadd <source_hostname>_nx_host_rsa_key.crt
=> this command updates /var/NX/nx/.nx/config/authorized.crt
Q1- Please, could you validate my understanding and this procedure ?
Q2- What about inverse mode connection if nxd certificate is changed on remote node ?
Thanks,
Regards,
Steve.
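Added example, not part of the original post and not NoMachine code: a pre-registration check the ECS admin could run over the received files, rejecting any whose key is shorter than 4096 bits and printing a SHA-256 fingerprint to confirm with the sending admin out of band. It assumes each <source_hostname>_nx_host_rsa_key.crt is a PEM-encoded X.509 certificate and that openssl is installed; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: vet nxd host certificates received from node admins.
# Assumption: each file is a PEM-encoded X.509 certificate.

REQUIRED_BITS=4096

# Print the public-key size in bits, or nothing if the file cannot be parsed.
cert_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Print the SHA-256 fingerprint of the certificate.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# check_cert FILE: 0 = acceptable, 1 = key too short, 2 = unreadable file.
check_cert() {
    bits=$(cert_bits "$1")
    [ -n "$bits" ] || { echo "REJECT $1: not a readable PEM certificate" >&2; return 2; }
    [ "$bits" -ge "$REQUIRED_BITS" ] || { echo "REJECT $1: ${bits}-bit key" >&2; return 1; }
    echo "OK $1 ${bits} bits sha256=$(cert_fp "$1")"
}

# vet_dir DIR: check every *_nx_host_rsa_key.crt; return the number rejected.
vet_dir() {
    rejected=0
    for f in "$1"/*_nx_host_rsa_key.crt; do
        [ -e "$f" ] || continue
        check_cert "$f" || rejected=$((rejected + 1))
    done
    return "$rejected"
}

# Usage: sh vet_certs.sh /path/to/received/certs
if [ $# -gt 0 ]; then
    vet_dir "$1"
fi
```

Only files reported as OK, and whose fingerprint the sending admin has confirmed, would go on to the registration step proposed in the post.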
Steve92
Participant
Hi!
No acronyms list V8 ?
Thanks !
Regards,
Steve.
Steve92
Participant
Hi!
Any suggestion for a specialized software to do that with V8 ?
Thanks!
Regards,
Steve.
Steve92
Participant
Any idea ?
With V8 ? V9 ?
Steve92
Participant
Steve,
Q2- Acronyms list V9 is a little bit different from V8. There is a notion of O/S ?
Thanks!
Regards,
Steve.
Steve92
Participant
Hi,
I need !M user groups only if ECS is not connected to AD, don’t I ?
Thanks!
Regards,
Steve.
Steve92
Participant
Hi
I see it in column groups !?!
(see the horrible copy/paste in my 1st post)
Regards,
Steve.
Steve92
Participant
Hi,
ECS has been hardened and unix-xsession-default set to NO too quickly.
Prob solved by putting it to YES. 🙂
Regards,
Steve.
Steve92
Participant
Hi!
No hope to use a host certificate and key issued by a Certificate Authority in V8.x ???
Regards,
Steve
Steve92
Participant
Hi,
Here is the result :
root@bmn-dev-deb01:/home/ADM_T0237305_L# grep -i availablesessiontypes /usr/NX/etc/*cfg
/usr/NX/etc/node.cfg:AvailableSessionTypes unix-remote,unix-console,unix-default,unix-application,physical-desktop,shadow,unix-xsession-default,unix-gnome,unix-xdm
/usr/NX/etc/server.cfg:# desktop=1 list all desktop types set in the AvailableSessionTypes
/usr/NX/etc/server.cfg:AvailableSessionTypes unix-remote,unix-console,unix-default,unix-application,physical-desktop,shadow,unix-xsession-default,unix-gnome,unix-xdm
Regards,
Steve
Steve92
Participant
Hello,
The idea would be to simulate a real user from end to end and detect interruption of service before users scream 😉
Simulate for V8.16 :
!M Client (Win11) ==> ECS (RHEL) ==> ED (Win) or SBTS (RHEL /Debian)
Is it possible ? How ?
Thanks,
Steve.
Steve92
Participant
Hello,
– same result with another username
– yes SBTS V8.16 for Debian 12 (.deb got from URL provided by NoMachine team), valid evaluation key
Do you have the SHA256 signature for SBTS V8.16 for Debian x64 ?
Regards,
Steve
Steve92
Participant
Hi!
What logs exactly would you need ?
Those collected on client side with this command ?
tar -cvp --exclude 'cache*' --exclude 'images' --exclude 'temp' $HOME/.nx | gzip -c >nxdir.tar.gz
I can’t send all the logs for security reasons, so please could you be more precise and tell me just a few crucial log files you need to understand the problem ?
Thanks,
Regards,
Steve.