Guro

Forum Replies Created

Viewing 15 posts - 1 through 15 (of 34 total)
  • in reply to: Yubikey support #49485
    Guro
    Contributor

    Hello

    ssh -I /pathtokeyfile

    Usually -I is used to access a PKCS11 module. For Yubico it should probably be libykcs11.dylib.

    If yes, then you can use the path to the module in the section “Use key-based authentication with PKCS11 smart card”,

    “Set an alternate security module”. There you can select the absolute path to libykcs11.dylib.

    By default the path might look like /usr/local/lib/libykcs11.dylib.

    If the connection still fails, then please leave all settings as they are but close all NoMachine windows.

    Edit ~/.nx/config/player.cfg

    Find the line:

    <option key="SSH client mode" value="library" />

    and replace “library” with “native”, like:

    <option key="SSH client mode" value="native" />

    Also check if
    <option key="SSH Client" value="/usr/local/bin/ssh" />

    contains a valid path to the default ssh client. Finish and save the edited content.

    Open the NoMachine windows again and do an SSH protocol connection by smart card.

    Please inform us if it helps and report errors if any appear.

    in reply to: Yubikey support #49441
    Guro
    Contributor

    Hello,

    “My keys are resident keys stored on the Yubikey. I do have the public keys in ~/.ssh/authorized_keys on the server I’m trying to access.” – it looks good.

    Could you please provide us the command of pure ssh you use to log in to the server (hiding all sensitive data)?

    Thanks

    in reply to: Reset Windows 11 #49407
    Guro
    Contributor

    Regarding the logs, we notice that you try to install NoMachine on the D:\ disk space, instead of the default C:\Program Files.

    Have you tested to install on the default path to compare the result?

    And is the D: space a real local disk partition, or some network drive mounted with some service?

    in reply to: Reset Windows 11 #49406
    Guro
    Contributor

    Hello Practice,

    Please also provide us the Windows build version: open the power shell and run the command
    winver
    It would be useful for us to have a screenshot of the appearing window (but with your private data censored).

    in reply to: Yubikey support #49399
    Guro
    Contributor

    One additional piece of information: if you have access to the Yubikey keys and are able to extract the public key for ssh to place in ~/.ssh/authorized_keys, then you might use a NoMachine SSH protocol connection and choose authentication with smartcard reader.

    By default it works only with PKCS#11 compatible smartcard readers, but it might also recognize Yubikey.

    Please try and let us know.

    in reply to: Yubikey support #49380
    Guro
    Contributor

    Hello,

    “note that I am not using port 22 for ssh, will this be a problem?” – no, it shouldn’t be a problem.

    “Do you have further suggestions to get login secured with Yubikey without an online server involved?” – not yet, as I suspect that it needs additional implementation.

    “Here is the log output as requested:” – these logs are from the client side and mostly report about the connection problem rather than ‘Yubikey’ use.

    Could you please provide us the server side logs, for clearer information, and send them to forum[at]nomachine[dot]com, making sure to reference the topic as the subject of the email?

    in reply to: Reset Windows 11 #49273
    Guro
    Contributor

    Hello

    Please give a bit more detail about “After resetting Windows 11”. What exactly did you do? Did you restart?

    Additionally:

    1. Check whether, after installing NoMachine and restarting, the file C:\Windows\System32\nxlsa.dll is present in the system.

    2. Open PowerShell as admin and run the command

    get-childitem "\\.\pipe\"

    and provide the lines containing the nx* pattern, like: nxdevice, nxfsd, nxserver, nxsspi.

    3. As administrator, in the PowerShell window try the next commands

    net stop nxservice

    net start nxservice

    then check if an nxtrace.log appears in C:/ProgramData/NoMachine/var/logs.

    Check the Windows Event Viewer and in the section “Windows Logs” check (Application, System) and provide error/warning events generated by nxservice, nxserver, nxnode if they are present.

    Inside Event Viewer check whether the section “Applications and Services Logs > Microsoft > Windows > LSA” contains some events.
    If yes, send the content to us.

    Remember that some Event Viewer data might contain sensitive data, so please avoid sharing it publicly here. You can redact the file by removing sensitive data.

    Thanks

    in reply to: Yubikey support #49169
    Guro
    Contributor

    hello

    “Doesn’t this approach require internet access to the Yubico cloud server?” – yes, it is needed.

    But

    “I use this with FIDO2 resident keys for ssh already” – if you have updated the ssh server configuration, then it is possible to try using the ssh PAM configuration for nx on the server and check.

    sudo cp /etc/pam.d/nx /etc/pam.d/nx.bak

    sudo cp /etc/pam.d/sshd /etc/pam.d/nx

    If login fails, please send the server side logs to us.

    thanks

    in reply to: Mac – Authentication failed, please try again #49159
    Guro
    Contributor

    hello

    Is the ‘remote one’ Mac based? If yes, then let’s check how the remote side recognizes the username/password.

    Open a terminal window on the remote side and run the command:

    /Applications/NoMachine.app/Contents/Frameworks/bin/nxexec --auth

    input username <enter>, then password <enter>

    and check the result, please. If the username is not a local system user, like LDAP, AD, etc., the command nxexec might run as sudo or root user.

    thanks

    Guro
    Contributor

    Please open PowerShell on the server side as admin and run the following command:

    get-childitem \\.\pipe\

    and provide all lines which contain a pipe name such as nx*

    Guro
    Contributor

    Hello,

    no need for a debug package Britgirl.

    When you install NoMachine, it creates user ‘nx’ in the admin group. This is an important account with specific privileges which is used for the internal handling of the program’s operations.

    From your logs it appears the ‘nx’ user does not have enough privileges:

    5388 7200 2024-04-24 09:28:49 522.932 ValidateNXAccount: ERROR! NX account doesn't have following required privileges:
    5388 7200 2024-04-24 09:28:49 522.932 'SeTcbPrivilege'.
    5388 7200 2024-04-24 09:28:49 522.932 'SeIncreaseQuotaPrivilege'.
    5388 7200 2024-04-24 09:28:49 522.932 'SeAssignPrimaryTokenPrivilege'.

    This can happen when using a custom security policy on local workgroup or AD domain.

    You can check that user privileges are correctly set using the following command:

    secedit /export /areas USER_RIGHTS /cfg OUT.CFG

    making sure to run it with local Windows admin account and then with domain administrator account if the Windows host is in an AD domain.

    The OUT.CFG will show users by SID not username, but using this command

    wmic useraccount get name,sid

    allows you to find the username for SID association.

    To add/assign privileges for the user you need to use (from Run, a powershell or command prompt)

    gpedit.msc -> Windows Settings -> Security Settings -> User Rights Assignments

    or contact your administrator if your machine is part of an AD domain (if you cannot do this).

    Running gpedit.msc shows the Local Group Policy Editor. In the policy list:

    – click on ‘Act as part of the operating system’. Check if the nx user name or nx SID is present in the list shown; if not, click Add User or Group to add it and choose nx or the nx SID from the list.

    – click on ‘Adjust memory quotas for a process’. Check if the nx user name or nx SID is present in the list shown; if not, click Add User or Group to add it and choose nx or the nx SID from the list.

    – click on ‘Replace a process level token’. Check if the nx user name or nx SID is present in the list shown; if not, click Add User or Group to add it and choose nx or the nx SID from the list.

    – click on ‘Obtain an impersonation token for another user in the same session’. Check if the nx user name or nx SID is present in the list shown; if not, click Add User or Group to add it and choose nx or the nx SID from the list.

    We recommend performing the login to Windows as a local workgroup Administrator, checking the NoMachine status and modifying privileges if NoMachine does not start.

    If you are installing NoMachine as the domain administrator, then you need to check that the nx user is not already registered in the domain, to avoid a conflict of user permissions.
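The check described in the post above can be scripted against the secedit export. The following is an added example, not part of the original post or NoMachine's own tooling: the function name `Get-MissingNxPrivilege`, the sample SID and the sample export lines are constructed for illustration, and `Get-LocalUser` is used here in place of the `wmic` lookup.

```powershell
# Privileges named in the ValidateNXAccount error quoted in the post.
$Required = 'SeTcbPrivilege', 'SeIncreaseQuotaPrivilege', 'SeAssignPrimaryTokenPrivilege'

# Hypothetical helper: returns the required privileges the account does NOT hold.
function Get-MissingNxPrivilege {
    param(
        [string[]]$CfgLines,          # lines of the secedit export (OUT.CFG)
        [string]$Sid,                 # SID of the nx account
        [string]$AccountName = 'nx'   # an export may also list an account by name
    )
    $rights = @{}
    $inSection = $false
    foreach ($line in $CfgLines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            # Only the [Privilege Rights] section carries user rights.
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if ($inSection -and $line -match '^\s*(Se\w+)\s*=\s*(.*)$') {
            $right = $Matches[1]
            $holders = $Matches[2]
            # Holders are comma separated; SIDs carry a leading '*'.
            $rights[$right] = @($holders -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    $Required | Where-Object {
        -not (($rights[$_] -contains $Sid) -or ($rights[$_] -contains $AccountName))
    }
}

# Constructed sample export: the SID and the rights below are invented.
$sampleSid = 'S-1-5-21-1111111111-2222222222-3333333333-1001'
$sample = @(
    '[Unicode]',
    'Unicode=yes',
    '[Privilege Rights]',
    "SeTcbPrivilege = *$sampleSid",
    'SeIncreaseQuotaPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-32-544',
    "SeAssignPrimaryTokenPrivilege = *S-1-5-19,*S-1-5-20,*$sampleSid",
    '[Version]',
    'signature="$CHICAGO$"'
)
Get-MissingNxPrivilege -CfgLines $sample -Sid $sampleSid

# On a real host, from an elevated prompt after running the secedit export:
# Get-MissingNxPrivilege -CfgLines (Get-Content .\OUT.CFG) -Sid (Get-LocalUser nx).SID.Value
```

An empty result means all three privileges from the log are assigned to the account in the exported policy; any name returned is a right to add under User Rights Assignment.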

    in reply to: 2FA on Mac #47913
    Guro
    Contributor

    hello

    It seems the issue is related to AD user recognition.

    Could you check /nxexec --auth with a sudo or root access account for mvladimirov, like:

    sudo ./nxexec --auth

    Also provide information about the AD integration of the macOS host: do you use some third-party tools or only macOS standards?

    Thanks

    in reply to: When trying to connect to server, it disconnects #47611
    Guro
    Contributor

    Hello

    We checked the sent logs and they are only from the client side. Please send us the server side host logs and Windows events related to nxserver/nxnode/nxservice.

    Thanks

    in reply to: When trying to connect to server, it disconnects #47464
    Guro
    Contributor

    Hello

    Please also provide the server side logs and check if nxtrace.log was generated in the C:\ProgramData\NoMachine\var\log\ folder.
    Also please check the Windows events, export the nxservice/nxnode related reports and send them with the nx logs, please.

    Thanks

    in reply to: NoMachine asking for username and passphrase #47390
    Guro
    Contributor

    Hello

    The NX protocol key authentication should be generated by the nxkeygen command or, if it is generated by ssh-keygen, then it should be converted to PEM format.

    You can convert the existing SSH private key by using this command:

    ssh-keygen -p -m PEM -f path_to_the_key

    We’d like to check the client side logs, can you send them to us? Please see the document here for instructions and then send them directly to forum[at]nomachine[dot]com making sure to use the title of this topic as the subject of your email. Thanks!

    https://kb.nomachine.com/DT07S00244#2
