Guro

[Guro]

It’s also useful to know whether user Emile is a user of domain or windows AD?

[Guro]

hello

“If there are no security risks to installing the debug package, then I’m happy for you to send it to me and use it.” –  It’s safe to install and use. It’s a regular package with extra debug enabled to allow us to go much deeper into why a particular error is happening so they will contain information about exchange protocol flow data, ssh key fingerprints and accepted encryption methods.

” Is the ssh tunnelling method I mentioned earlier in this thread sensible?” – Yes it is. You can see details here: https://kb.nomachine.com/AR10K00728

“Is there a way to make the connection more stable with this approach?” – I think the session freeze needs further investigation. First, can you send us server side logs? Logs would also allow us to check why the connection is failing without an appropriate error even without adding yubikey as a device. You can extract them using the instructions here: https://kb.nomachine.com/DT07S00243.

Send them to forum[at]nomachine[dot]com. Please use the title of this topic as the subject of your email. Thanks!

[Guro]

Hello

Please could you provide exact information of NoMachine server you are trying to connect to?
The free NoMachine version does not support SSH connections.

Thanks

[Guro]

Hello

To be able to provide more advises there is need to have more detailed log data. As for security reason, authentication logs are disabled by default.
But if you are willing to install new debug package on your working machine and test the authentication process to provide us more detailed information about this error, we can send you a debug package.

Thanks

[Guro]

hello

As you use -i option for ssh to point to private key in system path, then you could point same path in the connection > ‘Use key-based authentication with a key you provided’.

“Does your advice still apply in that case?” – yes. Check key real path after modify player.cfg and set

 

thanks

[Guro]

Hello

ssh -I /pathtokeyfile

Usually -I uses to access to pkcs11 module. For Yubico probably it should be libykcs11.dylib.

If yes then you can use path to module in section “Use key-based authentication with PKCS11 smart card”,

“Set an alternate security module”. there you can select absolute path to libykcs11.dylib.

By default path might look like /usr/local/lib/libykcs11.dylib.

If connection still fails, then please leave all settings as it but close all nomachine windows.

Edit ~/.nx/config/player.cfg

find line:

<option key=”SSH client mode” value=”library” />

and replace “library” to “native” like:

<option key=”SSH client mode” value=”native” />

also check if
<option key=”SSH Client” value=”/usr/local/bin/ssh” />

contain valid path to default ssh client. Finish and save edit content.

Open nomachine windows again and do SSH protocol connection by smart card.

Please inform as if it will helps and report errors if some appears.

[Guro]

Hello,

“My keys are resident keys stored on the Yubikey. I do have the public keys in ~/.ssh/authorized_keys on the server I’m trying to access.” – it looks good.

Could you please provide us the command of poor ssh you use to login to the server (hiding all sensitive data)?

Thanks

[Guro]

Regarding the logs, we notice that you try to install NoMachine on the D:\ disk space, instead of the default C:\Program Files.

Have you tested to install on the default path to compare the result?

And is the D: space a real local disk partition, or some network drive mounted with some service?

[Guro]

Hello Practice,

Please also provide us the Windows build version: open the power shell and run the command
winver
It would be useful for us to have a screenshot of the appearing window (but with your private data censored).

[Guro]

One additional information: if you have access on Yubikey keys and are able to extract the public key for ssh to place in ~/.ssh/authorized_keys , then you might use NoMachine SSH protocol connection and choose authentication with smartcard reader.

By default it works only to PKCS#11 compatible smartcard readers, but it might also recognize Yubikey.

Please try and let us know.

[Guro]

Hello,

“note that I am not using port 22 for ssh, will this be a problem?” – no, it shouldn’t be a problem.

“Do you have further suggestions to get login secured with Yubikey without an online server involved?” – not yet, as I suspect that it needs additional implementation.

“Here is the log output as requested:” – these logs are from the client side and mostly report about the connection problem then ‘Yubikey’ use.

Could you please provide us the server side logs, for a more clear information, and send them to forum[at]nomachine[dot]com, making sure to reference the topic as the subject of the email?

[Guro]

Hello

please bit more details about “After resetting Windows 11”. What did you exactly? Did you restart?

Additionally:

1. check whether after installing nomachine and restarting, the file C:\Windows\System32\nxlsa.dll is present in system.

2. open power shell as admin and run command

get-childitem “\\.\pipe\”

and provide lines containing nx* pattern. like: nxdevice, nxfsd, nxserver, nxsspi.

3. As administrator in power shell window try the next commands

net stop nxservice

net start nxservice

then check if in C:/ProgramData/NoMachine/var/logs an nxtrace.log appears.

Check windows Event Viewer and in section “Windows Logs” check (Application, System) and provide error/warning events generated by nxservice, nxserver, nxnode if they are present.

Inside Event Viewer check section “Applications and Services Logs > Microsoft > Windows > LSA” if it contains some events,
If yes, send content to us.

Remember that some event viewer data might contain sensitive data and so please avoid sharing to public here. You can redact the file by removing sensitive data.

Thanks

[Guro]

hello

“Doesn’t this approach require internet access to the Yubico cloud server?” – yes, there is need.

but

“I use this with FIDO2 resident keys for ssh already” – if you have updated ssh server configuration then

there is possible to try use ssh pam configuration to nx on server and check.

sudo cp /etc/pam.d/nx /etc/pam.d/nx.bak

sudo cp /etc/pam.d/sshd /etc/pam.d/nx

if login fails send server side logs to us, please.

thanks

[Guro]

hello

Is ‘remote one ‘ mac based? If yes then let’s check how remote side recognize username/password.

Open terminal window on remote side and run command:

/Applications/NoMachine.app/Contents/Frameworks/bin/nxexec --auth

input username <enter>, then password <enter>

and check result please. If username is not local system user like ldap, AD and etc command nxexec might

run as sudo or root user.

thanks

[Guro]

Please open powershell on the server side as admin and run the following command:
get-childitem \\.\pipe\ and provide all lines which contain pipe name as nx*

[Author]

Posts