Forum Replies Created
Steve92Participant
Hello,
It was actually a PAM (SELinux, Pluggable Authentication Modules) configuration problem.
The VM I was given for the POC has security hardening (I didn’t know that… but it’s a good thing to have a POC configuration matching the aimed one).
I solved the problem by following NoMachine – Troubleshooting LDAP And PAM Issues On Linux For Connections By NX Protocol – Knowledge Base
SSH access was OK so I used its PAM config file:
cp /etc/pam.d/nx /etc/pam.d/nx.ori
cp /etc/pam.d/sshd /etc/pam.d/nx
Now, access from “!M Client” to ECS is OK with all protocols (SSH, NX & HTTPS). I can add nodes from the client module.
The nx and sshd PAM config files are now the same.
Do I need to do more testing to validate the solution?
Thanks and happy new year!
Regards,
Steve.
Steve92Participant
Hello,
I reinstalled ECS twice on a Linux RHEL 9.5 VM (SSH command line access) but I still have a serious authentication problem.
$ hostnamectl
Static hostname: wxyz.ptg (anonymized)
Icon name: computer-vm
Operating System: Red Hat Enterprise Linux 9.5 (Plow)
CPE OS Name: cpe:/o:redhat:enterprise_linux:9::baseos
Kernel: Linux 5.14_xxx
Architecture: x86-64
Hardware Vendor: VMware, Inc.
Hardware Model: VMware7,1
Firmware Version: xxx
Install is OK:
$ groups
w123456-a wheel
$ sudo rpm -ivh nomachine-enterprise-cloud-server_8.14.2_1_x86_64.rpm
…
NX> 700 Installing nxserver version: 8.14.2.
NX> 700 Installing nxwebplayer version: 8.14.2.
NX> 700 Server install completed with warnings.
NX> 700 Please review the install log for details.
NX> 700 Installation completed at: Mon, 23 Dec 2024 15:36:31.
NX> 700 NoMachine was configured to run the following services:
NX> 700 NX service on port: 4000
NX> 700 HTTPS service on port: 4443
The 2 warnings are about printing and audio backends not detected (it's normal).
Just after this “fresh” install:
[w123456-a@wxyz ~]$ /usr/NX/bin/nxexec --auth
Username:w123456-a
Password:********************
8537 8537 15:38:09 165 nxexecPAMCheckCredentials: ERROR! Authentication failed.
8537 8537 15:38:09 166 nxexecPAMCheckCredentials: Error code ‘6’, ‘Permission denied’.
Login failed.
From “!M Client” I added 3 connections (SSH, NX, HTTPS) to ECS.
Today none of them is OK => it gives “authentication failure”
On Friday, the SSH connection was OK, I was able to pass the ECS login phase and access the “Manage” button to create nodes. It's crazy!
I can't send you the whole log files for security reasons, but only small parts.
Could you tell me what strings I should grep in the logs to help you understand the problem?
Here are some extracts I found in nxserver.log after having activated “debug mode”:
SSH from “!M client”
6889 6889 15:27:12 898 nxexecPAMCheckCredentials: ERROR! Authentication failed.
6889 6889 15:27:12 898 nxexecPAMCheckCredentials: Error code ’10’, ‘User not known to the underlying authentication module’.
NX from “!M client”
$ sudo grep -i wrong /usr/NX/var/log/nxserver.log
Info: Handling connection from 10.11.12.13 port 64460 on Mon Dec 23 11:38:26 2024.
38882 38882 11:41:09 603 nxexecPAMCheckCredentials: ERROR! Authentication failed.
38882 38882 11:41:09 603 nxexecPAMCheckCredentials: Error code ‘6’, ‘Permission denied’.
35465 35465 2024-12-23 11:41:09 607.868 NXSERVER WARNING! Process ‘/usr/NX/bin/nxexec --auth’ with pid ‘38882/38882’ finished with exit code 1 after 2,161 seconds.
35465 35465 2024-12-23 11:41:09 608.811 NXSERVER ERROR! Authentication with ‘NX-password’ from host ‘10.11.12.13’ failed. Error is ‘Wrong password or login’.
Info: Connection from 10.11.12.13 port 64460 closed on Mon Dec 23 11:41:09 2024.
HTTPS from “!M client” relayed to Edge browser
Info: Handling connection from 127.0.0.1 port 36070 on Mon Dec 23 11:47:56 2024.
41412 41412 11:48:07 833 nxexecPAMCheckCredentials: ERROR! Authentication failed.
41412 41412 11:48:07 834 nxexecPAMCheckCredentials: Error code ‘6’, ‘Permission denied’.
41365 41365 2024-12-23 11:48:07 837.308 NXSERVER WARNING! Process ‘/usr/NX/bin/nxexec --auth’ with pid ‘41412/41412’ finished with exit code 1 after 2,513 seconds.
41365 41365 2024-12-23 11:48:07 837.805 NXSERVER ERROR! Authentication with ‘NX-password’ from host ‘10.11.12.13’ failed. Error is ‘Wrong password or login’.
Info: Connection from 127.0.0.1 port 36070 closed on Mon Dec 23 11:48:07 2024.
Regards,
Steve.
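Added example, not from the post or from NoMachine: a small Python triage helper for the nxserver.log lines quoted above. It pulls the numeric PAM error code out of each nxexecPAMCheckCredentials line, names it with the Linux-PAM constant (6 is PAM_PERM_DENIED, 10 is PAM_USER_UNKNOWN) and joins it with the NXSERVER ERROR line that reports the auth method and client host; the hint strings are my assumptions about where to look first, not NoMachine documentation.

```python
import re

# Linux-PAM return codes (security/_pam_types.h); 6 and 10 are the two that
# appear in the nxserver.log extracts quoted above.
PAM_ERRNO = {6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR", 8: "PAM_CRED_INSUFFICIENT",
             9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN", 11: "PAM_MAXTRIES"}

# Where to look first for each code (assumed triage hints, not NoMachine docs).
HINTS = {
    "PAM_PERM_DENIED": "a module in the 'nx' PAM stack denied access: diff /etc/pam.d/nx against /etc/pam.d/sshd",
    "PAM_USER_UNKNOWN": "no module in the 'nx' PAM stack could resolve the user (pam_sss/pam_ldap missing?)",
}

# The forum paste uses curly quotes; accept curly and straight forms alike.
Q = "[‘’']"
NXEXEC_RE = re.compile(
    r"^(?P<pid>\d+)\s+\d+\s+(?P<time>\d\d:\d\d:\d\d)\s+\d+\s+"
    rf"nxexecPAMCheckCredentials: Error code {Q}(?P<code>\d+){Q}, {Q}(?P<msg>[^‘’']+){Q}\.")
NXSERVER_RE = re.compile(
    rf"NXSERVER ERROR! Authentication with {Q}(?P<method>[^‘’']+){Q} from host {Q}(?P<host>[^‘’']+){Q} failed")

def triage(lines):
    """One record per nxexec PAM failure; the NXSERVER ERROR line that follows it
    (same attempt, logged by the parent nxserver) supplies auth method and client host."""
    records = []
    for line in lines:
        m = NXEXEC_RE.match(line.strip())
        if m:
            code = int(m["code"])
            name = PAM_ERRNO.get(code, f"PAM_CODE_{code}")
            records.append({"pid": int(m["pid"]), "time": m["time"], "code": code,
                            "pam": name, "msg": m["msg"], "hint": HINTS.get(name, ""),
                            "host": None, "method": None})
            continue
        m = NXSERVER_RE.search(line)
        if m and records:
            records[-1].update(host=m["host"], method=m["method"])
    return records

# Constructed sample: the three relevant lines from the extracts quoted above.
SAMPLE_LOG = """\
6889 6889 15:27:12 898 nxexecPAMCheckCredentials: Error code '10', 'User not known to the underlying authentication module'.
38882 38882 11:41:09 603 nxexecPAMCheckCredentials: Error code '6', 'Permission denied'.
35465 35465 2024-12-23 11:41:09 608.811 NXSERVER ERROR! Authentication with 'NX-password' from host '10.11.12.13' failed. Error is 'Wrong password or login'.
"""

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG.splitlines()):
        print(f"{r['time']} pid={r['pid']} {r['pam']}({r['code']}) host={r['host']} "
              f"via={r['method']}: {r['hint']}")
```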
December 6, 2024 at 19:25 in reply to: Profiles management : “deny all” propagation to all nodes #51018
Steve92Participant
Hi!
In fact, I've run the script; it seems to update 38 rules supporting propagation, instead of 33 as described in the documentation.
So there seem to be 5 new rules… yes, if you confirm this figure, the document should be updated.
Thanks !
——————
1 unix-console
2 nxvfb
3 unix-gnome
4 vms unix-remote-custom
5 unix-xsession-default
6 vnc
7 windows
8 unix-remote
9 unix-desktop
10 nx-console
11 unix-cde
12 shadow
13 unix-kde
14 connection-only
15 unix-application
16 nx-console-shadow
17 unix-default
18 unix-xdm
19 physical-desktop
20 virtual-desktops-limit
21 connections-limit
22 unix-script
23 server-printer-sharing
24 client-network-sharing
25 audio
26 server-network-sharing
27 client-usb-sharing
28 interactive-mode
29 server-disk-sharing
30 local-recording
31 client-smartcard-sharing
32 microphone
33 client-printer-sharing
34 client-disk-sharing
35 server-file-transfer
36 client-file-transfer
37 session-recording
38 server-usb-sharing
——————
December 3, 2024 at 09:25 in reply to: Profiles management : “deny all” propagation to all nodes #50930
Steve92Participant
Hello,
Good job!
It seems to show many more (52) types of rights than in the ECS documentation (chap. 4.5 lists 33 types).
NoMachine Enterprise Cloud Server – Installation And Configuration Guide
Can all these types of rules be propagated from the ECS to the nodes?
Thanks!
Steve.
November 15, 2024 at 09:34 in reply to: ED25519 and ECDSA for NX protocol produce “Authentication Failed” error #50751
Steve92Participant
Hi,
I did a quick successful test closer to your need. 🙂
# !M Client 8.14.2 installed on:
Microsoft Windows 11 Enterprise Evaluation (expired for a few months)
Version 10.0.22621 Build 22621
VM under “VMWare Player 17” on “Debian 11”: 4 CPU, 8 GB RAM
> ssh -V
OpenSSH_for_Windows_8.6p1, LibreSSL 3.4.3
> ssh-keygen -t ed25519
(default path+filenames+a passphrase entered)
Public key
C:\Users\User\.ssh\id_ed25519.pub
transferred to Linux remote server and added to
/home/my-user/.nx/config/authorized.crt
# Remote server:
“!M Enterprise Desktop 8.14.2” (evaluation)
VPS “Debian 12”, 1 vCPU, 2 GB!
LXDE
# In “!M Client” on W11 VM
For “My Enterprise Desktop” created connection
Edit/Configuration
x Use key-based auth. with a key you provide
[ Modify ]
C:\Users\User\.ssh\id_ed25519
That works like a charm!
Good luck and go ahead! 😉
Steve.
November 14, 2024 at 18:37 in reply to: Public key exchange from “Enterprise Cloud Server” to “Terminal Server” #50745
Steve92Participant
Yes, thanks, “--keyadd” works great!
It’s exactly what I was looking for: simple and supported by NoMachine.
🙂
November 13, 2024 at 19:03 in reply to: Public key exchange from “Enterprise Cloud Server” to “Terminal Server” #50717
Steve92Participant
I've tested adding the public NX key of Cloud Server to Terminal Server in /var/NX/nx/.nx/config/authorized.crt (from memory).
The “config” directory has to be created (with the right permissions) if it's the 1st node to be added. (cat node..rsa.key.pub >> /var/NX/nx/.nx/config/authorized.crt)
Please, could you confirm it's OK?
It seems to be OK but I want to be sure not to forget something.
Thanks!
Regards.
Steve
Steve92Participant
Hello,
So, is it possible, with a profile, to propagate EnableDirectConnections=OFF to all nodes linked to a Cloud Cluster?
If not, when will it be OK?
Thanks
Regards
Steve.
November 9, 2024 at 01:01 in reply to: ED25519 and ECDSA for NX protocol produce “Authentication Failed” error #50660
Steve92Participant
Hello,
A few weeks ago, I had some problems too with the ED25519 algorithm to generate keys and I thought it was not supported (hence my question https://forum.nomachine.com/topic/ed25519-algorithm-for-ssh-nx-keys ).
I've just done a test in a full Linux environment; all is OK. (following https://kb.nomachine.com/AR02L00785)
On “!M Client” 8.14 side:
$ ssh-keygen -t ed25519 (-b is useless since the key has a fixed length)
I kept default key names and added a passphrase.
The server is “!M Enterprise Cloud Server” 8.14.
FYI, ssh version:
$ ssh -V
OpenSSH_9.2p1
OpenSSL 3.0.14 4/6/2024
O/S:
Debian 12 Bookworm
Linux antix1 6.1.105
(super light Linux, perfect for testing !M in live VMs)
Good luck! 🙂
NB: an RSA 4096-bit key is still strong enough (even 3072-bit for common usage)!
Regards,
Steve.
Steve92Participant
Hello,
Great news for the POC in progress!
It's crucial for us to protect “!M Enterprise Desktops” settings.
An FR: (if I don't need to change my glasses 😉 )
We need to give access to all Nodes only via Cloud Server.
I can't see that “EnableDirectConnections” can be disabled by using a command line like:
nxserver --ruleadd --class propagation
…It is “ON” by default.
Could you confirm, please? Is this FR already registered? How long will it take to add this FR?
I guess we’ll have to deal with this need at firewall level… 🙁
Regards,
Steve.
Steve92Participant
Hello,
“separating the web server host from the NoMachine server host”
is a good thing but it is not enough for (very) sensitive environments.
“Protocol break” is a network protocol attack protection as described on this NCSC page:
Network protocol attack protection – NCSC.GOV.UK
https://www.ncsc.gov.uk/collection/cross-domain-solutions/using-the-principles/network-protocol-attack-protection
In our case the risk occurs if a user, from a low security domain, has remote access to a server in a high level security domain.
We must have strong protection against an attacker who might use the components within NoMachine as a route to compromise the core network.
NCSC: “A protocol break will terminate one transmission path, extract the relevant information, and use this to initiate a new transmission path.”
So the question is: what happens in the black box “nxhtd & nxwebplayer” between the 2 components?
Is there a network session break?
Is there a “rewriting” of data or just an “as-is” forwarding?
Please, could you forward these hard questions to a cybersecurity expert in your teams in labs?
Thanks,
Regards,
Steve.
Steve92Participant
Hello,
If multiple screens are used, is only one UDP port used?
How can that happen?
In our case, only one remote UDP port would be open instead of a range!
In what case can it bring problems? Give examples please.
Thanks !
Regards,
Steve.
Steve92Participant
Hello,
And what about the server side (destination machine)?
No way to cleanly uninstall “NoMachine Service”?
Manual start must not be allowed in our case.
Is there a dirty way like removing files (binary file…)? Which one?
The aim would be to have only the admin console on “!M Cloud Server”.
Is it possible?
Thanks.
Steve.
Steve92Participant
Hello,
I read again the page “Use Your Own Apache Web Server…”.
If I understand correctly, the chain of components is:
[ Browser ] <= HTTPS => [ nxhtd ] <= ? => [ nxwebplayer ] <= NX/SSH => [ nxserver ]
Is it correct? If not, what is the right one?
How does [ nxhtd ], the web server, communicate (protocol, port) with [ nxwebplayer ], the web app?
Must [ nxhtd ] and [ nxwebplayer ] be on the same machine?
Thanks,
Regards.
Steve.
Steve92Participant
Hello,
To summarize, according to ANSSI (French National Cyber Security Agency) and IETF, for TLS 1.2, only the following extensions should/must be used:
Extension Type: 0x000A (supported_groups)
Extension Type: 0x000B (ec_point_formats)
Extension Type: 0x000D (signature_algorithms)
Extension Type: 0x0016 (encrypt_then_mac)
Extension Type: 0x0017 (extended_master_secret)
PLUS
signed_certificate_timestamp (0x0012) …. if SCT used
renegotiation_info (0xFF01)
Regards,
Steve.
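Added example, not from the post, from NoMachine or from ANSSI: a Python audit that parses the extensions block of a TLS 1.2 ClientHello record and marks each offered extension type as on or off the list above (the allow-list is taken from the post as written, conditional entries included). The sample ClientHello is constructed in the block, with empty extension bodies, and 0x000F (heartbeat) is included to show a type that gets flagged.

```python
import struct

# Extension types the post above lists as the only ones to use with TLS 1.2 (ANSSI/IETF).
ALLOWED = {0x000A: "supported_groups", 0x000B: "ec_point_formats",
           0x000D: "signature_algorithms", 0x0016: "encrypt_then_mac",
           0x0017: "extended_master_secret", 0xFF01: "renegotiation_info",
           0x0012: "signed_certificate_timestamp"}  # only if SCT is used

def client_hello_extensions(record: bytes):
    """Return [(type, body)] from one TLS ClientHello record; raises if malformed."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                            # client_version + random
    pos += 1 + hello[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hello[pos]                                   # compression_methods
    if pos == len(hello):
        return []                                           # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    if end != len(hello):
        raise ValueError("extensions length does not match message length")
    pos, exts = pos + 2, []
    while pos < end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        if pos + 4 + elen > end:
            raise ValueError("extension overruns extensions block")
        exts.append((etype, hello[pos + 4:pos + 4 + elen]))
        pos += 4 + elen
    return exts

def audit(record: bytes):
    """(type, name, on_list) for every offered extension, in wire order."""
    return [(t, ALLOWED.get(t, f"type_{t:#06x}"), t in ALLOWED)
            for t, _ in client_hello_extensions(record)]

def build_client_hello(ext_types):
    """Constructed sample: TLS 1.2 ClientHello, one suite, no session id, null compression."""
    exts = b"".join(struct.pack("!HH", t, 0) for t in ext_types)
    hello = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for t, name, ok in audit(build_client_hello([0x000A, 0x000D, 0x000F, 0x0017, 0xFF01])):
        print(f"{t:#06x} {name:28s} {'on list' if ok else 'NOT on list'}")
```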