NoMachine NX: simple setup without adding users

Source: http://ubuntuforums.org/showthread.php?t=941530

After struggling with VNC for some years I finally tried out Nomachine's NX server instead. Overall it's much faster than VNC and very simple to set up. However, searching this forum and google turned up lots of conflicting instructions about how to configure things. So in the end I just waded through Nomachine's online documentation and help system. What I wanted was for the connection to a remote machine to be as secure as possible, and more usable than VNC through an ssh tunnel, without having to jump through too many configuration hoops. I'm posting what I did here in case someone else wants to give NX a try. I know there are other how tos on the forum, but most seem to include a step about adding users. This isn't strictly necessary, and so I haven't included it.

Just for information, both the server and client software were installed on Hardy, and I've used the latest version of the Nomachine packages and not the FreeNX packages. I believe FreeNX is very similar, but having never tried it I don't know if these instructions will work with that as well. So here goes:

1. Make sure openssh-server is installed on the server machine/s and that you can ssh into into those machines. See this link. Just one caveat. You must ensure that password based authentication is enabled in the /etc/ssh/sshd_config file of the server machine. Initially you should also use the standard port 22 for ssh as well.

2. Download these files from here

nxclient_3.2.0-14_i386.deb
nxnode_3.2.0-13_i386.deb
nxserver_3.2.0-16_i386.deb

3. Put the files in the home directory of the machine you want to use as the server, open a terminal, and install them:

sudo dpkg -i *.deb

note: make sure that these are the only .deb packages in your home directory when you do this.

4. Repeat the above on the client machine - on the client you only need the nxclient package and not the nxserver and nxnode packages

5. At this stage it's worth testing that everything works 'as is'. You may have to do a 'killall gnome-panel' before the NX entry appears in the menu, but once it has you'll find it under applications/internet. Open the NX connection wizard and follow along. You should be able to log in as a normal user with the user name and password that you normally log into the system with. If all goes well a session should open on your desktop displaying the server machine's desktop.

6. If all went well you will now want to change the default ssh keys that the NX server uses. When you first install the nx packages they ship with default keys that are the same for everyone. Potentially this means that anyone with the nxclient package installed could authenticate against your server. Not good! However, changing these keys is simple. Just log into the server (or ssh to the server) and do the following:

sudo su
/usr/NX/scripts/setup/nxserver --keygen
chown nx:root /usr/NX/home/nx/.ssh/authorized_keys2
chmod 0644 /usr/NX/home/nx/.ssh/authorized_keys2
chown nx:root /usr/NX/home/nx/.ssh/default.id_dsa.pub
chmod 0644 /usr/NX/home/nx/.ssh/default.id_dsa.pub

Then copy the default.id_dsa.pub file to the client. I did this using scp from the client machine, e.g.

scp user@server:/usr/NX/share/keys/default.id_dsa.key .

But you could just as easily copy it to a usb flash drive and transfer it to the client. Once you've saved it to the client machine's home directory you should rename the key from default (I use my user name) and copy it to the /usr/NX/share/keys/ directory:

sudo cp default.id_dsa.key /usr/NX/share/keys/user.id_dsa.key

Now test that you can connect to the nx user account on the server with this key:

ssh -i /usr/NX/share/keys/user.id_dsa.key nx@server

You shouldn't be prompted for a password. If you can connect as the nx user just type quit to exit. Then launch the nx client from the menu, hit configure, and then the key button on the general tab. Delete the exiting key and press the import button. Import the key that you've just saved in the /usr/NX/share/keys directory. Save everything and then try connecting with the client.

Optional steps

7. If all went well you can now change the default ssh port to a non-standard one (say 2222 for this example). Go back to the server machine (or shh to it) and edit three files to make the changes.

First edit the /usr/NX/etc/server.cfg file:

sudo gedit /usr/NX/etc/server.cfg

Look for these entries:

#SSHDPort = "22"
#SSHDAuthPort = "22"

Uncomment and change 22 to 2222. Save and close.

Then edit /usr/NX/etc/node.cfg:

sudo gedit /usr/NX/etc/node.cfg

Look for this entry:

#SSHDPort = "22"

And again uncomment and change the port number. Save and close.

Finally edit /etc/ssh/sshd_config

sudo gedit /etc/ssh/sshd_config

Look for this entry:

Port 22

And again change the port, save and close.

Finally, restart ssh:

sudo /etc/init.d/ssh restart

On the client machine you should then launch the nx client, press the configure button, and enter the new port in the general tab.

That's it. You should now be able to connect to the nxserver on a non-standard port with a custom ssh key.

8. For added security you might also want to go back to the server machine and edit the /usr/NX/etc/server.cfg file again. Find this line:

#EnableUnencryptedSession = "1"

Uncomment it and change the "1" to a "0"

This will force nx to use ssl encryption at all times.

That's basically it. The only problem I have with nx so far is not being able to disable password based authentication in my sshd_config. There is a work around which involves adding system users to the nx server and then using the nx database rather than ssh to authenticate. However, I haven't tried this, so I'm not able to comment on how well it works, What I've done instead is limit the number of users who can ssh into the server machine (nx must be a listed user), and restricted access in my firewall to only allow certain machines through.

Hope this helps someone.