NoMachine version 4.0 has many key features. When you are connected to a NoMachine-enabled computer, you can work with any content such as documents, music, videos, as if you were in front of your computer. You can also have the same desktop environment from wherever you are connected.

I am trying to connect to a node on my server and when I log in through NoMachine, only a black screen shows. How can I troubleshoot this? I'm using the Mac client to connect to a Linux server.

How to secure VNC remote access with two-factor authentication

VNC is the most popular remote access solution today. However, it was developed to provide remote access, not to provide secure remote access. Administrators have to add security to VNC by tunneling it through an encrypted channel such as SSH and adding a layer of authentication.
In this article, we will show you how to combine the to encrypt VNC and remote X session combined with to create a secure, fast remote access solution.

NoMachine and WiKID

NoMachine is a Terminal Server and Remote Access solution optimized for speed and security. All connections are piped through SSH. NoMachine is far faster than just piping VNC through SSH thanks to their compression algorithms. Plus, they offer RDP and Remote X sessions and clients for Windows, Mac & Linux. WiKID is a dual-source two-factor authentication system optimized for security and ease-of-use.
WiKID uses public-key cryptography instead of shared secrets like most hardware-based solutions. WiKID relies on validation of a user-selected PIN at the server - making it stronger and much more manageable than certificates. In this configuration, WiKID will handle user authentication and NoMachine will handle tunnel encryption and compression. For VNC, I am using RealVNC's.
I did nothing to configure it, except add a password for authentication so details are not included. Both the WiKID server and your SSH/NoMachine server should be in the DMZ, with one card accepting connections from the Internet for client connections and the other configured for LAN access to exchange authentication requests and VNC connections respectively.

Configuring the WiKID Server

Here's how it will work: to access a remote desktop, start the NX client and enter a WiKID one-time passcode and username. The user generates the one-time passcode on their WiKID token and enters it into the password prompt. SSH will route the username and one-time password to the WiKID server via pam radius. If the username and one-time password match what WiKID expects, the server will tell SSH to grant access. The NX client will then send the VNC password to the target VNC box. First, we add the SSH/NoMachine box to the WiKID Strong Authentication Server as a network client, then configure PAM radius on the SSH/NoMachine server.
I assume that you have already configured the WiKID server. More information on how to install and configure WiKID can be.

Start by creating a domain for remote access users:

- Log into WiKID server web interface (.
- Click on the Domains Tab.
- Click on Create a New Domain.
- Fill in the form for a new domain. Leave 'Registered URL:' blank; that is just for SSL-based mutual authentication. Also do not check 'Use TACACS+' and 'Password Reset Domain:'. Passcode lifetime should be set long enough for the user to be able to log in. The default is 60 seconds, but you can increase it. The default PIN length is 6 digits, but you can set it for 4 if you prefer. 'Device Domain Name' is what the user sees on the token client.
- Click the 'Create' button.

Now add a new Radius network client to the WiKID server that points to your SSH/NoMachine server:

- Select Network Clients tab.
- Click on Create New Network Client.
- Fill in the requested information. For the IP Address, use the SSH/NoMachine server IP address. For Protocol, select Radius.
- Hit the Add button, and on the next page, enter a shared secret. Do not enter anything into the Return Attribute box.
- From the terminal or via ssh, run 'stop' and then 'start' to load the network client into the built-in WiKID radius server.

That is it for the WiKID server.
You can add users manually as the administrator or set up scripts in a secure location (your LAN, e.g.) to allow users to add their own tokens.

Configuring NoMachine and SSH

For this example, we're using the NX Server Free Edition, which is very simple to configure - in fact it works out of the box. It is limited to 2 concurrent users, so companies will want to look to their Enterprise editions. Download the Server, NX node and client and install:

    rpm -ivh nx.

Now, we configure SSH to use Radius: First, you need to install PAM Radius.
There is excellent documentation on this at the. Depending on your distribution, you might also be able to find a suitable binary. Edit /etc/pam.d/sshd to allow Radius authentication:

    vi /etc/pam.d/sshd

Go to the second line of the file, hit the Insert key or the i key and insert this line:

    auth required /lib/security/pam_radius_auth.so

just above this line:

    auth required pam_stack.so service=system-auth

The 'required' tag requires two-factor authentication. Because we are only editing the sshd file, it will not affect terminal log-ins. Write the file and quit: hit the Esc key to exit insert mode and type :wq

Edit or create your /etc/raddb/server file:

    vi /etc/raddb/server

Below the line:

    127.0.0.1 secret 1

add this line, substituting the IP address of the WiKID server:

    routableIPaddress sharedsecret 1
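
The two files edited in the steps above can be checked once the change is in place. The script below is an added example, not part of the original article: the function names, the address 192.0.2.10 and the sample secret are constructed, and the permission check assumes that the file holding the RADIUS shared secret should not be accessible to group or other users.

```shell
#!/bin/sh
# check_pam_order FILE: pass only if a "required" pam_radius_auth.so auth line
# exists and comes before the system-auth stack line.
check_pam_order() {
    awk '
        $1 == "auth" && /pam_radius_auth\.so/ && !radius { radius = NR; flag = $2 }
        $1 == "auth" && /system-auth/ && !stack          { stack = NR }
        END {
            if (!radius)                 { print "FAIL: no pam_radius_auth.so auth line"; exit 1 }
            if (flag != "required")      { print "FAIL: RADIUS control flag is " flag; exit 1 }
            if (stack && stack < radius) { print "FAIL: system-auth runs before RADIUS"; exit 1 }
            print "OK: RADIUS is required and evaluated first"
        }' "$1"
}

# check_server_file FILE: the file holds the RADIUS shared secret, so it must
# not be accessible to group/other, and it must list a non-loopback server.
check_server_file() {
    perms=$(ls -ld "$1" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $1 is accessible to group/other ($perms)"; return 1
    fi
    if ! awk '$1 !~ /^#/ && NF >= 2 && $1 !~ /^127\./ { ok = 1 }
              END { exit(ok ? 0 : 1) }' "$1"; then
        echo "FAIL: $1 has no non-loopback RADIUS server"; return 1
    fi
    echo "OK: $1 is private and lists a remote RADIUS server"
}

# Constructed sample files (placeholder address and secret) so this runs
# offline; on a real host pass /etc/pam.d/sshd and /etc/raddb/server instead.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#%PAM-1.0' \
        'auth required /lib/security/pam_radius_auth.so' \
        'auth required pam_stack.so service=system-auth' > "$d/sshd"
    printf '%s\n' '127.0.0.1 secret 1' \
        '192.0.2.10 constructed-secret 1' > "$d/server"
    chmod 600 "$d/server"
    rc=0
    check_pam_order "$d/sshd" && check_server_file "$d/server" || rc=1
    rm -rf "$d"
    return $rc
}
demo
```

A "sufficient" control flag or a system-auth line placed above the RADIUS line is reported as a failure, since either would let a login complete without the one-time passcode being the deciding check.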