Cloud Server Kerberos auth to node

Forums / NoMachine Cloud Server Products / Cloud Server Kerberos auth to node

Viewing 2 posts - 1 through 2 (of 2 total)
  • Author
    Posts
  • #40261
    dav3r
    Participant

    Hello, I’m evaluating Cloud Server (LCSE 7.10.1) running on a Debian 11 (bullseye) server.  I’m able to successfully connect to the Cloud Server using my Kerberos credentials:

    NXSERVER User ‘myusername’ logged in from ‘10.10.10.10’ using authentication method NX-kerberos.

    My problem is that I cannot figure out how to authenticate via Kerberos when adding a new server to the Cloud Server. I want to connect to a Kali node (running LEDE 7.10.1 on Kali 2022.3) with Kerberos, but despite my best efforts, I have only seen it attempt to authenticate via NX-password and NX-private-key.

    Both the Cloud Server and the Kali node are part of the same Kerberos realm. I have confirmed that the Cloud Server is able to successfully communicate with the Kali node (I am able to connect by username/password, but that is not a feasible solution for my use case).

    I have also confirmed that I am able to use my local NoMachine player to successfully connect directly to the Kali node via Kerberos authentication. I just need to figure out how to do that from the Cloud Server.

    On the Kali node’s server.cfg, I have the following options configured:

    EnableNXKerberosAuthentication 1
    NXGssapiLibraryPath “/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2”
    NXKerberosLibraryPath “/usr/lib/x86_64-linux-gnu/libkrb5.so.3”

    And I have restarted the nxserver after making the config changes above.

    On the Cloud Server, when I attempt to create the connection to the Kali node, in the “advanced configuration for client forwarding”, I tried to use the “Only System” option for NX, which according to the help text “will adopt the same credentials and authentication method used for connecting to the parent server” (Kerberos in my case), but it never seems to work. I tried the default “Only Tunnel” option as well and saw the same results in the log:

    NXSERVER ERROR! Authentication with ‘NX-private-key’ from host ‘10.10.10.10’ failed. Error is ‘Public key not recognized’.

    NXSERVER ERROR! Authentication with ‘NX-password’ from host ‘10.10.10.10’ failed. Error is ‘Wrong password or login’.

    Please let me know if you have any ideas or suggestions or if I can provide any additional information.

    Thanks very much in advance for any assistance!
    -Dave

    #40464
    Britgirl
    Keymaster

    Hello and welcome 🙂

    firstly take a look a the latest Cloud Sever Family in version 8. There have been a lot of improvements in the navigation interface, so it’s easier to add/remove nodes and monitor your node machines as well (more about this is here http://www.nomachine.com/cloud-server-family). In your case, you should look at Enterprise Cloud Server or Enterprise Cloud Server Cluster. Both allow unlimited connections, the latter provides failover capabilities.

    Regarding kerberos support in add/remove and other admin operations (via GUI or CLI), this is planned. At the moment, adding and removing nodes to the cloud server is done via password authentication. We had planned to extend support for other authentication methods, including Kerberos, to the administrator procedures in the recent v8, but unfortunately other priorities meant that this got postponed to a later release.

    To allow users to connect using kerberos, you need set the following on your cloud server host:
    server.cfg – EnableNXKerberosAuthentication 1
    server.cfg – EnableNXKerberosForwardingToRemote 1
    server.cfg – NXGSSAPIStrictAcceptorCheck 0
    server.cfg – NXGssapiLibraryPath "/usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2"
    server.cfg – NXKerberosLibraryPath "/usr/lib/x86_64-linux-gnu/libkrb5.so.3"

    These last two paths can be slightly different depending on the system.

    The user, when creating a connection should do the following in the Player. Click ‘Add’, go to Configuration, select “Use kerberos ticket-based authentication”. If you want to use more options, click ‘Modify’. Choosing DNS translation will require an IP address in the Address Host field, otherwise provide a hostname.

Viewing 2 posts - 1 through 2 (of 2 total)

You must be logged in to reply to this topic.