February 15, 2016 at 12:27 #10065 andrewa Participant
Hello. I’m connecting to NoMachine free server 5.0.63 for Fedora23 from Windows 10 same version. All works fine when I use user & password with NX protocol for system login authentication (as root). But when I try to connect via NX protocol with private key I get the error: The session negotiation failed. Error: Cannot accept public key
https://www.nomachine.com/AR02L00785 was strictly followed: I added /root/.nx/config folder (both .nx and config have 0700 owner root) and authorized.crt (0600 owner root). In Edit connection – Advanced – Private key – Settings I input private key file.
Tried generating keys 1024bit with PuTTYgen.exe, with nxkeygen (2048bit), with XCA (2048bit). Tried to edit public key in one line as recommended for PuTTY – same result.
PuTTY and WinSCP authenticate OK with key pair generated by PuTTYgen.exe and public key in /root/.ssh/authorized_keys
AcceptedAuthenticationMethods is ALL (default)
Switched debugging into level 7 but the log is growing like a mushroom and I find no clue in this mess. In debug level 6 I see:
WARNING! Process '/usr/NX/bin/nxexec --cat --user root --path config/authorized.crt' with pid '18560/18560' finished with exit code 1 after 0,17 seconds.
WARNING! Cannot write to FD#8.
WARNING! Error is: 32, 'Broken pipe'.
What am I missing?
Thanks. Andrei.

February 16, 2016 at 09:48 #10089 andrewa Participant
I solved the problem after some head banging. The correct setup is:
1. Public key in /root/.nx/config/authorized.crt (.nx and .nx/config have 0700 permissions, authorized.crt has 0600 permissions, owner root) should be the same format as in /root/.ssh/authorized_keys:
ssh-rsa AAAA .. in-one-line .. Bis= <comment>
This is the output of PuTTYgen generate window (not the saved file) and is different from SSH / XCA format of the generated public key .crt file. SSH seems to have some setup allowing it to generate the public key in this format, but I am not sure about the syntax. The .crt format used to input certificates in browsers and mail clients should not be used:
2. In NX client under WIN select Session – Edit – Advanced – Private key – Settings file field: browse for private key file in SSH format, not the file saved by PuTTYgen. Private key file format should be:
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
Hope this naive explanation helps someone like me who is not on the professional side.
I wonder if the authorized.crt file allows placing restrictions for IP, command etc. like the ones which can be added at the beginning of the line of each public key in /root/.ssh/authorized_keys. If “yes”, should one use the same syntax, and are all restrictions in authorized_keys applicable?

February 16, 2016 at 11:40 #10096 Haven Contributor
NoMachine requires keys to be in OpenSSH format. PuTTYgen.exe could indeed be hard to use to generate a proper pair of keys. I am glad that you worked this out! We don’t support additional option keys in authorized.crt. The key must be in format: key-type data comment.
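
A pre-flight check for the file format discussed in this thread, added here as an example (it is not part of the original posts and is not NoMachine code): it tests each line of an authorized.crt against the one-line "key-type data comment" form and names the usual mistakes. The KEY_TYPES set and the function names are assumptions made for the example; the thread itself only shows ssh-rsa.

```python
import base64
import struct
import sys

# Assumed set of OpenSSH key-type names; the thread only confirms ssh-rsa.
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256"}

def check_line(line):
    """Return 'ok' or the reason the line is not 'key-type data comment'."""
    line = line.strip()
    if line.startswith("---- BEGIN SSH2 PUBLIC KEY"):
        return "RFC 4716 block (a saved public key file), not one-line OpenSSH"
    if line.startswith("-----BEGIN"):
        return "PEM block (certificate or key), not one-line OpenSSH"
    fields = line.split()
    if len(fields) < 2:
        return "expected: key-type data comment"
    if fields[0] not in KEY_TYPES:
        return "line does not start with a key type (options prefix?)"
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError:
        return "data field is not valid base64 (key split over lines?)"
    # The decoded data starts with a 4-byte big-endian length, then the
    # key-type name again; it must agree with the first field.
    if len(blob) < 4:
        return "data field too short"
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len].decode("ascii", "replace") != fields[0]:
        return "key type inside data does not match the first field"
    return "ok"

def check_file(text):
    """Check every non-empty line; returns [(line_number, verdict), ...]."""
    return [(n, check_line(l))
            for n, l in enumerate(text.splitlines(), 1) if l.strip()]

def sample_blob(key_type=b"ssh-rsa"):
    # Constructed sample, not a real key: only the header is meaningful.
    raw = struct.pack(">I", len(key_type)) + key_type + b"\x00" * 8
    return base64.b64encode(raw).decode()

if __name__ == "__main__":
    # Usage: python3 check_crt.py /root/.nx/config/authorized.crt
    with open(sys.argv[1]) as fh:
        for number, verdict in check_file(fh.read()):
            print(number, verdict)
```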