
Nomachine NX server

By Peter Knaggs

In this article, I'm going to describe my first attempt at installing and trying out CentOS's packages on RHEL4 for Nomachine's NX server. I never had time to do it before, but it was well worth the journey of discovery.

Compared to VNC, it's amazingly fast, and quite straightforward to set up using the CentOS packages for RHEL4, so you can make all your "hosted" C developers much happier by giving them speedy access to the desktop of their RHEL4 hosted box, right from their "standard-issue" Microsoft Windows desktop machines. As I understand it, the NX client that Nomachine make available for free download is still proprietary; however, Nomachine makes the sources for Linux available under GPL, so I'm not quite sure how all that works out.

I stumbled across NX server briefly a year ago when I used Kanotix, because at the time I was surprised to find an unexpected authorized_keys file sitting in the "nx" user's home directory. I thought that some wily hacker had been fiddling with my laptop, but on closer inspection it turned out to be the standard way the NX package is installed (this is explained in more detail at the end of this article).

In the following writeup, I use the term "Linux hosted box" to mean a Linux box hosted far away in a datacenter somewhere.

Benefits of the Nomachine NX server

NX Server/Client Installation

1. Server side (your RHEL4 Linux hosted box)
Download the NX and FreeNX packages from the CentOS4 repository. CentOS is Community Enterprise Linux, a "whitebox" rebuild of RHEL, so it is fully compatible with Red Hat Enterprise Linux 4, and supported to the same level.

wget http://mirror.centos.org/centos/4/extras/i386/RPMS/nx-1.5.0-1.centos4.i386.rpm
wget http://mirror.centos.org/centos/4/extras/i386/RPMS/freenx-0.5.0-10.c4.noarch.rpm

Install NX and FreeNX packages as follows:

sudo rpm -Uvh nx-1.5.0-1.centos4.i386.rpm
sudo rpm -Uvh freenx-0.5.0-10.c4.noarch.rpm

This also adds a new user called "nx" to your Linux hosted box (extract from /etc/passwd follows):

nx:x:499:11::/var/lib/nxserver/home:/usr/bin/nxserver

Note that the "shell" of this new "nx" user is "/usr/bin/nxserver", so it is dedicated to the purpose of serving NX clients, and isn't a general-purpose user account.

The package installation also generates a new OpenSSH keypair in the home directory of the new "nx" user. Please make sure the permissions are as follows after the install, in order to allow OpenSSH to work properly:

bash-3.00# ls -l /var/lib/nxserver/home/.ssh
total 16
-r--------  1 nx root 602 Dec 16 10:33 authorized_keys2
-rw-------  1 nx root 668 Dec 16 09:50 client.id_dsa.key
-rw-r--r--  1 nx root 220 Dec 16 09:50 known_hosts
-rw-------  1 nx root 602 Dec 16 09:50 server.id_dsa.pub.key
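
The two checks described above (the dedicated login shell of the "nx" user and the permissions on its key files) can be scripted. The following is an added example, not part of the original article or of the CentOS/FreeNX packages; the paths, file names and expected shell are the ones shown above, and the function names are made up for this sketch:

```shell
#!/bin/sh
# Added example: audit the "nx" account layout shown in this article.
# Function names are hypothetical; paths and file names come from the listing.

NX_SHELL=/usr/bin/nxserver

# nx_shell_ok PASSWD_FILE: succeed only if user "nx" exists and its login
# shell (7th field) is the dedicated nxserver binary, not a general shell.
nx_shell_ok() {
    shell=$(awk -F: '$1 == "nx" { print $7 }' "$1")
    [ "$shell" = "$NX_SHELL" ]
}

# mode_is_private LS_MODE: succeed if an "ls -l" mode string such as
# "-rw-------" grants nothing to group or other. A trailing "." or "+"
# (SELinux context / ACL marker printed by some ls versions) is tolerated.
mode_is_private() {
    case "$1" in
        ????------|????------[.+@]) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_nx_ssh_dir DIR [OWNER]: print one finding per problem and return
# non-zero if a key file is missing, not owned by OWNER (default "nx"), or
# accessible by group/other. known_hosts holds public data and is skipped.
audit_nx_ssh_dir() {
    dir=$1; owner=${2:-nx}; rc=0
    for f in authorized_keys2 client.id_dsa.key server.id_dsa.pub.key; do
        [ -f "$dir/$f" ] || { echo "MISSING $f"; rc=1; continue; }
        set -- $(ls -ld "$dir/$f")      # $1 = mode string, $3 = owner
        [ "$3" = "$owner" ] || { echo "OWNER   $f is owned by $3"; rc=1; }
        mode_is_private "$1" || { echo "MODE    $f is $1"; rc=1; }
    done
    return $rc
}

# With a directory argument, audit the live system (run as root), e.g.:
#   sh nx_audit.sh /var/lib/nxserver/home/.ssh
if [ "$#" -ge 1 ]; then
    nx_shell_ok /etc/passwd || echo "SHELL   nx login shell is not $NX_SHELL"
    audit_nx_ssh_dir "$1"
fi
```

No output from the audit means the account and key files match the layout shown in the listing.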

2. Client side for Microsoft Windows
A nice guide can be found here:

http://wiki.centos.org/FreeNX

After installing the NX server as shown in Section 1, copy /var/lib/nxserver/home/.ssh/client.id_dsa.key to your Microsoft Windows client machine. This is the key you'll need to gain access to the nxserver you installed in Section 1.

Download the NX client from Nomachine's website:

http://www.nomachine.com/download.php

Click on the green arrow next to "NX Client for Windows"; now click the same arrow again, and then click the "Download package" button. Install it as usual, then start it up.

Click on "Configure", and under the "General" tab, click on the "Key..." button; then, click on "Import" to read in the contents of the client.id_dsa.key file mentioned above.

For "Host", enter the name of your Linux hosted box; for "Port", enter "22"; for "Desktop", choose "Unix" "GNOME".

Make sure to select "GNOME" as the window manager, as the default ("KDE") is missing the KDE panel, making it awkward to use. It looks like a bug, but the GNOME window manager is preferred by Red Hat, so it is fine for now.

For the network speed setting, the default "ADSL" is suitable if you're working from home, but for working from the office "WAN" might be better.

Set "Display" setting to suit your needs, depending on your client machine's current desktop resolution. Start with 1024x768. Once things are working properly, you can go back, choose "Custom" and enter 1280x1024, as this will give you a larger desktop.

On the "Advanced" tab, make sure to select the option

[x] Enable SSL encryption on all traffic

This is important because not only is the traffic encrypted, but the NX client-server connection then uses only the port you configured above. No ports need to be open on your client box (or on any firewall in between).

In the "Services" tab, printing and audio (multimedia) support can be configured, but that's somewhat more involved to explain; I suggest experimenting with it if you're interested.

Click [OK] once you've finished configuration. When you're prompted to save it, click [Yes].

Now enter your regular username and password that you use to log in to your Linux hosted box.

Note that once the desktop has started up, /usr/NX/bin/nxclient exits. In order to be able to reconnect to your desktop session later, click "X" in the top-right-corner to "kill" the NXclient window. A dialog box will pop up within the desktop session as follows:

  Press the suspend button to disconnect the running session.
  You will be able to resume the session at later time. Press the
  terminate button to exit the session and close all the running
  programs.
    (Suspend)  (Terminate)  (Cancel)

Click on "Suspend".

The next time you log in via NXclient, you will see this message:

  "Resuming the suspended session"

and your desktop will be just where you left it earlier.

3. Client side for Ubuntu Linux (Dapper Drake 6.06LTS)
A nice guide can be found here:

http://wiki.centos.org/FreeNX

After installing the NX server as shown in Section 1, copy /var/lib/nxserver/home/.ssh/client.id_dsa.key to your client machine in order to gain access to the nxserver.

Copy the key to where it should be on the client machine:

cp $HOME/client.id_dsa.key $HOME/.ssh/id_dsa

Test whether you can use OpenSSH to gain access to the nxserver you installed on your Linux hosted box. Essentially, just do a plain 'ssh' login to your Linux hosted box as user "nx" (no password should be necessary, because you will be using your private client key from $HOME/.ssh/id_dsa), and what you should see is the "shell" of the "nxserver":

ssh nx@linux_hosted_box
Last login: Sat Dec 16 18:48:53 2006 from client.your.domain
which: no xauth in (/usr/local/bin:/bin:/usr/bin)
HELLO NXSERVER - Version 1.5.0-50-SVN OS (GPL)
NX> 105

Now install the client package for Ubuntu Linux. The source for this package is not available; it's a proprietary NX client from the Nomachine company (with the logo "!M"). You can do this straight from the command line:

  wget http://64.34.161.181/download/2.1.0/Linux/nxclient_2.1.0-9_i386.deb
  sudo dpkg -i nxclient_2.1.0-9_i386.deb

Or, if you're a fan of doing things the GUI way, you can go to http://www.nomachine.com/download-client-linux.php, search for "NX Client DEB for Linux", click on the green arrow, and then click the "Download package" button.

Launch the client using the command

  /usr/NX/bin/nxclient

and configure it as described in Section 2.

Note that cut-and-paste works properly between the nxclient environment and your client's desktop, so it is a much cleaner working experience than what you get when using VNC viewer to remotely control your Linux hosted box.

Understanding the security aspects of NX server

The OpenSSH key is only used to gain access to the NX server, which runs as the "shell" of the "nx" user. It is the NX server that performs the actual PAM authentication using your supplied username and password.

The client.id_dsa.key is actually an additional layer of precaution, which secures access to the "shell" of the "nx" user, i.e. to the NX server itself, in case the NX server had any security holes in its PAM authentication layers.

This is why client.id_dsa.key isn't usually further secured with a passphrase; however, if you are familiar with the use of 'ssh-agent', you may feel it worthwhile to add a passphrase to client.id_dsa.key.



I studied engineering at Université de Liège for a year, then at Trinity College Dublin for four more (and where I wish I had paid more attention during the networking lectures). I've always been curious about audio and video on computers, and Linux has been truly an amazing platform for learning about these areas.

Copyright © 2007, Peter Knaggs. Released under the Open Publication License unless otherwise noted in the body of the article. Linux Gazette is not produced, sponsored, or endorsed by its prior host, SSC, Inc.

Published in Issue 135 of Linux Gazette, February 2007
