How to use smartcard readers with NoMachine on Linux (OpenSSH 8.4/8.4p1 or later)
This article applies to users running the NoMachine client on Linux with OpenSSH 8.4/8.4p1 or later, a release that introduced changes aimed at increasing the security level of ssh-agent.
The symptom of the new ssh-agent behaviour is that the local smartcard reader is correctly connected inside the NoMachine session (see https://www.nomachine.com/DT10R00168#4.5) but cannot be used to forward the security ticket, since OpenSSH blocks it.
OpenSSH now refuses to load PKCS#11 libraries that are not in the default path or in an explicitly allowed path, which is the case for the NoMachine module, /usr/NX/lib/libpkcs11.so.
Users need to configure their ssh-agent manually so that it accepts the NoMachine PKCS#11 module, which is required for smartcard reader support inside the session.
From the man page of ssh-agent:
-P allowed_providers
Specify a pattern-list of acceptable paths for PKCS#11
provider and FIDO authenticator middleware shared libraries
that may be used with the -S or -s options to ssh-add(1).
Libraries that do not match the pattern list will be
refused. See PATTERNS in ssh_config(5) for a description
of pattern-list syntax. The default list is
“/usr/lib/*,/usr/local/lib/*”.
Ref.
https://www.openssh.com/releasenotes.html OpenSSH 8.4/8.4p1 (2020-09-27)
https://man7.org/linux/man-pages/man1/ssh-agent.1.html
To use a smartcard reader, the NoMachine user first needs to configure the ssh-agent to accept the path of the NoMachine PKCS#11 module.
To do that, open a terminal inside your NoMachine session and run:
eval "$(ssh-agent -s -P '/usr/NX/lib/*')"
This command starts a fresh ssh-agent that is allowed to load /usr/NX/lib/libpkcs11.so from the NoMachine library path (the pattern is quoted so that the shell does not expand the glob before ssh-agent sees it).
You will then be able to use your smartcard reader within the NoMachine session.
Alternatively (advanced), use a pre-defined communication socket between the helper and ssh-agent. Run in a terminal inside the NoMachine session:
ssh-agent -a /tmp/nxlibpkcs11.sock -s -P '/usr/NX/lib/*'
export SSH_AUTH_SOCK=/tmp/nxlibpkcs11.sock
After that, load the libpkcs11.so provided by NoMachine into the agent so that the PKCS#11 provider is forwarded correctly:
ssh-add -s /usr/NX/lib/libpkcs11.so
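The whole procedure above, with a pre-check that the module path actually matches the -P pattern-list before the agent is started, as an added example that is not NoMachine's or OpenSSH's code: the provider_allowed and start_nx_agent helpers are constructed here, while the module path, the pattern and the default list come from this article.

```shell
#!/bin/sh
# Added example, not NoMachine's or OpenSSH's code. The module path, the -P
# pattern and the default list come from the article; the helper functions
# are constructed here to pre-check a path against an ssh-agent pattern-list
# before starting the agent.

NX_PKCS11=/usr/NX/lib/libpkcs11.so
NX_PATTERNS='/usr/NX/lib/*'
DEFAULT_PATTERNS='/usr/lib/*,/usr/local/lib/*'

# provider_allowed PATH PATTERN_LIST
# Follows the PATTERNS rules of ssh_config(5): comma-separated globs with
# '*' and '?', a leading '!' negates. A negated match refuses the path at
# once; otherwise the path is accepted if any positive pattern matches.
# Returns 0 (accepted) or 1 (refused), mirroring what ssh-agent -P decides.
provider_allowed() {
    path=$1
    rest=$2
    accepted=1
    while [ -n "$rest" ]; do
        pat=${rest%%,*}
        case $rest in *,*) rest=${rest#*,} ;; *) rest= ;; esac
        case $pat in
            '!'*)
                # shell case patterns let '*' match '/', as ssh's matcher does
                case $path in ${pat#"!"}) return 1 ;; esac ;;
            *)
                case $path in $pat) accepted=0 ;; esac ;;
        esac
    done
    return $accepted
}

# start_nx_agent: the article's procedure with an early, explicit failure
# instead of a cryptic refusal from ssh-add when the pattern is wrong.
start_nx_agent() {
    if ! provider_allowed "$NX_PKCS11" "$NX_PATTERNS"; then
        echo "pattern list '$NX_PATTERNS' does not cover $NX_PKCS11" >&2
        return 1
    fi
    # Quoting keeps the shell from expanding the glob before ssh-agent sees it.
    eval "$(ssh-agent -s -P "$NX_PATTERNS")" >/dev/null || return 1
    ssh-add -s "$NX_PKCS11"
}

# Run the procedure only when asked: sh this_script.sh run
if [ "${1-}" = run ]; then start_nx_agent; fi
```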
