How to set up key based authentication for web connections
During a browser-based remote desktop session, two protocols are involved in the authentication process. HTTPS is used between the browser and the Web server (nxhtd). Between the Web server and the NoMachine server, either the NX or the SSH protocol is used, depending on how the administrator has configured server.cfg. Authentication on the server is password-based by default. However, it is possible to use key-based authentication when NX has been configured.
How to make users authenticate by private key
Key-based authentication is supported for the RSA key type and requires the public key to be added on the server side, in the user's home directory, to grant access. When connecting to the server, the user will have to provide the private key in the NoMachine web User Interface.
Premises
You have already generated a key pair, for example by using the ssh-keygen tool on a Linux host. The keys must be in OpenSSH format.
If you have generated the key pair on Windows, for example by using 'PuTTYgen' (https://www.puttygen.com), be sure it's in OpenSSH format or convert it. To convert it, choose the key file in the PuTTYgen main window, then go to Conversions->Export OpenSSH key to export your private key and save it.
First step: Add the public key on the server
1. Navigate to the <user's home>/.nx/config directory.
2. You should find the authorized.crt file there. Create this file if it doesn't exist. On Linux/Mac, this file needs to have permissions set to 0600.
3. Append your public key at the end of the authorized.crt file. If you're using a text editor, be sure to not save the file in a different format.
4. Save changes.
This is an example of what the public key added to the authorized.crt file looks like:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDLPbAnTn+6UlZQEqudUChU9JMm2bZ92E7Pda313s6p/W89tFHV3MmG965
+OQKQcIFYDfSmF/dM+qKVrkcdLE8Vc2O+HiBxJmeaKYuDdcOZGeRvW2mhskULDmuVA5IFCqaOx+OINuiNYGzQYzl0vzFg9prvp
KmOVnXDjzsuMOTrLr45TPv3Vk5iFmsyYA3J69Z2VErc486lY5aU6Qqg21hd3Yh/4rflGPE4QWVBkpO9qIhynT5+qlT9JyXg9J+al0K
fcttgOYaApdhd/OiE4Nxycl7duwk4eXDm1Um/HHcO361VT9rznL8gU+Rm99CLiecW1FiB90s5TV9USXUz8Mqr
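The first step as a shell function for Linux/Mac, added here as an example (it is not NoMachine's own tooling). The function name nx_add_pubkey and its exit codes are hypothetical, and it assumes authorized.crt holds one OpenSSH public key per line:

```shell
#!/bin/sh
# Added example: install an RSA public key for NoMachine web key-based login.
# Usage: nx_add_pubkey PUBKEY_FILE [HOME_DIR]   (hypothetical function name)
nx_add_pubkey() {
    pub=$1
    home=${2:-$HOME}
    dir=$home/.nx/config
    crt=$dir/authorized.crt

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Drop CRs (Windows line endings) and blank lines before checking the key.
    key=$(tr -d '\r' < "$pub" | sed '/^[[:space:]]*$/d')

    # A key wrapped by an editor or mail client spans several lines: reject it.
    [ "$(printf '%s\n' "$key" | wc -l)" -eq 1 ] || {
        echo "expected one key on a single line" >&2; return 2; }

    # RSA only: the base64 blob of an ssh-rsa key begins with AAAAB3NzaC1yc2E.
    case $key in
        "ssh-rsa AAAAB3NzaC1yc2E"*) ;;
        *) echo "not an ssh-rsa public key in OpenSSH format" >&2; return 3 ;;
    esac

    # umask 077 is this example's choice; the page only requires 0600 on the file.
    ( umask 077; mkdir -p "$dir" && : >> "$crt" ) || return 4
    chmod 600 "$crt" || return 4

    # Idempotent: nothing to do if this exact line is already present.
    if grep -qxF -- "$key" "$crt"; then return 0; fi

    # Append, first terminating a last line that lacks its newline.
    if [ -s "$crt" ] && [ -n "$(tail -c 1 "$crt")" ]; then
        printf '\n' >> "$crt"
    fi
    printf '%s\n' "$key" >> "$crt"
}
```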
Second step: Configure NoMachine to accept key-based authentication for web sessions
1. Edit the server configuration file:
BaseDirectory/NX/etc/server.cfg on Linux
BaseDirectory/NoMachine/etc/server.cfg on Windows
BaseDirectory/NoMachine.app/Contents/Frameworks/etc/server.cfg on Mac
where 'BaseDirectory' is the path to the NoMachine installation, e.g. /usr/ on Linux.
2. Look for the Section "Server" and change from 'Authentication password' to 'Authentication private-key', for example:
Section "Server"
Name "Connection to localhost"
Host 127.0.0.1
Protocol NX
Port 4000
Authentication private-key
EndSection
Use the private key when connecting with your browser
On your device:
1. Point the browser to: http://SERVER:4080
Where SERVER is either the name or IP address of the host you want to reach.
2. You will be prompted with a dialog asking you to provide the private key to be used to log in. The key should be an RSA key in OpenSSH format.
3. Click the '...' button, navigate the directories on your device and provide the path to your private key.
4. Click the 'OK' button and connect.
The client will prompt you for username and passphrase. If your key doesn't have a passphrase, provide only your username. You can also save the passphrase.
