ID: AR12Q01064
Applies to: NoMachine Software
Added on: 2019-12-06
Last Update: 2025-06-09

How to enable Yubico authentication with NoMachine on Linux

The procedure below has been tested with NoMachine 9 on Fedora 42, Red Hat 9.6 and Ubuntu 24.04.

All commands need to be executed as root from a terminal; use 'sudo su' to become root if necessary.

1. Install the necessary packages with their dependencies

RedHat based systems:
dnf install ykclient
dnf install ykpers
dnf install pam_yubico

or :
yum install ykclient
yum install ykpers
yum install pam_yubico

Note for CentOS/RHEL
It's necessary to install the EPEL repository in order to install the Yubico libraries:
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
yum install epel-release-latest-7.noarch.rpm

Debian based systems:
apt install libpam-yubico

2. Visit the web site https://upgrade.yubico.com/getapikey/ to generate a Yubico client id and key.
This only requires an email address and the key emitted by the YubiKey device (press the 'y' button on the YubiKey dongle plugged into your machine).

3. Create the /etc/yubikey_mappings file, which binds local accounts to Yubico keys.
   The file consists of <username>:<yubico_key> entries, one per line.

Example:
nomachine:uuccggddoopp
tester:uuccggddoopp

Here 'uuccggddoopp' stands for the first 12 characters of the key emitted by the YubiKey device (its public ID).
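A mistake that is easy to make in step 3 is pasting a whole OTP instead of its first 12 characters, or mistyping the ID. The script below is an added example (not part of the NoMachine article) that checks a mappings file for the <username>:<yubico_key> format before it is referenced from /etc/pam.d/nx; it assumes the yubico-pam authfile convention of one or more colon-separated 12-character modhex IDs per user, and the sample entries it carries are constructed, not real YubiKey IDs.

```shell
#!/bin/sh
# Added example, not code from the NoMachine article: validate a pam_yubico
# authfile (the /etc/yubikey_mappings file created in step 3) read from stdin.
# Line format, per the yubico-pam README:  <username>:<yubikey_id>[:<yubikey_id>...]
# Each yubikey_id is the 12-character public ID (the first 12 characters of an OTP),
# written in modhex, whose alphabet is "cbdefghijklnrtuv". A common mistake is
# pasting the whole 44-character OTP instead of its first 12 characters.
# check_yubikey_mappings: returns 0 when every non-blank, non-comment line is
# well formed, 1 otherwise; one diagnostic per problem is written to stderr.
check_yubikey_mappings() {
    bad=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac      # blank line or comment
        user="${line%%:*}"
        if [ "$user" = "$line" ] || [ -z "$user" ]; then
            echo "line $n: expected <username>:<yubikey_id>, got '$line'" >&2
            bad=$((bad + 1)); continue
        fi
        rest="${line#*:}"
        while [ -n "$rest" ]; do                        # one or more ids per user
            id="${rest%%:*}"
            if [ "${#id}" -ne 12 ]; then
                echo "line $n: id '$id' for $user has ${#id} characters, not 12" >&2
                bad=$((bad + 1))
            else
                case "$id" in
                    *[!cbdefghijklnrtuv]*)
                        echo "line $n: id '$id' for $user is not modhex" >&2
                        bad=$((bad + 1)) ;;
                esac
            fi
            if [ "$rest" = "$id" ]; then break; fi
            rest="${rest#*:}"
        done
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample inputs (not real YubiKey IDs) for trying the check offline.
sample_good() { printf 'nomachine:ccccccbcdefg\ntester:ccccccbcdefg:cccccclnrtuv\n'; }
sample_bad() {
    # 1) whole OTP pasted instead of its first 12 chars, 2) no separator, 3) 'o'/'p' are not modhex
    printf 'nomachine:ccccccbcdefgcccccclnrtuvccccccbcdefgccccccln\n'
    printf 'tester\nkratos:uuccggddoopp\n'
}

# Usage: sh check_mappings.sh /etc/yubikey_mappings
if [ -n "${1:-}" ]; then check_yubikey_mappings < "$1"; fi
```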


4. On CentOS/RHEL, to allow the YubiKey to work with SELinux, execute:

setsebool -P authlogin_yubikey on

More details are available here: https://developers.yubico.com/yubico-pam/YubiKey_and_SELinux.html

5. Enable YubiKey authentication with NX protocol

Edit the /etc/pam.d/nx file by adding the line:

auth required pam_yubico.so id=50982 key="hY035n7E+di6N8hMQsSFmWa7PKM=" authfile=/etc/yubikey_mappings mode=client urllist=https://api.yubico.com/wsapi/2.0/verify
where:
id=50982 - is the client id obtained from the web site in step 2.
key="hY035n7E+di6N8hMQsSFmWa7PKM=" - is the key generated in step 2.
mode=client - validates the OTP online against the Yubico validation service.
urllist=https://api.yubico.com/wsapi/2.0/verify - this argument is a workaround for a problem we reproduced on CentOS 7 and Ubuntu 22.04: https://github.com/Yubico/yubico-pam/issues/31

After the editing, the /etc/pam.d/nx file will look like:
auth       include       su
auth       required pam_yubico.so id=50982 key="hY035n7E+di6N8hMQsSFmWa7PKM=" authfile=/etc/yubikey_mappings mode=client urllist=https://api.yubico.com/wsapi/2.0/verify
account    include       su
password   include       su
session    optional      pam_loginuid.so
session    include       su

6. Further configuration for Yubico and the SSH protocol

Set the following values in /etc/ssh/sshd_config file:

PasswordAuthentication no
KbdInteractiveAuthentication yes

NOTE:
Since OpenSSH 8.7, KbdInteractiveAuthentication replaces ChallengeResponseAuthentication. On systems running older OpenSSH versions, for example CentOS 7, use instead:
ChallengeResponseAuthentication yes

7. Then restart the sshd service.

For example on RedHat based systems:
service sshd restart

and on Debian based systems:
service ssh restart
How to enable Yubico + LDAP authentication with NoMachine on Linux

1. Download or clone this GitHub repository on the LDAP server host:
https://github.com/mludvig/yubikey-ldap

2. Enter the yubikey-ldap-master/ldap-schema directory.

3. Install the yubikey schema by following the instructions in the README file. Depending on the type of LDAP configuration, go to the section:
"Installation - OLC aka cn=config"
or to section:
"Installation - slapd.conf"

4. Add the yubiKeyUser and yubiKeyId attributes for users. This can be done manually or with the python script.

Instructions for adding the attributes manually can be found in the section:
"Storing the YubiKey IDs"

Instructions for using the python script are as follows:

- Enter the yubikey-ldap-master directory.

- Run command:

cp yubikey-ldap.conf.sample yubikey-ldap.conf

- Replace the sample values in yubikey-ldap.conf with the correct ones, matching your LDAP configuration.

- Run the script:

./yubikey-ldap

- Enter the user names and YubiKey IDs of the users for whom you want to enable YubiKey authentication.
The YubiKey ID can be entered by pressing 'Y' on your YubiKey dongle.

5. PAM configuration on NoMachine server host.

Add the following line to the authentication stack in /etc/pam.d/nx:

auth required pam_yubico.so id=12345 key="+mwBIf=pGzofqVi6j+pNhwabcdefg=" \
debug debug_file=/var/log/pam_yubico_ldap.log ldap_uri=ldap://server \
ldapdn=cn=test-group,ou=test,dc=nxtestldap,dc=local user_attr=cn yubi_attr=yubiKeyId \
mode=client urllist=https://api.yubico.com/wsapi/2.0/verify

The line above is just an example; you will need to customize it according to your specific needs.

In particular, the 'required' control keyword makes YubiKey authentication mandatory for all users connecting with the NX protocol, which may not always be what is needed.

The LDAP-specific arguments need to be adjusted to match the local LDAP configuration:
ldap_uri - URI of the LDAP server
ldapdn - DN of the directory in which the users are stored

For example:
If a user's DN (which can be obtained with ldapsearch) is cn=kratos,cn=test-group,ou=test,dc=nxtestldap,dc=local, then ldapdn should be cn=test-group,ou=test,dc=nxtestldap,dc=local.
user_attr - attribute used to identify the user; in the example above the user kratos is stored in the 'cn' attribute.
yubi_attr - attribute storing the key ID on the LDAP server (stored in LDAP in steps 3 and 4).