VNC is the most popular remote access solution today. However, it was developed to provide remote access, not secure remote access. Administrators have to add security to VNC by tunneling it through an encrypted channel such as SSH and adding a layer of authentication. In this article, we will show you how to combine the NoMachine NX server, which encrypts VNC and remote X sessions, with two-factor authentication from WiKID Systems to create a secure, fast remote access solution.
NoMachine and WiKID
NoMachine is a Terminal Server and Remote Access solution optimized for speed and security. All connections are piped through SSH. NoMachine is far faster than just piping VNC through SSH thanks to their compression algorithms. Plus, they offer RDP and Remote X sessions and clients for Windows, Mac & Linux.
WiKID is a dual-source two-factor authentication system optimized for security and ease-of-use. WiKID uses public-key cryptography instead of shared secrets like most hardware-based solutions. WiKID relies on validation of a user-selected PIN at the server, making it stronger and much more manageable than certificates. In this configuration, WiKID will handle user authentication and NoMachine will handle tunnel encryption and compression. For VNC, I am using RealVNC’s Personal Edition. I did nothing to configure it except add a password for authentication, so its setup is not covered here. Both the WiKID server and your SSH/NoMachine server should be in the DMZ, with one card accepting connections from the Internet for client connections and the other configured for LAN access to exchange authentication requests and VNC connections respectively.
Configuring the WiKID Server
Here’s how it will work: to access to a remote desktop, start the NX client and enter a WiKID one-time passcode and username. The user generates the one-time passcode on their WiKID token and enters it into the password prompt. SSH will route the username and one-time password to the WiKID server via pam radius. If the username and one-time password match what WiKID expects, the server will tell SSH to grant access. The NX client will then send the VNC password to the target VNC box.
First, we add the SSH/NoMachine box to the WiKID Strong Authentication Server as a network client, then configure PAM radius on the SSH/NoMachine server. I assume that you have already configured the WiKID server. More information on how to install and configure WiKID can be found here.
Start by creating a domain for remote access users:
- Log into the WiKID server web interface (http://yourwikidserver/WiKIDAdmin).
- Click on the Domains Tab
- Click on Create a New Domain
- Fill in the form for a new domain. Leave “Registered URL:” blank; that is only for SSL-based mutual authentication. Also do not check “Use TACACS+” or “Password Reset Domain:”. Passcode lifetime should be set long enough for the user to be able to log in. The default is 60 seconds, but you can increase it. The default PIN length is 6 digits, but you can set it to 4 if you prefer. “Device Domain Name” is what the user sees on the token client.
- Click the “Create” Button
Now add a new Radius network client to the WiKID server that points to your SSH/NoMachine server:
- Select Network Clients tab.
- Click on Create New Network Client
- Fill in the requested information.
- For the IP Address, use the SSH/NoMachine server IP address
- For Protocol, select Radius
- Hit the Add button, and on the next page, enter a shared secret
- Do not enter anything into the Return Attribute box
- From the terminal or via ssh, run ‘stop’ and then ‘start’ to load the network client into the built-in WiKID radius server
That is it for the WiKID server. You can add users manually as the administrator or set up scripts in a secure location (your LAN, e.g.) to allow users to add their own tokens.
Configuring NoMachine and SSH
For this example, we’re using the NX Server Free Edition, which is very simple to configure – in fact it works out of the box. It is limited to 2 concurrent users, so companies will want to look to their Enterprise editions. Download the Server, NX node and client from their download site and install:
rpm -ivh nx*
Now, we configure SSH to use Radius:
First, you need to install PAM Radius. There is excellent documentation on this at the PAM Radius home page. Depending on your distribution, you might also be able to find a suitable binary.
Edit /etc/pam.d/sshd to allow Radius authentication:
Go to the second line of the file, hit the Insert key or the i key and insert this line:
auth required /lib/security/pam_radius_auth.so
just above this line:
auth required pam_stack.so service=system-auth
The “required” control flag makes the two-factor check mandatory for SSH logins. Because we are only editing the sshd file, it will not affect terminal log-ins.
Write the file and quit. Hit the Esc key to exit insert mode and type :wq
Edit or create your /etc/raddb/server file:
Below the line:
127.0.0.1 secret 1
Add this line, substituting the IP Address of the WiKID server:
routableIPaddress shared_secret 1
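Before restarting sshd, it is worth verifying that the two files edited above look the way this section describes. The following shell script is an added example, not from the original article or from the pam_radius project: it checks that the pam_radius_auth.so line is present, marked required and placed above the system-auth stack line, that /etc/raddb/server contains a real WiKID entry rather than only the loopback placeholder, and that the file holding the shared secret is not group- or world-readable. The file paths, the 192.0.2.10 address and the secret are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check the two files
# edited above before relying on SSH logins going through WiKID. File paths are
# passed in so the checks can run against copies; all sample data is constructed.
# 0 if FILE has "auth required ... pam_radius_auth.so" placed above the
# "auth required pam_stack.so service=system-auth" line, as the article shows.
check_pam_sshd() {
    f="$1"
    r=$(grep -n -E '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^[:space:]]*pam_radius_auth\.so' "$f" | head -n 1 | cut -d: -f1)
    s=$(grep -n -E '^[[:space:]]*auth[[:space:]]+required[[:space:]]+[^[:space:]]*pam_stack\.so' "$f" | head -n 1 | cut -d: -f1)
    [ -n "$r" ] && [ -n "$s" ] && [ "$r" -lt "$s" ]
}

# 0 if the pam_radius server file names at least one non-loopback server with
# a secret that is not the placeholder and a numeric timeout (server secret timeout).
check_raddb_server() {
    awk '/^[[:space:]]*#/ || NF < 3 { next }
         $1 != "127.0.0.1" && $2 != "secret" && $2 != "shared_secret" && $3 ~ /^[0-9]+$/ { ok = 1 }
         END { exit ok ? 0 : 1 }' "$1"
}

# 0 if FILE (it holds the RADIUS shared secret) is unreadable by group and others.
check_secret_perms() {
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# Constructed samples: a correct and an incorrect version of each file. The bad
# sshd stack has the wrong order and uses "optional", which lets a failed RADIUS
# check through; the bad server file still has only the loopback placeholder.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '#%PAM-1.0' \
        'auth required /lib/security/pam_radius_auth.so' \
        'auth required pam_stack.so service=system-auth' > "$d/sshd.good"
    printf '%s\n' '#%PAM-1.0' \
        'auth required pam_stack.so service=system-auth' \
        'auth optional /lib/security/pam_radius_auth.so' > "$d/sshd.bad"
    printf '%s\n' '127.0.0.1 secret 1' '192.0.2.10 example-shared-secret 3' > "$d/server.good"
    chmod 600 "$d/server.good"
    printf '%s\n' '127.0.0.1 secret 1' > "$d/server.bad"
    chmod 644 "$d/server.bad"
    echo "$d"
}

dir=$(make_samples)
for f in sshd.good sshd.bad; do
    check_pam_sshd "$dir/$f" && echo "$f: ok" || echo "$f: FAIL"
done
for f in server.good server.bad; do
    check_raddb_server "$dir/$f" && check_secret_perms "$dir/$f" && echo "$f: ok" || echo "$f: FAIL"
done
```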
Configuring the clients
If you haven’t already, you can download a copy of the WiKID open-source token client. The first time you launch the token client, you need to create a passphrase. Once started, select Actions and Create New Domain
Enter the 12 digit domain identifier and the public key will be sent to the WiKID server. You will be prompted for a PIN.
The WiKID server will store the PIN and return a registration code.
At this point, the account has been created on the WiKID server, but it is not active. You can create self-service registration pages for users based on existing trusted credentials or out-of-band mechanisms, but in this case we will manually validate the user on the WiKID server. From the WiKIDAdmin web interface, click on Users and then Manually Validate A User. Click on the Registration Code and enter a user name.
Configuring the NX Client
While these screen shots are from Linux, the setup for Windows is very similar. Start the NX Connection Wizard. First, create a name for the session and enter the IP address or name of the SSH/NoMachine server:
Click Next, and select VNC as the connection method:
Enter the internally routable IP address of the target PC and the VNC password. Remember, this connection is between the NX server and the target VNC box; it should occur inside your firewall.
Select “Create a shortcut on the Desktop” and click Finish.
Testing the Setup
Now, start the WiKID Token client, select the domain you created and enter your PIN:
You will get a WiKID one-time passcode back:
Enter the WiKID one-time passcode into the NX client password box:
You will see NX connecting:
Once authenticated, NX will launch giving you a secured, strongly authenticated VNC session.
Security always involves trade-offs and it’s never perfect. Users want all the power they have inside the firewall outside the firewall. By combining NoMachine’s NX server, WiKID’s two-factor authentication and VNC, you can give users remote access without sacrificing security or speed.
Links of interest:
- WiKID’s two-factor authentication system
- Real VNC