It is said in NoMachine NX setup and FreeNX ubuntu setup article that using the default SSH key for NX server is bad for security. How much is it bad?
Is it the case that the default SSH key is the same for every NX user in the world and everybody can login to an NX server which uses the default key?
It is only the NX 'server' and 'client' processes that uses a special user account named "nx". These accounts serve to setup the initial stage of the connection and use the keypair you mention, and this is all before the real user login happens. That key is NOT used for login of the real NX session user.
Once that initial stage is completed, there exists a secure, encrypted channel. It is then this encrypted channel (established with the help of the default NX SSH key) that is used to do the real user login.
Hence, with only knowing the default SSH key, nobody can login to an NX server. He can only start the initial 'handshake' phase and is then stucked.
That is just like if you login to a HTTPS server, which pops up the username+password dialog box... [And would you consider that to be particularly insecure: a password dialog box popping up before the HTTPS user login is completed?]
Of course, for a warm feeling of additional safety, you can create your own key and replace the default NX/NoMachine keys -- best if you create a separate keypair for each different NX server. Hmmm.... this user-known key(s) then you must distribute to all users of your respective NX servers. And you must now start to do more administrative work to manage all the keys for the different NX servers. Additional security comes with additional work....
To my knowledge, when you setup NoMachine it generates a key the same way the openssh-server package does, so I don't believe it is a problem there.
I haven't used FreeNX in a long time, so if it does in fact just use a bundled key instead of generating one, then it's obviously not the most secure thing in the world, and I would generate a new one.
Depends on what you want. If you merely want transport security, the default keys are sufficient. If you want user authentication, then you should not only use custom keys, you should only allow logins from authorised keys. The two issues are different.
The FreeNX server installation creates a user called nx during installation. If you stick with the default SSH key, anyone who knows the host name or IP address of your machine will be able to log into your server as the nx user with the default SSH key.
This is a particular risk if your machine is accessible from the internet, so you should create your own custom SSH key using the instructions at the bottom of the Ubuntu article.