When accessing the NX remote desktop service at nx.reading.ac.uk:4443 from off-campus, you may be prompted to enter a one-time “Authorization Code.” This code is either generated by an authentication app (if configured) or sent to your University of Reading (UoR) email address.
Off-campus access to NX requires prior registration. If you’re not registered, then once you have entered your UoR credentials and they have been verified, you’ll receive an error message similar to:
If you’ve entered your password correctly but still see this message, you need to request access. Submit a ticket to the Digital Technology Services (DTS) to be added to the arc-remote-users group, which grants access to Linux/ARC remote services, including NX.
Important: Use your UoR email address or the self-service portal to submit your request. This ensures we can verify the authenticity of your application. Additional verification steps may be necessary in some cases.
When connecting from the UoR campus network, via VPN, or through arc-ssh.reading.ac.uk, only your UoR password is required—no additional authentication is needed.
After successfully entering your UoR password, you’ll be prompted for an authorization code, like in the following example:
If you haven’t set up an authenticator app, a 6-digit code will be sent to your university email with the subject line: arc-remote.reading.ac.uk off-campus access
To proceed:
Open the email and locate the 6-digit code.
Enter this code into the “Authentication code” field.
If the code is mistyped or expires, a new code will be sent automatically.
Note: The code is valid only for the current authentication attempt and expires after 60 seconds. Ensure your email client is open and ready to receive the code to avoid delays. If the code expires, you’ll need to restart the login process to receive a new code.
New users of UoR Linux systems can stop here and just use the email codes to log in. However, we recommend that all users, once they have some experience in using our systems, set up a more robust method for two-factor authentication. The authentication method described in the next section replaces the email code authentication.
For a more reliable and efficient authentication method, we recommend setting up an authenticator app on your mobile phone, such as Microsoft Authenticator (this is preferred because it is already used with other UoR services) or Google Authenticator. Once configured, these apps generate time-based codes, eliminating the need for email-based authentication.
We recommend replacing email codes with Google Authenticator codes because email is not a reliable way to deliver the authentication code on time. There is a risk you might not be able to log in when there is some delay with your email delivery. Note that the authentication code for NX is the same as the one used by arc-ssh, so if you have already set up arc-ssh you just use those codes.
Some additional information: The general idea of Google Authenticator is as follows: A secret key is placed in a file on the server. On the ACT systems using this method of authentication, the file is located at /var/authenticator/<UoR username>/.google_authenticator. The secret key is also transferred to your mobile device when you scan the QR code (you can also achieve this by copying the secret key by hand, or by using the URL to have the QR code displayed in a web browser), and it is stored in the authenticator app. The secret key plus the current time is used to generate time-based verification codes. Comparing those verification codes confirms the identity of the device used to authenticate the connection.
Setup Instructions:
1. Install the Microsoft Authenticator or Google Authenticator app on your mobile device (both apps are compatible and the setup instructions are the same in both cases).
2. Log in to the NX service and open a terminal window. Alternatively, you can also follow the same process on arc-ssh.
3. Run the setup script /usr/local/bin/google-authenticator to generate a QR code (see the example below).
4. Scan the QR code using your authenticator app to link your account.
Once set up, your authenticator app will generate 6-digit codes required for future logins. This method is also compatible with arc-ssh.reading.ac.uk, allowing for a unified authentication approach across our remotely accessible servers.
We initially log in to https://nx.reading.ac.uk:4443 using the email code as the two-factor authentication method. Once we are connected, we open a MATE terminal and run the script that replaces the email codes with Google Authenticator codes, as follows:
ab123456@nxnode3:~$ /usr/local/bin/google-authenticator
Warning: pasting the following URL into your browser exposes the OTP secret to Google:
  https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl=otpauth://totp/ab123456@arc-remote.reading.ac.uk%3Fsecret%3DFOO3L3KAPLYPSA7WG3D6YSJBAA%26issuer%3Darc-remote.reading.ac.uk
Your new secret key is: FOO3L3KAPLYPSA7WG3D6YSJBAA
Your verification code is 843654
Your emergency scratch codes are:
  27275024
  33549668
  50127586
  91900156
  28478521
It makes sense to save a copy of the emergency scratch codes. You can use them in case you are not able to log in with the standard, time-based verification codes.
The URL, the QR code and the secret key all contain the same secret; they should not be revealed, printed or stored in a file.
If you have problems with the QR code displayed in the text console, you can use the provided URL, or you can copy the secret key as text. The configuration script is modified to store the Authenticator files in a custom shared location, not in your shared home directory. This way, the secret used for off-campus authentication is more secure, and setting it up on NX or arc-ssh will not affect how you log in to other UoR services.
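The mechanism described above (secret key plus current time yields the code), and the reason the URL has to be kept as private as the key itself, shown as an added example that is not part of the original page or of the google-authenticator code: it recovers the secret from the example URL printed above and computes RFC 6238 codes from it. The 30-second step, 6 digits and HMAC-SHA1 are the standard authenticator-app defaults; the `window` tolerance and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlsplit

# Example URL as printed in the terminal output on this page (not a live credential).
CHART_URL = ("https://www.google.com/chart?chs=200x200&chld=M|0&cht=qr&chl="
             "otpauth://totp/ab123456@arc-remote.reading.ac.uk"
             "%3Fsecret%3DFOO3L3KAPLYPSA7WG3D6YSJBAA"
             "%26issuer%3Darc-remote.reading.ac.uk")


def secret_from_chart_url(url):
    """Anyone who sees the URL can read the base32 secret straight out of it."""
    otpauth = parse_qs(urlsplit(url).query)["chl"][0]   # percent-decoded otpauth:// URI
    return parse_qs(urlsplit(otpauth).query)["secret"][0]


def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 code: HMAC-SHA1 over the number of `step`-second intervals since 1970."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # apps omit '=' padding
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", int(unix_time) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                     # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, submitted, unix_time, window=1, step=30):
    """Server-side comparison; `window` (assumed) tolerates clock drift in steps."""
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * step, step)
        ok |= hmac.compare_digest(expected, submitted)          # constant-time compare
    return ok


if __name__ == "__main__":
    import time
    secret = secret_from_chart_url(CHART_URL)
    print("secret recovered from URL:", secret)
    print("code for the current 30-second interval:", totp(secret, time.time()))
```

Because the code depends only on the secret and the clock, the phone and the server never exchange anything at login time; a phone whose clock is badly wrong will produce codes the server rejects.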
Note that every time you run the script, a new secret code is created and the old one is overwritten. That means that each time you run the script, you need to scan the QR code again.
If you want to revert to using email codes, you will need to remove the file /var/authenticator/<UoR login>/.google_authenticator.