I'd agree that the nx user's authorized_keys file should contain this directive by default if it isn't needed by the protocol. Do you know the right place to post a bug?
I do, but this is something I only now realized. Still experimenting with how to fix this...
I think the following in /var/lib/nxserver/home/.ssh/authorized_keys2 works correctly and only leaves a resource DoS (while fixing the port forwarding and other issues):
For each (client host, key) pair enter:
from="client.fqdn",command="/usr/bin/nxserver",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-dss AAAA...== anyone@client.fqdn
[You can also use an IP instead of client.fqdn.]
For each global key enter (i.e. a key which works from any IP):
command="/usr/bin/nxserver",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-dss AAAA...== anyone@anywhere
Using ssh-dss for DSA keys and ssh-rsa for RSA keys (I think RSA is better if I recall the latest discussions).
Cheers, MaZe.
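As an added example (not part of the posts above and not NX's own code), this Python script checks an authorized_keys file for the restrictions proposed in the thread: the forced `/usr/bin/nxserver` command and the four `no-*` options on every key. The names `parse_options` and `audit` are hypothetical, the sample file is constructed with placeholder key material, and only the two key types mentioned in the post are recognised.

```python
import re

# Restrictions the post puts on every key of the nx user (names lower-cased).
REQUIRED_FLAGS = {"no-port-forwarding", "no-x11-forwarding",
                  "no-agent-forwarding", "no-pty"}
KEY_TYPES = ("ssh-dss", "ssh-rsa")  # the two key types the post mentions

# One option: name, optional ="value" (value may contain commas), separator.
OPTION_RE = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?(?:,|\s+|$)')

def parse_options(line):
    """Return the options that precede the key type as a dict."""
    line, opts, pos = line.strip(), {}, 0
    while not line.startswith(KEY_TYPES, pos):
        m = OPTION_RE.match(line, pos)
        if not m:
            raise ValueError("unparseable entry")
        opts[m.group(1).lower()] = True if m.group(2) is None else m.group(2)
        pos = m.end()
    return opts

def audit(text, forced_command="/usr/bin/nxserver"):
    """Return (line number, problem) pairs for entries missing a restriction."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        try:
            opts = parse_options(raw)
        except ValueError as exc:
            findings.append((n, str(exc)))
            continue
        if opts.get("command") != forced_command:
            findings.append((n, "no forced command " + forced_command))
        findings += [(n, "missing " + f) for f in sorted(REQUIRED_FLAGS - set(opts))]
    return findings

# Constructed sample; key material is a placeholder, as in the post.
SAMPLE = """\
# nx user keys
from="client.fqdn",command="/usr/bin/nxserver",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-dss AAAA...== anyone@client.fqdn
command="/usr/bin/nxserver",no-port-forwarding,no-pty ssh-rsa AAAA...== anyone@anywhere
ssh-rsa AAAA...== anyone@anywhere
"""

if __name__ == "__main__":
    for lineno, problem in audit(SAMPLE):
        print(f"line {lineno}: {problem}")
```

Keys without a `from=` option are not flagged, since the post allows global keys.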