Re: Ad-hoc Connection escape character
On Wed, May 27, 2020 at 5:05 AM Ignacio Turegano <ignacio.tureg...@eu.equinix.com> wrote:

> Is there a way to escape characters in the url for the quickconnect
> extension?
>
> protocol://username:password@host:port/?parameters
>
> Example not working because of @ and /:
>
> rdp://guacamole:jx67YYY@Vf$YpoLkjiA/u...@fqdn.domain.com/?domain=LocalCross&security=nla&ignore-cert=true
>
> Empty password is not an option for NLA security type

Yes, you would escape it using standard HTTP escape characters: https://www.december.com/html/spec/esccodes.html

-Nick
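Percent-encoding the userinfo part of a quickconnect-style URI, as an added example that is not code from this thread or from the Guacamole quickconnect extension. It assumes only the layout quoted in the question, protocol://username:password@host:port/?parameters, and standard percent-decoding of the userinfo on the receiving side. The password is the one from the question; the host name and the parameter values are constructed for the example, and the function names are this example's own.

```python
"""
Build and parse a quickconnect-style URI with a percent-encoded
username and password.

Added example for the thread above; it is not code from the Guacamole
quickconnect extension. It assumes only the layout quoted in the
question, protocol://username:password@host:port/?parameters, and
standard percent-decoding of the userinfo on the receiving side.
"""
from urllib.parse import quote, unquote, urlsplit

# quote() never encodes the RFC 3986 unreserved set (alnum and "-._~").
# With an empty safe set everything else is encoded, so "@", "/", ":",
# "?", "#", "%", "&" and "$" (the characters that break the URL in the
# thread) can no longer be mistaken for URI syntax.
_USERINFO_SAFE = ""


def encode_userinfo(value: str) -> str:
    """Percent-encode one userinfo component (username or password)."""
    return quote(value, safe=_USERINFO_SAFE)


def build_quickconnect_uri(protocol, username, password, host, port=None, params=None):
    """Assemble the URI; every user-controlled piece is encoded separately."""
    authority = f"{encode_userinfo(username)}:{encode_userinfo(password)}@{host}"
    if port is not None:
        authority += f":{int(port)}"
    query = "&".join(
        f"{quote(k, safe='')}={quote(str(v), safe='')}"
        for k, v in (params or {}).items()
    )
    return f"{protocol}://{authority}/?{query}" if query else f"{protocol}://{authority}/"


def split_credentials(uri):
    """Recover (username, password, host, port) the way a decoder would.

    urlsplit() does not percent-decode userinfo, so decode it after the
    split; decoding first would re-introduce the "@" and "/" problem.
    """
    parts = urlsplit(uri)
    return (unquote(parts.username or ""), unquote(parts.password or ""),
            parts.hostname, parts.port)


if __name__ == "__main__":
    # Password taken from the thread; host and parameter values are constructed.
    uri = build_quickconnect_uri(
        "rdp", "guacamole", "jx67YYY@Vf$YpoLkjiA/", "fqdn.domain.com", 3389,
        {"domain": "LocalCross", "security": "nla", "ignore-cert": "true"})
    print(uri)
    print(split_credentials(uri))
```

A username that itself contains "@" (a UPN such as user@fqdn.domain.com) goes through the same encoding, so the decoder's split on the last "@" still lands on the host. Credentials placed in a URL this way end up in browser history and proxy or server logs, which is worth weighing before using the ad-hoc form with a real password.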
Re: Force rdp drive_path to something like /basepath/$user_id via guacd
At the end we've managed (had to ask a better-coder colleague) to forcefully create a random path for the drive so the user cannot set his/her path in the Guacamole WebUI.

For every session a disposable folder is created like /mnt/drive_path/1ebbeaf-a96f-4677-80 and we clear it from time to time via crontab (example for /etc/crontab to nuke folders older than 1 week):

    42 4 * * * root find /mnt/drive_path/* -type d -ctime +7 | xargs -I {} rm -rf {} > /dev/null 2>&1

Then edited "src/protocols/rdp/settings.c":

___
guac_rdp_settings* guac_rdp_parse_args(guac_user* user, int argc, const char** argv) {

    stuff

    /* Force drive path to avoid filesystem lookups: 20 characters of the
     * per-connection user ID become a disposable directory name */
    char *usn = malloc(20 + 1);
    memcpy(usn, user->user_id + 2, 20);
    usn[20] = '\0';                       /* memcpy() does not NUL-terminate */

    char *drvpath = malloc(strlen("/mnt/drive_path/") + 20 + 1);
    strcpy(drvpath, "/mnt/drive_path/");
    strcat(drvpath, usn);
    free(usn);

    /* Ignore whatever drive-path the user set in the connection and force
     * ours. settings now owns drvpath; it is released later by
     * guac_rdp_settings_free(), so it must not be free()d in this function. */
    settings->drive_path = drvpath;

    ___other_stuff_
}
___

Compiled and worked nicely. Leaving this here since someone may find it useful (or some developer can implement an "auto-generate-random-drive-path" feature).

cheers!

On Wed, May 27, 2020 at 22:29 Nick Couchman wrote:

> On Wed, May 27, 2020 at 12:54 PM Lorenzo Faleschini wrote:
>
>> Hi everyone.
>>
>> I've edited the sources of guacamole-server-1.1.0 to fit my needs, for
>> example: enable rdp drive, create drive, use NLA by default.
>> I've edited "src/protocols/rdp/settings.c" file and changed the needed
>> values (as here from 0 to 1)
>> -
>> /* Drive enable/disable */
>> settings->drive_enabled =
>> guac_user_parse_args_boolean(user, GUAC_RDP_CLIENT_ARGS, argv,
>> IDX_ENABLE_DRIVE, 1);
>> -
>>
>> configured, ran make, installed, restarted guacd --> all fine.
>>
>> Then I'm stuck at this point: since I let users create their
>> connections and they need to use drives, I don't want to let them specify
>> the path of the rdp drive. What I want is to have guacd set the correct
>> path for everyone as if they diligently typed in
>> "/correct/base/path/${GUAC_USERNAME}" in the Connection editor.
>>
>
> Yeah, if you are letting users create their own connections, then they
> will be able to define the parameters however they wish. If guacd is
> running under a non-root account you should be able to make sure that
> filesystem permissions are set such that, no matter what users define, they
> can only write to a certain set of directories.
>
>
>> I've found a way that works to hardcode a path, but I can't figure out
>> how to dynamically compose the string:
>>
>> settings->drive_path =
>> guac_user_parse_args_string(user, GUAC_RDP_CLIENT_ARGS, argv,
>> IDX_DRIVE_PATH, "");
>>
>> /* Force drive path to avoid users setting what they like or sneaking into
>> other users' dirs */
>> settings->drive_path = "/mnt/drive_path/${GUAC_USERNAME}";
>>
>> this works in the sense that whatever a user sets in the connection the
>> path is overwritten, but the variable is not parsed so I get all users in
>> /mnt/drive_path/\$\{GUAC_USERNAME\}/ folder in the filesystem (marked the \
>> escape chars to say that's what the folder is called, it's not a
>> myuser@mydomain.whatever subfolder under /mnt/drive_path).
>>
>
> The problem, here, is that ${GUAC_USERNAME}, the token for the username, is
> evaluated on the Guacamole Client side, by the Java application, and not
> within guacd. So, if you use that substitution within a connection
> parameter, by the time the parameter gets passed through to guacd the
> substitution has already been made. guacd has no knowledge of the user
> accounts used to access Guacamole Client, so it has no way of either
> substituting these items in, nor enforcing limits for where users can point
> this directory.
>
> Your best alternative in this case is to define your static top-level
> directory (/mnt/drive_path) and then append the username value
> (settings->username) to this to get the drive path. This *should* ensure
> that they cannot enter funny values in the username box to try to escape
> the directory or get access to other users' directories, because any
> attempt to do so would also mean they are never logged on to the remote
> system, and thus wouldn't ever gain access.
>
> However, I would caution that the situation you've described is not really
> fundamentally secure - if you don't trust the users to configure any/all
> options, you shouldn't allow them to create connections at all. If you
> trust the users to create connections, then you should trust them to define
> the correct values for any/all of these options. At this point in time
> Guacamole does not contain any in-between permissions sets that would a
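The "static top-level directory plus settings->username" construction from the quoted reply, as an added example that is not code from guacamole-server or from any message in this thread. The reply relies on the username doubling as the remote login name; the function below does not rely on that and instead rejects any username that is not a single, plain path component before it is joined to the base directory. DRIVE_BASE, MAX_USERNAME_LEN and the function names are this example's own assumptions; in guacd the returned string would be stored in settings->drive_path and freed by the settings free routine.

```c
/*
 * Added example, not code from guacamole-server or from this thread.
 * Builds "<base>/<username>" for the RDP drive path, as suggested in the
 * reply above, but refuses usernames that could leave the base directory.
 * DRIVE_BASE, MAX_USERNAME_LEN and the function names are assumptions.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DRIVE_BASE "/mnt/drive_path"   /* base directory used in the thread */
#define MAX_USERNAME_LEN 104           /* assumed limit; UPNs fit comfortably */

/* Characters accepted in a username that is reused as a directory name.
   '/' and '\\' are excluded so no extra path components can be injected. */
static int allowed_username_char(unsigned char c) {
    return isalnum(c) || c == '.' || c == '-' || c == '_' || c == '@';
}

/* 1 if username can safely be a single path component under DRIVE_BASE. */
int username_is_safe_component(const char* username) {
    size_t len, i;
    if (username == NULL) return 0;
    len = strlen(username);
    if (len == 0 || len > MAX_USERNAME_LEN) return 0;
    if (username[0] == '.') return 0;   /* rejects ".", ".." and dot-files */
    for (i = 0; i < len; i++)
        if (!allowed_username_char((unsigned char) username[i])) return 0;
    return 1;
}

/* Allocate "<base>/<username>", or return NULL if the username is unsafe.
   In guacd the result would be owned by settings->drive_path and released
   by the settings free routine; here the caller frees it. */
char* drive_path_for_user(const char* base, const char* username) {
    size_t n;
    char* path;
    if (base == NULL || !username_is_safe_component(username)) return NULL;
    n = strlen(base) + 1 + strlen(username) + 1;
    path = malloc(n);
    if (path == NULL) return NULL;
    snprintf(path, n, "%s/%s", base, username);
    return path;
}

/* Check helper: 1 if the path built for username equals expected;
   expected == NULL means "the username must be rejected". */
int drive_path_matches(const char* username, const char* expected) {
    char* path = drive_path_for_user(DRIVE_BASE, username);
    int ok;
    if (path == NULL) return expected == NULL;
    ok = (expected != NULL && strcmp(path, expected) == 0);
    free(path);
    return ok;
}

int main(void) {
    /* Constructed sample usernames, including the traversal attempts
       the thread worries about. */
    const char* samples[] = { "alice", "bob@corp.example", "../etc",
                              "alice/../bob", "..", "CORP\\alice", "" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char* path = drive_path_for_user(DRIVE_BASE, samples[i]);
        printf("%-16s -> %s\n", samples[i], path ? path : "(rejected)");
        free(path);
    }
    return 0;
}
```

A rejected username should abort the connection rather than fall back to a shared directory, otherwise every rejected user ends up in the same folder. Domain-qualified names in the DOMAIN\user form are rejected on purpose; Guacamole carries the domain in its own parameter, so the username field does not need the backslash.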
RE: MFA on RDP
Hi Nick,

Well at least I do have some solid information to work with. I agree it's not a good solution, but I guess we will be able to get some workaround for this.

Thanks for the info, the thread can be closed.

Kind regards,
Wesley.

From: Nick Couchman
Sent: Friday, May 29, 2020 1:55 PM
To: user@guacamole.apache.org
Subject: Re: MFA on RDP

On Wed, May 27, 2020 at 3:35 AM Wesley de Graaf <wes...@workspace365.net> wrote:

> Hi,
>
> Sometimes we encounter an issue with the default timeout on the RDP connection in Guacamole. As far as we know the default is 15 seconds. But in some cases a user has to give an MFA consent on RDP connection and then the 15 seconds are too short and the connection is closed and a reconnect attempt is started.
>
> Does anyone have a suggestion for this?

This is something I've looked into in the past - in fact, I have a JIRA issue opened for the ability to configure timeouts. Unfortunately, the way RDP support works in Guacamole, leveraging the FreeRDP libraries, it relies on the FreeRDP libraries for the ability to set things like timeout, and the FreeRDP library does not support that, and they have basically refused to implement it. So, I'm not sure there's a good answer for this today, except to educate users that they'd better have MFA ready when they log in so that they can hit that 15 second window. And, yes, I know that's not a good answer.

-Nick
RDP enable-printing for Windows 7 servers
Hi,

I've noticed that enabling printing via PDF redirection works fine for most of my RDP servers except Windows 7. Are there issues enabling PDF printing on this OS?

I configured this for the sessions:

guacConfigParameter: enable-printing=true
guacConfigParameter: printer-name=Local PDF

and I see this in the log:

guacd[17268]: Registered device 0 (Local PDF)
guacd[17268]: All supported devices sent.
guacd[17268]: Device 0 (Local PDF) connected successfully

However, the Windows 7 machines do NOT have the "Local PDF" printer. Windows 10, Windows 2012, 2016 and 2003 are all listing this printer just fine.

Are there any known issues, or is there anything I can check on the Windows 7 machines?

Regards,

Vieri
Re: MFA on RDP
On Wed, May 27, 2020 at 3:35 AM Wesley de Graaf wrote:

> Hi,
>
> Sometimes we encounter an issue with the default timeout on the RDP
> connection in Guacamole. As far as we know the default is 15 seconds.
> But in some cases a user has to give an MFA consent on RDP connection and
> then the 15 seconds are too short and the connection is closed and a reconnect
> attempt is started.
>
> Does anyone have a suggestion for this?

This is something I've looked into in the past - in fact, I have a JIRA issue opened for the ability to configure timeouts. Unfortunately, the way RDP support works in Guacamole, leveraging the FreeRDP libraries, it relies on the FreeRDP libraries for the ability to set things like timeout, and the FreeRDP library does not support that, and they have basically refused to implement it. So, I'm not sure there's a good answer for this today, except to educate users that they'd better have MFA ready when they log in so that they can hit that 15 second window. And, yes, I know that's not a good answer.

-Nick
Re: Need help to disable clipboard
On Fri, May 29, 2020 at 6:34 AM Madhukar Bhosale wrote:

> Hi,
>
> Please help me to disable clipboard in Guacamole.

Support has been merged into the code, and it'll be in the 1.2.0 release: https://issues.apache.org/jira/browse/GUACAMOLE-381

-Nick
AW: Need help to disable clipboard
Hi Madhukar,

I think this has been discussed several times already – there is no way to prevent malicious users from disclosing data if they really want to. If the clipboard is disabled they just have to use other means.

Probably this is the top candidate for a FAQ…

Best Regards,
Joachim

From: Madhukar Bhosale
Sent: Friday, May 29, 2020 12:34 PM
To: user@guacamole.apache.org
Subject: Need help to disable clipboard

Hi,

Please help me to disable clipboard in Guacamole.

Regards
Madhukar
Need help to disable clipboard
Hi,

Please help me to disable clipboard in Guacamole.

Regards
Madhukar