Proper SSL/Encryption Setup Other Than for HTTPS?

2020-07-10 Thread Zer0Cool
Guac 1.2.0
Nginx: 1.18.0
Tomcat: 9.0.37
(CentOS/RHEL 8.x)

I am not talking about HTTPS in relation to accessing the domain/ip via a
browser, this I have setup and working via Nginx.

I am asking about:

1) Encryption between the guac client and guac server (guacd) via the guacd-ssl
property in guacamole.properties
2) Encryption between Tomcat and Guac, via the server.xml file for Tomcat in
a connector tag
3) Encryption for the MariaDB database via the mysql-ssl-* properties in
guacamole.properties (using MariaDB and MariaDB Connector/J)

So the gist of the above is basically: what's the proper approach to each?

In more detail...

For #1:
https://guacamole.apache.org/doc/gug/configuring-guacamole.html says:

"guacd-ssl...Note that if you enable this option, you must also configure
guacd to use SSL via command line options. These options are documented in
the manpage of guacd. You will need an SSL certificate and private key."

Would this mean it's necessary to modify the guacd service (when set to
enabled/auto start) to use certain switches in the commands used to launch
it?

What's the proper place to put the keys (import to JKS or place in a dir, etc.)?

Most importantly, how do you confirm this is working once configured?

For #2:
I know in server.xml I can have a connector set to use TLS/https, etc. Would
I do this on the connector entry for port 8080 (not encrypted by default) or
would I do this as another connector block using another port (like 8443)
and then modify my Nginx config proxy_pass parameters to use 8443 (Ex:
proxy_pass http://${GUAC_LAN_IP}:8443/guacamole/;)?

Again, how would I confirm communication was being encrypted properly after
setting this up?

For #3:
https://guacamole.apache.org/doc/gug/jdbc-auth.html says:

"mysql-ssl-mode...This property sets the SSL mode that the JDBC driver will
attempt to use when communicating with the remote MySQL server..."

My concern here is it states "remote" server. My MariaDB database for
guacamole is on the guacamole server, do these settings still apply then?

As with before, how can it be confirmed that encryption is working here?

Thanks



--
Sent from: 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org



Re: Re-Authenticate Google TOTP on New Device

2020-07-10 Thread Nick Couchman
On Fri, Jul 10, 2020 at 9:39 AM eunosm3 wrote:

> I bought a new device, so I will lose access to the codes displayed by
> Google Authenticator that I use for 2FA when I log into my Guacamole site.
> How do I set up the google authenticator on my new device so it works with
> my pre-existing setup?  Is it a matter of displaying the QR code again?
> Something different?  idk.
>
> I suppose I could remove the totp extension, restart guacd, add the
> extension back and restart guacd again.  Any other methods, though?
>

See: https://issues.apache.org/jira/browse/GUACAMOLE-770

-Nick


Re: Is Guacamole RESTAPI AuthToken stored in memory ?

2020-07-10 Thread Nick Couchman
On Fri, Jul 10, 2020 at 6:26 AM faris backer wrote:

> Hi,
> We have deployed the guacamole container under ECS Fargate with a load
> balancer in front of it.
>
> While invoking the REST API we are getting an authentication (403) failure.
> The AuthToken was generated successfully, but further requests with the
> authtoken failed with a 403 error. By deep diving we understood that it's
> because both requests were going to different containers. The authtoken
> generated was only valid for the container in which it was invoked.
>
> Is the authtoken saved in memory? Can the authtoken be used for both
> containers?
>
>
Yes, the auth token is currently only stored in-memory.  There have been
discussions about finding other ways to store both auth tokens and
connection information, but no significant progress.  See:

https://issues.apache.org/jira/browse/GUACAMOLE-283


> Workaround as of now, I am planning is to use cookies with request and
> enable stickiness in loadbalancer.
>
>
That seems like a reasonable approach.

-Nick


RE: include a web browser in Guacamole

2020-07-10 Thread Tushar Jain
Stephane,

As per your initial requirement (and if I have understood it correctly), you
have to open a web browser as a connection within Guacamole. Guacamole has an
excellent feature, RemoteApp, which helps you do that. I have tried the same
myself and it works. You could have web applications which may work only on
your internal network or anywhere in the world, but your Guacamole server
should be able to access them. You could then publish the link of your
web application as a browser shortcut on a Windows Session Host (what I tried
with) and then create a Guacamole connection with RemoteApp configured. And if
it's just a browser that you want to publish (and not a web application), you
could do that too. The only thing which you would have to ensure is the network
connectivity between your Guacamole server and the application server where
your web application(s) are hosted.

If how the end-user would perceive a browser within a browser is not something 
you are concerned about, this should work for you as well.

Maybe there are better ways to do the same, but I have tried this and it works 
for me.

-Original Message-
From: stephane.lhotellier [mailto:stephane.lhotell...@cgi.com] 
Sent: 10 July 2020 01:45 PM
To: user@guacamole.apache.org
Subject: Re: include a web browser in Guacamole


Hello,
I'm sorry Tushar Jain, but I agree with the opinions of Vieri-2, vnick and
shr0ded.
My users (around 300 today) need to connect not to internal resources, but to
servers at customers' sites or in data centers (a few thousand). I therefore
cannot use a simple reverse proxy.

To keep it simple, I mainly have 2 departments:
- Integration
- Hotline

2 types of environments:
- production
- pre-production

3 types of connections:
- RDP (less and less)
- SSH
- web (HTTP and HTTPS) (for applications, CUPS, ...)

The hotline must have access to all production environments.

The integration department is divided into teams per customer.
People working on customer A must not have access to customer B, but the
integration team must have access to both production and pre-production.

In this sense, having a web browser inside Guacamole (like the RDP or VNC
client), or at least a display of URLs to serve as links, would be a good
addition.
It would give access to more possibilities, a bit like what is done in
mRemoteNG with external tools.







Re: LDAP Authentication not working

2020-07-10 Thread sougatasen
Thanks for the reply. I am using Windows AD, not Azure AD, and I also tried
with MySQL on Ubuntu. The MySQL authentication works well, but the LDAP
authentication still gives me the same error:

WARN o.a.g.e.AuthenticationProviderFacade - The "ldap" authentication provider
has encountered an internal error which will halt the authentication
process. If this is unexpected or you are the developer of this
authentication provider, you may wish to enable debug-level logging. If this
is expected and you wish to ignore such failures in the future, please set
"skip-if-unavailable: ldap" within your guacamole.properties

I have configured the logs to be at the debug level, but could not find
anything helpful in either catalina.out or syslog.




AW: Re-Authenticate Google TOTP on New Device

2020-07-10 Thread Walter Laub
Take this script of mine, guacamole_resetTOTP.sh:
Try also the hidden option "-s".

#!/bin/bash
# wla, 06.06.2020: created
#
# Usage: guacamole_resetTOTP.sh GUAC_USER [-s]
#   -s  print the stored TOTP secret (guac-totp-key-secret) instead of resetting

if [[ "$#" = "0" || "$#" -gt 2 || "$1" = "-h" ]] ; then
  echo "$0 GUAC_USER [-s]"
  exit 0
fi

SQL=/usr/bin/mysql
DB=guacamole
USER="$1"

# check if user exists: the user name lives in guacamole_entity, the user row in guacamole_user
echo -e "Check user \"${USER}\" ... \c"
ENTITY_ID=$(${SQL} ${DB} -Bse "select entity_id from guacamole_entity where name='${USER}';")
test -n "${ENTITY_ID}" && USER_ID=$(${SQL} ${DB} -Bse "select user_id from guacamole_user where entity_id='${ENTITY_ID}';")

if [[ -z "${ENTITY_ID}" || -z "${USER_ID}" ]] ; then
  echo -e "Not exist ... exit\n"
  exit
else
  echo -e "Found\n   user ${USER}, entity_id=${ENTITY_ID}, user_id=${USER_ID}\n"
fi


# before reset: guac-totp-key-confirmed is only present once the user has completed enrollment
IS_TOTP=$(${SQL} ${DB} -Bse "select attribute_value from guacamole_user_attribute where attribute_name='guac-totp-key-confirmed' and user_id='${USER_ID}';")
if [ -z "${IS_TOTP}" ] ; then
  echo "No TOTP initialization found for user \"${USER}\" ... nothing to do ... exit"
  exit
else
  if [ "$2" = "-s" ] ; then
    # dump the secret to stdout
    ${SQL} ${DB} -Bse "select attribute_value from guacamole_user_attribute where attribute_name='guac-totp-key-secret' and user_id='${USER_ID}';"
    exit
  fi
  echo -e "TOTP configured before reset: ${IS_TOTP}"
fi


# ask
read -p "Reset TOTP for user ${USER}? [ (y)es/(n)o ]: " KEY
if [ "${KEY}" != "y" -a "${KEY}" != "Y" ] ; then
  echo -e "Cancel ...\n"
  exit 0
fi

# drop only the TOTP attributes (the original deleted every attribute row of the user);
# a new secret will be generated at the user's next login
${SQL} ${DB} -Bse "delete from guacamole_user_attribute where user_id='${USER_ID}' and attribute_name like 'guac-totp-%';"

# after reset
IS_TOTP=$(${SQL} ${DB} -Bse "select attribute_value from guacamole_user_attribute where attribute_name='guac-totp-key-confirmed' and user_id='${USER_ID}';")
if [ -n "${IS_TOTP}" ] ; then
  echo "!!! Error, please check ... !!!"
  exit 1
else
  echo "TOTP reset for user \"${USER}\" was successful!"
fi

echo ""




RE: Re-Authenticate Google TOTP on New Device

2020-07-10 Thread Wuhrlin, Alain
Hello

Search for the key in the database:

select guacamole_user.user_id, guacamole_user.entity_id, name, attribute_value
from guacamole_entity, guacamole_user, guacamole_user_attribute
where guacamole_user_attribute.user_id = guacamole_user.user_id
  and guacamole_user.entity_id = guacamole_entity.entity_id
  and attribute_name = 'guac-totp-key-secret'
  and name like 'user_name';

and manually enter the key in Google Authenticator.


-Message d'origine-
De : eunosm3  
Envoyé : vendredi 10 juillet 2020 15:39
À : user@guacamole.apache.org
Objet : Re-Authenticate Google TOTP on New Device

I bought a new device, so I will lose access to the codes displayed by Google 
Authenticator that I use for 2FA when I log into my Guacamole site.  How do I 
set up the google authenticator on my new device so it works with my 
pre-existing setup?  Is it a matter of displaying the QR code again? 
Something different?  idk.  

I suppose I could remove the totp extension, restart guacd, add the extension 
back and restart guacd again.  Any other methods, though?





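The two replies above recover the value stored as guac-totp-key-secret in guacamole_user_attribute and re-enter it in the authenticator app. As an added example (not code from this thread or from Guacamole), the Python below shows what that stored value is: a base32 key from which the app derives its codes. It assumes the extension's defaults (RFC 6238 with HMAC-SHA1, 6 digits, 30-second steps) and that the attribute is base32-encoded; it builds the otpauth:// URI an administrator can render as a fresh QR code, and checks a code typed on the new device against the recovered secret so the secret can be confirmed before deciding between re-enrollment and a reset.

```python
"""Turn a recovered guac-totp-key-secret value into an enrollment URI and verify codes against it."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# Assumed to match the Guacamole TOTP extension defaults: SHA1, 6 digits, 30-second period.
ALGORITHM = "SHA1"
DIGITS = 6
PERIOD = 30


def normalize_secret(secret_b32: str) -> str:
    """The stored attribute is assumed to be RFC 4648 base32, possibly unpadded or with spaces."""
    s = secret_b32.strip().replace(" ", "").upper()
    return s + "=" * (-len(s) % 8)


def totp_code(secret_b32: str, unix_time: int) -> str:
    """RFC 6238: HMAC-SHA1 over the 30-second step counter, dynamically truncated to 6 digits."""
    key = base64.b32decode(normalize_secret(secret_b32))
    counter = unix_time // PERIOD
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** DIGITS)).zfill(DIGITS)


def otpauth_uri(secret_b32: str, username: str, issuer: str = "Apache Guacamole") -> str:
    """Enrollment URI; rendered as a QR code it lets the user re-add the account on a new device."""
    label = f"{quote(issuer, safe='')}:{quote(username, safe='')}"
    secret = normalize_secret(secret_b32).rstrip("=")
    return (f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer, safe='')}"
            f"&algorithm={ALGORITHM}&digits={DIGITS}&period={PERIOD}")


def verify_code(secret_b32: str, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code of the current step or +/- `window` steps (clock skew), compared in constant time."""
    candidate = candidate.strip()
    return any(
        hmac.compare_digest(totp_code(secret_b32, unix_time + PERIOD * step), candidate)
        for step in range(-window, window + 1)
    )


if __name__ == "__main__":
    # Constructed sample standing in for a real guac-totp-key-secret row (the RFC 6238 test key).
    recovered = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(otpauth_uri(recovered, "alice"))
    print("code for the current step:", totp_code(recovered, int(time.time())))
```

Compare the printed code with the one the new device shows for the same account; a match confirms the recovered secret is the right one, and a mismatch usually means the value is for another user or is not the raw base32 key.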



Re-Authenticate Google TOTP on New Device

2020-07-10 Thread eunosm3
I bought a new device, so I will lose access to the codes displayed by Google
Authenticator that I use for 2FA when I log into my Guacamole site.  How do
I set up the google authenticator on my new device so it works with my
pre-existing setup?  Is it a matter of displaying the QR code again? 
Something different?  idk.  

I suppose I could remove the totp extension, restart guacd, add the
extension back and restart guacd again.  Any other methods, though?






RE: include a web browser in Guacamole

2020-07-10 Thread stephane.lhotellier
Tushar Jain
If I understand correctly, you suggest that I publish my webapps through
RDP.
The problem is that we are eliminating our Windows servers.
Our goal is to have a free shared connection manager.

We had some (homemade) which used RMI technology to start sessions on
client workstations. But the use of RMI is now prohibited, so I am trying to
recreate it as a full web application.

I understand your approach very well, but it does not match my constraints.
It's a good idea when you have an RDP server.

I think I will submit an evolution request to integrate at least the
provision of web links, or at best the integration of a web browser. The
integration of the browser would also bring the possibility of using a
remote guacd to pass the firewalls.

Stephane






Is Guacamole RESTAPI AuthToken stored in memory ?

2020-07-10 Thread faris backer
Hi,
We have deployed the guacamole container under ECS Fargate with a load
balancer in front of it.

While invoking the REST API we are getting an authentication (403) failure.
The AuthToken was generated successfully, but further requests with the
authtoken failed with a 403 error. By deep diving we understood that it's
because both requests were going to different containers. The authtoken
generated was only valid for the container in which it was invoked.

Is the authtoken saved in memory? Can the authtoken be used for both
containers?

The workaround I am planning as of now is to use cookies with the request and
enable stickiness in the load balancer.

Thanks,
- Faris






Re: Altgr Key not working as expected in version 1.2.0

2020-07-10 Thread faris backer
Thanks. I did try the workaround of using the Swedish server layout, which has
an AltGr key. It worked fine with the initial Windows login screen of the
server, but for proper key binding to work inside the Windows server, we have
to change the keyboard setting of the Windows server to Swedish.

As we have developers from different locations, it requires us to keep
different layouts based on the developer's country of origin. It would bring
complexity into our automation process.

In parallel I tried different combinations. The AltGr key combination worked
for the below:

Server layout: Unicode, Windows Server keyboard: ENG-Norwegian (this has
to be set as the default keyboard input in Windows)

And for other users who are using a normal English keyboard, the below
combination seems to work fine:

Server layout: Unicode, Windows Server keyboard: ENG-US.

Is this the suggested way to tackle this situation?


- Faris









Re: include a web browser in Guacamole

2020-07-10 Thread stephane.lhotellier
Hello,
I'm sorry Tushar Jain, but I agree with the opinions of Vieri-2, vnick and
shr0ded.
My users (around 300 today) need to connect not to internal resources, but to
servers at customers' sites or in data centers (a few thousand). I therefore
cannot use a simple reverse proxy.

To keep it simple, I mainly have 2 departments:
- Integration
- Hotline

2 types of environments:
- production
- pre-production

3 types of connections:
- RDP (less and less)
- SSH
- web (HTTP and HTTPS) (for applications, CUPS, ...)

The hotline must have access to all production environments.

The integration department is divided into teams per customer.
People working on customer A must not have access to customer B, but the
integration team must have access to both production and pre-production.

In this sense, having a web browser inside Guacamole (like the RDP or VNC
client), or at least a display of URLs to serve as links, would be a good
addition.
It would give access to more possibilities, a bit like what is done in
mRemoteNG with external tools.


