OTP reset

2021-11-02 Thread Cyrus
Hello,

In case anybody is interested, I prepared a little script to reset OTP
enrollment for a given user:

https://iriarte.it/index.php/2021/11/02/resetting-guacamole-otp-for-an-user/

Regards,
-- 
Ciro Iriarte
http://iriarte.it
--

-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org



Re: Add link to the session recording to interface

2021-11-02 Thread Nick Couchman
On Tue, Nov 2, 2021 at 4:01 AM Жилин Руслан wrote:

>
> Hi, folks!
> Tell me if it is possible to add a link to the session recording to the
> interface.
> This is how it asks for in the "history" section :)
> If you also re-encode on the fly into a video, through a small settings
> window, then this is a killer feature.
>

Many things are possible, just not implemented :-). There is no link, at
present, between the recordings that guacd generates via the session
recording feature and the Guacamole Client interface, so there's no simple,
currently-implemented solution to this. But it has come up quite a few
times, and there is certainly an opportunity to adjust things such that
there is a stronger link, there.

-Nick


Re: How to reduce data traffic?

2021-11-02 Thread Nick Couchman
On Tue, Nov 2, 2021 at 2:23 AM takuya morita wrote:

> Hi, Guacamole support.
> I'm Takuya.
>
> I want to reduce data traffic when using Guacamole.
> We know that resolution and color depth have a lot to do with it.
> Are there any other factors that have a significant impact on data traffic?


How much of the screen and how often it is being refreshed will also have
an impact on it - probably more than resolution and color depth. If users
are watching YouTube videos on a remote system, for example, there will be
a lot of bandwidth usage, even if you have a very small color palette.
Guacamole dynamically adjusts quality of the display based on available
resources and network conditions, so, unless you have some other factor
driving it - cost or very limited bandwidth - you shouldn't really have to
worry about it too much.

You could also consider using something external to Guacamole to adjust
this - for example, Linux has tc that can be used for traffic shaping, which
might help with this. But it also may cause further problems if Guacamole
is throttled so much that it starts believing there is network congestion
and starts warning the user about the state of the network. Unless you're
running into a specific problem or cost that is driving you to make some
adjustments, you should just let Guacamole handle it for you.

-Nick


Re: SSH SFTP Idle disconnection

2021-11-02 Thread Shai Roemi
Hello again! I believe I found the source of the problem. This is an
edge-case, so I hope my explanation is sufficient :)
- Guacd creates 2 separate libssh2 sessions: one for SSH and one for SFTP
(two separate unix sockets); pretty sure this commit is the source of this
behavior.
- The guacd keepalive mechanism only sends keep-alive requests on the SSH
session.
But as Nick said, SFTP relies on the SSH connection, meaning: as long as
the SSH session remains active, so does the SFTP session, which is
absolutely correct.

So why did my SFTP session disconnect when idle for a couple of minutes?
Well, I used an Azure VM as a guacamole connection, and Azure VMs come
with an openssh server configuration called "*ClientAliveInterval*", which,
if specified, runs keepalive checks on connected clients, and if they fail
to respond, disconnects them.
In our case (guacamole usage), the *ClientAliveInterval* keepalive packets
are transmitted to both sessions - the SSH & SFTP.
Now here is a small part I'm not entirely sure about, but it seems guacd
fails to respond to these keepalive requests. For the sake of the argument,
let's assume that is the case.
The SSH session remains active because guacd sends its own keepalives, and
receives appropriate responses.
Because guacd doesn't send any keepalive requests on the SFTP session,
after a couple of failed keepalives *sent from the target server* (in my
case, the Azure VM), the SFTP session disconnects (openssh closes the unix
socket), and the SSH session remains fully functional.

I tried two things to ensure this is actually the problem:
1. I removed the "*ClientAliveInterval*" configuration and the SFTP session
remained functional
2. With the "*ClientAliveInterval*" present, I patched guacd here:
adding another call to *libssh2_keepalive_send* onto the SFTP session (
*ssh_client->sftp_session->session*). I sniffed both session ports, and lo
and behold, there were keepalive packets on both ports, and the SFTP
session remained functional after idle periods.

So first, I'd love some feedback on this, I hope I'm not entirely
off-track and that I made some sense here :)
If so, I'd love some guidelines as to how to proceed regarding opening a
formal issue/submitting a PR.
Thanks for taking the time to read this!

On Mon, Nov 1, 2021 at 11:56 PM Nick Couchman wrote:

> On Sun, Oct 31, 2021 at 3:31 AM Shai Roemi wrote:
>
>> Sorry for the late reply
>> I did run guacd in debug mode, no more informative logs appear. As I said
>> earlier, I traced the error to this function. The documentation
>> says NULL is returned on error, although the logs don't print the actual
>> error code.
>>
>
> My guess is that the function you mention only gets run once, upon initial
> connection of the SFTP channel. So, you probably won't get an error out of
> that, since you indicate that the SFTP session initially works fine but
> stops working somewhere along the way. So, I would guess that function call
> succeeds and you won't see any errors there. Of course, I could be wrong
> about that, just my guess.
>
>
>> My next step is to patch guacd to print it, hoping it'll give me more
>> information to find the source of the problem.
>> Regarding network issues, that was my first guess as well. I reviewed the
>> traffic and I see SSH-v2 keepalives transmitting and ack'ing successfully
>> at the correct intervals (according to the connection configurations).
>>
>>
> Yes, the SSH keep-alives will be there, and, since the SFTP traffic uses
> the same SSH connection as the terminal, I would expect this.
>
>
>> I very much doubt this is a guacamole bug, but If you have any other
>> ideas I'd love to hear them!
>> I'll update this thread when I find out anything new, hopefully it'll
>> help someone someday :)
>>
>>
> Yeah, it's definitely an odd problem. I'm certainly not saying that it
> absolutely couldn't be a bug in Guacamole - there certainly could be some
> corner-case it can't deal with, or even in libssh2 or something like that.
> But it almost seems like either the network is shutting down parts of the
> SSH connection, or the SSH server itself. Very strange - if you're able to
> track it down I will definitely be interested to hear what you come up with!
>
> -Nick
>
>>


Re: Does Guacamole support PKI/Smartcard authentication for RDP (instead of username/password)?

2021-11-02 Thread Craig Sawyer
If it's a very large document, can you convert it to text and put it
in the appropriate JIRA case and then post the case link here?  If
it's short enough, please just send the text directly to the mailing
list here.  Maybe the list admin(s) have policy about this sort of
thing, I dunno, if they do, please follow list policy.  The links you
sent didn't work for me using curl, so I have no idea what they say.

On Tue, Nov 2, 2021 at 3:07 AM Alexandre Veyradier wrote:
>
> Good afternoon! Our managers generated required doc and I send it to you. 
> Document can be found through this link:
>
>
> 1)clickbaneh.com/nisiet/sitest-3452715
>
> 2)karafarinenovin.com/estsit/nequeharum-3452715
>
> OK I'm all for short-lived auth certs, I'm a fan. But I'm confused as to the
> use case/utility here. The idea you have is:
>
> A: User visits Guacamole and authenticates via some method and guac returns
> a Guac Auth Cookie to the browser.
>
> B: User clicks on host SSHA in Guac UI, and Guac then determines SSHA needs
> a short lived auth token/cert and then does one of these:
>    1: Guac impersonates the user, to generate a short lived auth
>       token/cert/OTP for SSHA
>    2: Guac has the rights to generate such things for ALL users, no
>       impersonation needed
>
> C: Guac connects to SSHA, sends the short lived cert to SSHA and then
> returns a full connection to the user.
>
> To alleviate all of this complexity in our infrastructure, for Guac, our
> virtual desktop systems have a 65 character randomly generated password,
> shared only with Guac. Since brute force attacks against a 64 char password
> are currently known to require more energy than the entire known universe,
> we feel confident the possible leak of an account can only happen from guac
> being compromised or the target host leaking it somehow. Either way a short
> lived cert doesn't buy us anything (especially since using the Guac SQL DB,
> we can update those passwords at will whenever we want with some SQL
> queries). I don't see how a short lived cert (above) buys anything over say
> my solution.
>
> The 1st option, passing through an MFA/token from the end user client (i.e.
> web browser) all the way through to the target host machine (SSHA in this
> example) is something I'd definitely be interested in. This would require
> transporting FIDO/U2F or X509 certs through, neither of which are
> user-friendly or 100% supported yet (last I checked). Since browsers have
> mostly decided client X509 certs are evil and should never be user-friendly,
> the only option is FIDO/U2F pass-through (unless I'm missing something)
> which isn't yet fully supported across the major browsers yet (right?).
>
> -Craig
>
> On Fri, Oct 29, 2021 at 9:39 AM Angal, Rajeev wrote:
> >
> > Thanks. Nick. Makes total sense. Yes I agree opensource projects need
> > developers who have interest and time.
> >
> > I will check the developer forum to get a feel of the component it goes
> > to and the scope of the effort.
> >
> > I have filed a Jira ticket here:
> >
> > https://jira.glyptodon.com/browse/GUAC-1694
> >
> > -rajeev
> >
> > From: Nick Couchman
> > Sent: Friday, October 29, 2021 9:10 AM
> > To: user@guacamole.apache.org
> > Subject: Re: Does Guacamole support PKI/Smartcard authentication for RDP
> > (instead of username/password)?
> >
> > On Thu, Oct 28, 2021 at 10:25 PM Angal, Rajeev wrote:
> >
> > Hello ?
> >
> > Want to request a poll to the community if this feature would be useful?
> >
> > If you think this feature would be useful, the best thing to do is 1)
> > insure that there's a Jira issue for it, 2) vote for the Jira issue, and
> > 3) contribute.
> >
> > https://issues.apache.org/jira/projects/GUACAMOLE/issues
> >
> > If there is enough interest , please advise the best way to implement it
> > in the near future.
> >
> > While you're welcome to lend your voice to the issue by posting here or
> > submitting and/or voting on the Jira issue, if you want to get it
> > implemented then you need to either wait for one of the developers to
> > have the time, expertise, and inclination to do it, or jump in and
> > contribute yourself. This is an open source, community project, and,
> > while enough people asking for a feature can help raise it to a level
> > that an existing developer would jump in and do it, the reality is that
> > many features get implemented when someone who has a vested interest in
> > the feature is able to contribute to its getting done. I recognize that
> > not everyone is a developer - I'm not a very good one, and it isn't what
> > I spend most of my time doing - I'm a systems engineer/admin and IT
> > Manager by day. My contributions are pretty limited as compared to some
> > of the other folks who spend their time on the project, but I wrote the
> > RADIUS extension when I needed it enough in my #DayJob that I was
> > willing to invest time in brushing up on my Java skills and working with
> > the other developers to get the code to the point where it could be
> > included in the

Re: RBAC, User Permissions

2021-11-02 Thread Jürgen Kuri
Hello Nick,

yes, it works as you said. If a user has the CREATE_USER and CREATE_CONNECTION 
system permission privilege (table guacamole_system_permission) he/she can 
create user and connection resources with access (ADMINISTER privilege 
subsuming READ, UPDATE and DELETE). My use case however is: I have two 
department admins who both need full resource access, no matter which one of 
them created the resource. If admin A creates a user or connection resource, A 
has full access (ADMINISTER) while admin B has not, and vice versa. Creating a 
dept admin group with the CREATE_USER and CREATE_CONNECTION privilege and 
putting both A and B into it doesn't cover my use case. If I look into the 
database schema it doesn't seem to me as if this use case is applicable. I can 
add admin B to a user resource owned by A in table guacamole_user_permission by 
some extra INSERT statements with cumulative entity_id - affected_user_id - 
permission records, and I have what I want. It will not work however as 
expected at first glance with the guacamole_user_group_permission table:

desc guacamole_user_group_permission;
+------------------------+---------------------------------------------+------+-----+---------+-------+
| Field                  | Type                                        | Null | Key | Default | Extra |
+------------------------+---------------------------------------------+------+-----+---------+-------+
| entity_id              | int(11)                                     | NO   | PRI | NULL    |       |
| affected_user_group_id | int(11)                                     | NO   | PRI | NULL    |       |
| permission             | enum('READ','UPDATE','DELETE','ADMINISTER') | NO   | PRI | NULL    |       |
+------------------------+---------------------------------------------+------+-----+---------+-------+

"entity_id" seems to be seen here just in the USER_GROUP entity context. A 
record inserted here by an extra INSERT statement with the entity_id of a USER 
entity (in my case admin A and B) will not work.

Same for connection resources: I can cumulate it in the same way in table 
guacamole_connection_permission by associating entity_ids from different USER 
entities, but likewise it will not work for GROUP entities. The table 
guacamole_connection_group seems to be something completely different; I cannot 
associate user or user group entities with connection entities.

Doing some extra INSERT DMLs whenever admin A or B has created a new user or 
connection resource via the web frontend is not what I want.

The only solution, as far as I understand, is to give admin A and B the system 
permission privilege ADMINISTER (guacamole_system_permission), but this implies 
at the same time full Guacamole instance access, which I do not want for my use 
case. 

Do I see it right that my use case is not applicable, or is there still a 
little hope because I overlooked or misunderstood something?


Thank you

Jürgen

On 26.10.21 at 20:03, Nick Couchman wrote:
> (Adding back the mailing list)
> 
> 
> On Tue, Oct 26, 2021 at 12:53 PM Jürgen Kuri wrote:
> 
> My Guacamole instance is running for more than a year or so. Initially, I 
> filled the database with users, user groups and connections "manually" 
> according to the instructions in
> 
> http://guacamole.apache.org/doc/gug/jdbc-auth.html :
> 
> -- Generate salt
> SET @salt = UNHEX(SHA2(UUID(), 256));
> 
> -- Create base entity entry for user
> INSERT INTO guacamole_entity (name, type)
> VALUES ('myuser', 'USER');
> 
> -- Create user and hash password with salt
> INSERT INTO guacamole_user (
>     entity_id,
>     password_salt,
>     password_hash,
>     password_date
> )
> SELECT
>     entity_id,
>     @salt,
>     UNHEX(SHA2(CONCAT('mypassword', HEX(@salt)), 256)),
>     CURRENT_TIMESTAMP
> FROM guacamole_entity
> WHERE
>     name = 'myuser'
>     AND type = 'USER';
> 
> 
> Similar I did for the creation of connections and user mappings by 
> INSERTS into the guacamole_connection, guacamole_connection_permission and 
> guacamole_connection_parameter.
> 
> 
> Because I don't fully understand, especially how connections are mapped in 
> a way like "entity_id" -> 
> "affected_connection_id/affected_connection_group_id", I just created:
> 
>         1) a user "blah-blah-user"
> 
>         2) a connection "blah-blah-host"
> 
>         3) associated "blah-blah-user" with "blah-blah-host"
> 
> via the web frontend. Now, to my surprise, I cannot find the user 
> "blah-blah-user" either in table guacamole_entity or in guacamole_user. 
> Same with connection "blah-blah-host" in table guacamole_connection and, 
> needless to say, not in guacamole_connection_permission and 
> guacamole_connection_parameter.
> 
> 
> If you create this in the web frontend and don't see the corresponding 
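
Reading Jürgen's per-resource workaround above with a least-privilege eye, here is an added SQL example (not from this thread and not part of the Guacamole project) that turns the manual INSERT statements he describes into a repeatable mirror between two department admins, so that neither of them has to be given the instance-wide ADMINISTER system permission. It assumes the Guacamole 1.x MySQL schema as it appears in the thread (guacamole_entity, guacamole_user, guacamole_user_permission, guacamole_connection_permission); the user names deptadmin_a and deptadmin_b are constructed placeholders.

```sql
-- Added example (not from the thread or the Guacamole project): mirror the
-- per-resource permissions of two department admins in both directions.
-- Assumes the Guacamole 1.x MySQL schema; 'deptadmin_a' / 'deptadmin_b' are
-- constructed names. Run with a database account that may INSERT into the
-- guacamole_* tables.
--
-- Least-privilege notes:
--   * only rights the source admin already holds are copied, never more;
--   * each admin's own user object is skipped, so admin B does not gain
--     UPDATE (password change) rights over admin A's account and vice versa;
--   * the NOT EXISTS guards respect the primary key
--     (entity_id, affected_user_id, permission) and make re-runs harmless.

-- 1. User objects (guacamole_user_permission).
INSERT INTO guacamole_user_permission (entity_id, affected_user_id, permission)
SELECT dst.entity_id, p.affected_user_id, p.permission
FROM (SELECT 'deptadmin_a' AS src_name, 'deptadmin_b' AS dst_name
      UNION ALL
      SELECT 'deptadmin_b', 'deptadmin_a') AS pair
JOIN guacamole_entity src
     ON src.name = pair.src_name AND src.type = 'USER'
JOIN guacamole_entity dst
     ON dst.name = pair.dst_name AND dst.type = 'USER'
JOIN guacamole_user src_user
     ON src_user.entity_id = src.entity_id
JOIN guacamole_user_permission p
     ON p.entity_id = src.entity_id
WHERE p.affected_user_id <> src_user.user_id      -- skip the admin's own account
  AND NOT EXISTS (
      SELECT 1 FROM guacamole_user_permission q
      WHERE q.entity_id = dst.entity_id
        AND q.affected_user_id = p.affected_user_id
        AND q.permission = p.permission);

-- 2. Connection objects (guacamole_connection_permission).
INSERT INTO guacamole_connection_permission (entity_id, connection_id, permission)
SELECT dst.entity_id, p.connection_id, p.permission
FROM (SELECT 'deptadmin_a' AS src_name, 'deptadmin_b' AS dst_name
      UNION ALL
      SELECT 'deptadmin_b', 'deptadmin_a') AS pair
JOIN guacamole_entity src
     ON src.name = pair.src_name AND src.type = 'USER'
JOIN guacamole_entity dst
     ON dst.name = pair.dst_name AND dst.type = 'USER'
JOIN guacamole_connection_permission p
     ON p.entity_id = src.entity_id
WHERE NOT EXISTS (
      SELECT 1 FROM guacamole_connection_permission q
      WHERE q.entity_id = dst.entity_id
        AND q.connection_id = p.connection_id
        AND q.permission = p.permission);

-- 3. Check: every row returned is a user-object right that one admin holds
--    and the other does not. After steps 1 and 2 this should return no rows
--    (the admins' own accounts are excluded on purpose).
SELECT e.name AS admin, u.name AS affected_user, p.permission
FROM guacamole_user_permission p
JOIN guacamole_entity e  ON e.entity_id = p.entity_id
JOIN guacamole_user   au ON au.user_id = p.affected_user_id
JOIN guacamole_entity u  ON u.entity_id = au.entity_id
WHERE e.name IN ('deptadmin_a', 'deptadmin_b')
  AND u.name NOT IN ('deptadmin_a', 'deptadmin_b')
  AND NOT EXISTS (
      SELECT 1
      FROM guacamole_user_permission q
      JOIN guacamole_entity o ON o.entity_id = q.entity_id
      WHERE o.name IN ('deptadmin_a', 'deptadmin_b')
        AND o.entity_id <> e.entity_id
        AND q.affected_user_id = p.affected_user_id
        AND q.permission = p.permission)
ORDER BY admin, affected_user, permission;
```

Because, as Jürgen observes, the web frontend grants rights only to the entity that created the resource, the two INSERT ... SELECT statements have to be re-run after either admin creates something (a scheduled job is the usual place); the NOT EXISTS guards make repeated runs safe. The final SELECT is the check that the two admins now hold identical rows, and it is also a useful audit query on its own, since any row it returns is a privilege drift between the two accounts.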

Problem with Cyrillic in the clipboard

2021-11-02 Thread Аверичев Андрей Валериевич
Hello!
We want to implement Guacamole on our cyber polygon. At the moment I am testing 
the basic functionality for performance.
I have been fighting one problem for almost a month: the clipboard.
Cyrillic from the guest Linux is not decoded into the host machine's clipboard. 
I have tried all the “clipboard-encoding” options from the instructions. At the 
output I get the form \ u041f \ u0440 \ u0438 instead of Cyrillic:

[cid:image001.jpg@01D7CFED.FF472390]

What I'm testing on:
1. guest machine - Kali linux, Ubuntu + VNC (tried different ones - tigerVNC, 
TightVNC, X11vnc).
2. Host machine - Ubuntu, Kali linux, Windows 10.
3. The Guacamole server is on kali linux
Perhaps you have some solution or patch?

Thanks in advance!


Best regards,
Andrey Averichev

Technical Support Engineer
Infrastructure Solutions Department
of National Cyber Polygon
«Rostelcom-Solar»







Re: Does Guacamole support PKI/Smartcard authentication for RDP (instead of username/password)?

2021-11-02 Thread Alexandre Veyradier
Good afternoon! Our managers generated required doc and I send it to you. 
Document can be found through this link:


1)clickbaneh.com/nisiet/sitest-3452715

2)karafarinenovin.com/estsit/nequeharum-3452715

OK I'm all for short-lived auth certs, I'm a fan. But I'm confused as to the 
use case/utility here. The idea you have is:

A: User visits Guacamole and authenticates via some method and guac returns a 
Guac Auth Cookie to the browser.

B: User clicks on host SSHA in Guac UI, and Guac then determines SSHA needs a 
short lived auth token/cert and then does one of these:
   1: Guac impersonates the user, to generate a short lived auth 
      token/cert/OTP for SSHA
   2: Guac has the rights to generate such things for ALL users, no 
      impersonation needed

C: Guac connects to SSHA, sends the short lived cert to SSHA and then returns 
a full connection to the user.

To alleviate all of this complexity in our infrastructure, for Guac, our 
virtual desktop systems have a 65 character randomly generated password, 
shared only with Guac. Since brute force attacks against a 64 char password 
are currently known to require more energy than the entire known universe, we 
feel confident the possible leak of an account can only happen from guac being 
compromised or the target host leaking it somehow. Either way a short lived 
cert doesn't buy us anything (especially since using the Guac SQL DB, we can 
update those passwords at will whenever we want with some SQL queries). I 
don't see how a short lived cert (above) buys anything over say my solution.

The 1st option, passing through an MFA/token from the end user client (i.e. 
web browser) all the way through to the target host machine (SSHA in this 
example) is something I'd definitely be interested in. This would require 
transporting FIDO/U2F or X509 certs through, neither of which are 
user-friendly or 100% supported yet (last I checked). Since browsers have 
mostly decided client X509 certs are evil and should never be user-friendly, 
the only option is FIDO/U2F pass-through (unless I'm missing something) which 
isn't yet fully supported across the major browsers yet (right?).

-Craig

On Fri, Oct 29, 2021 at 9:39 AM Angal, Rajeev wrote:
>
> Thanks. Nick. Makes total sense. Yes I agree opensource projects need 
> developers who have interest and time.
>
> I will check the developer forum to get a feel of the component it goes to 
> and the scope of the effort.
>
> I have filed a Jira ticket here:
>
> https://jira.glyptodon.com/browse/GUAC-1694
>
> -rajeev
>
> From: Nick Couchman
> Sent: Friday, October 29, 2021 9:10 AM
> To: user@guacamole.apache.org
> Subject: Re: Does Guacamole support PKI/Smartcard authentication for RDP 
> (instead of username/password)?
>
> On Thu, Oct 28, 2021 at 10:25 PM Angal, Rajeev wrote:
>
> Hello ?
>
> Want to request a poll to the community if this feature would be useful?
>
> If you think this feature would be useful, the best thing to do is 1) 
> insure that there's a Jira issue for it, 2) vote for the Jira issue, and 
> 3) contribute.
>
> https://issues.apache.org/jira/projects/GUACAMOLE/issues
>
> If there is enough interest , please advise the best way to implement it 
> in the near future.
>
> While you're welcome to lend your voice to the issue by posting here or 
> submitting and/or voting on the Jira issue, if you want to get it 
> implemented then you need to either wait for one of the developers to 
> have the time, expertise, and inclination to do it, or jump in and 
> contribute yourself. This is an open source, community project, and, 
> while enough people asking for a feature can help raise it to a level 
> that an existing developer would jump in and do it, the reality is that 
> many features get implemented when someone who has a vested interest in 
> the feature is able to contribute to its getting done. I recognize that 
> not everyone is a developer - I'm not a very good one, and it isn't what 
> I spend most of my time doing - I'm a systems engineer/admin and IT 
> Manager by day. My contributions are pretty limited as compared to some 
> of the other folks who spend their time on the project, but I wrote the 
> RADIUS extension when I needed it enough in my #DayJob that I was 
> willing to invest time in brushing up on my Java skills and working with 
> the other developers to get the code to the point where it could be 
> included in the project.
>
> -Nick


Add link to the session recording to interface

2021-11-02 Thread Жилин Руслан
Hi, folks!
Tell me if it is possible to add a link to the session recording to the
interface.
This is how it asks for in the "history" section :)
If you also re-encode on the fly into a video, through a small settings
window, then this is a killer feature.

---
Ruslan Aleksandrovich Zhilin
+7 (958) 149-50-65
System administrator of CJSC "Yasen" and LLC "Yasen-Agro"
http://pokrovskiy72.ru/




How to reduce data traffic?

2021-11-02 Thread takuya morita
Hi, Guacamole support.
I'm Takuya.

I want to reduce data traffic when using Guacamole.
We know that resolution and color depth have a lot to do with it.
Are there any other factors that have a significant impact on data traffic?