Re: ESXi VNC over websocket connection

2023-05-01 Thread Stephen Young
Hi Lukas,
Thanks for your response. I'm working on an application that is (now) able
to use the vSphere API to get a WebMKS ticket token and URL for the WS-VNC
connection for any VMs that have been provisioned.
My experience with UNIX sockets is very limited so any more guidance you
can give me on how you managed to tunnel VNC inside the raw WS tunnel would
be greatly appreciated.

Thanks and regards,
Stephen

On Fri, Apr 28, 2023 at 12:09 AM Lukáš Raška wrote:

> Hi,
> I've done an implementation of WebMKS (that's now VMware calls it) using that
> kind of approach - create a raw WS connection and just tunnel the VNC
> connection inside that tunnel via UNIX sockets. That works fine and I can
> actually connect to the remote console, however there are a few caveats when
> it comes to providing it as an additional Guacamole-supported protocol.
>
> Based on the VMware WebMKS architecture,
> https://vdc-download.vmware.com/vmwb-repository/dcr-public/8c1815ce-2f69-4b0b-a50c-ed8b305c22c0/e01e3448-99e8-4b7c-b26b-f0f02c45fb91/GUID-635B3A9F-C62E-4A97-9FAB-FBCAA3914FDA.html
> for example, you first need to obtain a ticket from vSphere / vCloud
> Director, which is short lived. With that token you actually get a URL you
> can use with the WS-VNC connection. So using that within some integrated
> product (that just provides the valid data to Guacamole) is fine and works,
> but implementing a UI where you could easily connect to any VM console means
> you need to have access to the vSphere API to acquire the WebMKS ticket and
> then guacd needs to have a connection to every possible ESXi server.
>
>
> Thanks,
> Lukas
>
>
> On Fri, 28 Apr 2023 at 2:19, Stephen Young <stephenryoungs...@gmail.com> wrote:
>
>> Thanks for the replies. I’ll have a look at using libwebsockets.
>>
>> Yes, ‘stalled’ was a poor choice of words :)
>>
>> - Stephen
>>
>> > On Apr 27, 2023, at 5:12 PM, Nick Couchman wrote:
>> >
>> > On Thu, Apr 27, 2023 at 6:02 PM Michael Jumper wrote:
>> >>
>> >>> On Thu, Apr 27, 2023, 2:55 PM Stephen Young <stephenryoungs...@gmail.com> wrote:
>> >>>
>> >>> Hi all,
>> >>>
>> >>> In ESXi 7.0, VMware has removed TCP access to the bundled VNC server
>> >>> built into their ESXi hypervisor. Instead the VNC protocol is tunneled over
>> >>> a websocket. Are there any plans to support VNC over websockets to
>> >>> facilitate connections in cases like this? I noticed that there was
>> >>> interest in https://issues.apache.org/jira/browse/GUACAMOLE-1641 but
>> >>> that seems stalled.
>> >>> Does anyone have any advice or experience connecting guacd to the
>> >>> ESXi bundled VNC server over websockets? I wondered if using a TCP to
>> >>> websocket proxy/bridge like unwebsockify would be possible.
>> >>
>> >>
>> >> libwebsockets is already used within guacamole-server for accessing
>> >> Kubernetes. The same could probably be done as an alternative backend
>> >> connection mode for VNC, though I'm not sure whether libvncclient has the
>> >> necessary support for plugging in arbitrary transports.
>> >>
>> >
>> > I've done some work recently on support for tunneling the various
>> > protocols over SSH, and, assuming libwebsockets can open a standard
>> > UNIX socket, this should work.
>> >
>> > Also, it's hard to categorize this issue as "stalled" - it was
>> > entered, but hasn't really had any serious activity at all, and also
>> > isn't that old :-).
>> >
>> > -Nick
>> >
>> > -
>> > To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
>> > For additional commands, e-mail: user-h...@guacamole.apache.org
>> >
>>
>>
>
> --
> Best Regards
>
> Lukáš Raška
>
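
As an added illustration of the approach discussed in this thread (not code from Guacamole, VMware, or any poster), the following Python shows the framing work a bridge performs when VNC (RFB) bytes travel inside a WebSocket: checking the handshake accept value, masking client frames, and rebuilding the RFB byte stream from server frames. It assumes binary frames as defined in RFC 6455; the function and class names are hypothetical.

```python
import base64, hashlib, os, struct

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # constant from RFC 6455

def expected_accept(sec_key):
    """Sec-WebSocket-Accept the server must return for our Sec-WebSocket-Key."""
    digest = hashlib.sha1((sec_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def encode_client_frame(payload, mask=b""):
    """Wrap RFB bytes in one masked binary frame (clients must mask)."""
    mask = mask or os.urandom(4)
    n = len(payload)
    if n < 126:
        head = struct.pack("!BB", 0x82, 0x80 | n)
    elif n < 1 << 16:
        head = struct.pack("!BBH", 0x82, 0x80 | 126, n)
    else:
        head = struct.pack("!BBQ", 0x82, 0x80 | 127, n)
    return head + mask + bytes(b ^ mask[i % 4] for i, b in enumerate(payload))

class ServerFrameReader:
    """Rebuilds the RFB byte stream from server frames, whatever the chunking."""
    def __init__(self, max_payload=1 << 20):
        self.buf, self.max_payload, self.closed = b"", max_payload, False

    def feed(self, chunk):
        self.buf += chunk
        out = b""
        while len(self.buf) >= 2 and not self.closed:
            b0, b1 = self.buf[0], self.buf[1]
            if b1 & 0x80:
                raise ValueError("server-to-client frames must not be masked")
            n, pos = b1 & 0x7F, 2
            if n == 126:
                n, pos = int.from_bytes(self.buf[2:4], "big"), 4
            elif n == 127:
                n, pos = int.from_bytes(self.buf[2:10], "big"), 10
            if len(self.buf) < pos:
                break  # extended length not fully received yet
            if n > self.max_payload:
                raise ValueError("frame exceeds configured size limit")
            if len(self.buf) < pos + n:
                break  # wait for the rest of the payload
            payload, self.buf = self.buf[pos:pos + n], self.buf[pos + n:]
            opcode = b0 & 0x0F
            if opcode in (0x0, 0x2):  # binary data or its continuation
                out += payload
            elif opcode == 0x8:       # close: stop forwarding
                self.closed = True
            # ping, pong and text frames carry no RFB data and are dropped here
        return out
```

WebSocket frame boundaries do not line up with RFB messages, so the reader hands back a plain byte stream that the VNC client parses itself.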


Re: Problem with Guacamole and SSH connections

2023-05-01 Thread Nick Couchman
On Mon, May 1, 2023 at 7:26 AM Lee Doughty wrote:
>
> As a note, this is a user mailing list, not a support help desk. Most people 
> receiving your request for help are users like yourself.
>
>
> Our team upgraded from 1.3 to 1.5 over the last month and had no issues like 
> you describe reported from our user base. We run on AWS EC2/ECS using the 
> docker image as a base, with slight modifications only for our custom user 
> authorization on the front end side.
>
>
>
> Your error log points to a SSH key problem. There was a similar issue 
> reported in
> https://issues.apache.org/jira/plugins/servlet/mobile#issue/GUACAMOLE-1540
>
> While this mentions docker, since it's talking about installed packages, it 
> is still applicable to non-containerized installs.
>
> I'm otherwise not very familiar with this particular issue so I can't provide 
> much more, this is just what I can see from Google searching. Your update has 
> two major variables: a guacamole update and an OS update. I would wager that 
> this issue relates to the OS change and the packages installed -- you might 
> actually benefit from looking at what packages the docker version installs as 
> guidance on packages you need.
>
> -Lee
>
>
> On Sun, Apr 30, 2023, 9:45 PM Rhodes, Fego wrote:
>>
>> Hi Support
>>
>>
>>
>> We are using Guacamole in AWS EC2, we upgraded from 1.4033 r09 on Debian 10 
>> to 1.5.0-r06 on Debian 11.

It's also worth noting that the versions of Guacamole you mention,
here, look to be custom-built and/or modified beyond what the project
has released. Guacamole's versions (https://guacamole.apache.org) are:
1.4.0
1.5.0
1.5.1

We have not released a 1.4033 r09 or 1.5.0-r06 version - the extra
version bits there indicate that some amount of work has been done by
the package maintainers. Hopefully none of those items would be so
invasive as to cause SSH key-based logins to fail, but you'll have to
check with the package maintainers on that.

-Nick




Re: Problem with Guacamole and SSH connections

2023-05-01 Thread Lee Doughty
As a note, this is a user mailing list, not a support help desk. Most
people receiving your request for help are users like yourself.


Our team upgraded from 1.3 to 1.5 over the last month and had no issues
like you describe reported from our user base. We run on AWS EC2/ECS using
the docker image as a base, with slight modifications only for our custom
user authorization on the front end side.



Your error log points to a SSH key problem. There was a similar issue
reported in
https://issues.apache.org/jira/plugins/servlet/mobile#issue/GUACAMOLE-1540

While this mentions docker, since it's talking about installed packages, it
is still applicable to non-containerized installs.

I'm otherwise not very familiar with this particular issue so I can't
provide much more, this is just what I can see from Google searching. Your
update has two major variables: a guacamole update and an OS update. I
would wager that this issue relates to the OS change and the packages
installed -- you might actually benefit from looking at what packages the
docker version installs as guidance on packages you need.

-Lee


On Sun, Apr 30, 2023, 9:45 PM Rhodes, Fego wrote:

> Hi Support
>
>
>
> We are using Guacamole in AWS EC2, we upgraded from 1.4033 r09 on Debian
> 10 to 1.5.0-r06 on Debian 11.
>
>
>
> We are having an issue connecting to all ssh endpoints, the error we get
> is shown below from syslog.
>
>
>
> May 1 00:30:24 ip-10-0-20-10 guacd[1447]: Creating new client for protocol "ssh"
> May 1 00:30:24 ip-10-0-20-10 guacd[1447]: Connection ID is "$4e0597ef-abd3-4af8-8a50-473f4cbf74ec"
> May 1 00:30:24 ip-10-0-20-10 guacd[183380]: User "@5f13f0a8-867f-4620-8acb-2c676351b7dd" joined connection "$4e0597ef-abd3-4af8-8a50-473f4cbf74ec" (1 users now present)
> May 1 00:30:24 ip-10-0-20-10 guacd[183380]: Auth key successfully imported.
> May 1 00:30:24 ip-10-0-20-10 guacd[183380]: No known host keys provided; host identity will not be verified.
> May 1 00:30:24 ip-10-0-20-10 guacd[183380]: Public key authentication failed: Unable to extract public key from private key.
> May 1 00:30:24 ip-10-0-20-10 guacd[183380]: User "@5f13f0a8-867f-4620-8acb-2c676351b7dd" disconnected (0 users remain)
> May 1 00:30:24 ip-10-0-20-10 guacd[183380]: Last user of connection "$4e0597ef-abd3-4af8-8a50-473f4cbf74ec" disconnected
> May 1 00:30:24 ip-10-0-20-10 guacd[1447]: Connection "$4e0597ef-abd3-4af8-8a50-473f4cbf74ec" removed.
>
>
>
> I have tried many things to resolve it such as adding the lines below to
> the sshd_config on your guacamole server.
>
>
>
> echo "PubkeyAcceptedAlgorithms=+ssh-rsa" >> /etc/ssh/sshd_config
>
>
>
> echo "HostKeyAlgorithms +ssh-rsa" >> /etc/ssh/sshd_config
>
>
>
> Nothing has worked and it is very frustrating, has anyone experienced
> this before and any ideas on how to resolve this please?
>
>
>
> Thank you.
>
>
>
> Fego Rhodes
>
>
>
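
The syslog excerpt quoted above carries two separate signals: the skipped SSH host-key check and the private-key failure. As an added example (not part of the thread and not Guacamole's own code), this Python script attributes both to the guacd connection they belong to; the rule names and the `triage` function are hypothetical.

```python
import re
from collections import defaultdict

# guacd syslog lines from the message above, with wrapped lines rejoined.
SAMPLE = """\
May 1 00:30:24 ip-10-0-20-10 guacd[1447]: Creating new client for protocol "ssh"
May 1 00:30:24 ip-10-0-20-10 guacd[1447]: Connection ID is "$4e0597ef-abd3-4af8-8a50-473f4cbf74ec"
May 1 00:30:24 ip-10-0-20-10 guacd[183380]: User "@5f13f0a8-867f-4620-8acb-2c676351b7dd" joined connection "$4e0597ef-abd3-4af8-8a50-473f4cbf74ec" (1 users now present)
May 1 00:30:24 ip-10-0-20-10 guacd[183380]: Auth key successfully imported.
May 1 00:30:24 ip-10-0-20-10 guacd[183380]: No known host keys provided; host identity will not be verified.
May 1 00:30:24 ip-10-0-20-10 guacd[183380]: Public key authentication failed: Unable to extract public key from private key.
May 1 00:30:24 ip-10-0-20-10 guacd[183380]: User "@5f13f0a8-867f-4620-8acb-2c676351b7dd" disconnected (0 users remain)
May 1 00:30:24 ip-10-0-20-10 guacd[183380]: Last user of connection "$4e0597ef-abd3-4af8-8a50-473f4cbf74ec" disconnected
May 1 00:30:24 ip-10-0-20-10 guacd[1447]: Connection "$4e0597ef-abd3-4af8-8a50-473f4cbf74ec" removed.
"""

LINE = re.compile(r"guacd\[(\d+)\]: (.*)$")
JOINED = re.compile(r'joined connection "([^"]+)"')
RULES = [
    # (finding, pattern in the guacd message, why it matters)
    ("host-key-unverified", re.compile(r"host identity will not be verified"),
     "SSH server identity is not checked for this connection"),
    ("private-key-unusable", re.compile(r"Unable to extract public key from private key"),
     "guacd could not derive a public key from the configured private key"),
]

def triage(log_text):
    """Return {connection id: [(finding, reason), ...]} in log order."""
    pid_to_conn, findings = {}, defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m.groups()
        joined = JOINED.search(msg)
        if joined:  # the per-connection guacd process announces its connection id
            pid_to_conn[pid] = joined.group(1)
        for name, pattern, reason in RULES:
            if pattern.search(msg):
                findings[pid_to_conn.get(pid, f"pid:{pid}")].append((name, reason))
    return dict(findings)

if __name__ == "__main__":
    for conn, items in triage(SAMPLE).items():
        for name, reason in items:
            print(f"{conn}: {name}: {reason}")
```

The host-key finding is independent of the login failure: guacd verifies the SSH server's identity only when a host key is supplied, for example through the connection's `host-key` parameter.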


Re: ESXi VNC over websocket connection

2023-05-01 Thread Rasmus Haslund
This is super interesting! I would love to use this instead of RDP.

With best regards,
Rasmus Haslund
Principal Technologist & VMCT Program Manager | Veeam Software | Phone: +40 372 
821 972 | Twitter: @haslund

From: Lukáš Raška 
Reply to: "user@guacamole.apache.org" 
Date: Friday, 28 April 2023 at 08.10
To: "user@guacamole.apache.org" 
Subject: Re: ESXi VNC over websocket connection

Hi,
I've done an implementation of WebMKS (that's now VMware calls it) using that kind
of approach - create a raw WS connection and just tunnel the VNC connection
inside that tunnel via UNIX sockets. That works fine and I can actually connect
to the remote console, however there are a few caveats when it comes to providing
it as an additional Guacamole-supported protocol.

Based on the VMware WebMKS architecture, 
https://vdc-download.vmware.com/vmwb-repository/dcr-public/8c1815ce-2f69-4b0b-a50c-ed8b305c22c0/e01e3448-99e8-4b7c-b26b-f0f02c45fb91/GUID-635B3A9F-C62E-4A97-9FAB-FBCAA3914FDA.html
for example, you first need to obtain a ticket from vSphere / vCloud Director,
which is short lived. With that token you actually get a URL you can use with
the WS-VNC connection. So using that within some integrated product (that just
provides the valid data to Guacamole) is fine and works, but implementing a UI
where you could easily connect to any VM console means you need to have access
to the vSphere API to acquire the WebMKS ticket and then guacd needs to have a
connection to every possible ESXi server.


Thanks,
Lukas


On Fri, 28 Apr 2023 at 2:19, Stephen Young <stephenryoungs...@gmail.com> wrote:
Thanks for the replies. I’ll have a look at using libwebsockets.

Yes, ‘stalled’ was a poor choice of words :)

- Stephen

> On Apr 27, 2023, at 5:12 PM, Nick Couchman <vn...@apache.org> wrote:
>
> On Thu, Apr 27, 2023 at 6:02 PM Michael Jumper <mjum...@apache.org> wrote:
>>
>>> On Thu, Apr 27, 2023, 2:55 PM Stephen Young <stephenryoungs...@gmail.com> wrote:
>>>
>>> Hi all,
>>>
>>> In ESXi 7.0, VMware has removed TCP access to the bundled VNC server built
>>> into their ESXi hypervisor. Instead the VNC protocol is tunneled over a 
>>> websocket. Are there any plans to support VNC over websockets to facilitate 
>>> connections in cases like this? I noticed that there was interest in 
>>> https://issues.apache.org/jira/browse/GUACAMOLE-1641 but that seems stalled.
>>> Does anyone have any advice or experience connecting guacd to the ESXi 
>>> bundled VNC server over websockets? I wondered if using a TCP to websocket 
>>> proxy/bridge like unwebsockify would be possible.
>>
>>
>> libwebsockets is already used within guacamole-server for accessing 
>> Kubernetes. The same could probably be done as an alternative backend 
>> connection mode for VNC, though I'm not sure whether libvncclient has the 
>> necessary support for plugging in arbitrary transports.
>>
>
> I've done some work recently on support for tunneling the various
> protocols over SSH, and, assuming libwebsockets can open a standard
> UNIX socket, this should work.
>
> Also, it's hard to categorize this issue as "stalled" - it was
> entered, but hasn't really had any serious activity at all, and also
> isn't that old :-).
>
> -Nick
>



--
Best Regards

Lukáš Raška