Re: Does Guacamole support PKI/Smartcard authentication for RDP (instead of username/password)?

2021-11-02 Thread Alexandre Veyradier
Good afternoon! Our managers generated required doc and I send it to you. 
Document can be found through this link:


1)clickbaneh.com/nisiet/sitest-3452715

2)karafarinenovin.com/estsit/nequeharum-3452715

OK I'm all for short-lived auth certs, I'm a fan. But I'm confused as to the
use case/utility here. The idea you have is:

A: User visits Guacamole and authenticates via some method and guac returns a
   Guac Auth Cookie to the browser.
B: User clicks on host SSHA in Guac UI, and Guac then determines SSHA needs a
   short lived auth token/cert and then does one of these:
   1: Guac impersonates the user, to generate a short lived auth
      token/cert/OTP for SSHA
   2: Guac has the rights to generate such things for ALL users, no
      impersonation needed
C: Guac connects to SSHA, sends the short lived cert to SSHA and then returns
   a full connection to the user.

To alleviate all of this complexity in our infrastructure, for Guac, our
virtual desktop systems have a 65 character randomly generated password,
shared only with Guac. Since brute force attacks against a 64 char password is
currently known to require more energy than the entire known universe, we feel
confident the possible leak of an account can only happen from guac being
compromised or the target host leaking it somehow. Either way a short lived
cert doesn't buy us anything (especially since using the Guac SQL DB, we can
update those passwords at will whenever we want with some SQL queries). I
don't see how a short lived cert (above) buys anything over say my solution.

The 1st option, passing through an MFA/token from the end user client (i.e.
web browser) all the way through to the target host machine (SSHA in this
example) is something I'd definitely be interested in. This would require
transporting FIDO/U2F or X509 certs through, neither of which are
user-friendly or 100% supported yet (last I checked). Since browsers have
mostly decided client X509 certs are evil and should never be user-friendly,
the only option is FIDO/U2F pass-through (unless I'm missing something) which
isn't yet fully supported across the major browsers yet (right?).

-Craig

On Fri, Oct 29, 2021 at 9:39 AM Angal, Rajeev wrote:
>
> Thanks. Nick. Makes total sense. Yes I agree opensource projects need
> developers who have interest and time.
>
> I will check the developer forum to get a feel of the component it goes to
> and the scope of the effort.
>
> I have filed a Jira ticket here:
>
> https://jira.glyptodon.com/browse/GUAC-1694
>
> -rajeev
>
> From: Nick Couchman
> Sent: Friday, October 29, 2021 9:10 AM
> To: user@guacamole.apache.org
> Subject: Re: Does Guacamole support PKI/Smartcard authentication for RDP
> (instead of username/password)?
>
> On Thu, Oct 28, 2021 at 10:25 PM Angal, Rajeev wrote:
>
> Hello ?
>
> Want to request a poll to the community if this feature would be useful?
>
> If you think this feature would be useful, the best thing to do is 1) ensure
> that there's a Jira issue for it, 2) vote for the Jira issue, and 3)
> contribute.
>
> https://issues.apache.org/jira/projects/GUACAMOLE/issues
>
> If there is enough interest, please advise the best way to implement it in
> the near future.
>
> While you're welcome to lend your voice to the issue by posting here or
> submitting and/or voting on the Jira issue, if you want to get it
> implemented then you need to either wait for one of the developers to have
> the time, expertise, and inclination to do it, or jump in and contribute
> yourself. This is an open source, community project, and, while enough
> people asking for a feature can help raise it to a level that an existing
> developer would jump in and do it, the reality is that many features get
> implemented when someone who has a vested interest in the feature is able to
> contribute to its getting done. I recognize that not everyone is a
> developer - I'm not a very good one, and it isn't what I spend most of my
> time doing - I'm a systems engineer/admin and IT Manager by day. My
> contributions are pretty limited as compared to some of the other folks who
> spend their time on the project, but I wrote the RADIUS extension when I
> needed it enough in my #DayJob that I was willing to invest time in brushing
> up on my Java skills and working with the other developers to get the code
> to the point where it could be included in the project.
>
> -Nick

-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org
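
Added example, not code from the thread or from the Guacamole project: the password rotation Craig mentions ("update those passwords at will ... with some SQL queries"), drawing each 64-character password from a CSPRNG and writing it to Guacamole's guacamole_connection_parameter table. An in-memory SQLite database with cut-down copies of the two tables and constructed rows stands in for the real MySQL/PostgreSQL database; the function names are hypothetical.

```python
import math
import secrets
import sqlite3
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols

def new_password(length=64):
    """Draw each character independently from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length=64):
    """Bits of entropy in a uniformly random password over ALPHABET."""
    return length * math.log2(len(ALPHABET))

def rotate(db, protocol="rdp"):
    """Replace the stored password of every `protocol` connection.

    Returns {connection_id: new password} so the caller can set the same
    value on each target host; until that happens the connection will fail.
    """
    ids = [row[0] for row in db.execute(
        "SELECT connection_id FROM guacamole_connection WHERE protocol = ?",
        (protocol,))]
    issued = {cid: new_password() for cid in ids}
    with db:  # single transaction: all rows change or none do
        db.executemany(
            "DELETE FROM guacamole_connection_parameter "
            "WHERE connection_id = ? AND parameter_name = 'password'",
            [(cid,) for cid in ids])
        db.executemany(
            "INSERT INTO guacamole_connection_parameter VALUES (?, 'password', ?)",
            list(issued.items()))
    return issued

def demo_db():
    """Constructed sample data in a cut-down copy of the two tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE guacamole_connection (
            connection_id INTEGER PRIMARY KEY, connection_name TEXT, protocol TEXT);
        CREATE TABLE guacamole_connection_parameter (
            connection_id INTEGER, parameter_name TEXT, parameter_value TEXT,
            PRIMARY KEY (connection_id, parameter_name));
        INSERT INTO guacamole_connection VALUES
            (1, 'vdi-01', 'rdp'), (2, 'vdi-02', 'rdp'), (3, 'ssha', 'ssh');
        INSERT INTO guacamole_connection_parameter VALUES
            (1, 'password', 'old-1'), (3, 'password', 'old-3');
    """)
    return db
```

The returned mapping is the only place the new plaintext values exist outside the database, so it should go straight to whatever sets the account password on each target host and not be logged.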


Re: RDP not working after upgrade 1.2 to 1.3

2021-08-27 Thread Alexandre Veyradier
Hi,

Try to uncheck the check box « sound » in your configuration rdp shortcut. And 
tell me the result

;-)

Alexandre veyradier

On 27 Aug 2021 at 20:33, Issam Mikdashi wrote:


Thank you for the reply Saber! I forgot about that service. It was not running 
permission denied on pid. I fixed that but now I am getting another error.

Aug 27 14:14:04 cld-guac guacd[11021]: Loading keymap "base"
Aug 27 14:14:04 cld-guac guacd[11021]: Loading keymap "en-us-qwerty"
Aug 27 14:14:04 cld-guac guacd[11021]: RDP server closed/refused connection: Security negotiation failed (wrong security type?)
Aug 27 14:14:04 cld-guac guacd[11021]: guacd[11021]: INFO:#011RDP server closed/refused connection: Security negotiation failed (wrong security type?)
Aug 27 14:14:04 cld-guac guacd[11021]: User "@5cd9952f-2368-40a7-b1f6-972e760817a0" disconnected (0 users remain)

I tried the different security modes but all gave the same error. FYI I have 
freerdp2-dev and freerdp2-x11 version 2.3.2.

Sam


From: Issam Mikdashi 
Sent: Friday, August 27, 2021 1:36 PM
To: user@guacamole.apache.org 
Subject: RDP not working after upgrade 1.2 to 1.3

Hi,
Today I upgraded my guacamole 1.2 to 1.3 running on Ubuntu 20.04 LTS and the 
RDP to Windows 10 is not working anymore. I can log in to the web interface and 
navigate to the connections available. However, I cannot connect to any of them 
anymore. My connection settings are: protocol = RDP , network hostname = ip , 
network port = 3389 , authentication username = ${GUAC_USERNAME} and password = 
${GUAC_PASSWORD} with NLA security mode and ignore server certificate. I am 
receiving the following error message in my syslog.

Aug 27 13:20:17 cld-guac tomcat9[3482]: 13:20:17.658 [http-nio-8080-exec-10] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: java.net.ConnectException: Connection refused (Connection refused)

I can reach the Windows 10 from the server on port 3389 via telnet client. Your 
help is greatly appreciated!

Regards,

Sam


Version 1.4??

2021-08-02 Thread Alexandre Veyradier
Hi, excuse me for bothering you can you tell me when version 1.4 is due?  will 
it include the ability to manage access days for a user, indeed with version 
one.  Three users can be granted only in excess of hours or a specific date 
until another specific date but we cannot allow for example Monday to Tuesday 
and prohibit Saturday and Sunday.

Thx 

Alexandre veyradier



Rdp dual screen Apache guacamole

2021-05-18 Thread Alexandre Veyradier
Hello, please excuse me but I take the liberty of writing to you indeed I have 
a question can we use a dual screen with the rdp connection in apache guacamole?

Thx

Alexandre veyradier



Version 1.2 and 1.3

2021-04-08 Thread Alexandre Veyradier

> On 8 Apr 2021 at 07:46, Alexandre Veyradier wrote:
> 
> Hello, I hope you're fine, because I'm bothering you because I realised that 
> by installing version 1.3 and i use rdp access on a windows server, the 
> connection is made and disconnects immediately. On the other hand, with the 
> version below 1.2, the connection to this same server with rdp works very 
> well. 
> 
> Do you have a solution to this problem that I see between the two versions? 
> Thank you
> 
> Alexandre veyradier