RDP: self-signed certificates & cert management
Hello Guacamole team & users,

To connect (via RDP) to servers using a self-signed cert, Guacamole exposes the possibility to **ignore the certificate** (I assumed this is equivalent to the "/cert:ignore" option from xfreerdp).

Is there any way to use another policy? Like the "/cert:tofu" from xfreerdp or /cert:fingerprint:xyz?

The idea is to tolerate connecting to a self-signed server but to make sure it does not change later on (one way or another, but without editing the OS cert store of the host running guacd).

Thanks,
Toine.

-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org

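The three certificate policies named in the question above (ignore, trust on first use, fixed fingerprint), as an added Python example that is not part of the original post and is not Guacamole or xfreerdp code. It shows only the accept/reject decision; the host name, certificate bytes and function names are constructed for illustration.

```python
import hashlib
import hmac


def fingerprint(der_cert):
    """SHA-256 over the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def accept(policy, host, der_cert, pins, expected=None):
    """Return True if the connection may proceed.

    pins is a dict host -> fingerprint that the caller persists between
    connections (hypothetical store, kept outside the OS certificate store).
    """
    seen = fingerprint(der_cert)
    if policy == "ignore":
        return True  # any certificate is accepted, including a replaced one
    if policy == "fingerprint":
        if expected is None:
            raise ValueError("fingerprint policy needs an expected value")
        return hmac.compare_digest(seen, expected.lower())
    if policy == "tofu":
        known = pins.get(host)
        if known is None:
            pins[host] = seen  # first contact: remember what was presented
            return True
        return hmac.compare_digest(seen, known)  # later: must be unchanged
    raise ValueError("unknown policy: " + policy)


def demo():
    """First connection, then a connection where the certificate changed."""
    original = b"constructed-der-bytes-original"  # constructed sample
    replaced = b"constructed-der-bytes-replaced"  # constructed sample
    host = "rdp.example.internal"                 # constructed host name
    results = {}
    for policy in ("ignore", "tofu", "fingerprint"):
        pins = {}
        expected = fingerprint(original)
        first = accept(policy, host, original, pins, expected)
        later = accept(policy, host, replaced, pins, expected)
        results[policy] = (first, later)
    return results
```

Only the "ignore" policy lets the second connection through after the certificate has changed.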
Re: guacamole-auth-json & simultaneous independent connections
On 22/02/2023 at 20:37, Michael Jumper - mjum...@apache.org wrote:

> No, you understood correctly. The error you're seeing is from the database auth extension refusing to create/update a user with an empty username. Do you have "postgresql-auto-create-accounts" set?

Good catch, Mike! I have this option set indeed (in the failing environment).

Is there some extension ordering to be done, or are these two scenarios technically incompatible?

Toine

Re: guacamole-auth-json & simultaneous independent connections
On 22/02/2023 17:02, Nick Couchman - vn...@apache.org wrote:

> Yes, I think you need to provide a non-blank username. That's what the error indicates, anyway.

Well I'm now confused :)

You suggested earlier to 'set the username to "" (empty string)' and now you suggest 'to provide a non-blank username'.

Did I understand your first suggestion the wrong way?

Antoine

Re: guacamole-auth-json & simultaneous independent connections
Thanks Mike, I think you are heading me to the right way.

It actually works in one of my environments but in another one, I get the following HTTP 400 error message when POSTing to /guacamole/api/tokens.

Client side:

    {"message":"The username must not be blank.","translatableMessage":{"key":"APP.TEXT_UNTRANSLATED","variables":{"MESSAGE":"The username must not be blank."}},"statusCode":null,"expected":null,"type":"BAD_REQUEST" }

Server side:

    DEBUG o.a.g.rest.RESTExceptionMapper - Client request rejected: The username must not be blank.

Config: guacamole-client 1.4.0 with:
- guacamole-auth-header-1.4.0.jar
- guacamole-auth-jdbc-postgresql-1.4.0.jar
- guacamole-auth-json-1.4.0.jar

Any idea where that could come from? (Of course, in that latter environment, guacamole-auth-json works as planned, with a non-blank username.)

Using your tip, I now submit this kind of JSON:

###
{
  "username" : "",
  "expires" : TIMESTAMP_A,
  "connections" : {
    "connection_A" : {
      "protocol" : "rdp",
      "parameters" : {...}
    }
  }
}

{
  "username" : "",
  "expires" : TIMESTAMP_B,
  "connections" : {
    "connection_B" : {
      "protocol" : "rdp",
      "parameters" : {...}
    }
  }
}
##

On 13/02/2023 at 22:11, Michael Jumper - mjum...@apache.org wrote:

> No, but if you want that behaviour, you should set the username to "" (empty string), which represents an anonymous user. The tokens for anonymous users are stored only in memory, not in LocalStorage.

Re: Delegated administration setup
Hello,

On 18/01/2023 at 22:32, Spierings, Alphons - a.f.e.b.spieri...@tue.nl.INVALID wrote:

> Acting as “administrator” we have so far not been able to setup any user or user-group with the privileges to READ/UPDATE users or connections apart from the ones they had created themselves.

I'm also interested in the answer since I encountered roughly the same problem in my organization.

We eventually decided to set up a management middleware (that has admin rights) to manage the users & connections (because back then, I didn't have the time/knowledge to patch the whole Guacamole RBAC system to meet my needs). I had to play a bit with user groups to make my own RBAC without changing the Guacamole database schema or patching the existing guacamole-client code.

This solution has the drawback of not being integrated within the Guacamole management UI but it matched the need we have of giving people the autonomy they deserved.

I might have been blind, and there might be a possibility to do this out of the box. But if so, I'm happy to see I was not the only blind one!

Regards,
Antoine

Re: guacamole 1.4.0 + nginx X-Frame-Options DENY Browser refresh ( F5 ) issue
On 08/03/2022 23:55, Mike Jumper - mjum...@apache.org wrote:

> Can you see in browser dev tools the specific request that is blocked unless "SAMEORIGIN" is set?

Yes, of course. Firefox states:

    The loading of “https://guacamole.example.org/app/element/templates/blank.html” in a frame is denied by “X-Frame-Options“ directive set to “DENY“.

Re: Get connection URL
On 08/02/2022 10:08, Caleb Coverdale - calebcoverd...@me.com.INVALID wrote:

> I was wondering if there was a way I could get the connection URL’s encoded in the same format that the auth header json uses?

As far as I know, yes (but it should be confirmed by Guacamole devs/maintainers).

If your connection is called "joe_10.1.2.3_3389" (because you passed the JSON below to this Guacamole extension), you have to b64 its name + FF char + NUL char + "json".

The result would be "/#/client/am9lXzEwLjEuMi4zXzMzODkAYwBqc29u".

In Python3, a method to generate that result could be:

    import base64

    def connection_token(connection_id):
        # Base64 of the connection name followed by the "\0c\0json" suffix
        return base64.b64encode(
            connection_id.encode() + "\0c\0json".encode()
        ).decode()

    connection_id = "joe_10.1.2.3_3389"
    connection_token(connection_id)

Toine

---
{
  "username": "joe",
  "expires": 1644335456000,
  "connections": {
    "joe_10.1.2.3_3389": {
      "protocol": "rdp",
      "parameters": {
        "create-drive-path": "false",
        "hostname": "10.1.2.3",
        ...
      }
      ...
}

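The token in the reply above is plain base64, so it can be decoded as easily as it is built. The following added example (not part of the original post and not Guacamole's own code) follows the byte layout of the posted snippet, name + NUL + "c" + NUL + "json", and adds the reverse direction with input checks; the function names and the `kind`/`data_source` parameters are assumptions for illustration.

```python
import base64
import binascii


def encode_client_id(identifier, kind="c", data_source="json"):
    """Build the token that follows /#/client/ (layout taken from the post)."""
    for part in (identifier, kind, data_source):
        if "\0" in part:
            raise ValueError("NUL separates the fields and cannot appear in one")
    raw = "\0".join((identifier, kind, data_source)).encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def decode_client_id(token):
    """Split a token back into (identifier, kind, data_source)."""
    padded = token + "=" * (-len(token) % 4)  # tolerate stripped padding
    try:
        raw = base64.b64decode(padded, validate=True)
    except binascii.Error as exc:
        raise ValueError("token is not valid base64") from exc
    parts = raw.decode("utf-8").split("\0")
    if len(parts) != 3:
        raise ValueError("expected identifier, type and data source")
    return tuple(parts)


def client_url(identifier, kind="c", data_source="json"):
    """Path fragment for one connection, as shown in the post."""
    return "/#/client/" + encode_client_id(identifier, kind, data_source)
```

Because decoding needs no key, a connection name such as "joe_10.1.2.3_3389" (user, address and port) is readable by anyone who sees the URL, for example in browser history or a shared link.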
Re: [SECURITY] CVE-2021-41767: Apache Guacamole: Private tunnel identifier may be included in the non-private details of active connections
On 12/01/2022 22:32, Nick Couchman - vn...@apache.org wrote:

> We do not plan to release patches for lower versions. Essentially, 1.4.0 is the patch.

Thank you for your answer.

Just to be sure I understand the CVE and the stack, do you confirm that technically, upgrading only guacamole-client to 1.4.0 (and leaving guacd in 1.3.0) is enough to patch the CVE?

Re: Problem with File Transfer Protocol RDP behind nginx
On 07/06/2021 at 22:43, tedd77 - i...@quantiss.com wrote:

> I even increased it to 20g, once it reaches the 1Mbyte it comes up with the
> message

And what does the nginx error log say?

Antoine