AW: Please join us in testing "staging/1.6.0"

2024-10-04 Thread Joachim Lindenberg
Hello Mike,
is this change contained in the "latest" version of the docker containers? Or 
do you require manual build?
Thanks,
Joachim

> -----Original Message-----
> From: Michael Jumper
> Sent: Thursday, 3 October 2024 19:28
> To: user@guacamole.apache.org
> Subject: Please join us in testing "staging/1.6.0"
> 
> Hello fellow Guacamole enthusiasts,
> 
> We recently merged a massive rewrite of the way guacamole-server handles
> rendering that *should* improve responsiveness, framerate, and bandwidth
> usage in several cases. The change specifically affects the VNC and RDP
> protocol support.
> 
> If anyone is interested in testing, please do. The branch containing these
> changes is "staging/1.6.0":
> 
> https://github.com/apache/guacamole-server/tree/staging/1.6.0
> 
> These changes do not depend on anything in guacamole-client, but please by
> all means test the "staging/1.6.0" branch of that, too, if you feel up to the
> task.
> 
> Beware that part of these changes adds support for the RDP "Graphics
> Pipeline Extension" (GUACAMOLE-377). This is generally a good thing, but
> testing has shown that XRDP's implementation of this uses lossy compression
> more often than the Windows RDP implementation, resulting in the new scroll
> detection not recognizing things as well as otherwise. If using XRDP, I would
> recommend using the "staging/1.6.0" version of guacamole-client, as well,
> and selecting the "Disable Graphics Pipeline Extension" option in the
> connection settings. It's otherwise enabled by default.
> 
> - Mike
> 
> -
> To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
> For additional commands, e-mail: user-h...@guacamole.apache.org






AW: AW: Assistance in troubleshooting unsuccessful RDP Connection

2024-07-23 Thread Joachim Lindenberg
I am using NLA for all RDP connections and I do see the benefit in that there 
is mutual authentication of both parties (Kerberos) without any password being 
disclosed to an attacker. I'd not advise to turn it off therefore.

Regards,

Joachim

 

From: Sean Hulbert
Sent: Tuesday, 23 July 2024 20:53
To: user@guacamole.apache.org
Subject: Re: AW: Assistance in troubleshooting unsuccessful RDP Connection

 

Correct you are, NTLM; however I did validate on my own settings, NLA is 
disabled, we have it set to Any on Guac and with the VM it is disabled.  
However we do have FIPS 140-2 enabled on guac and on Windows OS.

OpenSSL 3.0.x FIPS 140-2 certified.

Thank You
Sean Hulbert


Security Centric Inc.
A Cybersecurity Virtualization Enablement Company


AW: Assistance in troubleshooting unsuccessful RDP Connection

2024-07-23 Thread Joachim Lindenberg
Hello Sean,

do you have any reference for Microsoft deprecating NLA? Or are you confusing 
NLA with NTLM?

Thanks,

Joachim

 

From: Sean Hulbert
Sent: Tuesday, 23 July 2024 17:58
To: user@guacamole.apache.org
Subject: Re: Assistance in troubleshooting unsuccessful RDP Connection

 

Appears you have Security mode: NLA enabled, you can either make sure the 
Windows VDI/system has it enabled or disable on both ends. It provides no real 
protection and is being deprecated by Microsoft.

Thank You
Sean Hulbert


On 7/23/2024 8:44 AM, Brad Turnbough wrote:

I should add the following:  

Ubuntu 20.04

Guac 1.5.0

 

I created a whole new connection in Guac – no change in outcome.

 

Here is output of /var/log/syslog for the connection (tail -f /var/log/syslog | 
grep -I guacd)

Jul 23 10:37:09 knx-guacamole-01 guacd[831]: Creating new client for protocol "rdp"
Jul 23 10:37:09 knx-guacamole-01 guacd[831]: Connection ID is "$9a8cb86d-bd6f-4f69-b871-6952461a1129"
Jul 23 10:37:09 knx-guacamole-01 guacd[667528]: Security mode: NLA
Jul 23 10:37:09 knx-guacamole-01 guacd[667528]: Resize method: none
Jul 23 10:37:09 knx-guacamole-01 guacd[667528]: No clipboard line-ending normalization specified. Defaulting to preserving the format of all line endings.
Jul 23 10:37:09 knx-guacamole-01 guacd[667528]: User "@14b966a9-36c7-4b89-aa77-d8966ad6ae88" joined connection "$9a8cb86d-bd6f-4f69-b871-6952461a1129" (1 users now present)
Jul 23 10:37:09 knx-guacamole-01 guacd[667528]: Loading keymap "base"
Jul 23 10:37:09 knx-guacamole-01 guacd[667528]: Loading keymap "en-us-qwerty"
Jul 23 10:37:20 knx-guacamole-01 guacd[831]: Creating new client for protocol "rdp"
Jul 23 10:37:20 knx-guacamole-01 guacd[831]: Connection ID is "$89ab8eb3-b5a5-431f-816f-fa7393db319f"
Jul 23 10:37:20 knx-guacamole-01 guacd[667554]: Security mode: NLA
Jul 23 10:37:20 knx-guacamole-01 guacd[667554]: Resize method: none
Jul 23 10:37:20 knx-guacamole-01 guacd[667554]: No clipboard line-ending normalization specified. Defaulting to preserving the format of all line endings.
Jul 23 10:37:20 knx-guacamole-01 guacd[667554]: User "@6386d3c3-cee0-4689-bc52-b10b48d9e9a5" joined connection "$89ab8eb3-b5a5-431f-816f-fa7393db319f" (1 users now present)
Jul 23 10:37:20 knx-guacamole-01 guacd[667554]: Loading keymap "base"
Jul 23 10:37:20 knx-guacamole-01 guacd[667554]: Loading keymap "en-us-qwerty"
Jul 23 10:37:27 knx-guacamole-01 guacd[667528]: RDP server closed/refused connection: Disconnected.
Jul 23 10:37:29 knx-guacamole-01 guacd[667528]: User "@14b966a9-36c7-4b89-aa77-d8966ad6ae88" disconnected (0 users remain)
Jul 23 10:37:29 knx-guacamole-01 guacd[667528]: Last user of connection "$9a8cb86d-bd6f-4f69-b871-6952461a1129" disconnected
Jul 23 10:37:29 knx-guacamole-01 guacd[831]: Connection "$9a8cb86d-bd6f-4f69-b871-6952461a1129" removed.
Jul 23 10:37:30 knx-guacamole-01 guacd[667554]: Connected to RDPDR 1.13 as client 0x0025
Jul 23 10:37:34 knx-guacamole-01 guacd[667554]: RDPDR user logged on

 

 

 

Thank you,

Brad Turnbough
Senior Technology Analyst 




 

From: Brad Turn

AW: Companies Using Guacamole

2024-07-19 Thread Joachim Lindenberg
Hello Justin,

I am using Guacamole with my backup solution as documented in 
https://software.lindenberg.one/backup/en/documentation/guacamole-integration.

I am also running several instances myself.

Best Regards,

Joachim

 

From: Justin Kocian
Sent: Friday, 19 July 2024 17:59
To: user@guacamole.apache.org
Subject: Companies Using Guacamole

 

Hello,

 

I'm working on a writeup for our move to Apache Guacamole from AWS Workspaces, 
and am trying to locate a list of companies using Guacamole. Does anyone know 
of such a thing, or can anyone provide examples? We're a relatively small 
company, with less than 100 users, so the comparison doesn't need to be large 
companies (though that helps my case).

 

Thanks!!

 

-- 
Justin Kocian
IT


AW: Documentation for custom authentication provider

2024-07-02 Thread Joachim Lindenberg
I have never had a need to compile Guacamole myself to just add an extension to 
the docker container. I just add my extensions in a build file used via docker 
compose. 

What I always felt missing is advice on how to map the extension and 
configuration paths of the guacamole container to host directories in order to 
eliminate the build file.

Regards,

Joachim

 

From: David Lomas
Sent: Tuesday, 2 July 2024 12:07
To: user@guacamole.apache.org
Subject: Re: Documentation for custom authentication provider

 

Hi Nick,

 

One more followup—based on your original email:

 

* Adjust 
extensions/guacamole-auth-header/src/main/java/org/apache/guacamole/auth/header/user/AuthenticatedUser.java
 to override getUserGroups() to return the groups you're looking for. 

 

I wasn't able to get that to work, as the compiler said "method does not 
override or implement a method from a supertype". But I was able to override 
getEffectiveUserGroups() and return a simple Set of Strings of group names, and 
that seems to be working in the way we want, so thanks for the pointers :).

 

Kind regards,

 

David

 

On Fri, 28 Jun 2024 at 09:40, David Lomas <d...@pale-eds.co.uk> wrote:

Thanks Nick—the errors when building the stock header extension were:

 

[ERROR]   The project org.apache.guacamole:guacamole-auth-header:1.5.4 (/home/test/guacamole-auth-header/pom.xml) has 1 error
[ERROR] 'dependencies.dependency.version' for com.google.inject:guice:jar is missing. @ line 44, column 21

 

and:

 

[ERROR] COMPILATION ERROR :
[INFO] -
[ERROR] Source option 5 is no longer supported. Use 6 or later.
[ERROR] Target option 1.5 is no longer supported. Use 1.6 or later.

 

I had assumed that I needed to target the version of Java installed:

 

$ mvn --version
Apache Maven 3.6.3
Maven home: /usr/share/maven
Java version: 11.0.23, vendor: Ubuntu, runtime: /usr/lib/jvm/java-11-openjdk-amd64
Default locale: en_GB, platform encoding: UTF-8
OS name: "linux", version: "5.15.0-112-generic", arch: "amd64", family: "unix"

 

But having changed it to 8 / 1.8 from what you said, the extension now compiles 
and loads. 

 

The pom for this extension doesn't include a version line for Guice, and I've 
'successfully' built and loaded with version 7 using source 8 / target 1.8, 
which you seemed to suggest shouldn't work? I haven't actually tested that the 
extension is working properly, only that it loads when guac starts. But what 
version of Guice should I be using? Perhaps it's specified somewhere else in 
the main project, not in this extension?

 

Many thanks,

 

David

 

 

On Fri, 28 Jun 2024 at 02:37, Nick Couchman <vn...@apache.org> wrote:

On Fri, Jun 21, 2024 at 6:03 AM David Lomas <d...@pale-eds.co.uk.invalid> wrote:

Thanks Nick—to test my basic setup, I tried copying that extension from the 
1.5.4 branch (to match the current version of guac I'm running in docker), and 
built it. I had to make 2 changes—not sure if this is expected, but it required 
a 7.0.0 entry in the Guice dependency (not sure if the 
latest version is correct), and I also had to add these lines to the pom:

 


11
11


 

I was then able to compile and install the extension in 
guacamole-home/extensions/ before rebuilding and restarting the container. But 
during startup, I see this in the logs:

 

guacamole_compose  | 09:54:10.264 [localhost-startStop-1] ERROR o.a.g.extension.ExtensionModule - Extension "guacamole-auth-header-1.5.4.jar" could not be loaded: Authentication provider class cannot be loaded (wrong version of API?).

 

I'm guessing this (and the earlier changes I had to make (including removing 
the  entry from the pom) is because I'm trying to build this 
in isolation outside the main source tree; is that right? If so, do I need to 
just install the whole client to build this extension, or is it something else?

 

 

It isn't so much that you're trying to build outside of the main code tree, 
it's more likely that the pom.xml changes you've made - in particular to the 
Guice version - are likely going to cause you to end up with very different 
code, and you'll probably need to load, not just the module you've compiled, 
but the entirety of the WAR file and other extensions, from code compiled with 
the same dependencies, particularly Guice and the Java target.

 

I'm not sure what issues you were running into that caused you to bump the 
Guice version up, but the versions we've got in there, now, are very much 
designed to maintain Java 1.8 (Java 8) compatibility. Once you go to Guice 7 
you then are required to bump Java up to version 11, as you've found out, and 
both of those changes are going to cause widespread compatibility issues 
between the "stock" versions that we provide as downloads and anything you 
compile.

 

-Nick



AW: How to get client IP address ?

2024-04-20 Thread Joachim Lindenberg
Hi Stephan,
I'd agree if authentication were the only goal of the API. However it also 
allows to authorize users, and to provide (including create) configuration data 
entirely not in the standard database. I visualized that capability and how I 
use it in 
https://software.lindenberg.one/backup/en/documentation/guacamole-integration.
I am not telling it cannot be done differently, but asking just for 
authentication is too limiting. 
Regards,
Joachim

-----Original Message-----
From: Stephan von Krawczynski
Sent: Sunday, 21 April 2024 00:16
To: user@guacamole.apache.org
Subject: Re: How to get client IP address ?

On Sat, 20 Apr 2024 15:52:58 -0400
Nick Couchman  wrote:

> > > I believe the issue that Stephan is describing is that, when the user
> > > logs in to Guacamole, and the remote LDAP server that is authenticating
> > > the user logs a client IP address, it should log the IP address of the
> > > browser (far end client) and not the IP address of the Guacamole Client
> > > (tomcat) system. I'm just trying to get clarity from Stephan on whether
> > > this is what he's actually trying to do and why.
> > >
> > > -Nick
> >
> > Yes, Nick, you are exactly on the right track here. And I am really
> > not in a logging question, but truly in the authentication process
> > where I want to know the far end client.
> >
> After looking at this a bit more, I cannot find a way, at least in the
> Apache LDAP API that we use, to configure a client IP or send any sort
> of a message that will pass that information through to the client, so
> I'm not sure how feasible this actually is. RADIUS has the NAS IP
> designed specifically for this type of scenario, but I'm not finding
> any sort of feature similar to NAS IP that allows for this kind of messaging.
>
> -Nick

Hello Nick,

first of all, thank you for looking into the issue. So please let me ask this 
as a real question and no offence.
Why does the project _at all_ use a rather complicated API for authentication 
instead of "outsourcing" the function into a simple called hook (call it a 
script), and let this implement the wanted api to ldap, mysql, radius or just 
about anything that might be needed. Still in the end an authentication is no 
more than giving parameters (like username, password, or client ip or whatever 
the caller (i.e. guacamole) has) and getting the simple answer: yes
(authenticated) or no (login failed).
If you cut off the whole process at this point the whole story gets a lot more 
flexible, as anyone can then implement his needed hook (script) for his needs.
You may then distribute such hooks inside the project for standard APIs like 
ldap or the like - or leave it to the users to make/find their own.
To me, designing (and coding) software since the 1980s, this is a pretty clear 
design decision to be taken.

Regards,
Stephan




AW: Options for hardware acceleration/vaapi for guacd

2024-01-19 Thread Joachim Lindenberg
Hi Antony,

Can you please elaborate more on how you achieved that and what blocks open 
sourcing that solution?

I am convinced that a lot of users would be interested as today users can remote 
access company resources but not really participate in video conferences via 
Guacamole.

Thanks,

Joachim

 

From: Antony Awaida - CEO, Apporto
Sent: Friday, 19 January 2024 00:52
To: user@guacamole.apache.org
Subject: Re: Options for hardware acceleration/vaapi for guacd

 

Hi Steven:

 

At Apporto we have extended Guacamole so it uses H264 all the way to the 
browser. Our users can get up to 60 fps video.  Even with very low specs on 
the rdp server. 

 

Our business model does not unfortunately, allow us to open source this 
extension. 

 

However, if this is of interest, we can license it to you

 

Regards,

Antony Awaida

www.apporto.com  


 

On Thu, Jan 18, 2024 at 11:20 AM Barnhart, Steven <barnhart@osu.edu> wrote:

Hi there,

 

We have some use cases where (unfortunately) users are reviewing videos from a 
remote machine and using Guacamole to connect. The viewing of videos is where 
the problem lies. A 720p sample video viewed through Guacamole is very laggy 
and the audio pops in/out. It is not reliable. During video playback, all other 
mouse movements or commands are delayed on the server as well. I see on the 
server side when viewing a video that a guacd process spikes to 80-100%. We are 
also using Docker.

1.  I assume Guacamole encodes the rdp and sends it as video in some way? 
Is there a way to use hardware acceleration such as intel vaapi/quicksync for 
this process and could it maybe help?
2.  Is it believed Docker vs native would have any real difference in 
playing and streaming a video from an RDP session?

 

Thank you.

 

Steven T. Barnhart

Solutions Engineer
The Ohio State University
OTDI Research Technology and Infrastructure
(614) 688-1013 Office

 



AW: Guacamole HA

2023-10-09 Thread Joachim Lindenberg
> We do have a Jira ticket open for improving things from an HA perspective in
> Guacamole, but it hasn't had much activity. Every now and then I take a run at
> building something for the web front-end that would at least allow active
> connections to be seen across multiple instances, and every time I start down
> that path I end up running into some issue that prevents me from making any
> progress. I'm sure it isn't impossible, just not something I've figured out, yet.
>
> -Nick

 

Are you willing to share the ticket id? Did you document any insights of your 
issues?

Maybe we can share/collect/discuss scenarios/ideas?

 

Thanks,

Joachim



AW: Guacamole with Docker, LDAPS and Self-Signed certificate

2023-10-05 Thread Joachim Lindenberg
Afaik there are three options:

*   update the Java keystore to include the root certificate used to sign 
the certificate used by LDAP
*   change your LDAP to use a certificate by one of the standard root 
certification authorities like Letsencrypt
*   set up a proxy next to guacamole (same host) that proxies the ldap 
connection to ldaps.

Regards,

Joachim

 

From: BLANCHOUIN Sylvain
Sent: Thursday, 5 October 2023 13:11
To: user@guacamole.apache.org
Subject: Guacamole with Docker, LDAPS and Self-Signed certificate

 

Hello everyone,

 

I deployed Guacamole with Docker and LDAP authentication. Everything works 
perfectly. I want to switch to LDAPS, but I can't. I have an error message:

 

"unable to find valid certification path to requested target"

 

My authentication is done on Windows AD, and my certificate is issued by ADCS. 
How do I add my certificate to the trusted certificates?

 

I've been stuck on this for several days...

 

Thanks for your help,

 

 




Sylvain BLANCHOUIN | IT Production Manager
HYPERION Développement – Parc Saint Fiacre, 53200 CHATEAU-GONTIER

 



AW: Captcha protection to stop brute force attacks

2023-10-01 Thread Joachim Lindenberg
Hi Molina,

 

can you please do us a favor and explain what cloudflare can do to protect 
against brute force attacks?

 

Hi Madhusudan,

 

afaik captchas are solved faster by AI than by humans.

 

afaik the standard approach to stop brute force attacks is to use something 
like fail2ban or similar, blocking the source IP or network of any bots after 
some failed attempts. Go the extra mile and block not just locally but also at 
your outer perimeter firewall. Obviously there is the risk to block regular 
users in the same network. 

Another approach is to use the device cookie approach published by OWASP, but 
due to the complexity you probably want to do this only with 
single-sign-on-solutions.

 

Regards, 

Joachim

 

 

From: Molina de la Iglesia, Manuel
Sent: Sunday, 1 October 2023 11:58
To: user@guacamole.apache.org
Subject: Re: Captcha protection to stop brute force attacks

 

You could use cloudflare.

 

On Sat, 30 Sept 2023 7:10, khmadhu <khma...@gmail.com> wrote:

Hi,

I am looking for a feature that can prevent brute force attacks or stopping 
bots, is there a possibility  that captcha /recaptcha can be integrated with 
any module?.

 

 

 

 




 

-- 

Thanks & Regards
Madhusudan
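
Added example, not part of the thread and not code from the Guacamole project: the fail2ban-style counting described in the reply above, applied to the failed-login warning that Guacamole's AuthenticationService writes. It assumes a bracketed address list is the X-Forwarded-For chain followed by the directly connected peer and that all records fall on the same day; the function names, proxy address, allowlist and thresholds are illustrative, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict, deque

# Constructed sample input, one log record per line, in the shape of the
# AuthenticationService warning. Addresses are documentation ranges;
# 192.168.254.10 plays the reverse proxy in front of Guacamole.
SAMPLE_LOG = """\
08:29:40.101 [http-nio-8080-exec-1] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.7, 192.168.254.10] for user "admin" failed.
08:29:41.310 [http-nio-8080-exec-3] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.7, 192.168.254.10] for user "root" failed.
08:29:42.000 [http-nio-8080-exec-3] INFO  o.a.g.a.l.AuthenticationProviderService - User "root" did not successfully authenticate against any LDAP server.
08:29:43.520 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.7, 192.168.254.10] for user "guacadmin" failed.
08:30:01.000 [http-nio-8080-exec-4] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [10.1.1.1, 198.51.100.20, 192.168.254.10] for user "alice" failed.
08:30:02.000 [http-nio-8080-exec-4] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [10.1.1.2, 198.51.100.20, 192.168.254.10] for user "alice" failed.
08:30:03.000 [http-nio-8080-exec-4] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [10.1.1.3, 198.51.100.20, 192.168.254.10] for user "alice" failed.
08:31:00.000 [http-nio-8080-exec-5] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.0.2.50, 192.168.254.10] for user "bob" failed.
08:31:05.000 [http-nio-8080-exec-5] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.0.2.50, 192.168.254.10] for user "bob" failed.
08:31:10.000 [http-nio-8080-exec-5] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [192.0.2.50, 192.168.254.10] for user "bob" failed.
08:40:00.000 [http-nio-8080-exec-6] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.99, 192.168.254.10] for user "carol" failed.
08:45:00.000 [http-nio-8080-exec-6] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.99, 192.168.254.10] for user "carol" failed.
08:50:00.000 [http-nio-8080-exec-6] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [203.0.113.99, 192.168.254.10] for user "carol" failed.
08:51:00.000 [http-nio-8080-exec-7] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [X.X.X.X, 192.168.254.10] for user "l.coelho" failed.
"""

# Matches both "[chain, peer]" (behind a proxy) and a bare peer address.
FAILED = re.compile(
    r'(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.\d+\s.*?AuthenticationService - '
    r'Authentication attempt from (?:\[(?P<chain>[^\]]+)\]|(?P<direct>\S+)) '
    r'for user "(?P<user>[^"]*)" failed\.'
)


def parse_failure(line, trusted_proxies):
    """Return (seconds_since_midnight, source_ip, username), or None."""
    m = FAILED.search(line)
    if not m:
        return None
    t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
    chain = [a.strip() for a in (m["chain"] or m["direct"]).split(",")]
    # Entries left of our own proxies come from a client-supplied header, so
    # take the right-most address that is not one of our proxies.
    source = next((a for a in reversed(chain) if a not in trusted_proxies), chain[0])
    try:
        return t, ipaddress.ip_address(source), m["user"]
    except ValueError:
        return None  # masked or malformed address such as "X.X.X.X"


def find_offenders(lines, max_failures=5, window=600, trusted_proxies=(), allow=()):
    """Sources with max_failures failed logins inside `window` seconds."""
    proxies = set(trusted_proxies)
    allow_nets = [ipaddress.ip_network(n) for n in allow]
    recent = defaultdict(deque)  # source -> failure times still inside the window
    users = defaultdict(set)     # source -> every user name it has tried so far
    banned = {}
    for line in lines:
        parsed = parse_failure(line, proxies)
        if parsed is None:
            continue
        t, src, user = parsed
        # Allowlisted networks (e.g. an office NAT) are never banned.
        if src in banned or any(src in net for net in allow_nets):
            continue
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        users[src].add(user)
        if len(q) >= max_failures:
            banned[src] = {"at": t, "failures": len(q), "users": sorted(users[src])}
    return {str(ip): info for ip, info in banned.items()}


if __name__ == "__main__":
    hits = find_offenders(SAMPLE_LOG.splitlines(), max_failures=3, window=60,
                          trusted_proxies={"192.168.254.10"}, allow=["192.0.2.0/24"])
    for ip, info in hits.items():
        print(ip, info)
```

Called without `trusted_proxies`, every chain resolves to the proxy's own address and the proxy itself reaches the threshold, which would lock out all users at once.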

 



AW: How to disable File transfers globally for users in connection group?

2023-09-16 Thread Joachim Lindenberg
Hello,

if you also consider webdav or any other cloud service evil as well, then 
essentially you have to turn off network connectivity of the target system. I 
have been doing this with VMs on Hyper-V (no network connection) and accessing 
them via Guacamole via the hypervisor (VM connect) successfully, but I doubt it 
is feasible with a standard RDP connection, as the open network connection 
could be abused.

Regards,

Joachim

 

From: khmadhu
Sent: Saturday, 16 September 2023 15:36
To: user@guacamole.apache.org
Subject: Re: How to disable File transfers globally for users in connection group?

 

Hi,

 

Can anyone give me an idea, how can we achieve this?.

 

On Fri, Sep 15, 2023 at 4:02 PM khmadhu <khma...@gmail.com> wrote:

Hi,

 

I am looking for an option to disable ALL file transfers like shared drives / 
SFTP, for all default users in a connection group, even though if user have the 
option to create connections, the file transfer options must be disabled, is 
that possible?, how can we achieve this?.




 

 




 

-- 

Thanks & Regards
Madhusudan

9844117475
Bengaluru-12.



AW: Re: [*EXT*] **RSPAM** Guacamole SSH with already MFA for SSH

2023-08-17 Thread Joachim Lindenberg
Hello Frank,

imho implementing MFA (or multi-step-authentication if you want to use PCI 
compliant terminology) should be done with single-sign-on-mechanism only as 
otherwise you run into 

a.  users have to authenticate all day when navigating to different systems,
b.  admins have the issue of enabling each and every backend separately.

Typically some central portal will authenticate the user using MFA and issue a 
token or assertion, be it JWT or SAML or something else, and almost any backend 
can be configured to verify these. And of course you can pass tokens through 
Guacamole.

Regards,

Joachim

 

From: Frank Müller
Sent: Wednesday, 16 August 2023 07:15
To: user@guacamole.apache.org
Subject: WG: Re: [*EXT*] **RSPAM** Guacamole SSH with already MFA for SSH

 

Hello together, 

does somebody still have an idea how to get this running? 
Thanks 
Frank 


- Forwarded by Frank Müller/RR/Roland on 16.08.2023 07:13 -

From: Frank Müller/RR/Roland
To: user@guacamole.apache.org
Date: 11.08.2023 09:51
Subject: Antwort: Re: [*EXT*] **RSPAM** Guacamole SSH with already MFA for SSH



Hi, 

we have two different mechanisms. 

One is using an app. On the app you have to click on an approve button. After 
that, in the ssh session, you only have to push enter on your keyboard and you 
are logged in. 
Or we are using MFA with mail. Some users are getting an e-mail with a pin 
that they have to type inside the ssh window after they have successfully entered 
their username and password. 

Frank 




From: "Ionel GARDAIS" <ionel.gard...@tech-advantage.com>
To: "user" <user@guacamole.apache.org>
Date: 11.08.2023 09:21
Subject: Re: [*EXT*] **RSPAM** Guacamole SSH with already MFA for SSH




Hi Frank, 

What kind of MFA is it ? 
A TOTP token to be input ? 
A validation on the app or a click-on-link that notify the authentication 
server on a side-channel ? 

Ionel



From: "Frank Müller" <frank.muel...@roland-rechtsschutz.de>
To: "user" <user@guacamole.apache.org>
Sent: Friday, 11 August 2023 09:04:18
Subject: [*EXT*] **RSPAM** Guacamole SSH with already MFA for SSH

Hello all, 

i have a question about ssh connection in guacamole. 

I have installed guacamole as a container and it is working. I can rdp and ssh 
into servers. 

But for our linux servers that already have a MFA software running, i am not 
able to login to. 

The MFA process looks like this: 

1. SSH into the Server. 
2. Apply the MFA with a mobile app 
3. On the server, there is a text displayed, that the second factor is sending 
via app or mail. 
4. After you have applied the second factor or type the code inside the ssh 
session, you are logged into the server. 

And that is not working. If I ssh into the server with guacamole, it asks me for 
my username and password. I receive the mfa on my smartphone. But the ssh 
session directly gets a time out. 
The messages in the container logs look like this: 

guacd[7447]: ERROR: Password authentication failed: Authentication failed (username/password)
guacd[7447]: INFO:  User "@667789b9-71f1-4e73-bc63-8f6ee891f255" disconnected (0 users remain)
guacd[7447]: INFO:  Last user of connection "$5658b16e-ae8b-4d09-8382-cdfe8fdfe7f1" disconnected

Also I did not see the login message that I will normally see if I ssh into the 
server. 



How can i get this up and running with guacamole? 

Thanks all 
Frank 


AW: Guacamole Extensions troubles

2023-06-29 Thread Joachim Lindenberg
Imho you have a big issue already with authentication using no encryption at 
all.

Best Regards,

Joachim

 

From: Tifaine RIVOIRE OPTI Sécurité
Sent: Thursday, 29 June 2023 11:22
To: user@guacamole.apache.org
Subject: RE: Guacamole Extensions troubles

 

Hi,

 

After conducting further research following Nick's response, I discovered that 
I don't need a search filter, so I removed it. My goal is to allow all users in 
my Active Directory (AD) to connect to Guacamole.

 

However, I'm still encountering issues with LDAP authentication. Specifically, 
when I attempt to connect with a user named l.coelho from my AD, the following 
logs are generated:

 

08:29:44.881 [http-nio-8080-exec-2] INFO  o.a.g.a.l.AuthenticationProviderService - Unable to determine DN of user "l.coelho" using LDAP server "192.168.87.20". Proceeding with next server...
08:29:44.882 [http-nio-8080-exec-2] INFO  o.a.g.a.l.AuthenticationProviderService - User "l.coelho" did not successfully authenticate against any LDAP server.
08:29:44.883 [http-nio-8080-exec-2] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from [X.X.X.X, 192.168.254.10] for user "l.coelho" failed.

 

 

I have already verified that I can successfully telnet to port 389 of my LDAP 
server, the encryption method is set correctly as "none," and I tested the LDAP 
connectivity using the ldapsearch command, which worked fine.

 

Interestingly, my admin can connect to the AD without any issues, as confirmed 
by the successful log entries in my AD logs.

 

I suspect that there might be a problem with my LDAP configuration in the 
Docker Compose file. Could you assist me in resolving this issue?

My users are in : OU=AMG,OU=Utilisateur,DC=AMG,DC=lan

My admin in :  OU=Users,DC=AMG,DC=lan

 

  # LDAP Connection
  LDAP_HOSTNAME: 192.168.87.20
  LDAP_PORT: 389
  LDAP_ENCRYPTION_METHOD: "none"

  # Mapping Guacamole usernames to LDAP DN's
  LDAP_USER_BASE_DN: "dc=AMG,dc=LAN"

  # Indirect Username Mapping
  LDAP_SEARCH_BIND_DN: CN=admin,CN=Users,DC=AMG,DC=lan
  LDAP_SEARCH_BIND_PASSWORD: password
  LDAP-USERNAME-ATTRIBUTE: sAMAccountName

 

 

Best regards,

T. RIVOIRE

 

From: Nick Couchman <vn...@apache.org>
Sent: Wednesday, 14 June 2023 14:46
To: user@guacamole.apache.org
Subject: Re: Guacamole Extensions troubles

On Wed, Jun 14, 2023 at 8:26 AM Tifaine RIVOIRE OPTI Sécurité <t.rivo...@optisecurite.fr> wrote:

Hi,

 

I’m testing Guacamole and I want to configure some extensions.
I already set up guacamole with docker-compose and TOTP Extension.

 

I have some troubles with the LDAP extension. In fact, I follow a lot of 
tutorials that show me how I can set up this one.

I copy the .jar file in extension directory but after a restart I can’t log in 
with an AD user. I’ve seen that a new directory called ldap was created (just 
like totp) with .jar & .ldif file.
I also try to create a user with same AD name and blank password in guacamole, 
I make sure to select create connection permission.


When I connect, Guacamole tells me wrong password but this is the correct one in 
my AD.
I also see some forwarded communications (through firewall) from my Guacamole 
server to my AD.

 

Can you help me to understand why I can’t log with an AD account ?

 

You'll need to take a look at the logs for the Guacamole Client container and 
see what errors might be logged to the container. You may also have to change 
the log level of Guacamole Client (LOGBACK_LEVEL environment variable) to get 
more useful information out of the system.

 

I do notice in the Docker Compose file you posted that you appear to be using a 
search filter that is supposed to make LDAP search nested AD groups. I'm not 
sure that this will actually work - I think there are some things that need to 
be implemented within Guacamole to support this, and I don't think those 
currently exist. You might, at the very least, try changing your search filter 
to something else - just create a single group with the users you want to have 
access and search that group, only - and see if that helps.

 

-Nick
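
The LDAP block posted in this thread can be checked mechanically for the two things that stand out in it: the unencrypted bind that Joachim's reply points at, and one key written with hyphens where all the others use underscores. This is an added example, not part of any message in the thread or of Guacamole itself; the function names are hypothetical, and it assumes the container only reads LDAP settings from upper-case, underscore-separated variable names and that the conventional ports 389/636 are in use.

```python
"""Lint the LDAP settings of a Guacamole docker-compose environment block."""

# Constructed input: the keys and values of the compose fragment posted above.
POSTED_ENV = {
    "LDAP_HOSTNAME": "192.168.87.20",
    "LDAP_PORT": 389,
    "LDAP_ENCRYPTION_METHOD": "none",
    "LDAP_USER_BASE_DN": "dc=AMG,dc=LAN",
    "LDAP_SEARCH_BIND_DN": "CN=admin,CN=Users,DC=AMG,DC=lan",
    "LDAP_SEARCH_BIND_PASSWORD": "password",
    "LDAP-USERNAME-ATTRIBUTE": "sAMAccountName",
}

# Encryption methods of the LDAP extension with the conventional port for each
# (assumption: the directory does not listen on custom ports).
ENCRYPTION_PORTS = {"none": "389", "starttls": "389", "ssl": "636"}


def canonical_key(key):
    """Return the upper-case, underscore-separated form assumed for LDAP keys."""
    candidate = key.upper().replace("-", "_")
    return candidate if candidate.startswith("LDAP_") else key


def lint_ldap_env(env):
    """Return a list of (code, key, message) findings for one environment map."""
    findings = []

    # 1. Keys that differ from the naming every other LDAP key follows are
    #    likely to be ignored, leaving the setting at its default.
    for key in env:
        wanted = canonical_key(key)
        if wanted != key:
            findings.append(("key-name", key, f"expected {wanted}"))

    # 2. An unset method is treated like "none": the search bind password and
    #    every user's password then cross the network in cleartext.
    method = str(env.get("LDAP_ENCRYPTION_METHOD", "none")).strip().lower()
    if method not in ENCRYPTION_PORTS:
        findings.append(("encryption-unknown", "LDAP_ENCRYPTION_METHOD",
                         f"{method!r} is not one of {sorted(ENCRYPTION_PORTS)}"))
    elif method == "none":
        findings.append(("cleartext-bind", "LDAP_ENCRYPTION_METHOD",
                         "LDAP binds are sent unencrypted"))

    # 3. A port that does not match the method usually means a failed handshake.
    port = env.get("LDAP_PORT")
    if port is not None and method in ENCRYPTION_PORTS:
        if str(port) != ENCRYPTION_PORTS[method]:
            findings.append(("port-mismatch", "LDAP_PORT",
                             f"{port} is unusual for method {method!r}"))
    return findings


def suggested_env(env, method="starttls"):
    """Return a copy with canonical key names and an encrypted transport.

    The directory must actually offer the chosen method, and the Guacamole
    container must trust its certificate, for the result to work.
    """
    if method not in ("starttls", "ssl"):
        raise ValueError("method must be 'starttls' or 'ssl'")
    fixed = {canonical_key(key): value for key, value in env.items()}
    fixed["LDAP_ENCRYPTION_METHOD"] = method
    fixed["LDAP_PORT"] = ENCRYPTION_PORTS[method]
    return fixed


if __name__ == "__main__":
    for code, key, message in lint_ldap_env(POSTED_ENV):
        print(f"{code:16} {key}: {message}")
    print(suggested_env(POSTED_ENV, "ssl"))
```
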



AW: Displaying both active and disconnected remote desktop sessions on the home screen

2023-05-24 Thread Joachim Lindenberg
I think it can be done in an extension mixing in additional status information. 
My extension - targeting Hyper-V hosts - doesn't keep track of disconnected 
sessions, but mixes in status information like VM running, saved, or shut down, 
to the connection list and the thumbnails.
However I am wondering whether the limited space with thumbnails makes it 
useful if you consider adding to thumbnails only.
Also getting active/disconnected state requires you to run qwinsta against all 
targets frequently and cache that list, or otherwise building the connection 
list will be slowed down a lot.
Cheers,
Joachim

-----Original Message-----
From: Nick Couchman
Sent: Wednesday, 24 May 2023 13:59
To: user@guacamole.apache.org
Cc: Sigovich, Jon; Kempf, Severin
Subject: Re: Displaying both active and disconnected remote desktop sessions on the home screen

On Wed, May 24, 2023 at 3:08 AM Bianconi, Luca  wrote:
>
> Hello,
>
>
>
> we currently have a guacamole server running on Rocky Linux 8, managing 
> several RDP connections set up in organizational groups, and everything is 
> functioning as expected.
>
>
>
> I wanted to inquire if it would be feasible to have both active and 
> disconnected sessions displayed as thumbnails on the home screen. This 
> feature would provide a convenient overview of all sessions, allowing us to 
> easily identify and manage the status of each connection.
>

I don't think so, because Guacamole doesn't keep track of disconnected sessions 
- the remote server is actually what keeps track of that, and Guacamole doesn't 
have any knowledge of those sessions after you disconnect.

-Nick




AW: [ANNOUNCE] Apache Guacamole 1.5.0

2023-02-21 Thread Joachim Lindenberg
Hello all,
I tried to upgrade my docker compose scenario to 1.5, but the guacamole 
container fails to start with error message "/opt/guacamole/bin/start.sh: 1169: 
unzip: not found". I am using two custom extensions - is it possible that 
custom extensions are an issue after the change to Alpine images?
Thanks, 
Joachim

-----Original Message-----
From: Michael Jumper
Sent: Sunday, 19 February 2023 19:40
To: annou...@guacamole.apache.org; d...@guacamole.apache.org; user@guacamole.apache.org; annou...@apache.org
Subject: [ANNOUNCE] Apache Guacamole 1.5.0

The Apache Guacamole community is proud to announce the release of Apache 
Guacamole 1.5.0.

Apache Guacamole is a clientless remote desktop gateway which supports standard 
protocols like VNC, RDP, and SSH. We call it "clientless"
because no plugins or client software are required; once Guacamole is installed 
on a server, all you need to access your desktops is a web browser.

The 1.5.0 release features support for in-browser playback of session 
recordings, retrieving secrets from key vaults, SSH support for elliptic-curve 
cryptography (ECC) keys, and support for authenticating against multiple LDAP 
or Active Directory servers. Users also will now automatically receive 
notification of users joining a shared connection, including when 
administrators join an active connection via the "Active Sessions" screen.

A full list of the changes in this release, along with links to downloads and 
updated documentation, can be found in the release
notes:

http://guacamole.apache.org/releases/1.5.0/

For more information on Apache Guacamole, please see:

http://guacamole.apache.org/

Thanks!

The Apache Guacamole Community




AW: Race?

2022-12-23 Thread Joachim Lindenberg
Hello Mike,

how exactly? Can this please be added to 
https://guacamole.apache.org/doc/gug/guacamole-docker.html ?

Thanks,

Joachim

 

From: Michael Jumper
Sent: Friday, 23 December 2022 18:29
To: user@guacamole.apache.org
Subject: Re: Race?

On Fri, Dec 23, 2022, 9:00 AM Joachim Lindenberg <guacam...@lindenberg.one> wrote:

... Also because guacd trace does not have any timestamps and thus correlation 
is difficult.

It's not guacd that would need to add timestamps but rather the logging backend 
(syslog or the systemd journal), which should already do so. For the Docker 
images, where things go instead to the Docker logs, you need to provide Docker 
with an additional "--timestamps" parameter to its "logs" command to see the 
timestamps that were recorded.

 

- Mike
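
Once both containers' output has been captured with the "--timestamps" option of "docker logs" mentioned above, the two streams can be merged on the recorded time to see what guacd logged just before the web application reported a disconnect. This is an added example, not part of the thread; the function names are hypothetical, the log lines are constructed, and the parser assumes each line starts with the RFC 3339 UTC timestamp that "docker logs --timestamps" writes.

```python
"""Merge `docker logs --timestamps` output of guacd and guacamole by time."""
from datetime import datetime, timedelta, timezone

# Constructed samples in the shape `docker logs --timestamps <container>` prints.
GUACD_LOG = """\
2022-12-22T10:41:39.451203345Z guacd[7]: INFO: (constructed) connection requested
2022-12-22T10:41:40.160877012Z guacd[7]: ERROR: (constructed) certificate not trusted
2022-12-22T10:45:02.000000001Z guacd[7]: INFO: (constructed) unrelated later event
"""
GUACAMOLE_LOG = """\
2022-12-22T10:41:39.448511223Z [http-nio-8080-exec-1] INFO  o.a.g.tunnel.TunnelRequestService - User "Joachim" connected to connection "Cobra".
2022-12-22T10:41:40.181402118Z [http-nio-8080-exec-6] INFO  o.a.g.tunnel.TunnelRequestService - User "Joachim" disconnected from connection "Cobra". Duration: 723 milliseconds
"""


def parse_line(source, line):
    """Return (time, source, message), or None if the line has no timestamp."""
    stamp, _, message = line.partition(" ")
    if not stamp.endswith("Z") or "T" not in stamp:
        return None
    base, _, fraction = stamp[:-1].partition(".")
    try:
        when = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    # Docker records nanoseconds; datetime holds microseconds, so truncate.
    micros = int((fraction + "000000")[:6]) if fraction.isdigit() else 0
    when = when.replace(tzinfo=timezone.utc) + timedelta(microseconds=micros)
    return (when, source, message)


def merge(streams):
    """Combine {source_name: log_text} into one list ordered by timestamp."""
    records = []
    for source, text in streams.items():
        for line in text.splitlines():
            record = parse_line(source, line)
            if record is not None:
                records.append(record)
    return sorted(records, key=lambda record: record[0])


def context_before(records, needle, window_seconds=1.0):
    """Return all records within the window leading up to each matching line."""
    selected = []
    for when, _, message in records:
        if needle not in message:
            continue
        start = when - timedelta(seconds=window_seconds)
        for record in records:
            if start <= record[0] <= when and record not in selected:
                selected.append(record)
    return selected


if __name__ == "__main__":
    merged = merge({"guacd": GUACD_LOG, "guacamole": GUACAMOLE_LOG})
    for when, source, message in context_before(merged, "disconnected from"):
        print(when.isoformat(), f"{source:9}", message)
```
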

 



AW: Race?

2022-12-23 Thread Joachim Lindenberg
Hello Mike,

thanks for hinting me to guacd logs.

Actually it was a combination of assumptions that all kind of failed:

*   all my hosts use letsencrypt certificates for RDP and VMConnect, except 
that the script failed on the specific host,
*   I do have a property analogous to ignore-cert and it was set to true, but 
not processed in code,
*   the exceptions are unrelated, actually they even occur during 
successful connection establishment, but who cares.

Guacd logs spotted the certificate to be untrusted. Once I fixed the setup 
script on the host, it was back running.

Would it be possible to forward some of the error information to guacamole to 
make this easier? Also because guacd trace does not have any timestamps and 
thus correlation is difficult.

Thanks,

Joachim

 

From: Michael Jumper
Sent: Friday, 23 December 2022 00:12
To: user@guacamole.apache.org
Subject: Re: Race?

 

I don't think you're looking at a race condition. The only error shown is from 
WebSocket, and that only indicates that the connection was closed. Depending on 
timing, the socket can be closed just before a message is sent. It doesn't mean 
that anything is wrong or even that the closure itself is unexpected.

 

Can you describe what specifically isn't working? If it's the connection itself 
failing to establish, what about your guacd logs?

 

- Mike


Race?

2022-12-22 Thread Joachim Lindenberg
Hello,

 

I am encountering an issue that I am right now unable to resolve. I am running 
my own extension that does authentication and connection management and that 
used to work. It doesn't any more – neither in the version I used for quite 
some time nor the version I did to implement a custom field. Thus I assume it 
is not related to the changes I did recently…

 

With the newer version I have the following output in guacamole trace:

 

guacamole| 10:41:39.448 [http-nio-8080-exec-1] LindenbergBackup:LindenbergBackupConnection.connect():protocol=rdp,.name=Cobra (Running),.enhancedmode=false,.vm=true,.user=null,.id=a563f81a-8a58-4627-abca-a047739d31e7,.state=Running,.group=(Virtual Machines),.backup=null,hostname=***,security=vmconnect,preconnection-blob=a563f81a-8a58-4627-abca-a047739d31e7,.image=null,port=2179,domain=samba,.identifier=Cobra,username=Joachim,
guacamole| 10:41:39.448 [http-nio-8080-exec-1] INFO  o.a.g.tunnel.TunnelRequestService - User "Joachim" connected to connection "Cobra".
guacamole| 10:41:39.448 [http-nio-8080-exec-1] LindenbergBackup:LindenbergBackupConfiguration.connect()-Cobra (Running)
guacamole| 10:41:39.522 [http-nio-8080-exec-3] DEBUG o.a.g.rest.RESTExceptionMapper - Client request rejected: No readable active connection for tunnel.
guacamole| 10:41:39.524 [http-nio-8080-exec-2] DEBUG o.a.g.rest.RESTExceptionMapper - Client request rejected: Protocol of tunnel is not known/exposed.
guacamole| 10:41:40.170 [http-nio-8080-exec-6] LindenbergBackup:LindenbergBackupConfiguration.close()-Cobra (Running)
guacamole| 10:41:40.181 [http-nio-8080-exec-6] INFO  o.a.g.tunnel.TunnelRequestService - User "Joachim" disconnected from connection "Cobra". Duration: 723 milliseconds

 

in other words, the connection is established or about to be established 
(10:41:39.448 is the last “location” in my extension before returning) and then 
two other threads report errors and yet another thread closes the connection.

 

In order to find the cause, I also tried throwing an exception and the stack 
trace is 

guacamole| Exception in thread "Thread-6" java.lang.IllegalStateException: Message will not be sent because the WebSocket session has been closed
guacamole|  at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.writeMessagePart(WsRemoteEndpointImplBase.java:441)
guacamole|  at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.sendMessageBlock(WsRemoteEndpointImplBase.java:314)
guacamole|  at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.sendMessageBlock(WsRemoteEndpointImplBase.java:254)
guacamole|  at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.sendString(WsRemoteEndpointImplBase.java:195)
guacamole|  at org.apache.tomcat.websocket.WsRemoteEndpointBasic.sendText(WsRemoteEndpointBasic.java:37)
guacamole|  at org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint.sendInstruction(GuacamoleWebSocketTunnelEndpoint.java:152)
guacamole|  at org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint.access$200(GuacamoleWebSocketTunnelEndpoint.java:53)
guacamole|  at org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint$2.run(GuacamoleWebSocketTunnelEndpoint.java:253)
guacamole| java.io.IOException: who closes this?
guacamole|  at one.lindenberg.guacamole.LindenbergBackupConfiguration.close(LindenbergBackupConfiguration.java:119)
guacamole|  at one.lindenberg.guacamole.LindenbergBackupConfiguration.stateChange(LindenbergBackupConfiguration.java:124)
guacamole|  at one.lindenberg.guacamole.LindenbergBackupAuthenticationProvider.requestChange(LindenbergBackupAuthenticationProvider.java:164)
guacamole|  at one.lindenberg.guacamole.LindenbergBackupAuthenticationProvider.handleEvent(LindenbergBackupAuthenticationProvider.java:365)
guacamole|  at org.apache.guacamole.rest.event.ListenerService.handleEvent(ListenerService.java:53)
guacamole|  at org.apache.guacamole.tunnel.TunnelRequestService.fireTunnelClosedEvent(TunnelRequestService.java:114)
guacamole|  at org.apache.guacamole.tunnel.TunnelRequestService.access$000(TunnelRequestService.java:51)
guacamole|  at org.apache.guacamole.tunnel.TunnelRequestService$1.close(TunnelRequestService.java:277)
guacamole|  at org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint.onClose(GuacamoleWebSocketTunnelEndpoint.java:364)
guacamole|  at org.apache.tomcat.websocket.WsSession.fireEndpointOnClose(WsSession.java:759)
guacamole|  at org.apache.tomcat.websocket.WsSession.onClose(WsSession.java:740)
guacamole|  at org.apache.tomcat.websocket.WsFrameBase.processDataControl(WsFrameBase.java:367)
guacamole|  at org.apache.tomcat.websocket.WsFrameBase.processData(WsFrameBase.java:296)
guacamole|  at org.apache.tomcat.websocket.WsFrameBase.processInputBuffer(WsFrameBase.java:133)
guacamole|  at org.apache.tomcat.websocket

AW: Adding JavaScript to your Guacamole extension

2022-12-21 Thread Joachim Lindenberg
Hello Willem,

I tried and succeeded, you may wish to review 
https://lists.apache.org/thread/78qhjzg79fb9y6435ym1hxmol0lbvzlp. 

Best Regards,

Joachim

 

From: Willem van de Mheen
Sent: Wednesday, 21 December 2022 12:16
To: user@guacamole.apache.org
Subject: Adding JavaScript to your Guacamole extension

 

Hi,

 

I’m trying to build a Guacamole extension and I want to include some 
JavaScript. Unfortunately, I can’t really find any documentation on this 
subject. I can include a JavaScript file in the guac-manifest.json but when I 
define an Angular module, I need to refer to a template HTML file and you can’t 
simply add an HTML file to a Guacamole extension. How is this supposed to work?

 

Best regards,

Willem van de Mheen

 



AW: Additional field (select options) on login screen?

2022-12-15 Thread Joachim Lindenberg
Learned more – this depends on the exception I throw. I was using 
GuacamoleInsufficientCredentialsException, but 
GuacamoleInvalidCredentialsException works a lot better.

Joachim

 

From: Joachim Lindenberg
Sent: Thursday, 15 December 2022 09:28
To: user@guacamole.apache.org
Subject: AW: Additional field (select options) on login screen?

I got this kind of resolved by using redundant URL parameter names but then 
discovered that Guacamole uses different classes initial vs continuation that 
actually have different boxes, spacing, etc. 

Can this be turned off easily from an extension (the “hard” way is modifying 
html dom at runtime)?

Thanks,

Joachim

 

 

From: Joachim Lindenberg <guacam...@lindenberg.one>
Sent: Tuesday, 13 December 2022 17:32
To: user@guacamole.apache.org
Subject: AW: Additional field (select options) on login screen?

 

Hello Mike,

I ran through an AngularJS course and with some more experiments I got the 
field to work, except for the second issue, the field missing when prefilled. 
Is this Guacamole or AngularJS?

Any suggestion what to look for?

Thanks, 
Joachim

 

From: Joachim Lindenberg <guacam...@lindenberg.one>
Sent: Monday, 12 December 2022 23:16
To: user@guacamole.apache.org
Subject: AW: Additional field (select options) on login screen?

 

Hello Mike,

I got my module, config, and controller to load – seeing console.log() output.

I am struggling with two issues right now:

*   While rendering the template I want to call methods in my controller, 
similar to ng-options="option as getFieldOption(option)" I have seen in other 
places. Unfortunately when I add this to my template, I always get an exception 
rather than a call to a controller method. How is this supposed to work? I have 
to admit I am a newbie in ng and also unsure what is guacamole, what ng…
*   When I add my field/parameter name to the URL, the field gets omitted 
while rendering. How can I turn this off as I'd prefer that to be just a 
default?

Thanks, 
Joachim

 

 

From: Michael Jumper <mjum...@apache.org>
Sent: Friday, 9 December 2022 02:25
To: user@guacamole.apache.org
Subject: Re: Additional field (select options) on login screen?

On Thu, Dec 8, 2022 at 8:34 AM Joachim Lindenberg <guacam...@lindenberg.one> wrote:

Hello Mike,

thanks for that. I started trying out that route. I figured out I probably
also need an html template, a controller, probably additions to manifest,
but cannot get the field to be displayed yet, and also don't see any errors
in the browser's console I can attribute to that. I enabled debug logging in
guacamole container. I can tell that my module.js (referenced from manifest)
is included and executes, but I cannot find my config, controller and
template within the network trace. Should they be included in manifest (totp
doesn't)?

 

Everything has to be in the manifest somehow. The TOTP support doesn't include 
those specific files in the manifest because part of that extension's build 
process is JavaScript minification and concatenation. They're there implicitly 
via the single file that it does include.

 

Any tip what to watch out for? Is there any debug support for the browser
parts?

 

You need to make sure your module is added as a dependency of the "index" 
module or your module's config, etc. will not be loaded with the rest of the 
app. You need to also make sure that all relevant files are part of the 
manifest (either through being explicitly included or through a concatenation 
step). You should also double check that the field type name defined in the 
Java half of your field exactly matches the field type name that you're 
registering - if they don't match, the webapp won't be able to locate and 
render your field.

 

If things still are not behaving as expected, I recommend adding some 
console.log() calls around the various parts of your code to see what files are 
loaded vs. not, what parts of your module are loaded vs. not, etc. That might 
give you an idea where to look for the problem.

 

- Mike

 



AW: Additional field (select options) on login screen?

2022-12-15 Thread Joachim Lindenberg
I got this kind of resolved by using redundant URL parameter names but then 
discovered that Guacamole uses different classes initial vs continuation that 
actually have different boxes, spacing, etc. 

Can this be turned off easily from an extension (the “hard” way is modifying 
html dom at runtime)?

Thanks,

Joachim

 

 


 



AW: Additional field (select options) on login screen?

2022-12-13 Thread Joachim Lindenberg
Hello Mike,

I ran through an AngularJS course and with some more experiments I got the 
field to work, except for the second issue, the field missing when prefilled. 
Is this Guacamole or AngularJS?

Any suggestion what to look for?

Thanks, 
Joachim

 


 



AW: Additional field (select options) on login screen?

2022-12-12 Thread Joachim Lindenberg
Hello Mike,

I got my module, config, and controller to load – seeing console.log() output.

I am struggling with two issues right now:

*   While rendering the template I want to call methods in my controller, 
similar to ng-options="option as getFieldOption(option)" I have seen in other 
places. Unfortunately when I add this to my template, I always get an exception 
rather than a call to a controller method. How is this supposed to work? I have 
to admit I am a newbie in ng and also unsure what is guacamole, what ng…
*   When I add my field/parameter name to the URL, the field gets omitted 
while rendering. How can I turn this off as I´d prefer that to be just a 
default?

Thanks, 
Joachim

 

 

From: Michael Jumper
Sent: Friday, 9 December 2022 02:25
To: user@guacamole.apache.org
Subject: Re: Additional field (select options) on login screen?

 

On Thu, Dec 8, 2022 at 8:34 AM Joachim Lindenberg <guacam...@lindenberg.one> wrote:

Hello Mike,

thanks for that. I started trying out that route. I figured out I probably
also need an html template, a controller, probably additions to manifest,
but cannot get the field to be displayed yet, and also don´t see any errors
in the browser's console I can attribute to that. I enabled debug logging in
guacamole container. I can tell that my module.js (referenced from manifest)
is included and executes, but I cannot find my config, controller and
template within the network trace. Should they be included in manifest (totp
doesn´t)?

 

Everything has to be in the manifest somehow. The TOTP support doesn't include 
those specific files in the manifest because part of that extension's build 
process is JavaScript minification and concatenation. They're there implicitly 
via the single file that it does include.

 

Any tip what to watch out for? Is there any debug support for the browser
parts?

 

You need to make sure your module is added as a dependency of the "index" 
module or your module's config, etc. will not be loaded with the rest of the 
app. You need to also make sure that all relevant files are part of the 
manifest (either through being explicitly included or through a concatenation 
step). You should also double check that the field type name defined in the 
Java half of your field exactly matches the field type name that you're 
registering - if they don't match, the webapp won't be able to locate and 
render your field.

 

If things still are not behaving as expected, I recommend adding some 
console.log() calls around the various parts of your code to see what files are 
loaded vs. not, what parts of your module are loaded vs. not, etc. That might 
give you an idea where to look for the problem.

 

- Mike

 



AW: Additional field (select options) on login screen?

2022-12-08 Thread Joachim Lindenberg
Hello Mike,

thanks for that. I started trying out that route. I figured out I probably
also need an html template, a controller, probably additions to manifest,
but cannot get the field to be displayed yet, and also don´t see any errors
in the browser's console I can attribute to that. I enabled debug logging in
guacamole container. I can tell that my module.js (referenced from manifest)
is included and executes, but I cannot find my config, controller and
template within the network trace. Should they be included in manifest (totp
doesn´t)?

Any tip what to watch out for? Is there any debug support for the browser
parts?

Thanks, Joachim

 

 

From: Michael Jumper
Sent: Wednesday, 7 December 2022 06:08
To: user@guacamole.apache.org
Subject: Re: Additional field (select options) on login screen?

 

There isn't currently any specific documentation on registering custom
field types, but there are some examples in the source that might be
instructive. You don't need to modify the guacamole-client source - there is
a system built-in intended for custom field types. You can do this purely
with an extension.

 

Take a look at the TOTP extension, which uses a fairly involved custom
field type for the enrollment process:

 

https://github.com/apache/guacamole-client/blob/master/extensions/guacamole-auth-totp/src/main/java/org/apache/guacamole/auth/totp/form/AuthenticationCodeField.java (Java definition)

https://github.com/apache/guacamole-client/blob/master/extensions/guacamole-auth-totp/src/main/resources/config/totpConfig.js (JavaScript registration of the type)

https://github.com/apache/guacamole-client/blob/master/extensions/guacamole-auth-totp/src/main/resources/totpModule.js (JavaScript registration of the AngularJS module handling the custom field registration)

 

The Java field will be automatically serialized into JSON, included in the
auth response, and then processed and passed to your custom field when
received by the browser.

 

The Duo extension also leverages custom fields for similar purposes.

 

- Mike

 

On Mon, Dec 5, 2022, 10:23 PM Joachim Lindenberg <guacam...@lindenberg.one> wrote:

Hello Mike,

is there any documentation or example on how to add a custom field type? I
assume this would require to clone or contribute to guacamole-client?

Thanks,
Joachim

 

From: Michael Jumper <mjum...@apache.org>
Sent: Tuesday, 6 December 2022 00:42
To: user@guacamole.apache.org
Subject: Re: Additional field (select options) on login screen?

 

On Mon, Dec 5, 2022 at 3:01 PM Joachim Lindenberg <guacam...@lindenberg.one> wrote:

Hello Mike,

 

I modified my code to show an additional field using that exception, however
the result is not exactly what I was looking for.

With code like… 

 

    static final String backupserver = "backup-server-to-connect-to";
    private static Field BACKUPSERVER = null;
    private static CredentialsInfo SERVER_USERNAME_PASSWORD = null;

    …

    if (BACKUPSERVER == null)
        BACKUPSERVER = new EnumField(backupserver, getBackupServerCollection());

    if (SERVER_USERNAME_PASSWORD == null)
        SERVER_USERNAME_PASSWORD = new CredentialsInfo(Arrays.asList(
            BACKUPSERVER,
            CredentialsInfo.USERNAME,
            CredentialsInfo.PASSWORD
        ));

    throw new GuacamoleInsufficientCredentialsException(
        "server, user & password required", SERVER_USERNAME_PASSWORD);

 

… I get a drop down with the content
LOGIN.FIELD_OPTION_BACKUP_SERVER_TO_CONNECT_TO_BACKUP2_LINDENBERG_ONE in the
UI.

Looks like the client application takes my field name and values,
concatenates them, and probably also tries to translate them, whereas I want
to use the Values in EnumField as provided. How can I achieve that?

 

You cannot do this with EnumField. All of the standard field types included
with Guacamole that allow you to specify possible values will expect
translation strings for each of those possible values. You would have to
define your own custom field type if you cannot provide translation strings
for the possible values ahead of time.

 

Is there some other UI element more appropriate?

 

Also while the exception provides an easy way to define fields, the
Credentials type does not reflect that. I figured out I have to use
something like

credentials.getRequest().getParameter(backupserver)

correct?

 

Yes, convenience functions are provided only for username and password. You
need to use the generic getParameter() for anything more specialized.

 

- Mike

 


AW: Additional field (select options) on login screen?

2022-12-05 Thread Joachim Lindenberg
Hello Mike,

is there any documentation or example on how to add a custom field type? I 
assume this would require to clone or contribute to guacamole-client?

Thanks,
Joachim

 

From: Michael Jumper
Sent: Tuesday, 6 December 2022 00:42
To: user@guacamole.apache.org
Subject: Re: Additional field (select options) on login screen?

 

On Mon, Dec 5, 2022 at 3:01 PM Joachim Lindenberg <guacam...@lindenberg.one> wrote:

Hello Mike,

 

I modified my code to show an additional field using that exception, however the 
result is not exactly what I was looking for.

With code like… 

 

    static final String backupserver = "backup-server-to-connect-to";
    private static Field BACKUPSERVER = null;
    private static CredentialsInfo SERVER_USERNAME_PASSWORD = null;

    …

    if (BACKUPSERVER == null)
        BACKUPSERVER = new EnumField(backupserver, getBackupServerCollection());

    if (SERVER_USERNAME_PASSWORD == null)
        SERVER_USERNAME_PASSWORD = new CredentialsInfo(Arrays.asList(
            BACKUPSERVER,
            CredentialsInfo.USERNAME,
            CredentialsInfo.PASSWORD
        ));

    throw new GuacamoleInsufficientCredentialsException(
        "server, user & password required", SERVER_USERNAME_PASSWORD);

 

… I get a drop down with the content 
LOGIN.FIELD_OPTION_BACKUP_SERVER_TO_CONNECT_TO_BACKUP2_LINDENBERG_ONE in the UI.

Looks like the client application takes my field name and values, concatenates 
them, and probably also tries to translate them, whereas I want to use the 
Values in EnumField as provided. How can I achieve that?

 

You cannot do this with EnumField. All of the standard field types included 
with Guacamole that allow you to specify possible values will expect 
translation strings for each of those possible values. You would have to define 
your own custom field type if you cannot provide translation strings for the 
possible values ahead of time.

 

Is there some other UI element more appropriate?

 

Also while the exception provides an easy way to define fields, the Credentials 
type does not reflect that. I figured out I have to use something like

credentials.getRequest().getParameter(backupserver)

correct?

 

Yes, convenience functions are provided only for username and password. You 
need to use the generic getParameter() for anything more specialized.

 

- Mike

 



AW: Additional field (select options) on login screen?

2022-12-05 Thread Joachim Lindenberg
Hello Mike,

 

I modified my code to show an additional field using that exception, however the 
result is not exactly what I was looking for.

With code like… 

 

    static final String backupserver = "backup-server-to-connect-to";
    private static Field BACKUPSERVER = null;
    private static CredentialsInfo SERVER_USERNAME_PASSWORD = null;

    …

    if (BACKUPSERVER == null)
        BACKUPSERVER = new EnumField(backupserver, getBackupServerCollection());

    if (SERVER_USERNAME_PASSWORD == null)
        SERVER_USERNAME_PASSWORD = new CredentialsInfo(Arrays.asList(
            BACKUPSERVER,
            CredentialsInfo.USERNAME,
            CredentialsInfo.PASSWORD
        ));

    throw new GuacamoleInsufficientCredentialsException(
        "server, user & password required", SERVER_USERNAME_PASSWORD);

 

… I get a drop down with the content 
LOGIN.FIELD_OPTION_BACKUP_SERVER_TO_CONNECT_TO_BACKUP2_LINDENBERG_ONE in the UI.

Looks like the client application takes my field name and values, concatenates 
them, and probably also tries to translate them, whereas I want to use the 
Values in EnumField as provided. How can I achieve that? Is there some other UI 
element more appropriate?

 

Also while the exception provides an easy way to define fields, the Credentials 
type does not reflect that. I figured out I have to use something like

credentials.getRequest().getParameter(backupserver)

correct?

 

Thanks, Joachim

 

From: Michael Jumper
Sent: Monday, 5 December 2022 19:25
To: user@guacamole.apache.org
Subject: Re: Additional field (select options) on login screen?

 

You can accept arbitrary credentials as a part of the auth process. The content 
of the login screen is determined by the credentials requested by the 
GuacamoleInvalidCredentialsException thrown, so you would just include 
username, password, and the desired select field in the set of fields:

 

https://guacamole.apache.org/doc/guacamole-ext/org/apache/guacamole/net/auth/credentials/GuacamoleInvalidCredentialsException.html

 

A select field is represented by an EnumField:

 

https://guacamole.apache.org/doc/guacamole-ext/org/apache/guacamole/form/EnumField.html

 

- Mike

 

On Mon, Dec 5, 2022, 9:42 AM Joachim Lindenberg <guacam...@lindenberg.one> wrote:

Hello Mike,

my current auth extension calls to my backup software (which also manages 
virtual machines created from backups), authenticates the user, and creates a 
list of configurations (existing vms or to-be-created-vms) for the user to pick 
from. As I am in fact running multiple backup servers, I want to allow the 
users to choose the server to use from a list that could be stored in 
guacamole.properties or similar.

Thanks,

Joachim

 

From: Michael Jumper <mjum...@apache.org>
Sent: Monday, 5 December 2022 18:28
To: user@guacamole.apache.org
Subject: Re: Additional field (select options) on login screen?

 

On Mon, Dec 5, 2022, 9:26 AM Joachim Lindenberg <guacam...@lindenberg.one> wrote:

Hello,

I´d like to add an additional field to the login screen. The field should be a 
select option (at least that is the html I would use, regardless of how it is 
generated) and ideally the field can be prepopulated via the url (subject to 
available options).

To what end?

I assume something like this can be done via an authentication extension and I 
already have one, but so far it does not add the additional field, nor is clear 
to me, how to make any additional UI element depend on configuration or backend 
information.

What does your auth extension currently do?

 

- Mike

 



AW: Additional field (select options) on login screen?

2022-12-05 Thread Joachim Lindenberg
Hello Mike,

my current auth extension calls to my backup software (which also manages 
virtual machines created from backups), authenticates the user, and creates a 
list of configurations (existing vms or to-be-created-vms) for the user to pick 
from. As I am in fact running multiple backup servers, I want to allow the 
users to choose the server to use from a list that could be stored in 
guacamole.properties or similar.

Thanks,

Joachim

 

From: Michael Jumper
Sent: Monday, 5 December 2022 18:28
To: user@guacamole.apache.org
Subject: Re: Additional field (select options) on login screen?

 

On Mon, Dec 5, 2022, 9:26 AM Joachim Lindenberg <guacam...@lindenberg.one> wrote:

Hello,

I´d like to add an additional field to the login screen. The field should be a 
select option (at least that is the html I would use, regardless of how it is 
generated) and ideally the field can be prepopulated via the url (subject to 
available options).

To what end?

I assume something like this can be done via an authentication extension and I 
already have one, but so far it does not add the additional field, nor is clear 
to me, how to make any additional UI element depend on configuration or backend 
information.

What does your auth extension currently do?

 

- Mike

 



Additional field (select options) on login screen?

2022-12-05 Thread Joachim Lindenberg
Hello,

I´d like to add an additional field to the login screen. The field should be a 
select option (at least that is the html I would use, regardless of how it is 
generated) and ideally the field can be prepopulated via the url (subject to 
available options).

I assume something like this can be done via an authentication extension and I 
already have one, but so far it does not add the additional field, nor is clear 
to me, how to make any additional UI element depend on configuration or backend 
information. At least 
https://guacamole.apache.org/doc/gug/guacamole-ext.html#updating-existing-html 
addresses only static html changes.

Does anybody have a working example, how-to, or similar?

Thanks, Joachim

 



AW: Apache Guacamole html page edit

2022-06-01 Thread Joachim Lindenberg
Two questions:

*   can this be done with an extension rather than a modification?
*   didn´t this come up several times earlier and could be a configuration 
option that the webapp addresses out-of-the-box?

Thanks, Joachim

 

From: Suat Toksöz
Sent: Wednesday, 1 June 2022 17:56
To: user@guacamole.apache.org
Subject: Re: Apache Guacamole html page edit

 

Thanks Nick,

 

So I need to get the Apache Guacamole client source code, then change the HTML 
tag, then compile and generate the war file for Tomcat, right?

 

The change that we need is this: the admin user should not be able to intercept the 
active connections. So the link for each active session should be #.





On 1 Jun 2022, at 18:05, Nick Couchman <vn...@apache.org> wrote:

On Wed, Jun 1, 2022 at 10:47 AM Suat Toksöz <stok...@gmail.com> wrote:

Also, I am not able to find the file location on apache guacamole source code.

https://dlcdn.apache.org/guacamole/1.4.0/source/



 

 

That's the guacamole-server (guacd) source code - the code for the web 
interface is in the guacamole-client source code. For the connection history 
and active sessions, the code is specifically, here:

 

https://github.com/apache/guacamole-client/tree/master/guacamole/src/main/frontend/src/app/settings/templates

 

Please note those are the HTML templates that are used by AngularJS to fill in 
the data. So, whatever modifications you want to do will likely need to be a 
combination of edits to those HTML templates as well as the AngularJS files 
that actually populate data.

 

-Nick



AW: File Encryption for RDP Redirected Folders

2022-05-07 Thread Joachim Lindenberg
Hi Gabriel,

imho, asking for encryption via Guacamole or even end users is a dead-end here. 
Protect the server itself (full encryption close to hardware is always a good 
idea), and audit administrative access reasonably. Guacamole cannot do better 
as it would have to store a key somewhere, and end users are notoriously bad in 
key management.

How do you solve that issue with other shares? I´d be surprised if there are 
none or that Guacamole is more critical than anything else.

Best Regards,

Joachim

 

From: gabriel sztejnworcel
Sent: Friday, 6 May 2022 21:10
To: user@guacamole.apache.org
Subject: Re: File Encryption for RDP Redirected Folders

 

Hi Joachim,

 

We use Guacamole with some customizations (code changes). The way we 
implemented it - the redirected folder is a per-session temporary folder, it 
has a unique name and it's deleted at the end of the session, so other users in 
RDP sessions (or even the same user from another session) can't see the files 
from within the session, but if someone gets access to the server with the 
right permissions they would get access to the files; this is what we are trying 
to mitigate.

 

Thanks,

Gabriel

 

On Wed, 4 May 2022 at 17:59, Nick Couchman <vn...@apache.org> wrote:

On Wed, May 4, 2022 at 10:44 AM Joachim Lindenberg <guacam...@lindenberg.one> wrote:

Hello Nick & Gabriel,

before thinking about encryption, what is the user and authorization concept 
for that share? Can every user see and change all other users' files? Or are the 
paths somehow distinct for all users, disallowing sharing? The doc only states, 
the guacd process needs to be able to read/write the directory, nothing else.

 

It's important to understand that the access to the redirected folder is done 
by the user running guacd. So, if you point all users to the same exact folder 
in the redirection, everyone will have access to all of the files. This can be 
mitigated in a couple of ways:

* Use tokens in Guacamole to point users to their own folders - for example, 
the path in the redirection could be /files/guacamole/${GUAC_USERNAME}, which 
means each user logging into Guacamole (not necessarily the remote system) will 
have their own folder.

* Instead of using folder redirection, use SSH on a server with Samba 
installed, so you can transparently share that folder both with the remote 
system (via SMB) and with the Guacamole browser (via SSH).

 

In fact I never enabled that drive, because I never understood and thus 
referred my users to using standard shares that support ACLs (and all the 
shares are ultimately protected by Bitlocker, as is my Guacamole setup as it 
runs on Hyper-V).

 

Yes, folder redirection is different than a file share.

 

 

Thanks for your answer Nick!

It's not so clear to me how this can be implemented only on the remote server 
side since files are uploaded by Guacamole without any involvement of the 
remote server, unless it somehow monitors the folder and each time a new file 
is created it encrypts it immediately.

I will look into it, thanks!

 

Yeah, you're correct about that - it wouldn't work for the remote access from 
Guacamole (the browser) to the remote server. So, there'd have to be some 
additional work (coding) done to make it work for both the remote system 
(server via RDP) and the web browser.

 

-Nick



AW: File Encryption for RDP Redirected Folders

2022-05-04 Thread Joachim Lindenberg
Hello Nick & Gabriel,

before thinking about encryption, what is the user and authorization concept 
for that share? Can every user see and change all other users' files? Or are the 
paths somehow distinct for all users, disallowing sharing? The doc only states, 
the guacd process needs to be able to read/write the directory, nothing else.

In fact I never enabled that drive, because I never understood and thus 
referred my users to using standard shares that support ACLs (and all the 
shares are ultimately protected by Bitlocker, as is my Guacamole setup as it 
runs on Hyper-V).

Thanks,

Joachim

 

From: gabriel sztejnworcel
Sent: Wednesday, 4 May 2022 13:16
To: user@guacamole.apache.org
Subject: Re: File Encryption for RDP Redirected Folders

 

Thanks for your answer Nick!

It's not so clear to me how this can be implemented only on the remote server 
side since files are uploaded by Guacamole without any involvement of the 
remote server, unless it somehow monitors the folder and each time a new file 
is created it encrypts it immediately.

I will look into it, thanks!

 

On Wed, 4 May 2022 at 00:04, Nick Couchman <vn...@apache.org> wrote:

On Tue, May 3, 2022 at 3:50 PM gabriel sztejnworcel <gabriel@gmail.com> wrote:

Hi,

 

Was there ever a discussion or suggestion to implement encryption for files 
transferred in RDP sessions through redirected folders? So that if someone gets 
access to the Guacamole server, they won't be able to get these files, which 
might contain sensitive information.

I thought of creating a key for each session, when the file is uploaded - use 
the key to encrypt it. When the file is read from within the RDP session - 
decrypt the requested portion. The encryption itself might be challenging as it 
needs to be in parts.

 

For download - maybe it's possible to stream the file to Guacamole client 
immediately and not store it on disk instead of encrypting it.

 

Wondering if someone ever tried it or if someone else thinks it's useful.

 

 

Well, you could do this entirely on the remote desktop side and it shouldn't be 
a problem, you'd just have to install some sort of encryption software that 
encrypts the files before they land on the redirected folder. The redirected 
folder is really just an internal file share presented by the RDP client 
(\\tsclient\share), so you just need some way to 
enable, encourage, and/or enforce encryption on the RDS host. It's been a 
little while since I messed around with client encryption software, but back in 
the day there were Open Source items like TrueCrypt and VeraCrypt that could do 
this cross-platform, and I know there are also commercial solutions. While this 
method is somewhat disruptive - it means additional software/steps for the user 
- it is the most secure, as it allows for encryption on a per-user basis, which 
means that no one, not even the root user of the guacd server, can decrypt the 
files.

 

Beyond that I suppose guacd could be extended to support transparent encryption 
of the files as they land; however, this would mean that the encryption keys 
for the files would be stored on the guacd server, so if someone compromised 
that server, they could still get access to the files and decrypt them. I think 
some filesystems - like ZFS - support transparent at-rest encryption and can 
manage access to keys, use hardware keys, etc., so there may be some 
possibilities, there, as well. This is a bit out of my areas of 
experience/expertise, though.

 

-Nick
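
The per-session, chunk-wise scheme Gabriel describes in this thread (encrypt on upload, decrypt only the requested portion on read), as an added Node.js example that is not part of the original messages and not Guacamole code. The chunk size, nonce layout, associated data and all function names are assumptions made for illustration; as Nick notes, the key still lives on the server while the session runs.

```javascript
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

const TAG_LEN = 16; // AES-GCM authentication tag, stored after each chunk

// 12-byte GCM nonce: 8 random bytes chosen per file + 4-byte chunk index.
// A (key, nonce) pair must never repeat, so a stored chunk is never rewritten.
function nonceFor(filePrefix, index) {
    const nonce = Buffer.alloc(12);
    filePrefix.copy(nonce, 0);
    nonce.writeUInt32BE(index, 8);
    return nonce;
}

// Associated data binds every chunk to its index, the chunk size and the file
// size, so swapped, truncated or re-described ciphertext fails authentication.
function aadFor(index, chunkSize, size) {
    const aad = Buffer.alloc(16);
    aad.writeUInt32BE(index, 0);
    aad.writeUInt32BE(chunkSize, 4);
    aad.writeBigUInt64BE(BigInt(size), 8);
    return aad;
}

// Encrypt an uploaded file chunk by chunk under the session's 32-byte key.
function encryptFile(sessionKey, plaintext, chunkSize = 64 * 1024) {
    const filePrefix = randomBytes(8);
    const size = plaintext.length;
    const total = Math.max(1, Math.ceil(size / chunkSize));
    const chunks = [];
    for (let i = 0; i < total; i++) {
        const cipher = createCipheriv('aes-256-gcm', sessionKey, nonceFor(filePrefix, i));
        cipher.setAAD(aadFor(i, chunkSize, size));
        const part = plaintext.subarray(i * chunkSize, (i + 1) * chunkSize);
        const body = Buffer.concat([cipher.update(part), cipher.final()]);
        chunks.push(Buffer.concat([body, cipher.getAuthTag()]));
    }
    return { filePrefix, chunkSize, size, chunks };
}

// Decrypt and authenticate one chunk; throws if the chunk, its position or
// the recorded sizes were modified, or if the key is wrong.
function decryptChunk(sessionKey, file, index) {
    const stored = file.chunks[index];
    if (!stored || stored.length < TAG_LEN) throw new Error('missing chunk ' + index);
    const split = stored.length - TAG_LEN;
    const decipher = createDecipheriv('aes-256-gcm', sessionKey, nonceFor(file.filePrefix, index));
    decipher.setAAD(aadFor(index, file.chunkSize, file.size));
    decipher.setAuthTag(stored.subarray(split));
    return Buffer.concat([decipher.update(stored.subarray(0, split)), decipher.final()]);
}

// Serve a read of `length` bytes at `offset` by decrypting only the chunks
// that cover the requested range.
function readRange(sessionKey, file, offset, length) {
    const end = Math.min(file.size, offset + length);
    if (offset < 0 || offset >= end) return Buffer.alloc(0);
    const first = Math.floor(offset / file.chunkSize);
    const last = Math.floor((end - 1) / file.chunkSize);
    const parts = [];
    for (let i = first; i <= last; i++) parts.push(decryptChunk(sessionKey, file, i));
    const start = offset - first * file.chunkSize;
    return Buffer.concat(parts).subarray(start, start + (end - offset));
}

// Constructed sample: a per-session key held only in memory and one upload.
function demo() {
    const sessionKey = randomBytes(32);
    const upload = Buffer.from('constructed sample upload: ' + 'A'.repeat(100));
    const file = encryptFile(sessionKey, upload, 32);
    return readRange(sessionKey, file, 40, 50).equals(upload.subarray(40, 90));
}
```

Discarding the session key when the session ends makes any leftover ciphertext unreadable, which matches the per-session temporary folder described earlier in the thread.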



AW: Support protocols

2022-03-31 Thread Joachim Lindenberg
Hello Yang,

I´d be interested as well what and how you did it.

Thanks,

Joachim

 

From: Yang Yang
Sent: Thursday, 31 March 2022 05:14
To: user@guacamole.apache.org
Subject: Re: Support protocols

 

Hi Cyrus,

 

It is much more than an add-on to Guacamole, otherwise I believe the Guacamole 
team would have added the support.

 

Our solution is not open source, and let me check with you off line.

 

Thanks,

Yang 





On Mar 31, 2022, at 09:24, Cyrus <cyru...@gmail.com> wrote:

 

I'm not from an Space Agency, but I'm curious about your implementation. 

 

Is there public documentation somewhere?, is that something publicly 
available?, paid addon?

 

Regards,

CI.-

On Tue, Mar 29, 2022, 22:33 Yang Yang <yy8...@icloud.com.invalid> wrote:

We have built a solution to extend Guacamole with http(s) support with a 
similar approach/concept, which Nick actually had mentioned in this mailing 
list for a couple of times as I remembered. The user experience with 
Chrome/Firefox in kiosk mode cannot provide plausible user experience, e.g. 
upload and download issues, inconvenient when accessing hyperlinks that open a 
new tab, without buttons to check previous or next page, and we had to build a 
customized browser core for this case.

 

With our solution, per user request to a connection, a virtual environment with 
customized browser core will be instantly created and launch the URL specified 
and then we have Guacamole connecting to the virtual environment and taking 
care of user actions. When the user access session ends, the virtual 
environment will be destroyed and released.

 

Although efforts invested on this project were more than we had originally 
planned, the overall experience is actually beyond our expectation, easy to use 
and much better security. Please feel free to let me know if you are interested 
to know more.

 

Thanks,

Yang





On Mar 29, 2022, at 21:23, Guillermo Vargas-Dellacasa <gvargas-dellac...@nhvweb.net> wrote:

 

I was going to suggest the same as a workaround. Launching a browser in kiosk 
mode as a webapp on an RDP session should accomplish restricted https access to 
a particular application (haven't tried but sounds plausible). One possible 
advantage of this approach vs a standard proxy will be that you eliminate any 
possible issues that sometimes come up with proxies (e.g. WebRTC or Certs 
issues).

 

Every solution has its pros and cons. I have used Fortinet's SSL VPN Web mode 
for RDP and it has limitations vs Guac (no print redirect, no file sharing, no 
integrated copy-paste). The workaround for Fortinet's is to use it in tunnel 
model, but then that requires a client. So, everything has pros/cons. As a side 
note, in my experience Guac RDP is way faster than Fortinet's RDP over SSL VPN 
Web mode (or even tunnel mode; again, in my experience). The main advantage of 
Fortinet is that it is all done in a firewall unit (which you anyway need). 
That's Fortinet's approach: trying to offer everything under the sun on the 
firewall. Judging from one of the responses before, it might be that Guac 
doesn't want to go that route as a project. That would be fine with me.




G.

 

On Tue, Mar 29, 2022 at 7:52 AM Vendel Colja <colja.ven...@allysca.de> wrote:

But what’s your problem? Just access a single webbrowser on a RDP host as an 
application and you can access whatever http/https site via that browser. If 
you’d like to restrict the range of pages, let’s say to a single site, that’s 
subject to that browser and system you are accessing via guacamole and RDP.

 

Colja 

 

From: Stefan Bogdan Cimpeanu [mailto:bog...@cimpeanu.org]
Sent: Tuesday, 29 March 2022 13:28
To: user@guacamole.apache.org
Subject: Re: Support protocols

 

I will get so much hate for this, but, there are other commercial solutions 
that allow you to access webpages defined or user-provided from within the 
solution, such as Fortinet.

Different ACL’s can be implemented, 2FA, and all the bells and whistles.

 

Bogdan

 

On 29 Mar 2022, at 11:38, Ricardo García Arroyo <rgarr...@gmv.com> wrote:

 

Hello, good morning.

 

We ask because our client is the ESA (European Space Agency).

Is it possible to create a future release with ESA requirement with an 
estimation (in time and value) of your work? My team and ESA would evaluate 
your estimation.

 

Thanks and regards.

Ricardo

 

From: Alessandro Sironi <a.sir...@me.com.INVALID>
Sent: Tuesday, 29 March 2022 9:18
To: user@guacamole.apache.org
Subject: Re: Support protocols

 

Hello, if you mean to be able to directly open a webpage in http(s), then it’s 
definitely not possible and not in any future release.

Sent from iPhone





On 29 Mar 2022, at 09:14, Ricardo García Arroyo <rgarr...@gmv.com> wrote:

 

Hello.

 

We 

AW: Building an extension module: guacamole-ext 1.4.0 not found

2022-01-12 Thread Joachim Lindenberg
Hello Nick, all,

when switching to 1.4 I had to fiddle with permissions of my extensions in the 
docker containers. I guess the user for the containers changed, but I didn´t 
really analyze in detail.

Thanks for the good work!

Joachim

 

From: Nick Couchman
Sent: Tuesday, 11 January 2022 22:22
To: user@guacamole.apache.org
Subject: Re: Building an extension module: guacamole-ext 1.4.0 not found

 

On Tue, Jan 11, 2022 at 4:11 PM Dustin Lang <dstnd...@gmail.com> wrote:

Hi,

 

I'm trying to update my custom authentication module to use 1.4.0.

 

In my pom.xml I first tried just changing the 1.3.0 to 1.4.0, that didn't work, 
then I re-read the manual 
(https://guacamole.apache.org/doc/gug/custom-auth.html), copy-pasting the 
suggested pom.xml, and that also fails.  If I edit the 1.4.0 to 1.3.0, it works.

 

Below, it looks like maven is looking for "guacamole-client" instead of 
"guacamole-ext" ... I have no idea why that would be!  Nothing in my directory 
contains the string "guacamole-client"  I tried removing my ~/.m2 
directory, no effect.  I'm new to all this, so apologies if this is something 
naive I'm doing wrong.

 

 

I think there's an issue that's been identified with Maven artifacts, and the 
guacamole-client one is missing. You can solve this in one of two ways:

1) Just use the 1.3.0 extension with the 1.4.0 Guacamole Client install - it 
should work, unless there's something specific from 1.4.0 that you're trying to 
leverage.

2) Build the entire Guacamole Client code on the system where you're trying to 
build that module, which should give you the JAR artifacts you need.

 

-Nick



AW: User session locked in use and cannot reset?

2020-12-29 Thread Joachim Lindenberg
I am getting the same error message occasionally with a RDP connection using 
mstsc.exe or vmconnect.exe instead of Guacamole, also targeting a Windows 10 
(virtual) system. Usually I restart the target system and after restart the 
connection is working fine again. Therefore it may be a bug in Windows and not 
Guacamole. Did you try to restart the target system already?

Regards, Joachim

 

From: Joe Gullo
Sent: Tuesday, 29 December 2020 17:26
To: user@guacamole.apache.org
Subject: User session locked in use and cannot reset?

 

Per the recommendation on the Jira tracker, I'm posting this issue to the 
mailing list.  I don't think this is a bug per se, but I can't figure out how 
to unlock this session.  I thought it would be something in the database, but 
no amount of searching found anything that looked like it would help.

 

An RDP session is locked, when I try to connect I get the following message:

The Guacamole server is denying access to this connection because you have 
exhausted the limit for simultaneous connection use by an individual user. 
Please close one or more connections and try again.

I have logged out of that computer, I have restarted that computer.  It is a 
Windows 10 computer.  My user is able to connect to other computers (Windows 10 
and Windows Server 2016) using the same guacamole session.  From the other 
computers, I am able to successfully RDP into the original problematic 
computer.  From a different (admin) user account I get the same message trying 
to log into the problematic computer.  I logged out of guacamole completely and 
logged back in, same message.  I closed the chrome session entirely, upon 
trying again, same message.  I closed chrome completely, opened an incognito 
tab, same message. 

I have restarted guacd AND rebooted the guacamole server.  I have edited the 
session for this computer to allow "Maximum Number of Connections" to be 5 and 
"Maximum Number of connections per user" to be 5.  From my admin user I have 
been able to kill the user session of the problematic user/computer (or, 
confirm it isn't there) and when I re-start the whole process I get the same 
connection error.

The windows system logs show no errors, but I do believe I am seeing a 
successful authentication attempt.

Somehow, this RDP session is locked and I can't unlock it; my worry is there is 
some database artifact triggering guacd to think the session is alive when it 
isn't.

The logs in catalina.out show the following:

16:11:18.825 [http-nio-8080-exec-9] ERROR 
o.a.g.w.GuacamoleWebSocketTunnelEndpoint - Creation of WebSocket tunnel to 
guacd failed: Cannot connect. Connection already in use by this user.
16:11:18.896 [http-nio-8080-exec-6] WARN o.a.g.s.GuacamoleHTTPTunnelServlet - 
HTTP tunnel request rejected: Cannot connect. Connection already in use by this 
user.

 

Joe Gullo

Sysadmin, Web Designer, Artist

http://www.surfrock66.com

surfroc...@surfrock66.com  

(714)926-0336



AW: Keyboard/Mouse session stream corruption in Linux/xRDP sessions

2020-11-17 Thread Joachim Lindenberg
Maybe that is totally unrelated to Guacamole. I am encountering freezing RDP 
connections (no random input however) without using Guacamole as well, and I 
suspect it is due to low memory in the VM. It is more likely to happen if you 
render complex websites than with office products, but your mileage may vary of 
course. Unfortunately I am short on memory on my host (cannot add more RAM due 
to hardware limitations).

Best Regards, Joachim

 

From: Nick Couchman
Sent: Tuesday, 17 November 2020 18:17
To: user@guacamole.apache.org
Subject: Re: Keyboard/Mouse session stream corruption in Linux/xRDP sessions

 

On Tue, Nov 17, 2020 at 12:05 PM Weeks, Thomas <t.we...@vt.edu> wrote:

Are Mike or Nick lurking in here?  Carl sent me here to see if anyone else is 
seeing this (or can reproduce) this guac/RDP KB/mouse corruption issue.

 

T.Weeks at the Cyber Range here.. We maintain several thousand VDI (virtual 
desktop for instruction) AWS VMs.. mainly RDP sessions to Linux/xRDP and Win 
VMs.. and Guac has been really great for us.  However.. after upgrading to guac 
1.2 (earlier this year), we started seeing teachers and students complaining 
about "random keyboard" and mouse garbage & actions in their Linux RDP sessions 
(nothing on the VMs changed), or sometimes the KB and mouse just completely 
stop working (users complain of "VM freezing", which is not accurate).  

 

For example, a terminal (on an xRDP/sesman/X11 Linux VM desktop on AWS) will 
suddenly echo garbage when the user moves the mouse, or the cursor jumps around 
randomly open/close/maximize windows, and trying to type in a focused terminal 
session will seemingly type garbage into the terminal.  You can't "reset" the 
terminal.. so this is not normal terminal state issues.. the raw keyboard and 
mouse stream within guac seems to get corrupted.  Here's a video of it 
happening to both a teacher as well as his student, both using guac (and 
sharing their screens in zoom):
https://photos.app.goo.gl/fQwe8TjmMZyH6pdk9

 

A work around seems to be to close the guac session and re-connect. The desktop 
session is usually still there and as you left it.. but re-connecting (or 
someone else connecting and bumping your session off) seems to re-establish 
normal kb/mouse session control.

 

FYI.. We've run the same xRDP setup (with guac connecting to Linux VMs) for 
three years just fine before we started seeing this (soon after upgrading to 
guac 1.2 iirc).

 

I see it the most bc I work with our clients in support.. but our devs have not 
been able to reproduce it.  (If you use a session for 8 hrs/day, you might 
encounter this 1-2 times / day. But some instructors (with classes of 30-50 
kids) are obviously seeing it much more often.)

 

Anyone here seen or heard of this?.. or have been able to reproduce (reliably)? 
I didn't see anything in the guac jira issues area.

 

 

I use Guac 1.2 on a daily basis to connect to both Windows and xRDP (mainly 
Windows), and I've not encountered the issue you're seeing. Can you provide 
details on the platform of both the Guacamole services and your xRDP instances? 
I'm running both Guacamole and xRDP on CentOS7, generally up-to-date. Anything 
in system logs (Tomcat or guacd or xRDP) at the time it occurs?

 

-Nick



AW: securing connection passwords

2020-07-20 Thread Joachim Lindenberg
Hi Marcel.

When searching I found Azure can sync password HASHES, not passwords, and also 
offers pass-through authentication against your local AD. Where did you read it 
syncs passwords?

Best Regards, Joachim

 

From: Marcel Pruijn
Sent: Monday, 20 July 2020 20:05
To: user@guacamole.apache.org
Subject: Re: securing connection passwords

 

 

Hi there,

 

Interesting thoughts!

I have not had any experience with Azure Key Vault myself, but it would be 
great if it could offer SSO login to Guacamole and pass stored user credentials 
for the connections. I would not need OpenID or any other extension as the user 
has already proven his or her identity. Azure itself can sync AD passwords 
and even offer password writeback. If these credentials could be made available 
to Azure Key Vault the user only has to maintain their AD credentials. BTW: SSO 
is not a deal breaker but it helps getting rid of users entering passwords.

 

Kind regards,

Marcel

 

On Mon, 20 Jul 2020 at 12:53, Joachim Lindenberg <joac...@lindenberg.one> wrote:

Hello Mike,

Sure one can directly authenticate against AD on Guacamole and then leverage 
credential pass-through.

However my take is that others on this list, e.g. Marcel in 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/securing-connection-passwords-tp9001p9010.html,
 would like to leverage some other authentication mechanism like OpenID, SAML 
or the like, where credential pass-through is not supported, and do not want to 
re-enter passwords (irrespective of whether initial authentication is against 
AD or not). Using a password vault in that scenario is imho degrading security 
significantly. And whether users maintain their password on their own or not 
merely affects usability, not security.

Best Regards, Joachim

 

From: Mike Jumper <mjum...@apache.org>
Sent: Monday, 20 July 2020 11:44
To: user@guacamole.apache.org
Subject: Re: securing connection passwords

 

On Mon, Jul 20, 2020, 00:56 Joachim Lindenberg <joac...@lindenberg.one> wrote:

Hello all,

I have been thinking about the issue a little.

Afai understand using a key vault implies a user (assuming we talk about user 
specific credentials rather than connection specific) has to deposit and then 
change his/her password in two locations consistently: the active directory (as 
RDP usually authenticates against that) plus the new key vault. It is not 
unlikely that a user will forget and lock out himself/herself, calling for 
additional support. Imho it is also questionable that the key vault worsens 
your security properties as it has reversible encryption compared to the active 
directory using one way functions.

 

I don't imagine users would ever be expected to maintain their own passwords in 
a vault, nor have access to the vault itself. Use of a vault would make sense 
only when its contents are maintained independently by some other system, 
presumably the same system which creates and controls the accounts being used.

 

If Active Directory is in use, there is no need for a vault at all. You can 
just point Guacamole at Active Directory using LDAP and leverage credential 
pass-through.

 

- Mike

 



AW: WoL with Docker/bridged network

2020-07-20 Thread Joachim Lindenberg
Hi Stefan,

are you sure you are not mixing up  a “bridged” (layer 2) vs “routed” (layer 3) 
network configuration? With bridged, WoL should work, with routed, WoL usually 
works in the same subnet only.

Best Regards,
Joachim

 

From: Stefan Unverricht
Sent: Saturday, 18 July 2020 20:35
To: user@guacamole.apache.org
Subject: WoL with Docker/bridged network

 

Hi all.

 

We have integrated Guacamole as Docker with bridged network.

 

Is there a possibility to get WoL to work without changing the network-mode?


Stefan

EGroupware Community Manager



AW: securing connection passwords

2020-07-20 Thread Joachim Lindenberg
Hello Mike,

Sure one can directly authenticate against AD on Guacamole and then leverage 
credential pass-through.

However my take is that others on this list, e.g. Marcel in 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/securing-connection-passwords-tp9001p9010.html,
 would like to leverage some other authentication mechanism like OpenID, SAML 
or the like, where credential pass-through is not supported, and do not want to 
re-enter passwords (irrespective of whether initial authentication is against 
AD or not). Using a password vault in that scenario is imho degrading security 
significantly. And whether users maintain their password on their own or not 
merely affects usability, not security.

Best Regards, Joachim

 

From: Mike Jumper
Sent: Monday, 20 July 2020 11:44
To: user@guacamole.apache.org
Subject: Re: securing connection passwords

 

On Mon, Jul 20, 2020, 00:56 Joachim Lindenberg <joac...@lindenberg.one> wrote:

Hello all,

I have been thinking about the issue a little.

Afai understand using a key vault implies a user (assuming we talk about user 
specific credentials rather than connection specific) has to deposit and then 
change his/her password in two locations consistently: the active directory (as 
RDP usually authenticates against that) plus the new key vault. It is not 
unlikely that a user will forget and lock out himself/herself, calling for 
additional support. Imho it is also questionable that the key vault worsens 
your security properties as it has reversible encryption compared to the active 
directory using one way functions.

 

I don't imagine users would ever be expected to maintain their own passwords in 
a vault, nor have access to the vault itself. Use of a vault would make sense 
only when its contents are maintained independently by some other system, 
presumably the same system which creates and controls the accounts being used.

 

If Active Directory is in use, there is no need for a vault at all. You can 
just point Guacamole at Active Directory using LDAP and leverage credential 
pass-through.

 

- Mike

 



AW: securing connection passwords

2020-07-20 Thread Joachim Lindenberg
Hello all,

I have been thinking about the issue a little.

Afai understand using a key vault implies a user (assuming we talk about user 
specific credentials rather than connection specific) has to deposit and then 
change his/her password in two locations consistently: the active directory (as 
RDP usually authenticates against that) plus the new key vault. It is not 
unlikely that a user will forget and lock out himself/herself, calling for 
additional support. Imho it is also questionable that the key vault worsens 
your security properties as it has reversible encryption compared to the active 
directory using one way functions.

A better approach would be to leverage a “token to ticket” service that takes 
whatever authentication token, validates it, and then obtains a Kerberos ticket 
for RDP.

Googling around I came across https://directory.apache.org/kerby/ which 
probably solves part of the scenario via “Supports Token Preauth mechanism to 
allow clients to request tickets using JWT tokens.".

But I assume one would also have to modify FreeRDP to support a different 
authentication mechanism (e.g. pass in a service ticket).

Best Regards, Joachim

 

 

From: Marcel Pruijn
Sent: Monday, 20 July 2020 07:40
To: user@guacamole.apache.org
Subject: Re: securing connection passwords

 

Looking forward to the suggested solutions with the key vaults and prompt 
support. I hope these solutions will work with other extensions that support 
openid and saml. Great work guys!

Kind regards, Marcel

 

On Fri, 17 Jul 2020 at 20:45, Joachim Lindenberg <joac...@lindenberg.one> wrote:

Hi Nick,

right – we need to differentiate between passwords for user authentication (and 
potentially pass-thru) and passwords part of connection configuration. 
Passwords in connection configuration must be decryptable, but as the key is 
also some configuration you can argue whether the encryption adds security.

But why are user passwords encrypted rather than using a one-way-function?

Actually I am not affected at all as I am using my own extension with zero 
persistence.

Best Regards, Joachim

 

From: Nick Couchman <vn...@apache.org>
Sent: Friday, 17 July 2020 17:27
To: user@guacamole.apache.org
Subject: Re: securing connection passwords

 

 

 

On Fri, Jul 17, 2020 at 11:09 AM Joachim Lindenberg <joac...@lindenberg.one> wrote:

>Guacamole need to know the password at connection time (in clear-text)
True.
> Even if the password is encrypted in the DB, it must be decryptable...
False (in general)
The user needs to enter the password anyway, thus it can be used to validate 
against salted/hashed/whatever version of password in database while also 
passing it in clear text to guacd (e.g. as password for RDP connection).
You only need to have a decryptable version if you use some other 
authentication (e.g. certificates) and need the clear text password to 
establish the connection.
Best Regards,
Joachim

 

We need to be clear about which passwords we're talking about, here.  For user 
accounts stored in the database so that users can log in to Guacamole, the 
passwords are already AES256 encrypted and salted.  You can see this if you 
look at the database.

 

For passwords for specific connections, they are stored in plain-text, and they 
absolutely do need to be decrypt-able - these passwords will not always match 
the user who is logging in, the user won't always know the passwords for the 
connections, and they won't necessarily be entering them directly when making a 
connection.  Thus, they do have to be stored in some format which can be 
reversed into the plain-text password that can be sent along to the remote 
connection.  Encrypting these within the database itself does not make a lot of 
sense, unless you somehow tie that encryption to something that only a user 
logging in has (the user password, a certificate, etc.).  However, if you do 
that, you have to come up with a way to manage that encryption over time - that 
is, if the user changes their password, you have to be able to rotate that 
encryption to match the new password.  Also, you run into issues if multiple 
users are going to be sharing a connection, because the password then has to 
either be stored with an encryption key that can be shared, or has to be stored 
multiple times for each user...

 

...which brings us to the real solution, which is support for credential 
vaults.  Mike has already started working on this - there's a pull request out 
there to support the Azure Key Vault - and that should be able to extend to 
other similar credential vaults in a way that allows these types of services to 
be leveraged.  Whether it's an external server or implementing some sort of 
internal credential storage, this, combined with the Prompt support that is on 
the way, are really the ways to deal with storing and a

AW: securing connection passwords

2020-07-17 Thread Joachim Lindenberg
Hi Nick,

right – we need to differentiate between passwords for user authentication (and 
potentially pass-thru) and passwords part of connection configuration. 
Passwords in connection configuration must be decryptable, but as the key is 
also some configuration you can argue whether the encryption adds security.

But why are user passwords encrypted rather than using a one-way-function?

Actually I am not affected at all as I am using my own extension with zero 
persistence.

Best Regards, Joachim

 

From: Nick Couchman
Sent: Friday, 17 July 2020 17:27
To: user@guacamole.apache.org
Subject: Re: securing connection passwords

 

 

 

On Fri, Jul 17, 2020 at 11:09 AM Joachim Lindenberg <joac...@lindenberg.one> wrote:

>Guacamole need to know the password at connection time (in clear-text)
True.
> Even if the password is encrypted in the DB, it must be decryptable...
False (in general)
The user needs to enter the password anyway, thus it can be used to validate 
against salted/hashed/whatever version of password in database while also 
passing it in clear text to guacd (e.g. as password for RDP connection).
You only need to have a decryptable version if you use some other 
authentication (e.g. certificates) and need the clear text password to 
establish the connection.
Best Regards,
Joachim

 

We need to be clear about which passwords we're talking about, here.  For user 
accounts stored in the database so that users can log in to Guacamole, the 
passwords are already AES256 encrypted and salted.  You can see this if you 
look at the database.

 

For passwords for specific connections, they are stored in plain-text, and they 
absolutely do need to be decrypt-able - these passwords will not always match 
the user who is logging in, the user won't always know the passwords for the 
connections, and they won't necessarily be entering them directly when making a 
connection.  Thus, they do have to be stored in some format which can be 
reversed into the plain-text password that can be sent along to the remote 
connection.  Encrypting these within the database itself does not make a lot of 
sense, unless you somehow tie that encryption to something that only a user 
logging in has (the user password, a certificate, etc.).  However, if you do 
that, you have to come up with a way to manage that encryption over time - that 
is, if the user changes their password, you have to be able to rotate that 
encryption to match the new password.  Also, you run into issues if multiple 
users are going to be sharing a connection, because the password then has to 
either be stored with an encryption key that can be shared, or has to be stored 
multiple times for each user...

 

...which brings us to the real solution, which is support for credential 
vaults.  Mike has already started working on this - there's a pull request out 
there to support the Azure Key Vault - and that should be able to extend to 
other similar credential vaults in a way that allows these types of services to 
be leveraged.  Whether it's an external server or implementing some sort of 
internal credential storage, this, combined with the Prompt support that is on 
the way, are really the ways to deal with storing and accessing connection 
passwords, and not a sort of make-shift solution that would store the passwords 
with completely reversible encryption or hashing within the database.

 

-Nick



AW: securing connection passwords

2020-07-17 Thread Joachim Lindenberg
>Guacamole need to know the password at connection time (in clear-text)
True.
> Even if the password is encrypted in the DB, it must be decryptable...
False (in general)
The user needs to enter the password anyway, thus it can be used to validate 
against salted/hashed/whatever version of password in database while also 
passing it in clear text to guacd (e.g. as password for RDP connection).
You only need to have a decryptable version if you use some other 
authentication (e.g. certificates) and need the clear text password to 
establish the connection.
Best Regards,
Joachim

-Original Message-
From: Antoine Roux
Sent: Friday, 17 July 2020 13:54
To: user@guacamole.apache.org
Subject: Re: securing connection passwords

Hello Stephane,

MD5 is not a way to encrypt something, it's a hashing algorithm (not 
reversible).

Guacamole need to know the password at connection time (in clear-text). Even if 
the password is encrypted in the DB, it must be decryptable...

I don't think it's the right way to do something like you want.

On 17/07/2020 at 13:44, stephane.lhotellier wrote:
> Login passwords do not appear to be encrypted in the database.
> 
> Is it possible to encrypt them (MD5 or other) ?
> 
> 
> 
> --
> Sent from: 
> http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
> 
> -
> To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
> For additional commands, e-mail: user-h...@guacamole.apache.org
> 

--
Antoine  Roux



-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org
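Added example (not from the thread and not Guacamole's own code): the point argued in this message, that a password typed at login can be checked against a salted one-way hash and the same clear text forwarded to the connection, while a login that supplies no password (SSO, certificate) leaves nothing to forward. The user store, host name and function names are assumptions; `${GUAC_USERNAME}` and `${GUAC_PASSWORD}` follow Guacamole's parameter-token names, and PBKDF2 is chosen here as the one-way function.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

PBKDF2_ITERATIONS = 600_000
# Token names follow Guacamole's parameter tokens; the code around them is illustrative.
TOKEN = re.compile(r"\$\{(GUAC_USERNAME|GUAC_PASSWORD)\}")


def enroll(password: str) -> dict:
    """Build the stored login record: a random salt and a one-way hash, nothing reversible."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "hash": digest}


def verify(record: dict, password: str) -> bool:
    """Recompute the hash from the typed password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def resolve_parameters(template: dict, username: str, password: Optional[str]) -> dict:
    """Fill the tokens from this login's credentials, held in memory only.

    Raises LookupError when the template needs a password the login never supplied.
    """
    values = {"GUAC_USERNAME": username, "GUAC_PASSWORD": password}

    def substitute(match: re.Match) -> str:
        value = values[match.group(1)]
        if value is None:
            raise LookupError(f"{match.group(0)} unavailable: this login supplied no password")
        return value  # used verbatim: re.sub does not interpret a callable's result

    return {key: TOKEN.sub(substitute, text) for key, text in template.items()}


# Constructed sample data: one user and one RDP connection template (hypothetical host).
USERS = {"alice": enroll("correct horse battery staple")}
_DUMMY = enroll("placeholder record for unknown users")
RDP_TEMPLATE = {
    "hostname": "rdp.example.internal",
    "username": "${GUAC_USERNAME}",
    "password": "${GUAC_PASSWORD}",
}


def login_and_connect(username: str, password: str) -> Optional[dict]:
    """Password login: verify against the hash, then pass the typed password through."""
    record = USERS.get(username)
    # Unknown users are checked against a dummy record so both paths cost one hash.
    ok = verify(record if record is not None else _DUMMY, password)
    if record is None or not ok:
        return None
    return resolve_parameters(RDP_TEMPLATE, username, password)


def sso_connect(username: str) -> dict:
    """SAML/OpenID/certificate login: identity is proven, but no password was typed."""
    return resolve_parameters(RDP_TEMPLATE, username, None)


if __name__ == "__main__":
    print(login_and_connect("alice", "correct horse battery staple"))
    try:
        sso_connect("alice")
    except LookupError as err:
        print("SSO login:", err)
```

The `LookupError` branch is the case where a vault or some other retrievable secret becomes necessary.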



AW: What files would I have to alter to add an About page to guacamole?

2020-06-30 Thread Joachim Lindenberg
Hi Victor,

my login page looks the following (German):



Only extensions (actually two), no modification. The links all point to other 
websites.

Best Regards, Joachim

 

From: Victor Norman
Sent: Tuesday, 30 June 2020 15:04
To: user@guacamole.apache.org
Subject: Re: What files would I have to alter to add an About page to guacamole?

 

Joachim, et al., 

 

Thanks for your response. Looking at that other thread helped me understand 
some stuff.

 

But, I definitely need to add a new link on the login page to another page, 
which I will supply.

 

Do you think this can be done with only an extension, and not changing the 
"core" code?

From: Joachim Lindenberg <joac...@lindenberg.one>
Sent: Tuesday, June 30, 2020 3:11 AM
To: user@guacamole.apache.org
Subject: AW: What files would I have to alter to add an About page to guacamole?

 

Hello Victor,

you may want to check out the discussion at 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/How-can-Guacamole-be-customized-tt8216.html#a8234.

I used the extension mechanism to add links to pages and to exchange the logo. 
Do you want to add or reference a page?

Best Regards,

Joachim

 

From: Victor Norman <v...@calvin.edu>
Sent: Monday, 29 June 2020 21:55
To: user@guacamole.apache.org
Subject: What files would I have to alter to add an About page to guacamole?

 

Friends,

 

What files would I have to change to add a link to a separate About page to the 
main Guacamole page?  And, what files would I have to add to make it work?

 

Would I really need to create a whole set of pages in 
guacamole-client/guacamole/src/main/webapp/app/about/... ? 

 

Do I have to change something in navigation/services to make it so users have 
permission to go to that page?

 

Thanks!

 

Prof. Victor Norman

Computer Science

Calvin College University

v...@calvin.edu

-

"A designer knows he has achieved perfection not when there is nothing left to 
add, but when there is nothing left to take away." -- Antoine de Saint Exupéry

 

 



AW: [ANNOUNCE] Apache Guacamole 1.2.0

2020-06-30 Thread Joachim Lindenberg
In my case upgrade was very simple:

docker-compose down, 

update container references from 1.0 to 1.2, change configuration nla to 
vmconnect (both due to https://issues.apache.org/jira/browse/GUACAMOLE-952), 

docker-compose up -d --build.

Thanks a lot to the team!

Joachim

 

From: Peter De Tender
Sent: Tuesday, 30 June 2020 13:16
To: user@guacamole.apache.org; annou...@apache.org; 
annou...@guacamole.apache.org; d...@guacamole.apache.org
Subject: Re: [ANNOUNCE] Apache Guacamole 1.2.0

 

Hi,

What would be the best practice to upgrade from v1. 1.1 to 1.2?

Thanks Peter 


 

From: Daniëls, Tom <daniel...@buas.nl>
Sent: Tuesday, June 30, 2020 12:07:18 PM
To: user@guacamole.apache.org; annou...@apache.org; 
annou...@guacamole.apache.org; d...@guacamole.apache.org
Subject: RE: [ANNOUNCE] Apache Guacamole 1.2.0

 

Hi Mike,

Looking great! Just deployed and working like a charm 😊

Grtz
Tom 

-Original Message-
From: Mike Jumper <mjum...@apache.org>
Sent: Tuesday, 30 June 2020 08:54
To: annou...@apache.org; annou...@guacamole.apache.org; 
d...@guacamole.apache.org; user@guacamole.apache.org
Subject: [ANNOUNCE] Apache Guacamole 1.2.0

The Apache Guacamole community is proud to announce the release of Apache 
Guacamole 1.2.0.

Apache Guacamole is a clientless remote desktop gateway which supports standard 
protocols like VNC, RDP, and SSH. We call it "clientless"
because no plugins or client software are required; once Guacamole is installed 
on a server, all you need to access your desktops is a web browser.

The 1.2.0 release features support for SAML 2.0, Wake-on-LAN, and a new 
interface for easily switching between multiple active connections. The general 
behavior of the login interface has also been improved, as has the flexibility 
of the TOTP support, which may now be used even with user accounts that do not 
yet exist in the database.

A full list of the changes in this release, along with links to downloads and 
updated documentation, can be found in the release
notes:

http://guacamole.apache.org/releases/1.2.0/

For more information on Apache Guacamole, please see:

http://guacamole.apache.org/

Thanks!

The Apache Guacamole Community

-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org 
 
For additional commands, e-mail: user-h...@guacamole.apache.org 
 




AW: What files would I have to alter to add an About page to guacamole?

2020-06-30 Thread Joachim Lindenberg
Hello Victor,

you may want to check out the discussion at
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/How-can-Guacamole-be-customized-tt8216.html#a8234.

I used the extension mechanism to add links to pages and to exchange the
logo. Do you want to add or reference a page?

Best Regards,

Joachim

 

From: Victor Norman
Sent: Monday, 29 June 2020 21:55
To: user@guacamole.apache.org
Subject: What files would I have to alter to add an About page to guacamole?

 

Friends,

 

What files would I have to change to add a link to a separate About page to
the main Guacamole page?  And, what files would I have to add to make it
work?

 

Would I really need to create a whole set of pages in
guacamole-client/guacamole/src/main/webapp/app/about/... ? 

 

Do I have to change something in navigation/services to make it so users
have permission to go to that page?

 

Thanks!

 

Prof. Victor Norman

Computer Science

Calvin College University

v...@calvin.edu  

-

"A designer knows he has achieved perfection not when there is nothing left
to add, but when there is nothing left to take away." -- Antoine de Saint
Exupéry

 

 



AW: apache vs. nginx what is better choice?

2020-06-27 Thread Joachim Lindenberg
As always the answer depends on what you want to do. For a comparison check 
e.g. https://serverguy.com/comparison/apache-vs-nginx/. For basic Guacamole 
usage you 
Best Regards,
Joachim

-Original Message-
From: dfk1976
Sent: Saturday, 27 June 2020 13:39
To: user@guacamole.apache.org
Subject: apache vs. nginx what is better choice?

is there any difference or benefit in either using apache or nginx? or does it 
play no role? any experience or explanation?



--
Sent from: 
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org



AW: Scaling Guacamole to hundreds of concurrent RDP connexions

2020-06-15 Thread Joachim Lindenberg
I cannot comment on what type of machine you need for that load, but in any
case I'd prefer multiple instances over a SPoF - and often that is also a
cheaper hardware investment, but it takes you additional time to set it up,
but that investment also helps you when you need any type of servicing.
W.r.t. testing: you could have a login script or task that kicks in on
connecting and simulates a real user. I'd assume that load of keyboard is
negligible compared to graphics, therefore as a first iteration you may want
to record some real sessions before and then replay them using a browser.
Just putting this out as a starting idea, others are welcome to contribute.
Best Regards, Joachim


-Original Message-
From: Charaoui, Jérôme
Sent: Monday, June 15, 2020 6:20 PM
To: user@guacamole.apache.org
Subject: Re: Scaling Guacamole to hundreds of concurrent RDP connexions

Another issue I forgot to mention is, what tools could be used to simulate
that number of connections, including activity of the remote desktop side?

--
Jérôme Charaoui
IT Technician
Collège de Maisonneuve


From: Charaoui, Jérôme
Sent: 15 June 2020 11:58
To: user@guacamole.apache.org
Subject: Scaling Guacamole to hundreds of concurrent RDP connexions

Hello,

For september we're considering a large Guacamole deployment with an
estimated load of upwards to 500 to 600 RDP connections in an academic
environment. It's expected a number of these sessions will be used for 3D
graphics and graphics design software. I'm wondering if any of you might
have insights to share about how to successfully pull this off?

Since we expect to have to face possibly extreme CPU load, we're looking to
place guacd on a single high end bare-metal server with loads of cores such
as the recent AMD Epyc series and dual 10GbE NICs.

Would it make sense to instead consider multiple servers and throw load
balancing into the mix? I've read some suggesting to look into HAProxy, has
anyone used it in the context of Guacamole?

What about the client components, would it be important to also put this on
its own load-balanced hardware? At this point I'm leaning towards multiple
instances of the client but sharing the same hardware/OS as guacd since that
would save us managing the bandwidth requirements between guacd and the
clients.

Thanks,

--
Jérôme Charaoui
IT Technician
Collège de Maisonneuve




AW: Starting VM on connection

2020-06-06 Thread Joachim Lindenberg
Hi Ionel,

I am doing this in my extension, see 
https://software.lindenberg.one/backup/en/documentation/guacamole-integration. 
In fact it does not only start but also monitor usage and “save” Hyper-V VMs. 
All actual management and also authentication is in my backup server and called 
remotely from the extension.

Not sure this is an easy addition to the existing authentication mechanism 
though, and also you'll have to check whether combining makes sense. The 
advantage of delegation is that I can enumerate existing VMs and status 
directly and use the same authentication as the involved hypervisor (in my case 
Hyper-V and Active Directory).

Best Regards, Joachim

 

 

From: Ionel GARDAIS
Sent: Saturday, 6 June 2020 10:33
To: user
Subject: Starting VM on connection

 

Hi,

 

Is anyone aware of a plugin that would start a VM when a user clicks a 
connection?

Some kind of raw VDI.

 

Regards,

Ionel

 

 



AW: Security Vulnerability - Guacamole 1.0.0

2020-06-03 Thread Joachim Lindenberg
Lockout in case of consecutive incorrect logins opens the option for
denial-of-service attacks. Has to be optional at best.

Best Regards, Joachim

 

From: Tushar Jain
Sent: Wednesday, 3 June 2020 17:54
To: user@guacamole.apache.org
Subject: Security Vulnerability - Guacamole 1.0.0

 

Hi,

 

My security vulnerability testing group has reported following issues:

 

1.  Reflected XSS - In the username field, while creating a new user
2.  HTML Injection - In the group name field while creating a new group
3.  Implementation of Captcha or a lockout in case of consecutive
incorrect logins. I am using both mysql and LDAP (AD) authentication

 

He further suggested to implement HTML encoding for special tags like <, >,
", ' for 1 and 2 above.

 

It would be really helpful if anyone can direct me to the resolution I need to
take to fix the above.

 

 

Thanks in advance

Tushar Jain
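
Joachim's objection to lockout at the top of this thread, made concrete in an added example (not Guacamole code and not from either poster): a hard per-account lockout lets anyone who knows a username lock its owner out, while a delay keyed on account plus source address only slows the source that is guessing. Class names, thresholds and addresses are assumptions chosen for illustration.

```python
from collections import defaultdict


class AccountLockout:
    """Hard lockout: N consecutive failures on an account lock it for everyone."""

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = defaultdict(int)  # user -> consecutive failures

    def attempt(self, user, source, password_ok, now):
        if self.failures[user] >= self.max_failures:
            return "locked"  # even the correct password is refused
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        return "denied"


class SourceThrottle:
    """Exponential delay keyed on (account, source address); nothing is locked."""

    def __init__(self, free_failures=3, base_delay=2.0, max_delay=900.0):
        self.free_failures = free_failures
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.state = {}  # (user, source) -> (failure count, time of last failure)

    def _delay(self, count):
        if count < self.free_failures:
            return 0.0
        return min(self.base_delay * 2 ** (count - self.free_failures), self.max_delay)

    def attempt(self, user, source, password_ok, now):
        count, last = self.state.get((user, source), (0, 0.0))
        if now < last + self._delay(count):
            return "throttled"  # not evaluated, so it is neither a guess nor a failure
        if password_ok:
            self.state.pop((user, source), None)
            return "ok"
        self.state[(user, source)] = (count + 1, now)
        return "denied"


def simulate(policy):
    """Constructed scenario: one source submits 20 wrong passwords, one per second,
    then the account owner logs in from a different address with the right one.
    Returns (number of guesses actually evaluated, result of the owner's login)."""
    now = 0.0
    evaluated = 0
    for _ in range(20):
        if policy.attempt("alice", "198.51.100.9", False, now) == "denied":
            evaluated += 1
        now += 1.0
    return evaluated, policy.attempt("alice", "203.0.113.7", True, now)


if __name__ == "__main__":
    print("account lockout :", simulate(AccountLockout()))
    print("source throttle :", simulate(SourceThrottle()))
```

Keying on the source means a guesser spread over many addresses gets a fresh budget per address, so a per-account delay (not a lock) is a common complement.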

 




AW: Need help to disable clipboard

2020-05-29 Thread Joachim Lindenberg
Hi Madhukar,

I think this has been discussed several times already – there is no way to 
prevent malicious users from disclosing data if they really want to.

If the clipboard is disabled they just have to use other means.

Probably this is the top candidate for a FAQ…

Best Regards, Joachim

 

From: Madhukar Bhosale
Sent: Friday, 29 May 2020 12:34
To: user@guacamole.apache.org
Subject: Need help to disable clipboard

 

Hi,

 

Please help me to disable clipboard in Guacamole.

 

Regards

Madhukar

 



AW: AW: [EXTERNAL] Re: Guacamole Installation with separate servers for DMZ and Internal Setup

2020-05-28 Thread Joachim Lindenberg
Can you please elaborate a little to what risk you are referring? Have you
been able to escape a guacd or guacamole or some other container?  Via the
network interfaces exposed or how? Is there something to be done by the
project to improve container security? Actually I'd be willing to spend time
on it.
Imho the biggest issue with docker is which images to trust. For many
projects there is a plethora of users providing some container.
Thanks, Joachim

-Original Message-
From: sciUser
Sent: Thursday, 28 May 2020 19:08
To: user@guacamole.apache.org
Subject: Re: AW: [EXTERNAL] Re: Guacamole Installation with separate servers
for DMZ and Internal Setup

Docker is popular however it comes with a serious security risk, it's always
better to build your own Guacamole instance over using Docker.  The risk is
in exploiting the host server through Docker container.  I have actually
done this and it can be pretty nasty if someone wanted to be malicious.

I agree that documentation could be better, it lacks the show and tell
aspect with explanation.
I plan on fixing that gap once I complete this project in August, to give
proper instructional guides.
Don't get me wrong, Mike and Nick have done an outstanding job in
maintaining this project and if it wasn't for them Guacamole wouldn't be as
tasty as it is now. 

This is why I will make this pledge, once my company hits $1MM revenue, I
will donate to the project $20k.  

Keep up the good work!
 






AW: [EXTERNAL] Re: Guacamole Installation with separate servers for DMZ and Internal Setup

2020-05-28 Thread Joachim Lindenberg
I am wondering why the docker containers are not more popular – they are ideal 
for not having to worry about dependencies.

Probably better documentation could help, like how to use extensions with 
docker, how to map volumes for extensions into guacamole, or RDP drive 
directories into guacd, etc.

Regards, 

Joachim

 

From: Nick Couchman
Sent: Thursday, 28 May 2020 18:21
To: user@guacamole.apache.org
Subject: Re: [EXTERNAL] Re: Guacamole Installation with separate servers for 
DMZ and Internal Setup

 

On Thu, May 28, 2020 at 11:57 AM MARTINEZ, ARIEL <amarti...@hostos.cuny.edu> wrote:

Hi Nick,

 

Thank you for this information. Does the Guacamole client and guacd have the 
same required dependencies?  In other words do I need to install  Cairo, 
libjpeg, libpng, and the OSSP UUID library only on the Guacamole Client server 
and things like ffmpeg, freerdp, pango, etc. only on the guacd server? Or, 
should I install all of the dependencies on both servers?

 

 

No, the dependencies are not the same.  Guacamole Client basically just 
requires Java and Tomcat, and then a web server if you want to reverse proxy 
through that.

 

The guacd dependencies include the items you mentioned - various libraries 
depending on the required protocols.

 

-Nick



AW: Using Docker Images with XML Authentication

2020-05-22 Thread Joachim Lindenberg
I also never tried xml authentication with docker, but as I am using docker 
setups only, I experienced that the docker images don't use /etc/guacamole as I 
expected it to work following the documentation. I got it to work by explicitly 
defining GUACAMOLE_HOME=/etc/guacamole in my docker-compose.yaml.
Best Regards,
Joachim

 

From: ivanmarcus
Sent: Saturday, 23 May 2020 07:36
To: user@guacamole.apache.org
Subject: Re: Using Docker Images with XML Authentication

 

Like Sean I've not done anything much with the Docker image - in fact I've 
never used it.

However I did try converting an Ubuntu 20.04 Guacamole VM with MySQL auth to 
use the user-mapping.xml file.

The following seemed to work:

 

mv /etc/guacamole/extensions/guacamole-auth-jdbc-mysql-1.1.0.jar /home/ (moved 
rather than deleted as I wanted to put it back after this test!)

mv /etc/guacamole/guacamole.properties /home (as above)

nano /etc/guacamole/user-mapping.xml (create the necessary user detail in this 
file etc)

service guacd restart

service tomcat9 restart

 

After this I was able to log into Guacamole with the user-mapping user/pass, 
and was at the login page for an RDP target I had running. I didn't go any 
further but have no reason to assume it wouldn't work as advertised from there. 

That said, I'm not totally certain that's all that'd be required, you may find 
something else you need to do. Either way if you do successfully modify the 
image it'd be useful if you posted your findings/method back to the list in 
case anyone else wants to do this, thanks.

 

 

On 23/05/2020 1:56 p.m., Sean Reid wrote:

Hi Scott, 

 

It doesn't seem like the Docker images support this. I've never tried to do 
this myself with the Docker image, but looking quickly at the bin/start.sh 

  script that starts guacamole when the docker image starts up, it looks like 
you'd need to build a docker image yourself with some changes to that script so 
that it doesn't require database information. There are probably some other 
changes you'd need to make too, but they didn't jump out at me as quickly.

 

Once you've made those changes to the start script, you could then either build a 
copy of your user-mappings.xml permanently into your custom image, or you could 
mount the file at "docker run" time with the "-v" option passed to docker.

 

I hope this at least gives you a little bit of an idea for a path forward,

Sean

 

On Fri, May 22, 2020 at 12:52 PM Scott Hancock <shwor...@gmail.com> wrote:

Hi,

I’m trying the Guacamole docker images. To simplify things I’d like to just use 
the default XML authentication rather than a database. Is there a way to 
configure the docker images to use xml instead of database for authentication?

Thanks,
Scott

 



AW: Soon any guackamole package for debian?

2020-05-21 Thread Joachim Lindenberg
w.r.t. Ubuntu, you may want to “push” for
https://bugs.launchpad.net/bugs/1873514.

Nevertheless I'd love to see a version of Guacamole that pulls the FreeRDP 
nightly build (and depending on need also other important libs) into a 
container.

Best Regards,

Joachim

 

From: Robert Hardy
Sent: Thursday, 21 May 2020 23:32
To: user@guacamole.apache.org
Subject: Re: Soon any guackamole package for debian?

 

Working with Debian is a nut I've yet to crack. I haven't got further than my 
own PPAs.
I've tried before but it seems a lot more complicated than it needs to be.
When I hear about a year long process to become a Debian developer and the need 
for mentoring I tend to glaze over...
I'll have to try at some point but my time is expensive and I don't have a lot 
of time for games, especially when it's pro bono...

You didn't read my message. The existing packages of freerdp2 inside Ubuntu are 
ancient pre-release development git snapshots from February 2019.
There have been major changes to fix all sorts of problems. There are 2663 
closed issues on github. 
It's hard to map exactly how many came after that snapshot in February 2019 
with the UI in front of me but it's a lot of them.
It also includes fixes to address 14 significant security vulnerabilities.

It is not recommended to run guacamole against an ancient snapshot release like 
that. Frankly it won't work properly and will be insecure.
A lot of things didn't work for me until I recompiled against a specific 
freerdp2 daily from the date of release of the stable release.
It's an ugly work around but it worked for now.

Upgrading from Ubuntu 18.04 to the stable 20.04 release requires a mysql 
database upgrade from 5.7 to 8.0.
Guacamole 1.1.0 stopped working after I upgraded my OS. Not at all surprising 
since Guacamole 1.1.0 was installed completely un-packaged.
Basically it was unable to connect to the upgraded database.

Digging around in the guacamole bug reports, I believe it is because it needs 
some support for a newer database connector that will work with 1.2.0 once it 
is released. Obviously 1.2.0 released isn't yet available so I'm stuck in a 
holding pattern in terms of being able to upgrade.

- Rob

On 2020-05-21 3:40 p.m., Mike Jumper wrote:

On Thu, May 21, 2020 at 12:30 PM Robert Hardy <rha...@webcon.ca> wrote:

Currently the extreme lack of packaging for both guacamole and freerdp2 is 
really holding use of both projects back.

 

If you would like to work with Debian to produce packages of Guacamole, I'm 
sure they would welcome the assistance.

 

Currently there seem to be two blocking issues:
1. Due to database changes, 1.2.0 of guacamole is needed in order to be able to 
upgrade to the current stable of release of 20.04 Ubuntu. That isn't available.

 

What database changes are you referring to?

 

2. The build dependency of freerdp2 release is not available.

 

Isn't it? https://packages.ubuntu.com/focal/freerdp2-dev

 

- Mike

 

 


AW: Session Token in URL

2020-05-19 Thread Joachim Lindenberg
Is logging really a concern if you use https and avoid any proxy that 
terminates (MitM)? Of course you can argue about the nginx or similar you put 
in front of Guacamole, but if both components are administrated by the same 
folks you know whom to trust or fire anyway..

Regards, Joachim

 

From: Mike Jumper
Sent: Tuesday, 19 May 2020 21:06
To: user@guacamole.apache.org
Subject: Re: Session Token in URL

 

On Tue, May 19, 2020, 11:52 sciUser <shulb...@securitycentric.net> wrote:

What you want is what we do, we built a provisioning system that handles Just
In time (JIT) tokens and they expire after session is terminated, preventing
students from bookmarking the url.

 

The token is not part of any URL exposed to the user in that way. It's part of 
REST requests made internally by JavaScript. You're not going to bookmark or 
see a session token unless you go out of your way to do so and open up dev 
tools.

 

The concern that a token may be inadvertently logged by a proxy is a valid one, 
though, and we should look into changes to the REST services that would allow 
the token to be provided through a header. I think the main difficulty there 
would be with WebSocket, which lacks an API for setting headers.

 

- Mike
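
The proxy-logging concern discussed in this thread, as an added example (not code from the Guacamole project or from any poster): a filter that strips session tokens from reverse-proxy access-log lines before they are stored or shipped, replacing each with a keyed fingerprint so affected sessions can still be correlated. It assumes the token travels in a query parameter named `token`; the log lines, request paths and key are constructed for illustration.

```python
import hashlib
import hmac
import re

# Assumption: the session token is carried in a query parameter named "token".
# The lookbehind requires "?" or "&" directly before the name, so parameters
# that merely end in "token" are left alone.
TOKEN_PARAM = re.compile(r'(?i)(?<=[?&])(token)=([^&\s"#]+)')


def fingerprint(token, key):
    """Keyed, truncated digest: correlates log lines without keeping the token."""
    return hmac.new(key, token.encode(), hashlib.sha256).hexdigest()[:12]


def redact_line(line, key):
    """Return (line with token values replaced, list of fingerprints found)."""
    found = []

    def _replace(match):
        tag = fingerprint(match.group(2), key)
        found.append(tag)
        return f"{match.group(1)}=REDACTED-{tag}"

    return TOKEN_PARAM.sub(_replace, line), found


def scrub(lines, key):
    """Redact every line and count how many lines each token appeared in."""
    clean, exposure = [], {}
    for line in lines:
        new_line, tags = redact_line(line, key)
        clean.append(new_line)
        for tag in set(tags):
            exposure[tag] = exposure.get(tag, 0) + 1
    return clean, exposure


# Constructed sample: combined-format access-log lines; paths are illustrative.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/May/2020:21:06:01 +0200] '
    '"GET /guacamole/api/example/connections?token=AAAA1111BBBB2222 HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/May/2020:21:06:02 +0200] '
    '"GET /guacamole/example-tunnel?GUAC_ID=1&token=AAAA1111BBBB2222&GUAC_WIDTH=1280 HTTP/1.1" '
    '101 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [19/May/2020:21:07:10 +0200] '
    '"GET /guacamole/api/example/languages?token=CCCC3333DDDD4444 HTTP/1.1" '
    '200 90 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [19/May/2020:21:07:11 +0200] '
    '"GET /guacamole/images/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    cleaned, seen = scrub(SAMPLE_LOG, key=b"constructed-demo-key")
    for entry in cleaned:
        print(entry)
    for tag, count in seen.items():
        print(f"token fingerprint {tag}: present in {count} line(s)")
```

Any token that shows up in the exposure report was already written to the raw log, so the session it belongs to is a candidate for invalidation.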

 



AW: RDP File transfer not working on windows 2016 or 2019

2020-05-11 Thread Joachim Lindenberg
Hi Peter,

for VMs you likely hit https://issues.apache.org/jira/browse/GUACAMOLE-952. Try 
security “vmconnect”.

Best Regards, Joachim

 

 

From: Peter De Tender
Sent: Monday, 11 May 2020 14:32
To: user@guacamole.apache.org
Subject: RDP File transfer not working on windows 2016 or 2019

 

Hi, 

 

I had an initial support request on RDP File Transfer last week, as I couldn't 
get it to work. 

 

However, that was on my test win2019 VM, where it works fine on 2012R2.

 

My security setting is NLA, but I also tried with TLS and Any. (ignore cert). 

 

Is this a Guacamole limitation or Windows security change since 2016?

 

Running CENTOS 7.5 and Guacamole 1.1.0 from ZeroCool setup script. 

 

Thanks Peter 

 




AW: Check if local user on Win10 are already logged in

2020-05-11 Thread Joachim Lindenberg
Hi Micael,

while Guacamole could probably know who connected via Guacamole, Guacamole will 
not know any user logged in via standard RDP or locally. You can get that 
information via qwinsta, query session, or variants thereof, but expect 
retrieval to be slow at least in case of error. 

You should be able to write a Guacamole extension that monitors either way and 
visualizes the usage information – whether with user names or without is up to 
your privacy considerations.

Best Regards, Joachim

 

From: ftkln
Sent: Monday, 11 May 2020 13:55
To: user@guacamole.apache.org
Subject: Check if local user on Win10 are already logged in

 

Hello, Great work with guacamole. I have one thing that I would like to ask. 
For example, if I have five Win10 computers with RDP running. If a user is 
already logged in locally at one of the computers then Guacamole does not know 
that as it is built today. This is where I assume that Guacamole has its own 
database that keeps track of who is logged on to the computers? If I would like 
Guacamole to know that on one of these computers there is already one user 
logged in locally. Would that be possible with (e.g. WMI) or other ways?




AW: Docker automated builds?

2020-05-09 Thread Joachim Lindenberg
Hi Nick,

thanks for that clarification. However, if you take this formal, then the 
docker containers are not releases or part of the project release anyway 
because they are not available on downloads.apache.org – violating “all 
artifacts MUST be uploaded to the project's subdirectory within the canonical 
Apache distribution channel, downloads.apache.org.”

More seriously, a clear naming convention as outlined under
http://www.apache.org/legal/release-policy.html#release-types should do. You 
could outline the tag naming conventions in the documentation available in the 
docker repository.

And last but not least, as long as an artifact like docker containers consumes 
upstream projects that are less rigid, any release decision is based on limited 
knowledge – unless you encourage early testing in as many scenarios as possible 
– and one way to encourage that is via nightly builds or containers.

Involving lawyers may complicate the matter significantly of course, and I 
guess you have to…

Best Regards, Joachim

 

 

From: Nick Couchman
Sent: Saturday, 9 May 2020 16:25
To: user@guacamole.apache.org
Subject: Re: Docker automated builds?

 

 

 

On Sat, May 9, 2020 at 9:27 AM Joachim Lindenberg <joac...@lindenberg.one> wrote:

Hello Team,

is there any reason why you don't leverage automated builds on docker hub?

The benefit I see is that testing bug fixes or even testing with newer builds 
more frequently would become easier if I don't need to pull the source and 
build on my own but can just reference a different tag. As “latest” is usually 
used for the most recent released version, you could pick the branch name, or 
“nightly” or whatever.

As an experiment, I forked guacamole-server on github and configured a docker 
hub build against that, and it worked with the default build rule except that I 
changed latest to master in second iteration. I did a smoke test and it appears 
to work. 

However, afaik there is no means on github to force a fork to mirror the source 
repository automatically, nor can I configure a docker hub build against a 
repository owned by someone else.

Thus getting a nightly build would involve extra script code to sync the fork, 
which would be unnecessary if you configure it.

Thanks for your consideration.

Best Regards,

Joachim

 

 

At least one of the reasons for this is that the Apache Foundation highly 
discourages this:

 

http://www.apache.org/legal/release-policy.html

 

You can read about their reasoning for this, but, essentially, they want the 
projects to make sure there is a clear distinction between official released 
versions and development builds, particularly for users/non-developers.

 

-Nick

 



Docker automated builds?

2020-05-09 Thread Joachim Lindenberg
Hello Team,

is there any reason why you don't leverage automated builds on docker hub?

The benefit I see is that testing bug fixes or even testing with newer
builds more frequently would become easier if I don't need to pull the
source and build on my own but can just reference a different tag. As
“latest” is usually used for the most recent released version, you could
pick the branch name, or “nightly” or whatever.

As an experiment, I forked guacamole-server on github and configured a
docker hub build against that, and it worked with the default build rule
except that I changed latest to master in second iteration. I did a smoke
test and it appears to work. 

However, afaik there is no means on github to force a fork to mirror the
source repository automatically, nor can I configure a docker hub build
against a repository owned by someone else.

Thus getting a nightly build would involve extra script code to sync the
fork, which would be unnecessary if you configure it.

Thanks for your consideration.

Best Regards,

Joachim

 



AW: Want some Salsa with your guacamole?

2020-05-08 Thread Joachim Lindenberg
Hi Dave,

I am trying to understand what it does and what it is good for. My take is: the 
user has to authenticate first to salsa, with LDAP credentials, which 
whitelists the IP used, and then authenticate again to Guacamole, likely using 
with LDAP credentials again?

Which causes me to ask: do you think the Guacamole login screen is less secure 
than the one of Salsa?

Or what am I missing?

Thanks, Joachim

 

From: Dave Kempe
Sent: Friday, 8 May 2020 12:12
To: user@guacamole.apache.org
Subject: Want some Salsa with your guacamole?

 

Hey all,

Hopefully this is helpful to someone, but we have released our Haproxy 
whitelisting tool, which helps with securing guacamole. We built it to protect the 
guacamole login screen behind an Haproxy ACL.

 

https://github.com/sol1/salsa 

 

Salsa is a simple web interface which interacts with HAProxy to grant and 
revoke access to backends via HAproxy's built in ACL feature. ACLs can be 
managed with a Salsa admin user. Groups can then be created with a list of ACLs 
to unlock to users. Users can be added and removed to multiple groups. Once a 
user successfully logs in, that user's IP address will be added to the ACL 
(whitelisted). We built it to protect the guacamole login screen behind an Haproxy 
ACL.

 

Feel free to follow up via github if you need help or information, and I hope this 
helps someone.

 

Keep up the great work Guacamole team!

 

thanks

Dave Kempe

 



AW: Ubuntu 20.04 / Guacamole 1.1.0 / FreeRDP preconception PDU Broken

2020-05-08 Thread Joachim Lindenberg
Hi Tom,

try vmconnect instead of nla for security. See 
https://issues.apache.org/jira/browse/GUACAMOLE-952.

Best Regards, Joachim

 

From: Daniëls, Tom
Sent: Friday, 8 May 2020 08:37
To: user@guacamole.apache.org
Subject: RE: Ubuntu 20.04 / Guacamole 1.1.0 / FreeRDP preconception PDU Broken

 

Hi Nick,

 

Deployed the war file on a test machine and unfortunately it still does not 
work. I receive error

The remote desktop server is currently unreachable. If the problem persists, 
please notify your system administrator, or check your system logs.

 

If I check syslog I see:

May  8 05:52:46 guapo guacd[22182]: Creating new client for protocol "rdp"

May  8 05:52:46 guapo guacd[22182]: Connection ID is 
"$a2314fab-46c5-4c75-8e5e-0f25e22cb900"

May  8 05:52:46 guapo guacd[22288]: Security mode: NLA

May  8 05:52:46 guapo guacd[22288]: Resize method: none

May  8 05:52:46 guapo guacd[22288]: User 
"@c984483e-03f1-496d-8b72-ecd5831ed6b3" joined connection 
"$a2314fab-46c5-4c75-8e5e-0f25e22cb900 (1 users now present)

May  8 05:52:46 guapo guacd[22288]: Loading keymap "base"

May  8 05:52:46 guapo guacd[22288]: Loading keymap "en-us-qwerty"

May  8 05:52:46 guapo guacd[22288]: Error connecting to RDP server

May  8 05:52:46 guapo guacd[22288]: User 
"@c984483e-03f1-496d-8b72-ecd5831ed6b3" disconnected (0 users remain)

May  8 05:52:46 guapo guacd[22288]: Last user of connection 
"$a2314fab-46c5-4c75-8e5e-0f25e22cb900" disconnected

May  8 05:52:46 guapo guacd[22182]: Connection "$ 
a2314fab-46c5-4c75-8e5e-0f25e22cb900" removed.

 

Tomcat logs when connecting:

May  8 06:21:21 guapo tomcat9[19360]: 06:21:21.403 [http-nio-8080-exec-2] INFO  
o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is "/etc/guacamole".

May  8 06:21:21 guapo tomcat9[19360]: 06:21:21.424 [http-nio-8080-exec-2] INFO  
o.a.g.tunnel.TunnelRequestService - User "connect-user" connected to connection 
"VMConnect RDP (Win10)".

May  8 06:21:21 guapo tomcat9[19360]: 06:21:21.424 [http-nio-8080-exec-2] INFO  
o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet - Using HTTP tunnel (not 
WebSocket). Performance may be sub-optimal.

May  8 06:21:36 guapo tomcat9[19360]: 06:21:36.684 [http-nio-8080-exec-5] INFO  
o.a.g.tunnel.TunnelRequestService - User "connect-user" disconnected from 
connection "VMConnect RDP (Win10)". Duration: 15260 milliseconds

May  8 06:21:36 guapo tomcat9[19360]: 06:21:36.686 [http-nio-8080-exec-5] ERROR 
o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to 
guacd timed out.

 

Connecting to regular RDP servers works without a hitch (even the Hyper-V host 
for the guest I am trying to connect to). Relevant settings:

 



rdp

hyper-vhost.local

2179

true

nla

true

connect-user

Pwd1234

AD

970e1fcf-e920-4042-8774-4602c2f831fb



 



rdp

 hyper-vhost.local 

3389

true

nla

true

connect-user

Pwd1234



 

All info including hostname, username, password and preconnection-blob work 
with Guacamole 1.0.0. (on Ubuntu 18.04), connecting to hyper-vhost.local with 
‘regular’ RDP works so it does not appear to be a network issue:

 

Checking guacd reveals it is indeed the 1.2.0 version:

May 08 06:16:55 guapo guacd[19318]: Guacamole proxy daemon (guacd) version 
1.2.0 started

 

Any pointers and/or help would be greatly appreciated.

 

Kind regards,

Tom Daniels

 

 

From: Daniëls, Tom <daniel...@buas.nl>
Sent: Friday, 8 May 2020 07:37
To: user@guacamole.apache.org
Subject: RE: Ubuntu 20.04 / Guacamole 1.1.0 / FreeRDP preconception PDU Broken

 

Hi Nick,

 

Thanks so much for your swift reply; using openjdk-8 did the trick. Will roll 
out the 1.2.0 build during off hours and will let you know if everything is 
working as expected!

 

Kind regards,

Tom Daniels

 

From: Nick Couchman <vn...@apache.org>
Sent: Thursday, 7 May 2020 17:35
To: user@guacamole.apache.org
Subject: Re: Ubuntu 20.04 / Guacamole 1.1.0 / FreeRDP preconception PDU Broken

 

On Thu, May 7, 2020 at 10:43 AM Daniëls, Tom <daniel...@buas.nl> wrote:

Hi Nick,

 

Thanks so much for your reply. I will be happy with a working solution ;-)

For the last week I have been fruitlessly trying to compile the git version of 
guacamole-client using maven.

With openjdk-13 or openjdk-14 installed I receive this error when running nvm 
-X package

error: Source option 6 is no longer supported. Use 7 or later.

 

With openjdk-11 installed I receive this error 

Exit code: 1 - javadoc: error - The code being documented uses modules but the 
packages defined in http://docs.oracle.com/javase/6/docs/api/ are in the 
un

AW: How can Guacamole be customized?

2020-05-05 Thread Joachim Lindenberg
Hi Nick,

thanks a lot – great starting point. I modified your extension and replaced the 
logo, some text, added some more text, changed styles.

Is there any means to use properties defined in guacamole.properties (or 
environment) from html (or other) fragments?

Thanks & Best Regards, Joachim

 

From: Nick Couchman
Sent: Sunday, 3 May 2020 21:46
To: user@guacamole.apache.org
Subject: Re: How can Guacamole be customized?

 

On Sun, May 3, 2020 at 12:17 PM Joachim Lindenberg <joac...@lindenberg.one> wrote:

I agree with always use https, but disagree with always 2FA, and password 
expiries have to be considered a bad practice nowadays. But all of this is kind 
of off-topic w.r.t. Guacamole - ultimately all of us have to make their own 
decisions and sometimes trade-offs. 
What I believe we should agree on is, that it should be easier to customize the 
user interface, no matter what the reason is. I know it is possible to write an 
extension doing that, but an example extension with good documentation would be 
definitely welcome. Right now there are many extensions out for authentication, 
but I am not aware of any that comes without java code but extends the user 
interface, and if only adding a link or overriding an image.

 

https://issues.apache.org/jira/browse/GUACAMOLE-747

 

You're not the first one to ask about that.

 

Does anyone have source code and is willing to share it?

 

I just put together a pull request for the guacamole-client repo that contains 
some example code.  I don't know if/when it will be merged into the repository, 
but you're welcome to take a look at it and see if it's something that helps 
you out:

 

https://github.com/apache/guacamole-client/pull/508

https://github.com/necouchman/guacamole-client/tree/jira/747

 

This branding extension does the following:

- Changes the image used on the logon page

- Changes the title used for the logon page and browser bar

- Adds a warning banner on the logon page directly under the title and above 
the username/password boxes

- Customizes the font used throughout the interface

- Customizes several color schemes used throughout the interface, notably 
headers and buttons

 

Hope it helps.

 

-Nick



AW: How can Guacamole be customized?

2020-05-03 Thread Joachim Lindenberg
I agree with always use https, but disagree with always 2FA, and password 
expiries have to be considered a bad practice nowadays. But all of this is kind 
of off-topic w.r.t. Guacamole - ultimately all of us have to make their own 
decisions and sometimes trade-offs. 
What I believe we should agree on is, that it should be easier to customize the 
user interface, no matter what the reason is. I know it is possible to write an 
extension doing that, but an example extension with good documentation would be 
definitely welcome. Right now there are many extensions out for authentication, 
but I am not aware of any that comes without java code but extends the user 
interface, and if only adding a link or overriding an image.
Does anyone have source code and is willing to share it?
Thanks & Best Regards,
Joachim

-Original Message-
From: Niubbo75
Sent: Sunday, 3 May 2020 16:29
To: user@guacamole.apache.org
Subject: Re: How can Guacamole be customized?

WhiteTiger-2 wrote
> Forgive me, I follow your comments with great interest, but on the 
> GDPR I don't agree very much with you.
> 
> True, Guacamole does not contain personal data, but it is not just a 
> remote access tool like TeamViewer, Anydesk, VNC, and others can be.
> These tools are installed on the PC of users and technicians.
> Guacamole is instead a "tool" where anyone can access to the login 
> page if it is public or otherwise accessible from the outside.

Sorry but I don't agree with you. As a GDPR expert (GDPR is our core business), 
making a secure login page is "security by default", this means that you MUST 
provide a login page that is secure, this means having an HTTPS login page with 
something like NGINX as reverse proxy (or Apache), having a valid SSL certificate 
(ones from Let's Encrypt will be ok), and implementing 2FA (for security reasons 
implement ALWAYS 2FA! Something like TOTP, SSO, Radius, ...) plus applying best 
practices (password expiring, complexity, password history, inactive users...).

If you check, the Guacamole login page has no cookie at all, so you will not need 
to have a cookie policy nor a privacy policy published just because access to 
remote resources is guaranteed ONLY to employers and/or collaborators, there is 
NOT a register page where I can collect personal data.

From GDPR side, the only thing you need to do to be compliant is to give 
proper information about how you (I mean the company) can access personal 
data of your employees and/or collaborators and what they can and can not do 
with this tool; if you have this document signed and accepted, you are 
compliant for it.

My 2 cents,
Alessandro.







Re: How can Guacamole be customized?

2020-05-02 Thread Joachim Lindenberg
> In my opinion (and I can be wrong), the use of Guacamole today puts
> European companies out of law.
I disagree. I am based in Germany, I do consulting w.r.t. security and data
protection, and I also offer Guacamole as part of my backup service
contracts. It really depends on your use case, and where there is a contract
(service, employee, whatever), then any additional consent is imho worsening
your legal situation as a provider. If you really need something like this,
then you can integrate Guacamole into your own portal (you name it) and use
single sign on mechanisms from there (I do from my backup software).
Nevertheless I'd also like to see a full blown customization example, as of
course I'd also like to brand it more easily. 
Joachim

> -Original Message-
> From: WhiteTiger
> Sent: Saturday, 2 May 2020 17:18
> To: user@guacamole.apache.org
> Subject: Re: How can Guacamole be customized?
> 
> Now I read the framework documentation, but at least all the suggestions
> related to Disclaimers and Policy management should be included in a future
> release.
> Especially in Europe, the GDPR requires companies to take a particular
> approach to managing access to IT systems.
> I don't understand how those things were not already included a year ago,
> when the GDPR became law.
> In my opinion (and I can be wrong), the use of Guacamole today puts European
> companies out of law.
> 
> In my opinion, the best solution is that the administrator has options with
> the possibility of inserting images or an HTML text in which he himself will
> insert the links to images or other pages.
> 
> 
> 



Security Warnings - was Guacamole 1.1.0 with MySQL, Radius and https: Step-by-step

2020-05-01 Thread Joachim Lindenberg
Hi David, all,
while I definitely promote securing systems and updating regularly or even
automatically, imho  this one is probably just noise for most of us. From
https://www.openssl.org/news/vulnerabilities.html#2020-1967 "Server or
client applications that call the SSL_check_chain() function during or after
a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result
of incorrect handling of the "signature_algorithms_cert" TLS extension. The
crash occurs if an invalid or unrecognised signature algorithm is received
from the peer. "
From the pure wording (not looking at source code) I conclude:
- not relevant with any RDP Server of Microsoft as TLS 1.3 is not generally
available for production on Windows yet.
- not relevant for anyone using self-signed certificates (of course you
should use trusted certificates), though this one is not clear from the
note.
- not relevant with SSL.
- not relevant if your servers (do you trust their managers?) don’t send
"invalid or unrecognised signature algorithm"(s) - in other words 
- only relevant if servers are rogue.
Probably leaving an attack window if you allow connections to (arbitrary)
hosts that you don't manage as part of your organization. Users of ad-hoc
connections are affected, but
https://guacamole.apache.org/doc/gug/adhoc-connections.html already warns
about "security implications". Or more generalized, whenever you accept user
input without proper validation, you are vulnerable to injection attacks.
But if I recall your guide, that extension was not installed. With the
ad-hoc connection extension it would be interesting to see whether the crash
affects just the connection to the rogue server or the entire guacd process.

Or am I confused?
I'd suggest to repost security warnings only if there is a likely scenario
for exploits. Imho, this one just provides yet another reason not to use
ad-hoc connections.
And for guides I usually just recommend to use the most recent versions
unless you know better.
Any other thoughts?
Best Regards, Joachim




> -Original Message-
> From: drhy
> Sent: Friday, 1 May 2020 02:14
> To: user@guacamole.apache.org
> Subject: Re: Guacamole 1.1.0 with MySQL, Radius and https: Step-by-step
> 
> The guides in the first post have been updated to use OpenSSL version 1.1.1g
> This latest OpenSSL version includes a "high severity fix".
> 
> -David
> 
> 
> 



AW: Login Page customization.

2020-04-23 Thread Joachim Lindenberg
In my Dockerfile I am using the following:

FROM guacamole/guacamole:1.0.0

ADD https://software.lindenberg.one/backup/downloads/guacamole-lindenberg-backup-1.0.0.jar /etc/guacamole/extensions/

COPY guacamole.properties /etc/guacamole/

The disadvantage is that I need to rebuild for any configuration change. I did 
that already with pre 1.0 and ignoring 
https://issues.apache.org/jira/browse/GUACAMOLE-464 . You may want to prefer 
environment variables. 

I was also considering to just map /etc/guacamole/extensions/ to a host 
directory, as then multiple extensions (in particular versions of my own during 
development) would not multiply the number of docker images, but that kind of 
requires a contract from Guacamole team that there is never a “standard 
extension” or similar in that location by default.

Best Regards,
Joachim

 

 

From: Nick Couchman
Sent: Thursday, 23 April 2020 17:06
To: user@guacamole.apache.org
Subject: Re: Login Page customization.

On Thu, Apr 23, 2020 at 10:50 AM Riano De Souza <riano.deso...@mrj.co.za> wrote:

Cool so I got the extension template and so on. But where is the extensions 
folder located?

And won't it just get overwritten when the container gets reloaded?

 

 

You'll probably have to modify the startup script for the container to pull in 
the custom branding extension prior to starting Tomcat.  My Docker skills are 
not all that complete, so I can't tell you without some trial-and-error exactly 
how you'd accomplish that, but I know that you can specify custom startup 
commands for containers after you deploy them, so I'd guess you just want to 
make sure you deploy that extension every time.  Also, I believe the extension 
would only be overwritten if you reload the container from the original image - 
I would think it would persist between starts and stops.  I could be wrong 
about that, though - like I said, my Docker familiarity is a bit sketchy.  
Maybe others on the list can offer their experiences and advice :-).

 

-Nick



AW: Windows Login/password screen first when connecting via Guacamole

2020-04-23 Thread Joachim Lindenberg
I think that's a bad idea as you would have to turn off NLA. 
Best Regards, Joachim

> -Original Message-
> From: Tushar Jain
> Sent: Thursday, 23 April 2020 11:04
> To: user@guacamole.apache.org
> Subject: RE: Windows Login/password screen first when connecting via
> Guacamole
> 
> If your Windows Host is configured to accept user credentials before login,
> and if you do not provide them while creating the Guacamole connection, you
> would see the default Windows Login screen in the browser, asking you to
> enter the credentials
> 
> -Original Message-
> From: andreas.schue...@metronom.com
> [mailto:andreas.schue...@metronom.com]
> Sent: 23 April 2020 01:16 PM
> To: user@guacamole.apache.org
> Subject: Windows Login/password screen first when connecting via Guacamole
> 
> Hi! Is there any hint/config that shows the typical default windows login
> screen first in browser window when connecting with Guacamole to the Windows
> host ?
> Greetz
> Andreas
> 
> 
> 
> 



AW: AW: RDP to Windows Server 2019

2020-04-19 Thread Joachim Lindenberg
Hi Piviul,

1) NLA shall be used.

RDP does not have the best reputation due to the complexity of the protocol. 
And initially there was no authentication except the login of the remote 
session, i.e. whatever issues are in the implementation are exposed to an 
anonymous hacker. This changed with NLA which introduced mandatory 
authentication prior to protocol data exchange (except for the preconnection 
info used by Hyper-V).

https://calcomsoftware.com/the-policy-expert-rds-require-user-authentication-for-remote-connections-by-using-network-level-authentication-nla/
"When using RDP with NLA disabled or not configured, remote users can access 
the RDP tunnel without any authentication required. This dramatically increases 
the chance for attackers to perform RDP based attacks, such as the wormable 
BlueKeep among others. Enabling NLA will block attackers lacking authentication 
credentials, and it is recommended specifically for BlueKeep prevention, 
regardless of patching actions."

Obviously for some vulnerabilities patches are available in the meantime, but 
without NLA you are still allowing an anonymous user to consume lots of 
resources on your system.
(https://en.wikipedia.org/wiki/Network_Level_Authentication)

Takeaway: in order to protect your servers, enforce NLA (for windows easy via 
group policy).

2) Certificates shall be used

When a TLS connection is established, two important things are done:
2.1) the identity of the server (and optionally, almost never the client) is 
validated/authenticated, using the server's certificate and certificates along a 
chain up to root certificates of trustworthy certification authorities, which 
are known and trusted by the client prior to connection establishment. 
2.2) encryption algorithm and key are negotiated.

If you don’t support 2.1 with trusted certificates, you may end up with 
communicating encrypted to someone you do not know, and probably disclose your 
crown jewels (including credentials) to an enemy.

Self-signed certificates or - depending on scenario - certificates signed by 
private certification authorities make 2.1 more difficult to impossible, and 
the last resort of any client software is to present a security warning/alert. 
However, one should never delegate the decision to end users. You have to train 
them, and the only easy rule is to cancel any security alerts. If you are an 
all windows organization, you can deploy certs via GPO, but which organization 
is windows only? Not BYOD?

Takeaway: certificates protect your clients or end users.

3) 1+2 

as one mechanism protects the server and the other your users, you just have to 
do both.

Best Regards,
Joachim


> -Original Message-
> From: Piviul
> Sent: Wednesday, 15 April 2020 08:40
> To: user@guacamole.apache.org
> Subject: Re: AW: RDP to Windows Server 2019
> 
> On 14/04/20 08:03, Joachim Lindenberg wrote:
> > Hello Piviul,
> > disabling NLA and ignoring certificates is definitely bad advice from a
> > security point of view. If certs are wrong, it can usually be seen in guacd
> > logs.
> ...yes Joachim you are right, it's never good advice to weaken
> security ...but if we would like to evaluate the weight of the weakness
> introduced, we are talking about ignoring that certificates sent from a
> client in a LAN can't be validated from a Certification Authority
> because autosigned, isn't it? In other words ignoring certificates doesn't
> mean don't use them to secure the connection but weaken the certificate
> check... or are there other weaknesses I don't see in ignoring certificates?
> And if we would like to evaluate the weakness introduced by not using
> NLA, it means that credentials are validated from the client after the
> connection instead of authenticating before the connection... but
> credentials and all network traffic are encrypted in both cases I hope...
> 
> There is no controversy in my question I would like only check if there
> are aspects that I have not considered.
> 
> Piviul
> 
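An added example, not part of the original messages and not Guacamole project code: a small audit that reads connection definitions in the user-mapping.xml layout and reports RDP connections that do not require NLA (`security`) or that skip certificate validation (`ignore-cert`), the two settings discussed in this thread. The sample file, the host names and the policy (only `nla` or `nla-ext` accepted) are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the user-mapping.xml layout; all hosts, users and
# passwords are made up for this example.
SAMPLE_USER_MAPPING = """\
<user-mapping>
  <authorize username="alice" password="constructed-placeholder">
    <connection name="srv2019-weak">
      <protocol>rdp</protocol>
      <param name="hostname">srv2019.example.internal</param>
      <param name="security">tls</param>
      <param name="ignore-cert">true</param>
    </connection>
    <connection name="srv2012-ok">
      <protocol>rdp</protocol>
      <param name="hostname">srv2012.example.internal</param>
      <param name="security">nla</param>
      <param name="ignore-cert">false</param>
    </connection>
    <connection name="srv-default">
      <protocol>rdp</protocol>
      <param name="hostname">srv3.example.internal</param>
    </connection>
    <connection name="linux-vnc">
      <protocol>vnc</protocol>
      <param name="hostname">vnc.example.internal</param>
    </connection>
  </authorize>
</user-mapping>
"""

# Assumed policy for this example: an RDP connection must require NLA
# and must not skip certificate validation.
NLA_MODES = {"nla", "nla-ext"}


def _connections(authorize):
    """Yield (name, element) for every connection of one <authorize> block."""
    # Single-connection shorthand: <protocol>/<param> sit directly in <authorize>.
    if authorize.find("protocol") is not None:
        yield "(unnamed)", authorize
    for conn in authorize.findall("connection"):
        yield conn.get("name", "(unnamed)"), conn


def audit_rdp_connections(xml_text):
    """Return (user, connection, parameter, problem) tuples for weak RDP settings."""
    findings = []
    root = ET.fromstring(xml_text)
    for authorize in root.iter("authorize"):
        user = authorize.get("username", "(no username)")
        for name, conn in _connections(authorize):
            protocol = (conn.findtext("protocol") or "").strip().lower()
            if protocol != "rdp":
                continue  # only RDP has the NLA / certificate settings checked here
            params = {
                p.get("name"): (p.text or "").strip().lower()
                for p in conn.findall("param")
            }
            security = params.get("security")
            if security is None:
                findings.append((user, name, "security",
                                 "not set, so NLA is not explicitly required"))
            elif security not in NLA_MODES:
                findings.append((user, name, "security",
                                 f"'{security}' does not require NLA"))
            if params.get("ignore-cert") == "true":
                findings.append((user, name, "ignore-cert",
                                 "server certificate is not validated"))
    return findings


if __name__ == "__main__":
    for user, name, param, problem in audit_rdp_connections(SAMPLE_USER_MAPPING):
        print(f"{user}/{name}: {param}: {problem}")
```

A connection that passes this check still depends on the server side: NLA has to be enforced on the RDP hosts themselves, and the certificate they present has to be one guacd can validate.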



AW: Multiple WAN Network Interface

2020-04-14 Thread Joachim Lindenberg
Hi Chris,

Imho this is very likely a dead end as routing of inbound and outbound
packets is entirely independent with internet protocol. You are suggesting
different end points for inbound traffic "only", but likely bandwidth is
more relevant with outbound Guacamole traffic. If you can separate by
network regions (rather than job roles) and get this into your routing
tables, then you may succeed.

Cheers, Joachim

 

 

 

From: Chris Lee
Sent: Tuesday, 14 April 2020 11:00
To: user@guacamole.apache.org
Subject: Multiple WAN Network Interface

 

Hi All,

 

It is possible to setup multiple Network WAN interface on Fedora Linux box,
so it can increase the total WAN bandwidth and HA?

 

WAN 1 \

WAN 2 --- Guacamole Server - LAN   

WAN 3 /

 

Suppose each WAN link have 10Gb bandwidth, Then I get different URL for
different department users:

 

Account: https://WAN01.example.com:8443/guacamole/

Sales:  https://WAN02.example.com:8443/guacamole/

IT:https://WAN03.example.com:8443/guacamole/

 

In theory , I have 30Gb WAN bandwidth?

 

In case one of WAN Link is dead, I just update the DNS records to redirect
the traffic.

 

Any comments?

 

Regards,

Chris

 

 




AW: RDP to Windows Server 2019

2020-04-13 Thread Joachim Lindenberg
Hello Piviul,
disabling NLA and ignoring certificates is definitely bad advice from a 
security point of view. If certs are wrong, it can usually be seen in guacd 
logs.
Best Regards, Joachim


> -Original Message-
> From: Piviul
> Sent: Tuesday, 14 April 2020 07:39
> To: user@guacamole.apache.org
> Subject: Re: RDP to Windows Server 2019
> 
> Il 14/04/20 01:43, gacott ha scritto:
> > We have a Windows Server 2019 VM. We can RDP to it using a number of
> other
> > RDP solutions, but it just will not connect with Guac. If we use the exact
> > same settings, and just put a Win2012R2 server on that port, it connects.
> > Any ideas?
> What about certificates settings? On the "windows server 2019" RDP
> server you should unset the authentication at network level and from
> guacamole rdp settings you have to check the ignore certificates checkbox.
> 
> Did you?
> 
> Piviul
> 



AW: Pushing message to VM using Guacamole API

2020-04-12 Thread Joachim Lindenberg
Is this windows, linux, mac os? If windows, what about the windows msg command 
(https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msg)?

Best Regards, Joachim

 

From: Umesh Bhatt
Sent: Sunday, 12 April 2020 18:09
To: user@guacamole.apache.org
Subject: RE: Pushing message to VM using Guacamole API

 

Hi,

 

Thanks for response. 

We are using Guacamole for Cloud labs. We are giving labs for say 30 hours for 
a month. Now when user is close to 30 hours, we want to send a notification to 
learner so that they can request for extension.

Or when we want to reboot the Lab due to patch or something else we can send a 
reboot notification so that they can save their data.

 

If Guacamole allows us to push notification from outside that will be great.

 

Regards,

Umesh

From: Nick Couchman <vn...@apache.org>
Sent: Sunday, April 12, 2020 5:41 PM
To: user@guacamole.apache.org
Subject: Re: Pushing message to VM using Guacamole API

On Sun, Apr 12, 2020 at 3:40 AM Umesh Bhatt <um...@nuvepro.com> wrote:

Hi,

 

I want to push notification messages in end user VM similar like Guacamole slow 
or unstable network messages. 

Can you pls let me know if Restful APIs are available for this?

 

 

There is no current implementation for sending "out-of-band" messages like this 
from the Guacamole system to the remote server.

 

The Guacamole protocol itself could easily support such a feature, it would 
just need to be implemented as a channel within Guacamole.  However, the 
ability to implement it for the remote server(s) would depend upon the protocol 
you're using and its ability to support such "out-of-band" messages on the 
remote system - things that are not normal Keyboard/Mouse/Video messages.  SSH 
can probably do this in some form or fashion.  RDP has support for implementing 
arbitrary data channels, so it should be possible, there, as well.  VNC 
probably would not support it, and neither would Telnet.  Also, the ability for 
the remote system to do something with the messages would also require 
something listening on the remote system for the messages - an agent of some 
sort - that is able to receive the out-of-band messages and do something with 
them - display a message to the user, etc.

 

Can you describe your use-case a little bit more - what messages you'd want to 
send back to the remote system, and why you'd need to send and/or display them 
on the remote system?

 

-Nick



establishing trust for guacd-RDP connections?

2020-04-08 Thread Joachim Lindenberg
Hello Nick, Mike,

„Guacamole kind of already supports” – can you please clarify how this is 
supposed to work especially in a docker environment? The documentation lacks 
anything on exposing a certificate store or how to prepopulate it with trusted 
certs. Or am I blind?

Thanks, Joachim

 

 

From: Joachim Lindenberg
Sent: Saturday, 28 March 2020 20:19
To: user@guacamole.apache.org
Subject: AW: freerdp support for certificate fingerprints - also with Guacamole?

 

Hi Nick,

Thanks for following up. However, afaik this requires someone to run a freerdp 
client manually in the same environment that Guacamole is using, and to all 
hosts relevant.

If you want to run Guacamole with docker, then this is pretty cumbersome to do. 
Also certificates expire, one would then have to redo the manual work.

At least in my scenario, I can provide the correct fingerprint dynamically at 
runtime.

Perhaps others should comment, what their experience is..

Thanks,

Joachim

 

From: Nick Couchman <vn...@apache.org>
Sent: Saturday, 28 March 2020 20:06
To: user@guacamole.apache.org
Subject: Re: freerdp support for certificate fingerprints - also with Guacamole?

On Sat, Mar 28, 2020 at 2:56 PM Joachim Lindenberg <joac...@lindenberg.one> wrote:

Hello all,

I guess most of us are ignoring certificates with RDP. If you are like me and 
looked at Microsoft's documentation how to replace a self-signed certificate, 
there is a clear trade off… and so far I am running Guacamole on the same 
physical host as my virtual machines it interfaces to, but I guess this is a 
rather atypical scenario. You may also argue, NLA/CredSSP is used after TLS 
connection is established and mitigates the risk, but from a privacy pov at 
least you disclose communication metadata (including the PDU for Hyper-V 
connections) prior to that, and if you are located in Europe like me, 
discussions like this trigger data protection impact assessments…

The good news is that FreeRDP now supports supplying known certificate 
fingerprints starting with https://github.com/FreeRDP/FreeRDP/pull/5880. I am 
already leveraging that when my software interfaces to wfreerdp via command 
line, but with Guacamole I cannot.  I definitely would appreciate if that could 
be added to Guacamole as well, probably as part of the connection properties.

Thanks & Best Regards, Joachim

 

Guacamole kind of already supports this - by default, the FreeRDP library tries 
to create a directory within the current user's home directory, and when Mike 
was implementing FreeRDP 2 support we ran into the fact that FreeRDP doesn't 
really take no for an answer, anymore.  So, you should be able to add 
certificates to this store that FreeRDP auto-creates and un-tick that Ignore 
Certificates box.

 

-Nick

 

 



AW: freerdp support for certificate fingerprints - also with Guacamole?

2020-03-28 Thread Joachim Lindenberg
Hi Nick,

Thanks for following up. However, afaik this requires someone to run a freerdp 
client manually in the same environment that Guacamole is using, and to all 
hosts relevant.

If you want to run Guacamole with docker, then this is pretty cumbersome to do. 
Also certificates expire, one would then have to redo the manual work.

At least in my scenario, I can provide the correct fingerprint dynamically at 
runtime.

Perhaps others should comment, what their experience is..

Thanks,

Joachim

 

From: Nick Couchman
Sent: Saturday, 28 March 2020 20:06
To: user@guacamole.apache.org
Subject: Re: freerdp support for certificate fingerprints - also with Guacamole?

On Sat, Mar 28, 2020 at 2:56 PM Joachim Lindenberg <joac...@lindenberg.one> wrote:

Hello all,

I guess most of us are ignoring certificates with RDP. If you are like me and 
looked at Microsoft's documentation how to replace a self-signed certificate, 
there is a clear trade off… and so far I am running Guacamole on the same 
physical host as my virtual machines it interfaces to, but I guess this is a 
rather atypical scenario. You may also argue, NLA/CredSSP is used after TLS 
connection is established and mitigates the risk, but from a privacy pov at 
least you disclose communication metadata (including the PDU for Hyper-V 
connections) prior to that, and if you are located in Europe like me, 
discussions like this trigger data protection impact assessments…

The good news is that FreeRDP now supports supplying known certificate 
fingerprints starting with https://github.com/FreeRDP/FreeRDP/pull/5880. I am 
already leveraging that when my software interfaces to wfreerdp via command 
line, but with Guacamole I cannot.  I definitely would appreciate if that could 
be added to Guacamole as well, probably as part of the connection properties.

Thanks & Best Regards, Joachim

 

Guacamole kind of already supports this - by default, the FreeRDP library tries 
to create a directory within the current user's home directory, and when Mike 
was implementing FreeRDP 2 support we ran into the fact that FreeRDP doesn't 
really take no for an answer, anymore.  So, you should be able to add 
certificates to this store that FreeRDP auto-creates and un-tick that Ignore 
Certificates box.

 

-Nick

 

 



freerdp support for certificate fingerprints - also with Guacamole?

2020-03-28 Thread Joachim Lindenberg
Hello all,

I guess most of us are ignoring certificates with RDP. If you are like me
and looked at Microsoft's documentation how to replace a self-signed
certificate, there is a clear trade off… and so far I am running Guacamole
on the same physical host as my virtual machines it interfaces to, but I
guess this is a rather atypical scenario. You may also argue, NLA/CredSSP is
used after TLS connection is established and mitigates the risk, but from a
privacy pov at least you disclose communication metadata (including the PDU
for Hyper-V connections) prior to that, and if you are located in Europe
like me, discussions like this trigger data protection impact assessments…

The good news is that FreeRDP now supports supplying known certificate
fingerprints starting with https://github.com/FreeRDP/FreeRDP/pull/5880.
I am already leveraging that when my software interfaces to wfreerdp via
command line, but with Guacamole I cannot.  I definitely would appreciate if
that could be added to Guacamole as well, probably as part of the connection
properties.

Thanks & Best Regards, Joachim
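An added example (not from the original message, and not FreeRDP or Guacamole code) of the per-connection fingerprint check requested above: each host carries a list of accepted SHA-256 certificate fingerprints, so a self-signed certificate can be trusted without "ignore certificates" and a renewed certificate can be pinned ahead of its rollout. The host name, the pin store layout and the certificate bytes are constructed for this example; the "certificates" are stand-in bytes, since the fingerprint is simply a hash over the DER bytes the server presents.

```python
import hashlib
import hmac
import ssl


def cert_fingerprint(pem):
    """SHA-256 over the certificate's DER encoding, as lowercase hex."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def normalize_pin(pin):
    """Accept 'sha256:AA:BB:..', 'aa bb ..' or plain hex; return 64 lowercase hex chars."""
    text = pin.strip().lower()
    if text.startswith("sha256:"):
        text = text[len("sha256:"):]
    text = text.replace(":", "").replace(" ", "")
    if len(text) != 64 or any(c not in "0123456789abcdef" for c in text):
        raise ValueError(f"not a SHA-256 fingerprint: {pin!r}")
    return text


def check_host(host, presented_pem, pin_store):
    """Return 'match', 'mismatch' or 'unpinned' for the certificate a host presented."""
    pins = pin_store.get(host.lower())
    if not pins:
        return "unpinned"  # caller decides: fall back to chain validation or refuse
    actual = cert_fingerprint(presented_pem)
    matched = False
    for pin in pins:
        # Compare every pin, in constant time, so several pins (current and
        # renewed certificate) can be valid at once during a rotation.
        matched |= hmac.compare_digest(actual, normalize_pin(pin))
    return "match" if matched else "mismatch"


def _stand_in_cert(label):
    # Constructed bytes standing in for a DER certificate; not a real certificate.
    return ssl.DER_cert_to_PEM_cert(("constructed DER stand-in: " + label).encode())


def _colon_upper(hexdigest):
    # The colon-separated upper-case form many tools print for fingerprints.
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2)).upper()


CURRENT_PEM = _stand_in_cert("hv01 current")
NEXT_PEM = _stand_in_cert("hv01 renewed")
ROGUE_PEM = _stand_in_cert("unknown peer")

# Hypothetical pin store: host name -> accepted fingerprints, in mixed notations.
PIN_STORE = {
    "hv01.example.internal": [
        "sha256:" + _colon_upper(cert_fingerprint(CURRENT_PEM)),
        cert_fingerprint(NEXT_PEM),
    ],
}

if __name__ == "__main__":
    for label, pem in (("current", CURRENT_PEM), ("renewed", NEXT_PEM), ("rogue", ROGUE_PEM)):
        print(label, check_host("hv01.example.internal", pem, PIN_STORE))
```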

 



AW: Black box for cursor with xRDP and VNC when using Chrome Only

2020-03-28 Thread Joachim Lindenberg
Hello,
I am also experiencing black boxes for input areas in Chrome, however using
guacamole RDP to windows systems (virtual machines on Hyper-V) only (my
linux vms are servers only). Similar like you, no problems with Firefox. I
tested with Guacamole 1.0 and staging/1.2.0.
No clue though, whether this is a Guacamole or Chrome or other issue.
Best Regards,
Joachim


> -Original Message-
> From: rstaats
> Sent: Saturday, 22 February 2020 07:03
> To: user@guacamole.apache.org
> Subject: Black box for cursor with xRDP and VNC when using Chrome Only
> 
> I have a weird issue that I'm not sure is a Guacamole problem. I'm hoping
> maybe someone else has seen this too or has an idea of what the problem may
> be.
> 
> Only with Chrome in the special case noted below, when I start typing in the
> Guac session in a text editor, xTerm, etc, any application that accepts
> text, the cursor changes into a small black box. When I move the cursor it
> goes back to normal. But start typing again and the cursor is back to being
> a black box.
> 
> 
> 
> This problem only happens with Chrome. Using Firefox and Edge it works fine,
> no black box when typing. I can have the exact same session open
> simultaneously, side by side, on Chrome, Edge, and Firefox and only when
> typing in the Chrome window does the cursor/black box issue occur. The
> black box/cursor problem is never seen in the Edge and Firefox windows.
> 
> I am using Guacamole 1.0.0 (and tested with 1.1.0 too) and access a CentOS 7
> VM that is running Gnome-Shell. I have configured TigerVNC and xRDP on the
> CentOS system and have configured 3 access methods.
> 
> 1) xRDP with Xorg
> 2) xRDP with VNC (Using libvnc.so from TigerVNC) xRDP connects to VNC port
> 5900 to show the X desktop.
> 3) VNC directly into X desktop (Using libvnc.so from TigerVNC) Just connect
> directly to port 5900 to see the X desktop.
> 
> *Using Guacamole*
> 1) Guac using RDP --> xRDP with Xorg is fine, cursor does not change when
> typing.
> 2) Guac using VNC --> Direct VNC to desktop is fine, cursor does not change
> when typing.
> 3) Guac using RDP --> xRDP with VNC (connecting to the exact same VNC used
> in Example 2 above) - *Issue* - Cursor changes to black box when typing but
> just for Chrome. Firefox and Edge work fine.
> 
> I have tested this with multiple client computers connecting to the Guac
> session. All work fine for Firefox and Edge and all have the issue with
> Chrome.
> 
> Guac using RDP to a Windows system is fine, no problem seen in any of the
> browsers.
> 
> Essentially the problem only occurs with xRDP using VNC and only for the
> Chrome browser, which is the weird thing to me. I could understand if all
> browsers  exhibited this issue, it would mean an xRDP/VNC issue, but they
> don't, just Chrome.
> 
> 
> 
> 
> --
> Sent from: http://apache-guacamole-general-user-mailing-
> list.2363388.n4.nabble.com/
> 



AW: DAAS Service using Guacamole

2020-03-23 Thread Joachim Lindenberg
Hi Samuel,

you didn't mention openstack but a hypervisor. The specific hypervisor I am 
using is Hyper-V, but I'd assume it can be done with any. Technically I am 
using Guacamole on a linux virtual machine with docker, and that virtual 
machine runs by accident on the same Hyper-V as the virtual machines created 
by my backup, but this is not a requirement (though ignoring certificates might 
not be adequate if the hosts differ). The extension running with Guacamole 
essentially delegates authentication and authorization to the backup service 
called as a kind of REST-service, as the backup service already interfaces 
with Hyper-V. It also monitors VM usage in order to allow to save (Hyper-V 
specific, could also deallocate) unused virtual machines, though in the 
meantime I figured out how to monitor port 2179 directly. As Java is poor w.r.t. 
calling native code, you probably want to stick to that pattern, especially as 
running that on a nearby container or on the hypervisor host itself is 
practical. One plus of this setup is that I don't need a database for Guacamole 
as all information is provided remotely.

If you are interested in my help, I suggest to continue peer-to-peer. Obviously 
you need to detail some specifics…

Best Regards, Joachim

 

 

 

From: Samuel Abdullah
Sent: Monday, 23 March 2020 11:54
To: user@guacamole.apache.org
Subject: Re: DAAS Service using Guacamole

 

Hi Joachim,

 

May I know if this extension was used in Guacamole, does it stack with 
openstack environment?

As I know of now Guacamole only acts as a gateway and broker to the Hypervisor 
we owned. Technically I believed inside the Guacamole server, there can be 
extension running to instruct a new VM to be fired up for instance in different 
scenario:

 

1. Random existing VM in a storage cluster will be selected whenever user 
selects to start a session in VM.

2. Create new VM instantly and open a desktop session based to users in the 
portal.

 

I'm interested to further this discussion with you, perhaps will need your help 
on this technically.

 

 

 

Best Regards

Samuel

 

On Mon, Mar 23, 2020 at 6:40 PM Joachim Lindenberg <joac...@lindenberg.one> wrote:

Hello Abdullah,

I can assure you it is technically possible. I wrote a Guacamole extension that 
integrates with my backup service and that allows users to fire up a system on 
demand.

The interesting part can be the software licensing required.

If you need help with the technical part, I am a freelancer and would be 
interested in a project like this.

Best Regards, Joachim

 

From: Samuel Abdullah <sam...@silverliningsys.com>
Sent: Monday, 23 March 2020 11:12
To: user@guacamole.apache.org
Subject: DAAS Service using Guacamole

 

Hi all,

 

May I know if there is any way that I can use guacamole as part of a desktop as 
a service?

Does Guacamole have a component and functionality where it could run / fire up a 
new VM inside our hypervisor?

 

Understand that Guacamole is just a gateway however can we add any custom 
script into the server in order to instruct it to create a new VM in our 
environment?

 

Best Regards

Samuel

 

-- 


 <https://www.silverliningsys.com/> 

 <http://www.silverliningsys.com/> www.silverliningsys.com

Abu Bakar Samuel Abdullah

Cloud Infrastructure & Operations

 

P: +603-2712-0081

M: +60.12.654.5938

E:  <mailto:sam...@silverliningsys.com> sam...@silverliningsys.com

 




 




AW: DAAS Service using Guacamole

2020-03-23 Thread Joachim Lindenberg
Hello Abdullah,

I can assure you it is technically possible. I wrote a Guacamole extension that 
integrates with my backup service and that allows users to fire up a system on 
demand.

The interesting part can be the software licensing required.

If you need help with the technical part, I am a freelancer and would be 
interested in a project like this.

Best Regards, Joachim

 

From: Samuel Abdullah
Sent: Monday, 23 March 2020 11:12
To: user@guacamole.apache.org
Subject: DAAS Service using Guacamole

 

Hi all,

 

May I know if there is any way that I can use guacamole as part of a desktop as 
a service?

Does Guacamole have a component and functionality where it could run / fire up a 
new VM inside our hypervisor?

 

Understand that Guacamole is just a gateway however can we add any custom 
script into the server in order to instruct it to create a new VM in our 
environment?

 

Best Regards

Samuel

 

-- 


  

  www.silverliningsys.com

Abu Bakar Samuel Abdullah

Cloud Infrastructure & Operations

 

P: +603-2712-0081

M: +60.12.654.5938

E:   sam...@silverliningsys.com

 



AW: Update to 1.1.0 breaks RDP

2020-02-17 Thread Joachim Lindenberg
Hi Mike,

I don't want to open a bug report with FreeRDP unless using a recent version. 
And right now it is not clear to me whether it is a bug in FreeRDP, whether 
recent or not, or a bug in Guacamole 1.1. The fact that it works when 
connecting with FreeRDP itself is more of an indicator (not a proof) that the 
issue is with Guacamole.

I can imagine what feedback I'd get when I open a bug in Debian and then figure 
out it is entirely unrelated to FreeRDP. If it turns out to be a bug in 
FreeRDP, then there is the option to ask them to update.

Btw, I tried to build FreeRDP myself and failed: 
https://github.com/FreeRDP/FreeRDP/issues/5886.

Please…

Thanks, Joachim

 

From: Mike Jumper
Sent: Monday, 17 February 2020 20:20
To: user@guacamole.apache.org
Subject: Re: Update to 1.1.0 breaks RDP

 

On Mon, Feb 17, 2020, 10:58 Joachim Lindenberg <joac...@lindenberg.one> wrote:

Hello Mike, all,

I tried to use a nightly build of freerdp because of 
https://issues.apache.org/jira/browse/GUACAMOLE-952, but failed. I'd definitely 
appreciate if the team could provide instructions how to build a guacd docker 
image using a nightly build, rather than all of us trying to figure out the 
hard way… and yes, I do appreciate the work being done by the team a lot!

 

This wouldn't come down to instructions, but rather creating an entirely 
different image. The current image uses the freerdp2 package from the 
distribution of the base image. Building FreeRDP from source instead would be a 
completely different process.

 

I believe there was a WIP that did exactly that but for the 1.x versions of 
FreeRDP, and we moved away from that approach once support for 2.0.0 was added. 
If the packages provided by the distros are proving this unreliable, perhaps we 
need to bring that WIP back.

 

Regardless of the above, if your particular distro has a specifically buggy 
package, opening a bug report with that distro would be the best idea. Anything 
we do to allow our images to be easily rebuilt against arbitrary FreeRDP 
snapshots would be a workaround. Proper bug reports and updated packages are 
the true solution 

 

- Mike

 



AW: Update to 1.1.0 breaks RDP

2020-02-17 Thread Joachim Lindenberg
Hello Mike, all,

I tried to use a nightly build of freerdp because of 
https://issues.apache.org/jira/browse/GUACAMOLE-952, but failed. I'd definitely 
appreciate if the team could provide instructions how to build a guacd docker 
image using a nightly build, rather than all of us trying to figure out the 
hard way… and yes, I do appreciate the work being done by the team a lot!

And as I have only 1909 Windows systems – freerdp 2.0 of February 2020 does 
work with them to the extent I tested, and turning off WDDM did not solve the 
Hyper-V issue.

Thanks & Best Regards, Joachim

 

From: Mike Jumper
Sent: Monday, 17 February 2020 19:50
To: user@guacamole.apache.org
Subject: Re: Update to 1.1.0 breaks RDP

 

On Mon, Feb 17, 2020, 05:15 jacotec <m...@jacotec.de> wrote:

Hi,

after spending hours trying to resolve this I need to shout for help here.
;-)

I have a working setup of Guacamole 1.0.0 on Ubuntu 18.04, all is nice here.
I've upgraded the installation and client to 1.1.0 (I did install
freerdp2-dev before as it's required now) but that fully breaks any RDP
capabilities.

The RDP connection is closed by Guacamole after negotiating the capabilities
(I checked that via Wireshark on a Windows remote host) and in no log I see
any reason why this happens.

 

What do you see in the logs? What about debug-level logging?

 


Is there a magic trick which I have missed for getting freerdp2 with
Guacamole to work for RDP connections?

 

No, it should just work, barring a bug in FreeRDP or a regression from the 
migration.

 

As noted in the release notes, "FreeRDP 2.0.0" is not actually a specific 
version, with the freerdp2 package on Ubuntu 18.04 actually being a relatively 
old build of the 2.0.0-rc0 tag, so there is variation in behavior across 
platforms for what otherwise looks like the same library to users trying to 
install guac:

 

https://guacamole.apache.org/releases/1.1.0/#freerdp-200-or-later-is-now-required-for-rdp-support

 

If things are failing there, I would try:

 

1) Testing with the xfreerdp client to verify that it really is a Guacamole 
issue and not a FreeRDP issue.

2) Testing with the "guacamole/guacd" Docker image, which should have a more 
recent version of the library.

3) Setting the guacd log level to "debug" and seeing whether any additional 
details clarify what is failing.

 

If you decide to uninstall the freerdp2 package and instead build FreeRDP from 
source to obtain a more recent version, be sure to rebuild guacamole-server 
after doing so. There are incompatible API differences across the various 
2.0.0s which will cause trouble if Guacamole isn't rebuilt to take them into 
account. Software built against FreeRDP 2.0.0-rcX cannot safely be used against 
2.0.0-rcY without a rebuild, assuming things haven't changed to the extent that 
the build fails.

 

- Mike

 



AW: guacamole 1.1 docker + Hyper-V instances?

2020-02-09 Thread Joachim Lindenberg
Hi Nick,

thanks for following up. I just did a quick test of a nightly build 
(2.0.0-dev5 (245fc6014)) of wfreerdp and it supports preconnection blobs – 
doesn't look like support was removed in general. Thus I'd assume it is more 
like guacamole does not recognize it, or the build options used by Debian do 
not support it.

Thanks & Best Regards, Joachim

 

From: Nick Couchman
Sent: Sunday, 9 February 2020 21:57
To: user@guacamole.apache.org
Subject: Re: guacamole 1.1 docker + Hyper-V instances?

 

On Sun, Feb 9, 2020 at 3:48 PM Nick Couchman <vn...@apache.org> wrote:

On Sun, Feb 9, 2020 at 1:18 PM Joachim Lindenberg <joac...@lindenberg.one> wrote:

Hello,

I tried to upgrade one of my docker based guacamole installations today, and 
failed. I am using guacamole mostly to connect to Hyper-V virtual machines, 
using the preconnection blob mechanism. Now when I connected to the new 
guacamole, I was able to authenticate using my extension (thanks for staying 
compatible!), but connections failed. In guacd log I found the cause:

guacd[100]: WARNING:Installed version of FreeRDP lacks support for the 
preconnection PDU. The specified preconnection BLOB and/or ID will be ignored.

Is there a reason not to compile with Hyper-V support out of the box? Did I 
miss a discussion on the mailing list? Or is it by accident Debian has the 
wrong default?

 

It seems like FreeRDP 2 either removed support for this or has changed it to 
the point where Guacamole doesn't recognize it.  Worth some additional 
investigation - if they've just changed it and we need to adjust, then it's 
worth a JIRA issue on our side.  If FreeRDP 2 has removed it then there isn't 
much we can do about it.

 

 

It looks like FreeRDP 2 supports it, so there's something in the Guacamole code 
that sets/detects it that has broken with the switch to FreeRDP 2.  I've opened 
a JIRA issue for it:

 

https://issues.apache.org/jira/browse/GUACAMOLE-952

 

-Nick



guacamole 1.1 docker + Hyper-V instances?

2020-02-09 Thread Joachim Lindenberg
Hello,

I tried to upgrade one of my docker based guacamole installations today, and
failed. I am using guacamole mostly to connect to Hyper-V virtual machines,
using the preconnection blob mechanism. Now when I connected to the new
guacamole, I was able to authenticate using my extension (thanks for staying
compatible!), but connections failed. In guacd log I found the cause:

guacd[100]: WARNING:Installed version of FreeRDP lacks support for the
preconnection PDU. The specified preconnection BLOB and/or ID will be
ignored.

Is there a reason not to compile with Hyper-V support out of the box? Did I
miss a discussion on the mailing list? Or is it by accident Debian has the
wrong default?

Thanks, Joachim



AW: Windows 10 flaky RDP

2019-10-22 Thread Joachim Lindenberg
I am experiencing „flaky“ connections recently with plain mstsc RDP 
connections, w10pro to w10pro. I suspect Microsoft introduced a regression 
recently.

Regards, Joachim

 

 

From: Peter Gui
Sent: Tuesday, 22 October 2019 01:14
To: user@guacamole.apache.org
Subject: Windows 10 flaky RDP

 

Hello everyone.

I was just wondering if any one has experience with remote desktop in Windows 
10 pro.

I am running Windows 10 pro in a VirtualBox VM. I have Guacamole configured to 
work with remote desktop but I am frustrated with the connection. The most 
reproducible version of this problem is a simple browser refresh of Guacamole's 
Windows connection, on reload I get the error message "The connection has been 
closed because the server is taking too long to respond..."  The worst part is 
that I have to reboot the VM to get it working again. I have Windows configured 
with the following settings:

modified registry keys 

 

ignore cert and security 
 

I also have a Linux VM running VNC works much more consistently. And VRDE 
  (VirtualBox's RDP client) 
also works consistently.

 

I see 4 potential solutions to this problem:

*   Spend more time trying to configure remote desktop in Windows.
*   Install Windows Server (which would have the added benefit of allowing 
multiple connections.
*   Install and use TightVNC instead of remote desktop (also may allow 
multiple connections)
*   Switch to purely using VRDE for my Windows connections (most limiting 
and hacky feeling solution)

Let me know what you think of these options or if you have another solution.

Thanks



AW: 6 Monitors/6 miniPCs - How to set up Guacamole

2019-10-02 Thread Joachim Lindenberg
>@David - Thanks for your reply. I was hoping there might be a Win-based 
>solution but kinda knew it was going to be a long shot. Appreciate your input 
>Sir!
For Windows only you may want to check out https://github.com/cedrozor/myrtille 
or https://github.com/FreeRDP/FreeRDP-WebConnect. However imho both are 
inferior to Guacamole, i.e. the effort to install a linux and probably docker 
is well justified.
Regards, Joachim





AW: dynamic param values for user-mapping.xml

2019-04-23 Thread Joachim Lindenberg
Hi Vieri,
I'd expect Mike or Nick to cite 
https://guacamole.apache.org/faq/#integrate-auth... and I can confirm it is 
doable.
Best Regards, Joachim

-Original Message-
From: Vieri
Sent: Tuesday, 23 April 2019 13:53
To: user@guacamole.apache.org
Subject: Re: dynamic param values for user-mapping.xml

 
On Tuesday, April 23, 2019, 12:03:29 PM GMT+2, Vieri  
wrote: 
>
>SCRIPT_GENERATED_OUTPUT

I may need to use ${GUAC_USERNAME} and ${GUAC_PASSWORD} within the LDAP/AD 
connection object. That may solve part of my question.
However, I still don't know how to dynamically change "hostname".

Vieri



AW: Using Guacamole to replicate Amazon EC2

2019-03-03 Thread Joachim Lindenberg
Hi Gianluca,
For my backup application I wrote a Guacamole extension that in essence
reflects your steps 4+5. I have two directions of integration: the extension
can enumerate all backups and show them in the Guacamole user interface,
selecting one starts a virtual machine out of the backup and connects, or
v.v. I have a button in my user interface that fires up the virtual machine,
generates a token, and starts Guacamole user interface with the token, which
then is used by the extension to use a one-time user and connect to the
virtual machine.
W.r.t. step 6 - in case your user interface or Guacamole is the only access
path, it is fairly easy to integrate that with a Guacamole extension as
well. In my backup application I am relying on other means as there are many
access paths.
Best Regards, Joachim


-Original Message-
From: GianlucaMassimiani
Sent: Sunday, 3 March 2019 21:55
To: user@guacamole.apache.org
Subject: Using Guacamole to replicate Amazon EC2

I have a bunch of servers that I would like to use as a mini-cloud system,
similarly to how Amazon EC2 works. Basically I would like to:
1) Install a hypervisor (e.g. KVM) on each server
2) Install Guacamole on the servers
3) Connect to the cloud system through a web browser, being able to see
which servers are available
4) Through the web browser, select a server and specify the software (for
example, the OS) and further specifications of the instance (virtual
machine) that I want to run on that server.
5) Launch the instance on the server using the KVM, and use the instance
through the web browser
6) When I am done, disconnect from the server (instance on the server should
be destroyed)

Do you think Guacamole is suitable for such a project? My biggest concern is
about steps 4 and 5. After I have connected to the server using Guacamole,
how do I create a virtual machine on the server (that is, how can I make
Guacamole and KVM to interact with each other)? And after that, how do I
connect Guacamole with the just created virtual machine? Any advice would be
really appreciated. Thanks  



--
Sent from:
http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
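
The token hand-off described in the reply above (the portal starts the virtual machine, generates a token, and the extension later exchanges it for a one-time user), shown as an added example that is not code from the thread or from Guacamole. The class and method names, the 60-second lifetime and the choice to store only a SHA-256 hash of each token are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Supplier;

/** Hypothetical single-use, short-lived launch tokens (names are not from any real API). */
public class LaunchTokens {

    /** What a redeemed token authorizes: one user, one virtual machine. */
    static final class Grant {
        final String user;
        final String vmId;
        final Instant expires;

        Grant(String user, String vmId, Instant expires) {
            this.user = user;
            this.vmId = vmId;
            this.expires = expires;
        }
    }

    private final SecureRandom random = new SecureRandom();
    private final Map<String, Grant> pending = new ConcurrentHashMap<>();
    private final Duration ttl;
    private final Supplier<Instant> now;

    LaunchTokens(Duration ttl, Supplier<Instant> now) {
        this.ttl = ttl;
        this.now = now;
    }

    /** Portal side: mint a 256-bit random token bound to a user and a VM. */
    String issue(String user, String vmId) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        // Only the hash is stored, so a dump of the table yields no usable tokens.
        pending.put(sha256(token), new Grant(user, vmId, now.get().plus(ttl)));
        return token;
    }

    /** Extension side: remove() is atomic, so a token can be redeemed at most once. */
    Optional<Grant> redeem(String token) {
        if (token == null) {
            return Optional.empty();
        }
        Grant grant = pending.remove(sha256(token));
        if (grant == null || now.get().isAfter(grant.expires)) {
            return Optional.empty();
        }
        return Optional.of(grant);
    }

    /** Drop tokens that were issued but never presented; returns how many were removed. */
    int purgeExpired() {
        int before = pending.size();
        Instant t = now.get();
        pending.values().removeIf(g -> t.isAfter(g.expires));
        return before - pending.size();
    }

    private static String sha256(String value) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            return Base64.getEncoder()
                    .encodeToString(md.digest(value.getBytes(StandardCharsets.UTF_8)));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required on every JVM", e);
        }
    }

    public static void main(String[] args) {
        // Constructed clock so expiry can be shown without sleeping.
        Instant[] clock = { Instant.parse("2019-03-03T12:00:00Z") };
        LaunchTokens tokens = new LaunchTokens(Duration.ofSeconds(60), () -> clock[0]);

        String t1 = tokens.issue("alice", "vm-backup-01");   // constructed sample values
        System.out.println("first use accepted: " + tokens.redeem(t1).isPresent());
        System.out.println("replay accepted:    " + tokens.redeem(t1).isPresent());

        String t2 = tokens.issue("bob", "vm-backup-02");
        clock[0] = clock[0].plusSeconds(61);
        System.out.println("expired removed:    " + tokens.purgeExpired());
        System.out.println("late use accepted:  " + tokens.redeem(t2).isPresent());
        System.out.println("guess accepted:     " + tokens.redeem("not-a-real-token").isPresent());
    }
}
```

Binding the grant to one user and one VM means a token captured from a URL or log cannot be used to reach a different machine, and the short lifetime limits how long such a capture is useful at all.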



AW: Guacamole RDP Probleme with VM machine

2019-03-02 Thread Joachim Lindenberg
Hi Kamal,

are you using extended mode / preconnection blob?

Best Regards, Joachim

 

From: Kamal Ezzaki
Sent: Friday, 1 March 2019 14:30
To: user@guacamole.apache.org
Subject: Guacamole RDP Probleme with VM machine

 

Hello again, 

I have a problem with RDP connection from Guacamole to Windows 7 | 10.

I tried to connect to Windows 10 from another Windows and it works

I tried to connect from Guacamole to my physical machine (Windows 10) and 
it works

I tried to connect from a VM Windows 10 to another Windows 10 and it works

I tried telnet 3389 and it works too 

But when I tried to connect Guacamole with a VM Windows it's not working 

and this is my log file:

 

Feb 16 18:55:18 localhost guacd[94927]: Creating new client for protocol "rdp"
Feb 16 18:55:18 localhost guacd[94927]: Connection ID is "$8f7d1cb3-d4f8-403a-b907-6ef8eb5673ba"
Feb 16 18:55:18 localhost guacd[110757]: No security mode specified. Defaulting to RDP.
Feb 16 18:55:18 localhost guacd[110757]: Resize method: none
Feb 16 18:55:18 localhost server: 18:55:18.138 [http-bio-8080-exec-48] INFO  o.a.g.tunnel.TunnelRequestService - User "guacadmin" connected to connection "4".
Feb 16 18:55:18 localhost guacd[110757]: User "@b245c2ef-a019-498c-91d7-b12554a47bfe" joined connection "$8f7d1cb3-d4f8-403a-b907-6ef8eb5673ba" (1 users now present)
Feb 16 18:55:18 localhost guacd[110757]: Loading keymap "base"
Feb 16 18:55:18 localhost guacd[110757]: Loading keymap "en-us-qwerty"
Feb 16 18:55:18 localhost guacd[110757]: Failed to load guacdr plugin. Drive redirection and printing will not work. Sound MAY not work.
Feb 16 18:55:18 localhost guacd[110757]: Failed to load guacsnd alongside guacdr plugin. Sound will not work. Drive redirection and printing MAY not work.
Feb 16 18:55:21 localhost guacd[110757]: Error connecting to RDP server
Feb 16 18:55:21 localhost guacd[110757]: User "@b245c2ef-a019-498c-91d7-bs2s5fag7bqe" disconnected (0 users remain)
Feb 16 18:55:21 localhost server: 18:55:21.156 [http-bio-8080-exec-48] INFO  o.a.g.tunnel.TunnelRequestService - User "guacadmin" disconnected from connection "4". Duration: 3018 milliseconds
Feb 16 18:55:21 localhost guacd[110757]: Last user of connection "$8f7d1cb3-d4f8-403a-b907-6ef8eb5673ba" disconnected
Feb 16 18:55:21 localhost guacd[94927]: Connection "$8f7d1cb3-d4f8-403a-b907-6ef8eb5673ba" removed.

 



AW: [ANNOUNCE] Apache Guacamole 1.0.0

2019-01-20 Thread Joachim Lindenberg
Hi Mike, Nick,

just wanted to tell that I got my extension code fixed and it now works with 
1.0.0. Thanks for spotting the issue and the hints.

Thanks & Best Regards, Joachim

 

From: Mike Jumper
Sent: Monday, 14 January 2019 06:44
To: user@guacamole.apache.org
Subject: Re: [ANNOUNCE] Apache Guacamole 1.0.0

 

On Sun, Jan 13, 2019 at 12:11 PM Joachim Lindenberg <joac...@lindenberg.one> wrote:

Hi Nick,

thanks. I am attaching my source code. You'll likely notice, Java is not my 
favorite programming language, but anyway. Testing the code could be more 
challenging. My software is available from 
https://software.lindenberg.one/backup, and the integration is documented at 
https://software.lindenberg.one/backup/en/documentation/guacamole-integration 
(replacing 0.9.14 by 1.0.0)... I actually also have some unit test classes but 
removed them due to passwords etc.
 

The goal of the extension is that my customers can fire up a virtual machine 
out of their backups of windows systems. E.g. in case their laptop is lost, 
they can access the most recent version from another system (keyboard and 
screen resolution makes sense though). There are multiple ways to start – via 
guacamole entry point, via my web  ui, and via the windows ui.

 

This error points you exactly where you need to look - there's a 
NullPointerException occurring in the ConfiguredGuacamoleSocket.java file, in 
the init() method, on line 128, which is called by the SimpleConnection 
connection() method, on line 124, etc.  You need to trace back why something 
null is being passed there (presumably from your custom extension) and correct 
that issue.

 

 

You are passing a null GuacamoleConfiguration to the constructor:

 

https://github.com/apache/guacamole-client/blob/801a5df9f1d7095c52e594dda1a5276fe8cf6524/guacamole-common/src/main/java/org/apache/guacamole/protocol/ConfiguredGuacamoleSocket.java#L128

 

As for your overridden connect(GuacamoleClientInformation info, Map tokens) method, that is not being called because that is not the 
prototype of that function. The prototype has changed on git master, yes, but 
this API change was not part of 1.0.0. The connect() for Connectable in the 
1.0.0 extension API only takes a GuacamoleClientInformation. See:

 

http://guacamole.apache.org/doc/1.0.0/guacamole-ext/org/apache/guacamole/net/auth/Connectable.html#connect-org.apache.guacamole.protocol.GuacamoleClientInformation-

 

Since your connection is based on SimpleConnection, you're not actually 
overriding a method of SimpleConnection, but adding a new method which isn't 
used elsewhere. The original connect() function remains unoverridden and 
continues to be called.

 

I suggest wiping out your local Maven repository and rebuilding your extension. 
I haven't looked at your code, but assuming you're using a proper @Overrides 
annotation, I suspect your code won't compile due to there being no such 
function to override. If you recently built from guacamole-client git, your 
local Maven repository likely has a git master build of guacamole-ext (which 
would still have the 1.0.0 version number), not the guacamole-ext which is part 
of the 1.0.0 release and on Maven central.

 

Sure, but why is not my overridden method called? I want to do some magic 
(starting virtual machines) behind the scenes. This actually took most of the 
time to figure out what call sequence on which objects is done and where I can 
intercept – and then I didn't really spend time to clean the code up once I got 
it to work – and also I see that would probably have been waste as now the 
inner logic changes.

 

There are *many* things that have changed between 0.9.14 and 1.0.0, and pretty 
much of all of those changes are intentional :-).

 

Sure, but what I kind of miss is a documentation what changed for extension 
coders and how to adapt to the changes. Or did I miss that?

 

 

Yep. What you're looking for is the "deprecation / compatibility notes" section 
of the release notes. We write one whenever a release breaks compatibility in 
some way with a past release, including changes to the extension API:

 

http://guacamole.apache.org/releases/1.0.0/#deprecation--compatibility-notes

 

The changes to SimpleUser and the Simple*Directory classes are deprecations and 
don't break anything directly. Your code will produce warnings during 
compilation, and you should migrate when possible, but it should continue to 
build:

 

http://guacamole.apache.org/releases/1.0.0/#deprecation-of-simpleuserdirectory-simpleconnectiondirectory-and-simpleconnectiongroupdirectory-classes

http://guacamole.apache.org/releases/1.0.0/#deprecation-of-simpleuser-convenience-constructors

 

There are changes to the User interface which would break the build for you if 
you implemented User directly, but users of AbstractUser or SimpleUser should 
be unaffected. Default implementations of the new func
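
The override-versus-overload pitfall discussed in this message, as an added self-contained example that is not code from the thread and does not use the guacamole-ext classes. `BaseConnection`, `TokenConnection`, `FixedConnection`, `ClientInfo` and `accidentalOverloads` are hypothetical stand-ins: the base class has a one-argument `connect()` like the 1.0.0 API described above, and the reflection helper reports subclass methods that share a name with an inherited method but not its parameter list.

```java
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

public class OverrideCheck {

    /** Hypothetical stand-in for the client information argument. */
    static class ClientInfo { }

    /** Hypothetical base class whose connect() takes ONE argument. */
    static class BaseConnection {
        String connect(ClientInfo info) {
            return "base connect(info)";
        }
    }

    /** Mistake: a two-argument method is a new overload, not an override. */
    static class TokenConnection extends BaseConnection {
        // Putting @Override on this method is a compile error, because no
        // supertype declares connect(ClientInfo, Map).
        String connect(ClientInfo info, Map<String, String> tokens) {
            return "extension connect(info, tokens)";
        }
    }

    /** Correct: same parameter list as the base class, verified by the compiler. */
    static class FixedConnection extends BaseConnection {
        @Override
        String connect(ClientInfo info) {
            return "extension connect(info)";
        }
    }

    /** A caller that only knows the base type always uses the one-argument method. */
    static String frameworkConnect(BaseConnection connection) {
        return connection.connect(new ClientInfo());
    }

    /**
     * Lists instance methods declared by cls whose name exists in a superclass
     * but whose parameter types match none of the inherited methods of that
     * name. Interfaces are not walked; superclasses are enough for this case.
     */
    static List<String> accidentalOverloads(Class<?> cls) {
        List<String> findings = new ArrayList<>();
        for (Method m : cls.getDeclaredMethods()) {
            if (m.isSynthetic() || Modifier.isStatic(m.getModifiers())) {
                continue;
            }
            boolean sameName = false;
            boolean sameSignature = false;
            for (Class<?> s = cls.getSuperclass(); s != null; s = s.getSuperclass()) {
                for (Method inherited : s.getDeclaredMethods()) {
                    if (!inherited.getName().equals(m.getName())) {
                        continue;
                    }
                    sameName = true;
                    if (Arrays.equals(inherited.getParameterTypes(), m.getParameterTypes())) {
                        sameSignature = true;
                    }
                }
            }
            if (sameName && !sameSignature) {
                String params = Arrays.stream(m.getParameterTypes())
                        .map(Class::getSimpleName)
                        .collect(Collectors.joining(", "));
                findings.add(cls.getSimpleName() + "." + m.getName() + "(" + params + ")");
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        System.out.println("overload called via base type: "
                + frameworkConnect(new TokenConnection()));
        System.out.println("override called via base type: "
                + frameworkConnect(new FixedConnection()));
        System.out.println("suspect methods in TokenConnection: "
                + accidentalOverloads(TokenConnection.class));
        System.out.println("suspect methods in FixedConnection: "
                + accidentalOverloads(FixedConnection.class));
    }
}
```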

WG: [ANNOUNCE] Apache Guacamole 1.0.0

2019-01-13 Thread Joachim Lindenberg
Hi Nick,

thanks. I am attaching my source code. You'll likely notice, Java is not my 
favorite programming language, but anyway. Testing the code could be more 
challenging. My software is available from 
https://software.lindenberg.one/backup, and the integration is documented at 
https://software.lindenberg.one/backup/en/documentation/guacamole-integration 
(replacing 0.9.14 by 1.0.0)... I actually also have some unit test classes but 
removed them due to passwords etc.

 

The goal of the extension is that my customers can fire up a virtual machine 
out of their backups of windows systems. E.g. in case their laptop is lost, 
they can access the most recent version from another system (keyboard and 
screen resolution makes sense though). There are multiple ways to start – via 
guacamole entry point, via my web  ui, and via the windows ui.

 

This error points you exactly where you need to look - there's a 
NullPointerException occurring in the ConfiguredGuacamoleSocket.java file, in 
the init() method, on line 128, which is called by the SimpleConnection 
connection() method, on line 124, etc.  You need to trace back why something 
null is being passed there (presumably from your custom extension) and correct 
that issue.

 

Sure, but why is not my overridden method called? I want to do some magic 
(starting virtual machines) behind the scenes. This actually took most of the 
time to figure out what call sequence on which objects is done and where I can 
intercept – and then I didn't really spend time to clean the code up once I got 
it to work – and also I see that would probably have been waste as now the 
inner logic changes.

 

There are *many* things that have changed between 0.9.14 and 1.0.0, and pretty 
much of all of those changes are intentional :-).

 

Sure, but what I kind of miss is a documentation what changed for extension 
coders and how to adapt to the changes. Or did I miss that?


Thanks & Best Regards, Joachim

 




AW: [ANNOUNCE] Apache Guacamole 1.0.0

2019-01-13 Thread Joachim Lindenberg
Hello Mike, all,

I really love Guacamole! Was using 0.9.14 for almost a year now, and also did 
my own extension…

Today I installed Guacamole 1.0.0 on a VM with docker and I also updated my 
authentication extension to compile against 1.0.0 and have the proper version.

Unfortunately it doesn't work. I get a list of configurations, but when I 
select one of them it doesn't really connect. Same when I use my token approach.

 

The log contains the following exception:

 

13-Jan-2019 16:50:13.610 SEVERE [http-nio-8080-exec-7] org.apache.coyote.AbstractProtocol$ConnectionHandler.process Error reading request, ignored
java.lang.NullPointerException
    at org.apache.guacamole.protocol.ConfiguredGuacamoleSocket.<init>(ConfiguredGuacamoleSocket.java:128)
    at org.apache.guacamole.net.auth.simple.SimpleConnection.connect(SimpleConnection.java:124)
    at org.apache.guacamole.tunnel.TunnelRequestService.createConnectedTunnel(TunnelRequestService.java:219)
    at org.apache.guacamole.tunnel.TunnelRequestService.createTunnel(TunnelRequestService.java:393)
    at org.apache.guacamole.tunnel.websocket.RestrictedGuacamoleWebSocketTunnelEndpoint.createTunnel(RestrictedGuacamoleWebSocketTunnelEndpoint.java:113)
    at org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint.onOpen(GuacamoleWebSocketTunnelEndpoint.java:200)
    at org.apache.tomcat.websocket.server.WsHttpUpgradeHandler.init(WsHttpUpgradeHandler.java:133)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:852)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:748)

 

My extension actually returns objects that derive from GuacamoleConfiguration, 
SimpleConnection or AbstractConnectionGroup in the user context, and the class 
deriving from SimpleConnection overrides connect(GuacamoleClientInformation 
info, Map tokens). I cannot see my connect method being called 
(I am doing some output there) as in 0.9.14, but the stack trace indicates that 
SimpleConnection.connect() is called. Now I am wondering how I can get my 
overrides being called as in 0.9.14. Also not really sure, but speculating I 
would assume guacamole kind of copies the contents of Connection rather than 
using the ones I return in the context.

 

I didn't change anything with respect to permissions, nor did I replace 
references to SimpleUser(Directory) or SimpleConnection(Group)Directory.

Was this a deliberate change in 1.0 that I failed to notice? A side effect of 
something else? Is there anything else you can think of that I am doing wrong 
or should try differently?

 

Thanks & Best Regards,

Joachim

 

 

From: Mike Jumper
Sent: Thursday, 10 January 2019 05:12
To: annou...@apache.org; annou...@guacamole.apache.org; 
d...@guacamole.apache.org; user@guacamole.apache.org
Subject: [ANNOUNCE] Apache Guacamole 1.0.0

The Apache Guacamole community is proud to announce the release of Apache 
Guacamole 1.0.0.

 

Apache Guacamole is a clientless remote desktop gateway which supports standard 
protocols like VNC, RDP, and SSH. We call it "clientless" because no plugins or 
client software are required; once Guacamole is installed on a server, all you 
need to access your desktops is a web browser.

 

The 1.0.0 release features support for user groups, improved clipboard 
integration leveraging the Asynchronous Clipboard API, as well as support for 
TOTP (Google Authenticator), RADIUS, and dead keys.

 

A full list of the changes in this release, along with links to downloads and 
updated documentation, can be found in the release notes:

 

http://guacamole.apache.org/releases/1.0.0/

 

For more information on Apache Guacamole, please see:

 

http://guacamole.apache.org/

 

Thanks!

 

The Apache Guacamole Community

 



RE: multiple guacamole to one guacd?

2018-11-28 Thread Joachim Lindenberg
Hi Nick,

thanks. I am aware of the multiple webapp challenge and I was planning to run 
all services with docker anyway, but something like 1 nginx, 2 guacamole, 1 
guacd..

Thanks & Best Regards, Joachim

 

From: Nick Couchman
Sent: Wednesday, 28 November 2018 23:05
To: user@guacamole.apache.org
Subject: Re: multiple guacamole to one guacd?

On Wed, Nov 28, 2018 at 1:08 PM Joachim Lindenberg <joac...@lindenberg.one> wrote:

Hello,

right now I am running two complete installations of guacamole on two different 
servers. I am considering consolidating them onto one, with two guacamole 
webapps but one guacd. Is this a supported configuration or do I have to run 
one guacd per guacamole webapp?

Thanks, Joachim

 

Pointing two webapps at a single guacd should work perfectly fine.  Running two 
different webapps on the same server might be a bit more challenging - it 
doesn't really work to deploy two different copies of the same WAR into the 
same Tomcat instance, so you'll have to do something to isolate these - either 
run two different instances of Tomcat (on different ports, and then use 
something like Nginx or httpd to proxy them to different URLs), or run the 
webapps in Docker and run a couple of different Docker containers.

 

-Nick 



multiple guacamole to one guacd?

2018-11-28 Thread Joachim Lindenberg
Hello,

right now I am running two complete installations of guacamole on two
different servers. I am considering consolidating them onto one, with two
guacamole webapps but one guacd. Is this a supported configuration or do I
have to run one guacd per guacamole webapp?

Thanks, Joachim



AW: Ubuntu 18.04.1 + Docker -> Installed version of FreeRDP lacks support for the preconnection PDU

2018-10-02 Thread Joachim Lindenberg
I figured out I needed to clone https://github.com/apache/guacamole-server.git 
locally and adapt file paths.

 

When I now connect to a virtual machine I get the following:

 

guacd[8]: INFO: Guacamole proxy daemon (guacd) version 1.0.0 started

guacd[8]: INFO: Listening on host 0.0.0.0, port 4822

guacd[8]: INFO: Creating new client for protocol "rdp"

guacd[8]: INFO: Connection ID is "$9569945d-bcf0-4a8f-b433-92f655a4ff01"

guacd[10]: INFO:Security mode: NLA

guacd[10]: INFO:Resize method: none

guacd[10]: INFO:User "@2427aa77-8bb5-40d5-9e38-1f14dafd4a51" joined 
connection "$9569945d-bcf0-4a8f-b433-92f655a4ff01" (1 users now present)

guacd[10]: INFO:Loading keymap "base"

guacd[10]: INFO:Loading keymap "de-de-qwertz"

connected to Tom.samba.lindenberg.one:2179

creating directory /root/.config/freerdp

creating directory /root/.config/freerdp/certs

creating directory /root/.config/freerdp/server

certificate_store_open: error opening [/root/.config/freerdp/known_hosts] for 
writing

guacd[10]: ERROR:   User is not responding.

guacd[10]: INFO:User "@2427aa77-8bb5-40d5-9e38-1f14dafd4a51" 
disconnected (0 users remain)

guacd[10]: INFO:Last user of connection 
"$9569945d-bcf0-4a8f-b433-92f655a4ff01" disconnected

Unable to find a match for unix timezone: Etc/UTC

guacd[10]: WARNING: Client did not terminate in a timely manner. Forcibly 
terminating client and any child processes.

guacd[8]: INFO: Connection "$9569945d-bcf0-4a8f-b433-92f655a4ff01" removed.

 

15:46:09.627 [http-nio-8080-exec-7] INFO  o.a.g.tunnel.TunnelRequestService - 
User "33619559-8fbc-4120-906a-111bd6b92512" connected to connection 
"joachim8-sandisk-ultra-ii-240gb-cc-e8-a3-86.20180919-020611-142-success.vhdx".

15:46:24.688 [Thread-7] ERROR o.a.g.w.GuacamoleWebSocketTunnelEndpoint - 
Connection to guacd terminated abnormally: Connection to guacd timed out.

15:46:24.693 [Thread-7] INFO  o.a.g.tunnel.TunnelRequestService - User 
"33619559-8fbc-4120-906a-111bd6b92512" disconnected from connection 
"joachim8-sandisk-ultra-ii-240gb-cc-e8-a3-86.20180919-020611-142-success.vhdx". 
Duration: 15057 milliseconds

 

Not sure what´s going wrong. Something in Guacamole or my extension? Worked on 
previous installations..

 

Best Regards,

Joachim

 

From: Joachim Lindenberg [mailto:joac...@lindenberg.one] 
Sent: Tuesday, 2 October 2018 15:55
To: user@guacamole.apache.org
Subject: RE: Ubuntu 18.04.1 + Docker -> Installed version of FreeRDP lacks 
support for the preconnection PDU

 

I copied https://github.com/apache/guacamole-server/blob/master/Dockerfile and 
modified my docker-compose to reference it rather than the image. I was 
assuming it is self-contained.

Thanks, Joachim

 

 

From: Mike Jumper <mjum...@apache.org>
Sent: Tuesday, 2 October 2018 08:56
To: user@guacamole.apache.org
Subject: Re: Ubuntu 18.04.1 + Docker -> Installed version of FreeRDP lacks 
support for the preconnection PDU

On Mon, Oct 1, 2018, 23:43 Joachim Lindenberg <joac...@lindenberg.one> wrote:

Hi Mike,

thanks for the clarification. I tried to build the container but got

 

…

Step 7/21 : COPY src/guacd-docker/bin "${PREFIX_DIR}/bin/"

ERROR: Service 'guacd' failed to build: COPY failed: stat 
/var/lib/docker/tmp/docker-builder355330442/src/guacd-docker/bin: no such file 
or directory

 

How are you building the image?

 

 Actually I´d very much appreciate if the images on docker hub were updated..

 

New Docker images are uploaded when new releases are produced. Old releases are 
not updated retroactively.

 

- Mike

 



RE: Ubuntu 18.04.1 + Docker -> Installed version of FreeRDP lacks support for the preconnection PDU

2018-10-02 Thread Joachim Lindenberg
I copied https://github.com/apache/guacamole-server/blob/master/Dockerfile and 
modified my docker-compose to reference it rather than the image. I was 
assuming it is self-contained.

Thanks, Joachim

 

 

From: Mike Jumper
Sent: Tuesday, 2 October 2018 08:56
To: user@guacamole.apache.org
Subject: Re: Ubuntu 18.04.1 + Docker -> Installed version of FreeRDP lacks 
support for the preconnection PDU

On Mon, Oct 1, 2018, 23:43 Joachim Lindenberg <joac...@lindenberg.one> wrote:

Hi Mike,

thanks for the clarification. I tried to build the container but got

 

…

Step 7/21 : COPY src/guacd-docker/bin "${PREFIX_DIR}/bin/"

ERROR: Service 'guacd' failed to build: COPY failed: stat 
/var/lib/docker/tmp/docker-builder355330442/src/guacd-docker/bin: no such file 
or directory

 

How are you building the image?

 

 Actually I´d very much appreciate if the images on docker hub were updated..

 

New Docker images are uploaded when new releases are produced. Old releases are 
not updated retroactively.

 

- Mike

 



RE: Ubuntu 18.04.1 + Docker -> Installed version of FreeRDP lacks support for the preconnection PDU

2018-10-01 Thread Joachim Lindenberg
Hi Mike,

thanks for the clarification. I tried to build the container but got

 

…

Step 7/21 : COPY src/guacd-docker/bin "${PREFIX_DIR}/bin/"

ERROR: Service 'guacd' failed to build: COPY failed: stat 
/var/lib/docker/tmp/docker-builder355330442/src/guacd-docker/bin: no such file 
or directory

 

Actually I´d very much appreciate if the images on docker hub were updated..

Thanks, Joachim

 

 

From: Mike Jumper  
Sent: Monday, 1 October 2018 21:25
To: user@guacamole.apache.org
Subject: Re: Ubuntu 18.04.1 + Docker -> Installed version of FreeRDP lacks 
support for the preconnection PDU

 

If the version of FreeRDP in the Docker image for 0.9.14 is too old, you could 
try building the guacd Docker image from guacamole-server master. The 
Dockerfile for guacamole-server has been updated to use Debian stable, which 
has a newer FreeRDP.

 

- Mike

 

 

On Mon, Oct 1, 2018 at 11:37 AM, Joachim Lindenberg <joac...@lindenberg.one> wrote:

Hello,

I installed a new virtual machine, docker, docker-compose, configured the 
system – I am referencing guacamole/guacd and guacamole/guacamole from my 
docker-compose.yml.

 

Connections to Hyper-V VMs are disconnected immediately (didn´t test anything 
else). 

Docker logs guacd reveals the following:

 

guacd[86]: INFO:Security mode: NLA

guacd[86]: WARNING: Installed version of FreeRDP lacks support for the 
preconnection PDU. The specified preconnection BLOB and/or ID will be ignored.

guacd[86]: INFO:Resize method: none

guacd[86]: INFO:User "@d22fb955-b202-44f3-8e0f-918085a68e68" joined 
connection "$fbccda9f-4170-4a4c-87ab-e824d1ae8434" (1 users now present)

guacd[86]: INFO:Loading keymap "base"

guacd[86]: INFO:Loading keymap "de-de-qwertz"

recv: Connection reset by peer

guacd[86]: ERROR:   Error connecting to RDP server

guacd[86]: INFO:User "@d22fb955-b202-44f3-8e0f-918085a68e68" 
disconnected (0 users remain)

guacd[86]: INFO:Last user of connection 
"$fbccda9f-4170-4a4c-87ab-e824d1ae8434" disconnected

connected to Tom.samba.lindenberg.one:2179

Error: protocol security negotiation failure

guacd[1]: INFO: Connection "$fbccda9f-4170-4a4c-87ab-e824d1ae8434" removed.

 

docker exec -it guacd xfreerdp --version

This is FreeRDP version 1.0.2

 

Is this a known issue? How can I check the freerdp library version? Can I 
upgrade the container? What else can I do?

Thanks & Best Regards, Joachim

 

 



Ubuntu 18.04.1 + Docker -> Installed version of FreeRDP lacks support for the preconnection PDU

2018-10-01 Thread Joachim Lindenberg
Hello,

I installed a new virtual machine, docker, docker-compose, configured the
system – I am referencing guacamole/guacd and guacamole/guacamole from my
docker-compose.yml.

 

Connections to Hyper-V VMs are disconnected immediately (didn´t test
anything else). 

Docker logs guacd reveals the following:

 

guacd[86]: INFO:Security mode: NLA

guacd[86]: WARNING: Installed version of FreeRDP lacks support for the
preconnection PDU. The specified preconnection BLOB and/or ID will be
ignored.

guacd[86]: INFO:Resize method: none

guacd[86]: INFO:User "@d22fb955-b202-44f3-8e0f-918085a68e68" joined
connection "$fbccda9f-4170-4a4c-87ab-e824d1ae8434" (1 users now present)

guacd[86]: INFO:Loading keymap "base"

guacd[86]: INFO:Loading keymap "de-de-qwertz"

recv: Connection reset by peer

guacd[86]: ERROR:   Error connecting to RDP server

guacd[86]: INFO:User "@d22fb955-b202-44f3-8e0f-918085a68e68"
disconnected (0 users remain)

guacd[86]: INFO:Last user of connection
"$fbccda9f-4170-4a4c-87ab-e824d1ae8434" disconnected

connected to Tom.samba.lindenberg.one:2179

Error: protocol security negotiation failure

guacd[1]: INFO: Connection "$fbccda9f-4170-4a4c-87ab-e824d1ae8434" removed.

 

docker exec -it guacd xfreerdp --version

This is FreeRDP version 1.0.2

 

Is this a known issue? How can I check the freerdp library version? Can I
upgrade the container? What else can I do?

Thanks & Best Regards, Joachim

 



AW: Enable share Menu

2018-09-04 Thread Joachim Lindenberg
IMHO an Administrator who can monitor everything is a significant privacy 
issue. I don't want my users to be anxious about being monitored. I'd prefer 
that this not be the standard and that it require either additional 
configuration or even an additional extension.

Similarly, I like the idea of recordings, but only if the user owning the 
session is the only user able to access them by default.

Best Regards, Joachim

 

From: Nick Couchman [mailto:vn...@apache.org] 
Sent: Tuesday, 4 September 2018 15:15
To: user@guacamole.apache.org
Subject: Re: Enable share Menu

On Tue, Sep 4, 2018 at 8:37 AM Asbern <asber...@trainocate.com> wrote:

Thanks Nick, is it possible to create a share connection from Admin login 
without login into the respective connection?

 

I suspect that what you're wanting to know is, is it possible, as an 
Administrator, to view and/or interact with existing connections in Guacamole, 
without having to go through the process of generating the Shared Key?

 

The answer is, not today.  This has been requested pretty frequently on these 
lists and in JIRA lately, so it's definitely something on our list of things to 
do, but it is not possible at the moment.

 

-Nick



AW: Enable share Menu

2018-09-01 Thread Joachim Lindenberg
Hi Nick,

how can one enable this with other extensions?

Thanks, Joachim

 

 

From: Nick Couchman [mailto:vn...@apache.org] 
Sent: Friday, 31 August 2018 20:38
To: user@guacamole.apache.org
Subject: Re: Enable share Menu

On Fri, Aug 31, 2018 at 3:50 AM Asbern <asber...@trainocate.com> wrote:

Hi all,

 

May I know where I need to configure to enable the “share” menu as per 
https://guacamole.apache.org/doc/gug/using-guacamole.html#client-share-menu? 
Thanks.

 

 

In order for connection sharing to work, and, thus, the Share menu, you need to 
be using the JDBC authentication module, and create a share profile for the 
connection you'd like to share.  There isn't much to it, but it does rely on 
the JDBC module.

 

-Nick 



AW: guacamole.apache for windows os

2018-08-28 Thread Joachim Lindenberg
Hi,

if you are primarily interested in RDP, then Myrtille and freerdp-webconnect 
are alternatives that work on Windows. Myrtille also supports SSH. Obviously 
user interface and features vary…

If you want to use Guacamole on Windows… I run two Guacamole instances (one 
using Docker, one compiled from scratch) on two virtual machines (Ubuntu 18.04 
or 16.04) on two different Hyper-V hosts (one Hyper-V-2016, one Windows 10 Pro) 
without any issues. I also wrote a how-to for my own software @ 
https://software.lindenberg.one/backup/en/documentation/guacamole-integration, 
but if you just ignore my application specifics, the basic process should fit 
other scenarios as well. I definitely recommend using a Linux VM instead of 
running Docker for Windows.

Joachim

 

From: Mike Jumper [mailto:mjum...@apache.org] 
Sent: Tuesday, 28 August 2018 19:01
To: jaydeepsinh jadeja 
Cc: user@guacamole.apache.org
Subject: Re: guacamole.apache for windows os

On Tue, Aug 28, 2018, 07:37 jaydeepsinh jadeja <jaydeepvjad...@gmail.com> wrote:

Hi,

 

Please don't email multiple lists at the same time.

 

https://www.apache.org/dev/contrib-email-tips.html#rightlist

 

 

I wish to use guacamole.apache, but having read its documentation I feel that I 
can't set up the Guacamole server on the Windows operating system.

Does guacamole.apache work on the Windows operating system? I want to use 
both the Guacamole server and client on the Windows operating system.

 

No. With the exception of libguac, guacamole-server depends on POSIX features 
and behavior not present in Windows. It's conceivable that it could be ported, 
but probably not worth the effort given that (1) there is very little demand 
for a Windows port and (2) those that do need such a port can already use a VM 
or Docker.

 

Keep in mind also that you do not need to install Guacamole on the desktops you 
will be connecting to. Guacamole is a gateway, and the Guacamole server will 
happily connect to your Windows machines. It only needs to be installed on one, 
centralized server to make that happen.

 

If you truly use only Windows servers and cannot deploy a Linux server to host 
Guacamole, I'd recommend using a VM or Docker to give Guacamole the platform it 
needs independent of the server OS.

 

- Mike

 



starting a specific connection via URL?

2018-08-12 Thread Joachim Lindenberg
Hello,

I am wondering what is the best way to start a connection (with parameters
made available from my own authentication extension, but could be any) from
another web application. I am aware of the following approaches:

*   I can pass username & password via the URL, however I don't know how
to pass the connection identifier (or whether that is available to my
authentication extension). More importantly, I dislike the fact that username
and password are shown by the browser in the URL, visible to anyone looking
at the screen.

*   There is an extension https://github.com/grncdr/guacamole-auth-hmac
that probably does something similar, but the code is unmaintained and I
don´t know whether it works with 0.9.14+.

*   I can generate a one-time-token in my web application, retrieve the
token from the URL in my authentication extension, use it to identify user
and connection, return just that one connection to Guacamole, and rely on
the convention that Guacamole starts the connection automatically if there
is just one. Not sure what life-time the token will need – e.g. will refresh
work if the token is no longer valid?

Any options I am missing? Any obstacles I haven't seen?

Thanks & Best Regards,

Joachim
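
The one-time-token approach from the third bullet of the message above, as an added example that is not part of the original post and is not Guacamole code: the web application signs a short-lived token binding user and connection, and the extension side accepts it exactly once. The key handling, the 30-second lifetime, the in-memory nonce store and all names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: key shared by the issuing web application and the authentication
# extension (generated here so the example runs; provisioned out of band in practice).
SHARED_KEY = secrets.token_bytes(32)
TOKEN_TTL = 30           # assumed lifetime in seconds, enough for one redirect
redeemed_nonces = set()  # hypothetical in-memory store of tokens already used


def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user, connection_id, now=None):
    """Web application side: bind user and connection into a signed token."""
    now = time.time() if now is None else now
    claims = {"u": user, "c": connection_id,
              "exp": int(now) + TOKEN_TTL, "n": secrets.token_hex(16)}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(tag)


def redeem_token(token, now=None):
    """Extension side: return (user, connection_id), or None if rejected."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".")
        payload = b64d(body)
        expected = hmac.new(SHARED_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(tag)):
            return None  # forged or altered, e.g. another connection id
        claims = json.loads(payload)
    except (ValueError, TypeError, AttributeError):
        return None      # malformed input
    if now > claims["exp"] or claims["n"] in redeemed_nonces:
        return None      # expired, or already used once (replay or page refresh)
    redeemed_nonces.add(claims["n"])
    return claims["u"], claims["c"]


if __name__ == "__main__":
    # Constructed sample values.
    t = issue_token("alice", "vm-backup-01")
    print(redeem_token(t))   # first use succeeds
    print(redeem_token(t))   # second use is rejected
```

Because a second presentation of the same token is rejected, the lifetime only has to cover the redirect; this assumes the session created at first redemption, not the token, authorizes later requests.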


