Re: Guacamole 1.4.0 problem using SAML authentication

2022-04-07 Thread Michael Jumper
On Thu, Apr 7, 2022 at 3:03 PM Victor Martinez 
wrote:

> I am configuring the latest version 1.4 with SAML support. When I
> authenticate, in the logs I see the following error:
>
> 17:50:07.920 [http-nio-8080-exec-3] ERROR c.onelogin.saml2.authn.SamlResponse - The
> response was received at https://miserver/guacamole/api/ext/saml/callback
> instead of https://miserver/api/ext/saml/callback
> 17:50:07.920 [http-nio-8080-exec-3] WARN o.a.g.a.s.a.AssertionConsumerServiceResource -
> Authentication attempted with an invalid SAML response: SAML response did
> not pass validation: The response was received at
> https://miserver/guacamole/api/ext/saml/callback instead of
> https://miserver/api/ext/saml/callback
>
> If I use version 1.3, I don't have this problem. Would you know what could
> be causing the error?
>

The 1.4.0 release tightened SAML request validation.

Rather than leverage your reverse proxy to rewrite the path from
"/guacamole" to "/", I would recommend just redeploying the webapp at the
desired path to begin with, and reconfiguring your reverse proxy
accordingly. The webapp can be deployed directly at "/" by renaming the
.war file to "ROOT.war".

- Mike


Re: stalled guacd processes

2022-04-08 Thread Michael Jumper
On Fri, Apr 8, 2022, 08:20 Philippe MARASSE
 wrote:

> Hello,
>
> Unfortunately, one week later I have a lot of stalled processes, started
> days ago :
>
> ...
>

In the source tree that you built, what does git show as the current commit?

- Mike


Re: Guac 1.4.0

2022-04-08 Thread Michael Jumper
On Fri, Apr 8, 2022, 09:27 Fertig, Brian 
wrote:

> I just upgraded to 1.4.0 from 1.3.0.  When I look at the guac logs it says
> totp and mysql is not compatible even though everything is all 1.4.0.  Any
> ideas?
>

Delete the directory created by Tomcat when it expanded the .war file and
restart Tomcat.

The contents of the 1.3.0 .war are probably cached within that directory
and are still being deployed, thus the older 1.3.0 webapp is rightly
complaining that it can't load 1.4.0 extensions. Deleting the directory
will force Tomcat to redeploy using the newer .war file.

- Mike


Re: Compile on Ubuntu 22.04 => openssl

2022-04-26 Thread Michael Jumper
On Tue, Apr 26, 2022, 10:22 Gerd Hoerst  wrote:

> Hi !
>
> i tried to compile the 1.4.0 package for Ubuntu 22.04 but i get some of
> this errors...
>
> make[3]: Entering directory
> '/root/develop/guacamole-server-1.4.0/src/common-ssh'
>CC   libguac_common_ssh_la-key.lo
> key.c: In function ‘guac_common_ssh_key_alloc’:
> key.c:63:9: error: ‘PEM_read_bio_RSAPrivateKey’ is deprecated: Since
> OpenSSL 3.0 [-Werror=deprecated-declarations]
> 63 | rsa_key = PEM_read_bio_RSAPrivateKey(key_bio, NULL,
> NULL, passphrase);
>| ^~~
> In file included from key.c:33:
>

I believe this has already been addressed on the latest git via the support
for OpenSSH-format keys. We no longer invoke the function in question, and
instead use the key reading functions provided by libssh2.

- Mike


Re: What is the right format to import ssh private key in user-mapping.xml (guacamole 1.4)

2022-04-26 Thread Michael Jumper
On Thu, Apr 21, 2022, 05:29 Willy Manga  wrote:

> Hello,
>
> I certainly miss something, but I don't see what.
>
> I want to use authentication via ssh key.
>
> Here is what my user-mapping.xml looks like
> http://paste.debian.net/1238561/ (I have just removed the actual content)
>
> When I try to connect to the remote host, I'm prompted to enter a key
> passphrase on the screen even though it was blank in my case. If I hit
> "ENTER", I have this message in the log: "Auth key import failed: (null)"
>
> Are there spaces I should remove, carriage return?
>

There are two main issues:

1) You should remove the newline before the key header, so the key header
starts immediately after the "param" tag.

2) Version 1.4.0 does not support the newer OpenSSH-specific format of
private key. You'll need to use an RSA key in PEM format, or try building
from git (support for the OpenSSH format was recently added but is not yet
released).

When possible, I'd also recommend moving away from using user-mapping.xml
and use one of the supported databases. That'll give you a full web-based
UI for managing connections, users, and user groups.

- Mike


Re: Guacamole SSL/MySQL schema changes?

2022-04-27 Thread Michael Jumper
On Wed, Apr 27, 2022 at 1:00 PM Tom Lawson  wrote:

> Hi all,
>
> Did something change with Guac? For two weeks (on and off in spare time!)
> now I've tried to figure out why Guacamole can't connect to Guacd, where it
> was previously working just fine. I can't seem to even disable the
> requirement for SSL
>

No, nothing has changed regarding SSL.

The SQL schema has no impact on whether SSL is used, but also has not
changed. The SQL schema has actually not changed since 1.0.0.

Guacamole:
> 19:54:35.187 [http-nio-8080-exec-10] ERROR
> o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed:
> javax.net.ssl.SSLHandshakeException: Remote host terminated the handshake
>
> No SSL config is specified in guacamole.properties anymore.
>

It was specified previously?

What environment variables are you currently setting for the
"guacamole/guacamole" Docker image? Did you make changes to
guacamole.properties through any means other than the Docker image's
standard environment variables?

Guacd:
> guacd[7]: ERROR:Guacamole protocol violation. Perhaps the version
> of guacamole-client is incompatible with this version of guacd?
> guacd[7]: DEBUG:Error reading "select": Instruction parse error
>
> No SSL certs are specified in guacd.conf
>

Check your connection parameters in the UI. It's possible to override these
settings on a per-connection basis.

- Mike


Re: SQL Query for active sessions

2022-04-27 Thread Michael Jumper
On Wed, Apr 27, 2022 at 3:30 AM Rafael Cervillera  wrote:

> Hello all.
>
> First of all, thanks for the awesome work with Apache Guacamole.
>
> Our environment is CentOS with Guacamole 1.3.0 and RDP connections to
> Windows10 virtual clients. Now we need to query the active RDP sessions
> in order to shutdown inactive devices and start up in the moment we need
> them.
>
> Our idea is to get the active sessions with an SQL query from the command
> line and launch the shutdown/start up process. So, we have looked for a
> SQL table with the active connections to make an SQL query, unsuccessfully.
>
> Is there any way to do that with SQL?


I wouldn't recommend doing this. Releases from 1.4.0 and older do not
record active sessions in the database.

This has changed recently, and active sessions will have an entry in the
connection history table, but you should still not rely on this. The
existence of an entry within the table doesn't guarantee that there is a
corresponding session. It could also be the case that the server or
database was forcibly shut down, went offline, etc. before the entry could
be updated with the end time.

> Or do you have another idea to get the active sessions?
>

If the intent is to start/shutdown resources required for connections, I'd
recommend instead writing an extension that decorates the Connections and
ConnectionGroups of other extensions. By doing this, you can override
connect() to provide whatever additional behavior you need when the
connection starts, and override close() of the returned GuacamoleTunnel to
provide whatever additional behavior you need when the connection is
disconnected.

See:
https://guacamole.apache.org/doc/guacamole-ext/org/apache/guacamole/net/auth/AuthenticationProvider.html#decorate(org.apache.guacamole.net.auth.UserContext,org.apache.guacamole.net.auth.AuthenticatedUser,org.apache.guacamole.net.auth.Credentials)

There are convenience classes for handling this sort of decoration:

https://guacamole.apache.org/doc/guacamole-ext/org/apache/guacamole/net/auth/DelegatingUserContext.html
https://guacamole.apache.org/doc/guacamole-ext/org/apache/guacamole/net/auth/DecoratingDirectory.html

An overview of the format of extensions can be found here:

https://guacamole.apache.org/doc/gug/guacamole-ext.html

- Mike


Re: problem with default authentication and encoded passwords

2022-05-01 Thread Michael Jumper
On Sun, May 1, 2022, 03:58 billib  wrote:

> Morning everybody,
>
> I cannot log in to my server if I try and use an encrypted password in
> user-mapping.xml:
>
> <authorize username="testuser1"
>            password="passwort1">
>     <protocol>vnc</protocol>
>     <param name="hostname">localhost</param>
>     <param name="port">5901</param>
>     <param name="password">vncpass1</param>
> </authorize>
>
>
> works fine, while
>
> <authorize username="testuser2"
>            password="631b0ef29792ae5e5813b2ae4dd7aa25"
>            encoding="md5">
>     <protocol>vnc</protocol>
>     <param name="hostname">localhost</param>
>     <param name="port">5902</param>
>     <param name="password">vncpass</param>
> </authorize>
>
> leaves me with a "WARN  o.a.g.r.auth.AuthenticationService -
> Authentication attempt from 95.191.24.244 for user "testuser2" failed"
> in catalina.out. Nothing in syslog.
> The same is true for sha256 instead of md5.
>

What exact command(s) are you using to generate the hashed password?

- Mike


Re: problem with default authentication and encoded passwords

2022-05-01 Thread Michael Jumper
On Sun, May 1, 2022, 09:11 billib  wrote:

> My script comes up with a password, GUAC_PASS. The next line gives the
> text that is written into user-mapping.xml:
>
> GUAC_PASS_ENC=$(echo ${GUAC_PASS} | openssl md5 | cut -d' ' -f2)
>
>
> I tried
>
> echo "mypassword" | openssl md5
>
>
> (with and without double quotes) and
>
> echo "mypassword" | md5sum
>
>
> on the command line as well which gave the same results as the script,
> respectively.
>

Use echo -n instead. The "echo" command will otherwise include a newline
character at the end, which is causing the checksum to not match. You are
currently actually hashing "mypassword\n", not "mypassword".

- Mike
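The newline pitfall above, as an added Python example (not part of this thread or of the Guacamole project): it computes the digest Guacamole compares against for encoding="md5" or encoding="sha256", shows the digest that echo without -n actually produces, and renders a ready-to-paste <authorize> entry. The user names, passwords and the hostname/port/password parameter values are constructed.

```python
import hashlib
import xml.etree.ElementTree as ET

# Digest algorithms accepted by the "encoding" attribute of <authorize>.
SUPPORTED_ENCODINGS = ("md5", "sha256")


def guac_password_hash(password: str, encoding: str = "md5") -> str:
    """Hex digest of exactly the password bytes, as Guacamole compares it.

    This is what `echo -n "$PASSWORD" | openssl md5` (or sha256) produces:
    no trailing newline is part of the hashed data.
    """
    if encoding not in SUPPORTED_ENCODINGS:
        raise ValueError(f"unsupported encoding: {encoding!r}")
    return hashlib.new(encoding, password.encode("utf-8")).hexdigest()


def echo_style_hash(password: str, encoding: str = "md5") -> str:
    """What `echo "$PASSWORD" | md5sum` actually hashes: the password plus '\\n'."""
    return hashlib.new(encoding, (password + "\n").encode("utf-8")).hexdigest()


def digests_differ(password: str, encoding: str = "md5") -> bool:
    """True when the echo-without--n digest can never match Guacamole's."""
    return guac_password_hash(password, encoding) != echo_style_hash(password, encoding)


def authorize_element(username: str, password: str, encoding: str,
                      protocol: str, params: dict) -> str:
    """Render one <authorize> entry for user-mapping.xml with a hashed password.

    `params` maps connection parameter names (hostname, port, password, ...)
    to their values. The plaintext never leaves this function unhashed.
    """
    auth = ET.Element("authorize", {
        "username": username,
        "password": guac_password_hash(password, encoding),
        "encoding": encoding,
    })
    ET.SubElement(auth, "protocol").text = protocol
    for name, value in params.items():
        ET.SubElement(auth, "param", {"name": name}).text = str(value)
    return ET.tostring(auth, encoding="unicode")


if __name__ == "__main__":
    # Constructed values, mirroring the testuser2 entry in the thread.
    pw = "mypassword"
    print("correct :", guac_password_hash(pw))   # echo -n "mypassword" | openssl md5
    print("with \\n :", echo_style_hash(pw))      # echo "mypassword" | openssl md5
    print(authorize_element("testuser2", pw, "sha256", "vnc",
                            {"hostname": "localhost", "port": 5902, "password": "vncpass"}))
```

The two digests printed first are the pair billib was comparing; only the first one will ever match what Guacamole computes from the password typed at the login form.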


Re: RDP virtual printing (PDF) fails on second try

2022-05-01 Thread Michael Jumper
If possible, please try building guacamole-server from git and see if the
issue disappears. This was recently identified and fixed for upcoming 1.5.0.

- Mike

On Sun, May 1, 2022, 11:46 Michael Niehren  wrote:

> same problem here, printing is not usable on V1.4.0
>
>
> best regards
>
>   Michael
>
>
> 
> Information required under the EHUG
>
> Company name: tuxlan GmbH
> Legal form: GmbH
> Registered office: Ritzelbergstr. 27, 66636 Tholey
> Managing director: Michael Niehren
> Register court: Saarbrücken, HRB 107090
> 
>
>
>
> -Original Message-
> *From:* Vieri 
> *Sent:* Thursday, 28 April 2022 23:53
> *To:* User 
> *Subject:* RDP virtual printing (PDF) fails on second try
>
> Hi,
>
> Running 1.4.0, virtual printing to PDF works once, but then the second attempt
> to print freezes the session (no printing of course, but also nothing else
> responds).
> I'm using both Chrome and Firefox.
> With Firefox, logging out of Guacamole and back in does "unfreeze" the
> session, but as soon as I try to print again the session freezes.
> With Chrome, when I log out of Guacamole I see a new corrupt PDF is
> downloaded. I can then log into Guacamole and enter my RDP session. I can then
> print to virtual PDF, and the first try is successful (I can view the PDF
> content). However, the second try freezes the session again.
>
> Am I the only one seeing this?
>
> Here's what I see in the guacd log:
>
> 23:31:28 inf-gw2 guacd[512]: Print job created
> 23:31:28 inf-gw2 guacd[512]: Created PDF filter process PID=632
> 23:31:28 inf-gw2 guacd[632]: Running gs
> 23:31:28 inf-gw2 guacd[512]: Print job closed
> --> I can properly view my first PDF.
> 23:31:48 inf-gw2 guacd[512]: Print job created
> 23:31:48 inf-gw2 guacd[512]: Created PDF filter process PID=688
> 23:31:48 inf-gw2 guacd[688]: Running gs
> --> session freeze
> 23:32:16 inf-gw2 guacd[8165]: Creating new client for protocol "rdp"
> --> I reconnect to guacamole + enter RDP session again.
>
> So, the session seems to freeze when the print job does not get "closed".
> Maybe ghostscript is the culprit.
> In fact I see too many processes on the server:
>
> # ps -ae | grep -c gs
> 245
>
> A ps aux shows processes running with these parameters:
>
> gs -q -dNOPAUSE -dBATCH -dSAFER -dPARANOIDSAFER -sDEVICE=pdfwrite 
> -sOutputFile=- -sstdout=/dev/null -f -
>
> # gs --version
> 9.55.0
>
> What can I try?
>
> Vieri
>
> -
> To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
> For additional commands, e-mail: user-h...@guacamole.apache.org
>
>


Re: Guacamole 1.4.0 problem using SAML authentication

2022-05-05 Thread Michael Jumper
On Sat, Apr 9, 2022 at 2:50 AM Vieri  wrote:

> ...
> >> The 1.4.0 release tightened SAML request validation.
> >>
> >> Rather than leverage your reverse proxy to rewrite the path from
> "/guacamole" to "/", I would recommend just redeploying the webapp at the
> desired path to begin with, and
> >>reconfiguring your reverse proxy accordingly. The webapp can be deployed
> directly at "/" by renaming the .war file to "ROOT.war".
>
> So with that in mind, one cannot have more than one backend on the reverse
> proxy?
>

Sure you can. You just need to make sure that the webapp's .war file
matches the path that you've specified when you registered the webapp
with your SAML IdP. If the path that the webapp is served at by Tomcat
doesn't match the publicly-visible path, then SAML validation will fail.

- Mike


Re: VNC uses weird Keyboard-Layout

2022-05-05 Thread Michael Jumper
On Mon, May 2, 2022 at 6:47 AM Matti Kaupenjohann <
matti.kaupenjoh...@fh-dortmund.de> wrote:

> Hi,
>
> before upgrading to 1.4.0 and after fixing the IP connection problem in
> 1.4.0 for our setup, I ran into an issue with a VNC connection. I
> initially hoped the upgrade might fix it, but it doesn't.
>
> I have a VM installed headless via KVM and virttools on an Ubuntu system.
> I set the VM up with graphics using VNC, listening on 0.0.0.0. This
> setup made it possible to use TigerVNC from any system inside
> our network. Using TigerVNC works perfectly fine, and the
> German keyboard layout is recognized with no issue. But if I
> set up a connection to this system in Guacamole, the keyboard layout
> does weird stuff. First I thought "oh, some VNC translation errors,
> and the system now uses British/US QWERTY". Instead some very weird
> layout is used. With [ALT GR] I am able to produce a lot of Unicode
> characters which are normally not printed by the letter keys. I also
> tested with the on-screen keyboard, which is still QWERTZ, with the same
> result.


This is because KVM cannot implement the keyboard in the same way that a normal
VNC server would:

VNC accepts key events in the form of keysyms, which are layout
independent. If you type "z", the VNC server handles it as "z" and
preserves the key's identity, even if the keyboard layouts of local and
remote systems do not match. Guacamole follows this same approach.

KVM, on the other hand, is required by its own nature to transform these
into hardware scancodes to emulate the keyboard connected to the VM. These
scancodes represent key location, not identity, so there will be unexpected
behavior if the OS inside the VM is actually configured to use a different
layout from what KVM expects.

For example, if the VM is configured within KVM to use a US Qwerty layout,
but the OS within the VM is configured to use Qwertz:

1. User types "z" while using Guacamole.
2. Guacamole sends "z" to the Guacamole server.
3. The Guacamole server sends "z" to the VNC server (KVM).
4. KVM translates that "z" to a scancode that's essentially equivalent to
"the second key in the fourth row".
5. The OS within the VM receives the scancode, but handles it as "y"
because that's the key at that location according to the OS' configured
layout.

- Mike


Re: SSH failed: no matching host key type found

2022-05-05 Thread Michael Jumper
On Sun, May 1, 2022 at 12:36 AM Yang Yang  wrote:

> Hi Nick,
>
> I found that only ssh-rsa and ssh-dss are mentioned in ssh_agent.c;
> does that mean other algorithms are currently not supported?
>

No, ssh_agent.c only deals with SSH agent forwarding support which is not
in play here. For authentication with an SSH server, any key format
supported by the libssh2 library present on the system can be used.

- Mike


Re: REST API authentication with TOTP extension

2022-05-10 Thread Michael Jumper
On Tue, May 10, 2022, 06:00 MAURIZI Lorenzo 
wrote:

> Dear all,
>
> just after solving a problem, here I am with another one!
>
> I would like to build some automated reports, for example a daily e-mail
> with the list of the connections made in the previous day.
>
> For this task, I've been thinking about using the REST API.
>
> I would be happy to share the resulting bash script if anyone is interested.
>
> In my installation the TOTP 2FA extension is active, so when sending
> username and password to /api/tokens, I obtain this json response:
>
> {
>   "message": "A TOTP authentication code is required before login can continue",
>   "translatableMessage": {
>     "key": "TOTP.INFO_CODE_REQUIRED",
>     "variables": null
>   },
>   "statusCode": null,
>   "expected": [{
>     "name": "guac-totp",
>     "type": "GUAC_TOTP_CODE"
>   }],
>   "type": "INSUFFICIENT_CREDENTIALS"
> }
>
> I tried to put a third guac-totp parameter in the /api/tokens POST data
> alongside username and password, but without success, as it returns the
> same message.
>
> Which is the correct way to handle API authentication when using the TOTP
> extension?
>
>

That is the correct way to handle the request. In addition to the correct
username and password, include the current, correct TOTP code for that user
as the "guac-totp" parameter.

You can see this happen in practice if you open up dev tools in your
browser, log in with your own user account, and observe the contents of the
successful POST to /api/tokens.

- Mike
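The two-step exchange Mike describes, as an added Python example (not part of this thread or of Guacamole): the first POST to /api/tokens carries only username and password; when the server answers with type INSUFFICIENT_CREDENTIALS, the script reads the names listed under "expected" and repeats the POST with the "guac-totp" field added. The challenge body is the one quoted above; the fake server, the account "reporter"/"secret", the code "123456" and the token it returns are constructed so the flow runs offline. Against a real server, pass the default transport and a callable that prompts for the current code.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

TOTP_FIELD = "guac-totp"

# The challenge body quoted in the thread, used here as constructed test input.
TOTP_CHALLENGE = json.dumps({
    "message": "A TOTP authentication code is required before login can continue",
    "translatableMessage": {"key": "TOTP.INFO_CODE_REQUIRED", "variables": None},
    "statusCode": None,
    "expected": [{"name": "guac-totp", "type": "GUAC_TOTP_CODE"}],
    "type": "INSUFFICIENT_CREDENTIALS",
})


def missing_credentials(body: str) -> list:
    """Names of the parameters the server still wants, read from an /api/tokens
    error body; empty for any other response, including non-JSON bodies."""
    try:
        data = json.loads(body)
    except ValueError:
        return []
    if not isinstance(data, dict) or data.get("type") != "INSUFFICIENT_CREDENTIALS":
        return []
    return [field["name"] for field in data.get("expected") or []]


def token_request_body(username: str, password: str, extra: dict = None) -> bytes:
    """Form-encoded body for POST /api/tokens, the same shape the web UI sends."""
    fields = {"username": username, "password": password}
    fields.update(extra or {})
    return urllib.parse.urlencode(fields).encode("ascii")


def http_post(url: str, body: bytes):
    """Real transport. Guacamole signals credential problems with HTTP 403,
    which urllib raises as HTTPError, so the JSON body is recovered from it."""
    req = urllib.request.Request(url, data=body, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8")


def login(base_url: str, username: str, password: str, totp_code, post=http_post) -> str:
    """Obtain an authToken, supplying the TOTP code only when the server asks.

    `totp_code` is a zero-argument callable (prompt the operator, read a
    token, ...). `post` is injectable so the flow can be exercised offline.
    """
    url = base_url.rstrip("/") + "/api/tokens"
    extra = {}
    for _ in range(2):  # first attempt, then at most one retry with the code
        status, body = post(url, token_request_body(username, password, extra))
        if 200 <= status < 300:
            return json.loads(body)["authToken"]
        if TOTP_FIELD in missing_credentials(body) and TOTP_FIELD not in extra:
            extra[TOTP_FIELD] = totp_code()
            continue
        raise PermissionError(f"login rejected (HTTP {status}): {body}")
    raise PermissionError("credentials still rejected after supplying the TOTP code")


def fake_guacamole_post(url: str, body: bytes):
    """Constructed stand-in for a TOTP-protected server (offline demo only):
    one account, 'reporter' / 'secret', whose current code is '123456'."""
    fields = urllib.parse.parse_qs(body.decode("ascii"))
    rejected = (403, json.dumps({"type": "INVALID_CREDENTIALS", "message": "Invalid login"}))
    if fields.get("username") != ["reporter"] or fields.get("password") != ["secret"]:
        return rejected
    if TOTP_FIELD not in fields:
        return 403, TOTP_CHALLENGE
    if fields[TOTP_FIELD] != ["123456"]:
        return rejected
    return 200, json.dumps({"authToken": "0123456789abcdef", "username": "reporter"})


if __name__ == "__main__":
    token = login("https://guac.example.com/guacamole", "reporter", "secret",
                  lambda: "123456", post=fake_guacamole_post)
    print("authToken:", token)
    # Real server: login(base_url, user, pw, lambda: input("TOTP code: "))
```

The token returned is what the rest of the REST API expects as the token query parameter (or Guacamole-Token header in 1.4.0); for a daily report it is worth requesting it once per run and, since it is a bearer credential, deleting it with DELETE /api/tokens/{token} when the script finishes.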


Re: question:guacamole connection slow over https but not on http

2022-05-16 Thread Michael Jumper
On Mon, May 16, 2022, 21:53 Rao, Amit  wrote:

> Hi,
>
> I have configured Guacamole in AWS ECS using Fargate, which has the following
> architecture.
>
> My issue is that when I RDP to any server over HTTPS on 443, the connection
> takes an extra 5 seconds to load, but when I use HTTP the connection is almost
> immediate.
>
> My nginx conf is below. Can you please help with what I am missing?
>

Perhaps the host system is rapidly running out of entropy? It's common for
virtualized systems to have a hard time generating enough entropy for the
secure random number generation required for cryptography.

- Mike


Re: Guacamole Upgrade from 1.2 to 1.4

2022-05-18 Thread Michael Jumper
On Thu, May 12, 2022 at 6:23 AM Tushar Jain  wrote:

> Hi,
>
> I am planning to upgrade guacamole from 1.2 to 1.4. Is it okay to download
> the server and client files from
> https://guacamole.apache.org/releases/1.4.0/ or should I take the latest
> for both from github ?
>

It is definitely OK to download the release from the release page.

If you want to download via git instead of the release page, you will need
to specifically check out the "1.4.0" tag to get the source of the 1.4.0
release. The current contents of git will otherwise be the primary active
development branch.


> Also, I see a staging/1.5.0 branch. Is it around the corner, or will it
> take some time?
>

It's going to take some time. My optimistic gut says next month is likely,
all of our time permitting, but I wouldn't recommend holding off on
upgrading when you are two releases behind the latest stable.

- Mike


Re: Guacamole+fail2ban

2022-05-18 Thread Michael Jumper
On Mon, May 16, 2022 at 9:37 PM Golota S.V. 
wrote:

> Hello!! I use the docker version of guacamole 1.4. Since I organized access
> through nginx proxy manager and attached fail2ban from
> crazy-max/docker-fail2ban, everything is fine, but there are many false
> locks after authorization. There are recommendations to analyze logs not
> from nginx but from tomcat, right from the container. I can't display the
> logback.xml settings file from the container to correct and enable
> logging. What do you recommend?
>

Can you clarify what it is you are trying to correct/enable? Logging is
always enabled within the "guacamole/guacamole" Docker image. The logs
should be visible directly within the Docker logs for the container.

- Mike


Re: Setting up HTTP header authentication

2022-05-18 Thread Michael Jumper
On Mon, May 16, 2022 at 12:23 PM Dmitry Katsubo 
wrote:

> Dear Guacamole users,
> Dear Nick,
>
> Sorry I decided to resurrect the 4-years old challenge. I have rebased my
> changes on the latest codebase. Not so many changes are required to allow
> the user authenticated via auth-header extension to be provided
> authentication information / connection settings from user-mapping.xml.
> Without the changes the settings are not picked up from user-mapping.xml.
>

Is there a specific reason that you cannot use the database? It's intended
for what you describe, intended for production use, and will work with
header auth.


> Please check my commit b0aa658.
> If that is OK, then I would provide a few unit tests for it. Otherwise let me
> know what is missing, preferably in terms so that I can implement a test.
>

Looking at your commit, I see that one of the primary changes here is
changing the prototype and visibility of the getAuthorizedConfigurations()
function. This will break API and ABI compatibility, and I do not think we
should do this.

For the built-in support for user-mapping.xml to be able to accept the
authentication results of other installed extensions, it will need to be
modified to use the less-simple API and implement AuthenticationProvider
and UserContext (rather than use SimpleAuthenticationProvider).

With user-mapping.xml really being intended for testing only, and with
these changes aimed at allowing user-mapping.xml to be used in a more
complex configuration aimed at production use, I think these changes really
would need to be coupled with a move to a user-mapping variant that
*is* intended
for production (proper salted hashes for passwords instead of
intentionally-simplified-for-testing hashes, the ability to define a
user/connection association that requires auth from some other extension
and otherwise has no password, etc.).

- Mike


Re: Printing functionality and FTP

2022-05-23 Thread Michael Jumper
On Mon, May 23, 2022, 00:44 Ricardo García 
wrote:

> Hello.
>
> I'm new to Apache Guacamole and I am working on some projects in my
> company. I have some doubts that I would like to clarify with you.
>
> 1. How does the Apache Guacamole printing functionality work? I find
>    information about activating the functionality, but we would like to
>    know how it works.
>
>
The RDP protocol defines a mechanism for redirecting devices, including
printers. Guacamole emulates a printer, exposes that emulated printer over
the RDP connection to the RDP server, and filters received print data
through GhostScript to generate a PDF. The PDF data is streamed over the
Guacamole connection using the file transfer mechanisms built into the
Guacamole protocol.


> 2. When we use the FTP function to transfer files, we have problems
>    with the length of the file names: with long names we get an error
>    and need to reduce the name to 20 characters or less. Is this maximum
>    size configurable, or how can we use long file names with FTP
>    transfers?
>
>
Nothing within Guacamole defines any such limit. If you are seeing such an
issue, it must be something outside Guacamole causing that behavior, such
as a proxy in front of Guacamole or a limitation of the filesystem storing
the uploaded files.

Guacamole's filename limits depend on the protocol in use: 2048 bytes for
SFTP paths, and 4096 bytes for RDP paths. No part of Guacamole uses FTP.

- Mike


Re: Access to Guacamole with OpenVPN (behind the Firewall)

2022-05-23 Thread Michael Jumper
On Mon, May 23, 2022, 07:53 Dark Corner  wrote:

> Guacamole is installed on a PC behind a Zyxel firewall.
> Users should connect to Guacamole via VPN and, once logged into Guacamole,
> log into their PC.
> However, the firewall cannot handle multiple VPNs. So, I wish to install
> OpenVPN, possibly on the same PC used for Guacamole.
> To access OpenVPN I would like to open a set of ports on the firewall to
> the Guacamole PC only, so that it is not necessary to use a VPN on the
> firewall.
>
> Do you have any suggestions in this regard?
>

I think it would be far better to not use the VPN at all. Putting a VPN in
front of it would just add unnecessary difficulty and complexity for users.

Part of the function of Guacamole is as a VPN replacement. It allows users to
connect to backend desktops securely and via a browser without needing a VPN
at all. You should instead:

1) Allow direct access to the Guacamole server only, and only on ports 80
and 443.

2) Set up SSL termination such that access is properly encrypted and HTTP
traffic to port 80 is redirected to HTTPS at port 443.

3) Ensure via your firewall and network config that Guacamole is the sole
means of access to the desktops on the private network behind Guacamole.

You then have a single, centralized, monitored, and secured point of entry,
with access to any particular backend desktop only possible if the admin
grants that access.

- Mike


Re: Issue with LDAP users not being dynamic

2022-05-24 Thread Michael Jumper
On Tue, May 24, 2022, 06:32 Kevin Cameron  wrote:

> I have Guacamole 1.4 connected to Windows AD and I was able to create
> a user and group filter so that if I create a new AD nested group with
> users it will add the users from that nested group in the initial read, but
> then any changes to the membership (additions or removals) are not
> reflected in Guacamole no matter how many times I log in or restart Guac.
>
> Any suggestions on what might cause this?
>

The LDAP support does not perform recursive membership queries to determine
which LDAP groups apply to a user.

The user filter may be used to reduce the user accounts available based on
AD's recursive matching operator, but the operator used inside the LDAP
support to determine group membership is just a standard attribute equality
check and is not recursive.

- Mike
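The distinction Mike draws, as an added Python example (not part of this thread or of the Guacamole LDAP extension): a user filter can use Active Directory's LDAP_MATCHING_RULE_IN_CHAIN operator (OID 1.2.840.113556.1.4.1941) so that AD evaluates memberOf transitively, whereas an equality match on a group's member attribute only sees direct members. The directory below is constructed (four entries, one nested group); transitive_groups() models what the in-chain rule computes, groups_by_member_equality() what the equality check returns, and nested_only_members() lists exactly the accounts whose membership changes an equality-based group mapping will not notice.

```python
# Active Directory's transitive matching rule (LDAP_MATCHING_RULE_IN_CHAIN),
# usable in a filter as (memberOf:1.2.840.113556.1.4.1941:=<group DN>).
AD_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Constructed AD-like directory (DN -> attributes). Not real data.
USERS_OU, GROUPS_OU = "OU=Users,DC=example,DC=com", "OU=Groups,DC=example,DC=com"
ALICE = f"CN=alice,{USERS_OU}"
BOB = f"CN=bob,{USERS_OU}"
HELPDESK = f"CN=Helpdesk,{GROUPS_OU}"
GUAC_USERS = f"CN=GuacUsers,{GROUPS_OU}"

DIRECTORY = {
    ALICE: {"objectClass": ["user"], "memberOf": [HELPDESK]},
    BOB: {"objectClass": ["user"], "memberOf": [GUAC_USERS]},
    HELPDESK: {"objectClass": ["group"], "member": [ALICE], "memberOf": [GUAC_USERS]},
    GUAC_USERS: {"objectClass": ["group"], "member": [HELPDESK, BOB], "memberOf": []},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in a search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def recursive_user_filter(group_dn: str) -> str:
    """A user search filter that AD evaluates transitively: it matches users
    in group_dn and in any group nested (at any depth) under it."""
    return f"(&(objectClass=user)(memberOf:{AD_IN_CHAIN}:={escape_filter_value(group_dn)}))"


def groups_by_member_equality(user_dn: str) -> set:
    """Groups found by a plain equality filter such as (member=<user DN>):
    only groups that list the user directly, which is what Mike describes
    for Guacamole's group membership check."""
    return {dn for dn, attrs in DIRECTORY.items()
            if "group" in attrs["objectClass"] and user_dn in attrs.get("member", [])}


def transitive_groups(user_dn: str) -> set:
    """Closure of memberOf over nested groups, with cycle protection; this is
    the set the in-chain rule considers for recursive_user_filter()."""
    seen, stack = set(), list(DIRECTORY[user_dn].get("memberOf", []))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(DIRECTORY.get(group, {}).get("memberOf", []))
    return seen


def matches_recursive_filter(user_dn: str, group_dn: str) -> bool:
    return "user" in DIRECTORY[user_dn]["objectClass"] and group_dn in transitive_groups(user_dn)


def nested_only_members(group_dn: str) -> set:
    """Users the recursive user filter admits for group_dn but whom an
    equality check does not see as members of it."""
    return {dn for dn, attrs in DIRECTORY.items()
            if "user" in attrs["objectClass"]
            and matches_recursive_filter(dn, group_dn)
            and group_dn not in groups_by_member_equality(dn)}


if __name__ == "__main__":
    print(recursive_user_filter(GUAC_USERS))
    for user in (ALICE, BOB):
        print(user, "direct:", sorted(groups_by_member_equality(user)),
              "transitive:", sorted(transitive_groups(user)))
    print("in GuacUsers only via nesting:", sorted(nested_only_members(GUAC_USERS)))
```

In the constructed data alice is a member of GuacUsers only through Helpdesk: the recursive user filter lets her log in, but an equality check on member never associates her with GuacUsers, so permissions granted to that group do not follow her, and adding or removing her from Helpdesk changes nothing in Guacamole. Flattening the groups in AD, or granting permissions to the directly-populated group, avoids the mismatch.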


Re: Guacamole 1.4 API/token returns 403

2022-05-27 Thread Michael Jumper
On Fri, May 27, 2022, 08:06 Tushar Jain  wrote:

> Hi,
>
> I have deployed guacamole 1.4 (or rather upgraded from 1.2). In the
> browser console, it has started giving a 403 error, when the login page
> loads. Following is the snapshot
>
>
> Not that it affects the guacamole operations, but for sure something is
> not right. Where am I going wrong?
>

No, this is absolutely normal. The REST API will return HTTP error codes to
properly represent the nature of a response. A 403 indicates you are not
yet logged in. This would have happened in all past releases, as well.

- Mike


Re: Frequent disconnections occurring now

2022-05-31 Thread Michael Jumper
On Tue, May 31, 2022, 17:50 Lockhart, Roland 
wrote:

> Hi
>
> All our current users are reporting frequent disconnections and slow
> service from Guacamole.
>
> I performed the usual maintenance recently, stop / start server, and
> rollover the docker images, which usually clears the issue, but it's not
> fixing this now.
>
> Any ideas of where to look?
>
Check the guacd logs.

> Guac has been in service for about 3 years now. I am keen to upgrade but
> that’s another thread.
>

You really should upgrade as soon as you can. Three years is a lot of fixes
to be missing out on.

- Mike


Re: Frequent disconnections occurring now

2022-05-31 Thread Michael Jumper
On Tue, May 31, 2022, 18:35 Lockhart, Roland 
wrote:

> And these
>
>
>
> {"log":"01:21:32.408 [Thread-1461] ERROR
> o.a.g.w.GuacamoleWebSocketTunnelEndpoint - Connection to guacd terminated
> abnormally: Connection to guacd timed
> out.\n","stream":"stdout","time":"2022-06-01T01:21:32.408781702Z"}
>
These messages indicate that Guacamole is unable to connect to guacd. The
most likely cause is guacd is not running.

If you are still seeing issues after starting guacd, you really need to
check the guacd logs. The logs you are looking at now are the Guacamole
(webapp) logs. The webapp will not be aware of the specifics of any issues
guacd may be having in connecting to your remote desktops.

- Mike


Re: Frequent disconnections occurring now

2022-05-31 Thread Michael Jumper
On Tue, May 31, 2022, 23:37 Lockhart, Roland 
wrote:

> These are the guacd logs for a session which I was disconnected from today
> while working
>
> ...
>
> {"log":"guacd[4459]: ERROR:\u0009User is not
> responding.\n","stream":"stderr","time":"2022-06-01T05:27:37.281117085Z"}
>
If you were indeed still connected (you didn't close the browser tab), this
indicates that there was a network disruption. Something interrupted
communication and resulted in Guacamole considering your connection closed
and cleaning up your connection.

> Other users are reporting disconnected sessions of 46 seconds and such like
>
You will need to locate the logs for those disconnects to determine the
cause. The fact that other connections closed is not enough to determine
why they closed.

- Mike
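A triage script for the two log formats quoted in this thread, as an added Python example (not part of the thread or of Guacamole): it parses Docker's json-file records, tells webapp lines (timestamp, thread, logger) from guacd lines (guacd[pid]: LEVEL:), and counts ERROR events by the diagnoses Mike gives above. The first two sample records are the ones Roland posted; the remaining two reuse guacd messages quoted elsewhere on this page with made-up timestamps and PIDs, and the diagnosis strings are labels chosen here.

```python
import json
import re
from collections import Counter

# Constructed sample in Docker's json-file format. Lines 1-2 are quoted in this
# thread; lines 3-4 reuse guacd messages quoted elsewhere on the page.
SAMPLE_LOG = r'''
{"log":"01:21:32.408 [Thread-1461] ERROR o.a.g.w.GuacamoleWebSocketTunnelEndpoint - Connection to guacd terminated abnormally: Connection to guacd timed out.\n","stream":"stdout","time":"2022-06-01T01:21:32.408781702Z"}
{"log":"guacd[4459]: ERROR:\u0009User is not responding.\n","stream":"stderr","time":"2022-06-01T05:27:37.281117085Z"}
{"log":"guacd[7]: ERROR:\u0009Guacamole protocol violation. Perhaps the version of guacamole-client is incompatible with this version of guacd?\n","stream":"stderr","time":"2022-06-01T05:28:01.000000000Z"}
{"log":"guacd[8165]: INFO:\u0009Creating new client for protocol \"rdp\"\n","stream":"stderr","time":"2022-06-01T05:28:05.000000000Z"}
'''

GUACD_RE = re.compile(r"^guacd\[(?P<pid>\d+)\]: (?P<level>[A-Z]+):\s*(?P<msg>.*)$")
WEBAPP_RE = re.compile(r"^\S+ \[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+)\s+(?P<logger>\S+) - (?P<msg>.*)$")

# Diagnoses, following the explanations given in this thread.
GUACD_UNREACHABLE = "webapp could not reach guacd: check that guacd is running and listening"
CLIENT_SILENT = "guacd stopped hearing from the browser: client-side or network disruption"
PROTOCOL_MISMATCH = "client/guacd protocol mismatch: check versions and per-connection settings"
SIGNATURES = (
    ("Connection to guacd timed out", GUACD_UNREACHABLE),
    ("User is not responding", CLIENT_SILENT),
    ("Guacamole protocol violation", PROTOCOL_MISMATCH),
)


def parse_docker_line(line: str):
    """One json-file record -> event dict; None for blank lines."""
    line = line.strip()
    if not line:
        return None
    record = json.loads(line)
    text = record["log"].rstrip("\n")
    event = {"time": record["time"], "stream": record["stream"], "source": "other",
             "pid": None, "level": None, "logger": None, "msg": text}
    m = GUACD_RE.match(text)
    if m:
        event.update(source="guacd", pid=int(m["pid"]), level=m["level"], msg=m["msg"])
        return event
    m = WEBAPP_RE.match(text)
    if m:
        event.update(source="webapp", level=m["level"], logger=m["logger"], msg=m["msg"])
    return event


def diagnose(event: dict) -> str:
    """First matching signature, else 'unclassified'."""
    for fragment, meaning in SIGNATURES:
        if fragment in event["msg"]:
            return meaning
    return "unclassified"


def triage(log_text: str):
    """Parse a json-file dump; return (all events, ERROR events, Counter of diagnoses)."""
    events = [e for e in map(parse_docker_line, log_text.splitlines()) if e]
    errors = [e for e in events if e["level"] == "ERROR"]
    return events, errors, Counter(diagnose(e) for e in errors)


if __name__ == "__main__":
    events, errors, summary = triage(SAMPLE_LOG)
    for e in errors:
        print(e["time"], e["source"], "->", diagnose(e))
    print(dict(summary))
```

Run it over `docker logs` output for both containers (or the json-file under /var/lib/docker/containers) and read the summary in Mike's order: GUACD_UNREACHABLE counts come from the webapp and point at guacd itself; CLIENT_SILENT counts come from guacd and point at the network between the browser and Guacamole, not at the remote desktops.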


Re: Guacamole and provisioning platform

2022-06-03 Thread Michael Jumper
On Fri, Jun 3, 2022, 10:37 Sean Hulbert
 wrote:

> Hello,
>
> ...
>
> We have built a complete provisioning system ...
>
> If you like a demo please reach out, ...
>

Please do not post unsolicited promotional messages to our mailing lists.

If someone asks a direct question here to which your Guacamole-powered
product is an answer, then feel free to help answer that. Please do not
otherwise use this list to send email to broadly market/promote a product
to its subscribers.

- Mike


Re: How to restrict User from accessing connections

2022-06-04 Thread Michael Jumper
On Sat, Jun 4, 2022, 03:04 Arkaprabha Chakraborty <
chakrabortyarkaprabha...@gmail.com> wrote:

> I have a user group with sub-user groups in guacamole. I want to
> restrict some of the connections to this sub-user group. How to do so?
>

You would need to remove that group from its parent group. The members of a
user group will always inherit the permissions of that group, whether the
members are users or other groups.

- Mike


Re: Central Configuration

2022-06-10 Thread Michael Jumper
On Fri, Jun 10, 2022, 23:04 Dirk Laurenz  wrote:

> Hi,
>
> is there any other way than user-mapping.xml to configure guacamole?
>
> And moreover is it possible to separate Connections and users?
>
> What I mean is, to configure all sessions and only associate them to
> users. Currently all sessions exist multiple times.
>

Yes, this is exactly what you would get if you set up one of the supported
databases.

You don't need user-mapping.xml - it's really only meant for initial
testing (so you can verify things work without introducing additional
variables like whether a database is configured correctly). The other auth
mechanisms (database, LDAP, etc.) are intended for production use and
provide *much* more functionality.

- Mike


Re: Central Configuration

2022-06-11 Thread Michael Jumper
On Sat, Jun 11, 2022, 11:11 Dirk Laurenz  wrote:

> I got further: although it is MariaDB, one should use the MySQL driver. And
> how do I use strong passwords like
>
> $someBigLettersAndNumberx8789%
>
> Using ‘’ to quote them in guacamole.properties doesn’t work
>

Just write them exactly as-is. If you add quotes, those quotes will be part
of the value. Everything after the colon and leading whitespace is part of
the value.

https://en.wikipedia.org/wiki/.properties

- Mike
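The parsing rules Mike refers to, as an added Python example (not part of this thread or of Guacamole): a small reader for the java.util.Properties line format that guacamole.properties follows. The key ends at the first unescaped '=', ':' or whitespace; whitespace and at most one separator are skipped; everything after that, including any quotes, '$' or '%', is the value verbatim, with only backslash escapes and line continuations interpreted. The sample fragment is constructed.

```python
# Escape sequences recognised in .properties keys and values.
_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}
_SEPARATORS = "=:"
_WHITESPACE = " \t\f"


def _ends_with_odd_backslashes(line: str) -> bool:
    """A natural line continues onto the next one when it ends in an odd run of '\\'."""
    return (len(line) - len(line.rstrip("\\"))) % 2 == 1


def _logical_lines(text: str):
    """Join continuation lines; drop blank lines and lines starting with # or !."""
    raw = text.splitlines()
    i = 0
    while i < len(raw):
        line = raw[i].lstrip(_WHITESPACE)
        i += 1
        if not line or line[0] in "#!":
            continue
        while _ends_with_odd_backslashes(line) and i < len(raw):
            line = line[:-1] + raw[i].lstrip(_WHITESPACE)
            i += 1
        yield line


def _unescape(s: str) -> str:
    out, i = [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            i += 1
            ch = s[i]
            if ch == "u" and i + 4 < len(s):
                out.append(chr(int(s[i + 1:i + 5], 16)))
                i += 4
            else:
                out.append(_ESCAPES.get(ch, ch))  # \\ -> \, \: -> :, \q -> q
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def _split(line: str):
    """Key up to the first unescaped '=', ':' or whitespace; then optional
    whitespace, at most one separator, optional whitespace; the rest is the
    value, quotes included. Trailing whitespace is kept."""
    n, i = len(line), 0
    while i < n:
        if line[i] == "\\":
            i += 2
            continue
        if line[i] in _SEPARATORS or line[i] in _WHITESPACE:
            break
        i += 1
    key, j = line[:i], i
    while j < n and line[j] in _WHITESPACE:
        j += 1
    if j < n and line[j] in _SEPARATORS:
        j += 1
    while j < n and line[j] in _WHITESPACE:
        j += 1
    return _unescape(key), _unescape(line[j:])


def load_properties(text: str) -> dict:
    """Parse text with java.util.Properties.load() line rules; later keys win."""
    return dict(_split(line) for line in _logical_lines(text))


# Constructed guacamole.properties fragment exercising the cases discussed above.
SAMPLE = r"""
# Database settings (constructed example)
mysql-hostname: db.internal
mysql-password: $someBigLettersAndNumberx8789%
quoted-password: '$someBigLettersAndNumberx8789%'
equals-style=value=with=equals
continued: first\
    second
escaped: one\ttwo
"""

if __name__ == "__main__":
    for key, value in load_properties(SAMPLE).items():
        print(f"{key!r} -> {value!r}")
```

Running it shows the quoted-password value arriving as '$someBigLettersAndNumberx8789%' with the quotes attached, which is why the database rejects it, while the unquoted line yields the intended password. The one character class to watch in a .properties value is the backslash: a trailing one continues the line, and any other one must be doubled.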


Re: Central Configuration

2022-06-11 Thread Michael Jumper
It is definitely the case that you can use these characters, and definitely
the case that quotes will be considered part of the value (and therefore
cause the password to not match in what you expect).

- Mike

On Sat, Jun 11, 2022, 13:42 Dirk Laurenz  wrote:

> Hi,
>
>
>
> I did this, but it didn't work. I changed to an extra-long password
> without any special characters. That worked…
>
>
>
> *Von:* Michael Jumper 
> *Gesendet:* Samstag, 11. Juni 2022 20:49
> *An:* user@guacamole.apache.org
> *Betreff:* Re: Central Configuration
>
>
>
> On Sat, Jun 11, 2022, 11:11 Dirk Laurenz  wrote:
>
> I got further – although it is maria db one should use mysql driver and
> how do I user strong passwords like
>
>
>
> $someBigLettersAndNumberx8789%
>
>
>
> Using ‘’ to quote them in guacamole.properties doesn’t work
>
>
>
> Just write them exactly as-is. If you add quotes, those quotes will be
> part of the value. Everything after the colon and leading whitespace is
> part of the value.
>
>
>
> https://en.wikipedia.org/wiki/.properties
>
>
>
> - Mike
>
>
>
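
Mike's point in both "Central Configuration" replies above (quotes become part of the value, and the value starts after the separator and leading whitespace) is easiest to see by running a line through the java.util.Properties rules. The parser below is an added example, not Guacamole code; "mysql-password" is a real Guacamole property, while "quoted-password" and "escaped-password" are hypothetical keys constructed for the contrast.

```python
import re

# Lines whose first non-blank character is one of these are comments.
_COMMENT_CHARS = ("#", "!")
_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def _unescape(raw):
    """Resolve backslash escapes as java.util.Properties does: \\uXXXX is a
    code point, \\t \\n \\r \\f are control characters, and any other escaped
    character (\\\\, \\:, \\=, \\ ) stands for itself."""
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw):
            nxt = raw[i + 1]
            if nxt == "u" and i + 5 < len(raw):
                out.append(chr(int(raw[i + 2:i + 6], 16)))
                i += 6
                continue
            out.append(_ESCAPES.get(nxt, nxt))
            i += 2
            continue
        out.append(ch)
        i += 1
    return "".join(out)


def parse_property_line(line):
    """Return (key, value) for one logical line, or None for blank/comment lines.

    The key ends at the first unescaped '=', ':' or whitespace. Whitespace and
    at most one '=' or ':' after the key are skipped; everything else up to
    the end of the line, quote characters included, is the value."""
    stripped = line.lstrip()
    if not stripped or stripped[0] in _COMMENT_CHARS:
        return None
    i = 0
    while i < len(stripped):
        if stripped[i] == "\\":
            i += 2          # an escaped character can never end the key
            continue
        if stripped[i] in "=: \t":
            break
        i += 1
    key = _unescape(stripped[:i])
    rest = stripped[i:].lstrip(" \t")
    if rest[:1] in ("=", ":"):
        rest = rest[1:].lstrip(" \t")
    return key, _unescape(rest.rstrip("\r\n"))


def load_properties(text):
    """Parse a whole file, joining lines that end in an unescaped backslash."""
    props, logical = {}, ""
    for physical in text.splitlines():
        # continuation lines have their own leading whitespace dropped
        logical += physical.lstrip() if logical else physical
        if logical.endswith("\\") and not logical.endswith("\\\\"):
            logical = logical[:-1]
            continue
        parsed = parse_property_line(logical)
        logical = ""
        if parsed:
            props[parsed[0]] = parsed[1]
    return props


# Constructed sample file. "mysql-password" is a real Guacamole property; the
# "quoted-password" and "escaped-password" keys are hypothetical, used only to
# contrast a bare value with a quoted one and with backslash escapes.
SAMPLE = """
# database credentials
mysql-username: guacamole_user
mysql-password:   $someBigLettersAndNumberx8789%
quoted-password: '$someBigLettersAndNumberx8789%'
escaped-password: pa\\\\ss\\:word
"""

if __name__ == "__main__":
    for key, value in load_properties(SAMPLE).items():
        print(f"{key} -> {value!r}")
```

Running it shows the quoted value keeps its quotes, so the database compares against a password that includes them; a backslash in a password must be doubled, since it is the one character the format interprets.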


Re: Question on the setup of 2FA

2022-06-14 Thread Michael Jumper
The documentation was not correctly updated for this, but since 1.3.0 a
*much* easier way to do this is set the "TOTP_ENABLED" environment variable
to "true".

You don't need to manually copy/mount the .jar into place.

- Mike

On Tue, Jun 14, 2022, 06:58 CYBER PUNK  wrote:

> Thank you so much I'll test it out tomorrow when I have a moment. This is
> going to really help
> 😁
>
> Regards
> Brodie
>
> On Tue, Jun 14, 2022, 3:53 PM MAURIZI Lorenzo 
> wrote:
>
>> Hi.
>>
>> In your compose file, in the “guacamole” container definition, you
>> should add an environment variable to specify a different guacamole home
>> folder:
>>
>> environment:
>>   MYSQL_HOSTNAME: […]
>>   MYSQL_DATABASE: […]
>>   […]
>>   GUACAMOLE_HOME: /guacamole-home
>>
>> Then you need to map a local directory for the “guacamole-home” directory:
>>
>> volumes:
>>   - /some-folder/guacamole-home:/guacamole-home
>>
>> Then, you create /some-folder/guacamole-home on your server, and a
>> /some-folder/guacamole-home/extensions directory.
>>
>> Then you can put the TOTP Jar file into this extensions directory.
>>
>> Then restart the container and voila!
>>
>> I hope it’s clear!
>>
>> Best regards.
>>
>> Lorenzo
>>
>> *From:* CYBER PUNK
>> *Sent:* Tuesday, 14 June 2022 15:30
>> *To:* user@guacamole.apache.org
>> *Subject:* Question on the setup of 2FA
>>
>>
>> Hello
>>
>> This is a docker compose file I created to remember how to set it up.
>>
>> My question is what do I need to do to set up 2FA with an authentication app
>> like Google Auth. I tried following the docs but it flew over my head.
>>
>> docker-compose.yaml
>>
>> version: "2.1"
>> services:
>>   guacamole:
>>     image: guacamole/guacamole
>>     container_name: some-guacamole
>>     environment:
>>       - MYSQL_DATABASE=guacamole_db
>>       - MYSQL_USER=guacamole_user
>>       - MYSQL_PASSWORD=some_password
>>       - GUACD_HOSTNAME=some-guacd
>>       - GUACD_PORT=4822
>>       - MYSQL_HOSTNAME=some-mysql
>>       - MYSQL_PORT=3306
>>       - TZ=Africa/Johannesburg
>>     ports:
>>       - 8080:8080
>>     restart: unless-stopped
>>
>>   guacd:
>>     image: guacamole/guacd
>>     container_name: some-guacd
>>     restart: unless-stopped
>>
>>   mysql:
>>     image: mysql
>>     container_name: some-mysql
>>     environment:
>>       - MYSQL_DATABASE=guacamole_db
>>       - MYSQL_USER=guacamole_user
>>       - MYSQL_PASSWORD=some_password
>>       - MYSQL_ROOT_PASSWORD=example
>>     volumes:
>>       - /home/YOURLOCATION/config/guacamole:/var/lib/mysql
>>     restart: unless-stopped
>>
>> #To bring up the containers
>> sudo docker-compose up -d
>>
>> #Setting up the database inside the container
>> sudo docker run --rm guacamole/guacamole /opt/guacamole/bin/initdb.sh --mysql > initdb.sql
>> sudo docker cp initdb.sql some-mysql:/guac_db.sql
>>
>> #Go into the container
>> sudo docker exec -it some-mysql bash
>> cat guac_db.sql | mysql -u root -p guacamole_db
>>
>> #Now the database is set up and you can log into the web interface at
>> http://YOURIP:8080/guacamole/
>>
>> #The default user and password is guacadmin
>>


Re: Sessions tunnel id is null - unable to download/upload files

2022-06-15 Thread Michael Jumper
On Wed, Jun 15, 2022 at 4:53 AM Kuriackovskij, Aleks
 wrote:

> Hi,
>
>
>
> I have two identical deployments of Apache Guacamole 1.3.0 running on
> Ubuntu 20.04 (NOT container). Nginx (local) as reverse proxy. Using mysql
> (local) and ldap (remote). I am 100% they are identical since both are
> deployed from scratch using ansible automation.
>
> The only difference is that the one which is working ok is located quite
> close to myself. Another one is far and there are added some latency (not
> much though, still pretty comfortable for work even with RDP).
>
>
>
> The problem is that the one which is distanced don’t allow to
> upload/download files via sftp. I compared both instances and noticed that
> when uploading or downloading files tunnel id is null, like this:
>
> 127.0.0.1 - - [15/Jun/2022:10:22:55 +] "GET
> /guacamole/api/session/tunnels/null/streams/0/pcaptoxml.py?token=9A6CC9A504421B41463F642C820E9F252449607F88917362EF704B5783A1B05A
> HTTP/1.1" 404 189
>
> As a result it ends up with error 404. That is the same for both Downloads
> and Uploads. Refreshing the page while logged-in isn’t helping.
>
> I tried to run guacd in debug mode but couldn’t find anything wrong:
>
> guacd[2193]: DEBUG: guac_rdp_fs_open:
> path="/pcaptoxml.py", access=0x8000, file_attributes=0x0,
> create_disposition=0x1, create_options=0x0
> guacd[2193]: DEBUG: guac_rdp_fs_open: Normalized path "/pcaptoxml.py"
> to "\pcaptoxml.py".
> guacd[2193]: DEBUG: guac_rdp_fs_open: Translated path "\pcaptoxml.py"
> to "/home/akur/pcaptoxml.py".
> guacd[2193]: DEBUG: guac_rdp_fs_open: native open:
> real_path="/home/akur/pcaptoxml.py", flags=0x0
> guacd[2193]: DEBUG: guac_rdp_fs_open: Opened "\pcaptoxml.py" as
> file_id=0
> 127.0.0.1 - - [15/Jun/2022:10:22:55 +] "GET
> /guacamole/api/session/tunnels/null/streams/0/pcaptoxml.py?token=9A6CC9A504421B41463F642C820E9F252449607F88917362EF704B5783A1B05A
> HTTP/1.1" 404 189
>
>
>
>
> Any ideas why tunnel id is nulled and how to get that fixed? I suspect
> that is due to an additional latency between the client and the server (I
> am just guessing that though), if that is true is there anything can be
> tweaked to get that offset tolerated?
>

This has been fixed on git master:

https://issues.apache.org/jira/browse/GUACAMOLE-1562

- Mike


Re: Disable favicon updates?

2022-06-15 Thread Michael Jumper
On Wed, Jun 15, 2022, 15:31 Michael Root  wrote:

>
> Hi,
>
> Is there a way to disable updating the favicon when connected to a session?
>
> It's neat that it's a teeny-tiny screenshot, but I've noticed that it
> ends up making Firefox's favicons.sqlite cache grow seemingly without
> limits.  I end up deleting the multi-GB cache file every couple of
> months when I notice the whole browser getting slow.
>
> It's clearly a bug in Firefox to not cap the size of the cache.
> But it's also not really that helpful to update it so often.
>

It's particularly useful on systems that show the icon in the taskbar, and
really shouldn't result in what you're seeing. Firefox shouldn't be caching
multiple dynamically-generated favicons for the same domain like that.

You could manually remove the icon update from the source for now, sure, as
a mitigating measure ... but I really think the only reasonable path
forward is for this to be fixed in Firefox.

If you haven't already, I think the next step should be reporting this to
Firefox as a bug.

- Mike


Re: Branding example of login page: how to set a different favicon?

2022-06-16 Thread Michael Jumper
On Thu, Jun 16, 2022 at 1:56 AM MAURIZI Lorenzo
 wrote:
>
> Hi,
>
> I think you should only declare in guac-manifest.json two png images with 
> this exact name:
>
> "resources" : {
> "images/logo-64.png"   : "image/png",
> "images/logo-144.png"   : "image/png"
> },
>
> Then you put into “images” directory the two logo-64.png and logo-144.png 
> that are the favicon in 64x64 pixels and 144x144 pixels

Everything declared within "resources" will be namespaced and beneath
"app/ext/", isolated from the resources within the web application.
It's intentionally not possible to directly replace a resource used by
the webapp with a resource from an extension. See:

https://guacamole.apache.org/doc/gug/guacamole-ext.html#extension-manifest

The properties for overriding the icon are missing from the
documentation and example, but they are "smallIcon" and "largeIcon":

https://github.com/apache/guacamole-client/blob/4b161a5a6e4b7ea41087fc3a293cb2011dcafe37/guacamole/src/main/java/org/apache/guacamole/extension/ExtensionManifest.java#L95-L105

For example:

{

    "guacamoleVersion" : "*",
    "name" : "Guacamole Branding Example",
    "namespace" : "guacamole-branding-example",

    "smallIcon" : "path/to/small-icon.png",
    "largeIcon" : "path/to/large-icon.png",

    ...

}

- Mike

-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org



Re: Guacamole Remote APP

2022-06-20 Thread Michael Jumper
On Mon, Jun 20, 2022, 17:09 Sean Hulbert
 wrote:

> Hello
>
>
>
> Has guacamole advanced enough to launch remote applications not needing
> active directory or Microsoft OS?
>
> I like to launch apps from Ubuntu, Mint and other distributions, is this
> possible and if so does ||APPNAME and APP PATH valid for Linux kernels?
>

This isn't a question of whether Guacamole has support for RemoteApp on
Linux, but whether any Linux-based RDP server has support for RemoteApp.

If such a server exists, it will work with Guacamole, as Guacamole speaks
the protocol and supports RemoteApp.

To my knowledge, no Linux-based RDP server exists supporting RemoteApp.

- Mike


Re: Guacamole Docker Install Error

2022-06-23 Thread Michael Jumper
On Thu, Jun 23, 2022 at 10:23 AM Woods, Darren L  wrote:

> I’m getting this error message when I run the command:
>
> sudo docker run --name some-guacd -d -p 4822:4822 guacamole/guacd
>
>
>
> docker: Error response from daemon: Conflict. The container name
> "/some-guacd" is already in use by container
> "8062906e4e1eaee1e1433043042ce349201da78eef0f6e5d893d6c9956ca1f8e". You
> have to remove (or rename) that container to be able to reuse that name.
>
> See 'docker run --help'.
>

Yes. This means that the container name "/some-guacd" is already in use by
container
"8062906e4e1eaee1e1433043042ce349201da78eef0f6e5d893d6c9956ca1f8e". You
have to remove (or rename) that container to be able to reuse that name.

See 'docker run --help'.

- Mike


Re: Non US keyboards with VNC access to KVM VMs

2022-07-01 Thread Michael Jumper
On Fri, Jul 1, 2022 at 5:50 AM Nick Couchman  wrote:

> On Thu, Jun 30, 2022 at 11:20 AM Marcus Rocha  wrote:
>
>> Hi there!
>>
>> Any news here, or it is still not possible to configure, for example,
>> pt-br or br-abnt2 keyboards when accessing KVM VMs using VNC connections?
>>
>
> If I recall correctly, VNC just uses standard keysyms, rather than
> scancodes, to send keystrokes, which means that you shouldn't have to do
> anything to change the keyboard layout through Guacamole.
>

Yes, this is true ... except for KVM, which emulates a hardware keyboard.
Unlike other VNC servers, the KVM VNC server has to be configured to use a
particular keyboard layout for proper translation from keysym to scancode,
and it will only be able to represent key events for keys on that hardware
keyboard regardless of what the VNC client sends.

It's not really a Guacamole issue, though there are things that could be
done to Guacamole to make KVM happier (such as adding the same keysym
translation layer that we use in RDP). Regardless, it is absolutely not
possible for a VNC client to universally "just work" with the KVM VNC
server, as the KVM VNC server simply cannot represent key events for keys
that are not on the emulated hardware keyboard.

A better way to have proper keyboard support on a KVM-virtualized VM would
be to have that VM host a VNC server (or RDP or SSH) and connect to that
instead.

- Mike


Re: Doc - Adding new protocols missing guacamole-client

2022-07-06 Thread Michael Jumper
On Wed, Jul 6, 2022 at 11:30 AM David Haukeness  wrote:

> Hello,
> I'm working through the documentation and have worked through the
> "adding new protocols" section that covers guacd, however there's no
> guidance on what/where needs to be modified on guacamole-client to get the
> new protocols to show up in the "Add new connection" screen, or demo the
> connection.
> Is there a resource available that explains this part somewhere?
> alternatively is there someone willing to offer guidance, and i'm willing
> to write it up and PR the manual?
>

The existence of a protocol and its parameters are defined by JSON files
that separate each parameter into a typed field within a named group of
fields called a form. Built-in definitions can be found here:

https://github.com/apache/guacamole-client/tree/e348d3f89ab6488ab874aace78a5006279e2907e/guacamole-ext/src/main/resources/org/apache/guacamole/protocols
https://github.com/apache/guacamole-client/blob/e348d3f89ab6488ab874aace78a5006279e2907e/guacamole-ext/src/main/java/org/apache/guacamole/environment/LocalEnvironment.java#L56-L65

The built-in field types correspond to the types defined within
guacamole-ext and the webapp itself:

https://guacamole.apache.org/doc/guacamole-ext/org/apache/guacamole/form/package-summary.html
https://github.com/apache/guacamole-client/blob/e348d3f89ab6488ab874aace78a5006279e2907e/guacamole/src/main/frontend/src/app/form/services/formService.js#L33-L210

Extensions can define their own field types if needed. In practice, this
most often happens for authentication extensions (the Duo, TOTP, and SAML
extensions all do this), but can be also used for protocol definitions.

Additional, third-party definitions can be added by creating the same sort
of JSON files within "GUACAMOLE_HOME/protocols/". If JSON for a built-in
protocol is found within this directory, that JSON takes precedence over
the built-in copy.

The human-readable text for the name of the protocol and for each parameter
and form are defined with translation strings. Each of these strings will
be derived from the protocol name and parameter name, canonicalized to
UPPERCASE_WITH_UNDERSCORES. For example:

https://github.com/apache/guacamole-client/blob/e348d3f89ab6488ab874aace78a5006279e2907e/guacamole/src/main/frontend/src/translations/en.json#L789-L860

In the above, the protocol ("vnc") determines the name of the namespace
containing the relevant strings ("PROTOCOL_VNC"). Within that namespace,
each parameter (like "audio-servername") is transformed to the translation
string for the field header ("FIELD_HEADER_AUDIO_SERVERNAME"), and each
form (like "authentication") is transformed to the translation string for
the section header ("SECTION_HEADER_AUTHENTICATION").

- Mike
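
The derivation of translation keys described above can be automated: given a protocol JSON in the shape of the built-in definitions, list the keys the webapp will look up and compare them with an en.json namespace. This is an added example, not project code; the "myproto" protocol and its translation file are constructed, the treatment of every run of non-alphanumeric characters as a single underscore is my assumption, and the NAME entry for the protocol's display name comes from the built-in en.json rather than from this page.

```python
import json
import re

# Constructed protocol definition for a hypothetical "myproto" protocol,
# shaped like the built-in files under guacamole-ext's protocols/ directory.
MYPROTO_JSON = """
{
    "name" : "myproto",
    "connectionForms" : [
        {
            "name" : "network",
            "fields" : [
                { "name" : "hostname", "type" : "TEXT" },
                { "name" : "port",     "type" : "NUMERIC" }
            ]
        },
        {
            "name" : "authentication",
            "fields" : [
                { "name" : "username",         "type" : "USERNAME" },
                { "name" : "password",         "type" : "PASSWORD" },
                { "name" : "audio-servername", "type" : "TEXT" }
            ]
        }
    ]
}
"""


def load_protocol(text):
    """Parse a protocol definition file (JSON) into a dict."""
    return json.loads(text)


def canonicalize(name):
    """UPPERCASE_WITH_UNDERSCORES, as this page describes. Collapsing every
    run of non-alphanumerics into one underscore is an assumption."""
    return re.sub(r"[^A-Za-z0-9]+", "_", name).strip("_").upper()


def expected_keys(protocol):
    """Return (namespace, keys): the translation namespace for the protocol
    and the set of string keys the webapp will look up inside it."""
    namespace = "PROTOCOL_" + canonicalize(protocol["name"])
    keys = {"NAME"}  # the protocol's human-readable name
    forms = protocol.get("connectionForms", []) + protocol.get("sharingProfileForms", [])
    for form in forms:
        keys.add("SECTION_HEADER_" + canonicalize(form["name"]))
        for field in form.get("fields", []):
            keys.add("FIELD_HEADER_" + canonicalize(field["name"]))
    return namespace, keys


def missing_translations(protocol, translations):
    """Keys the protocol needs that the translation file lacks. Each missing
    key is what the UI would show in place of readable text."""
    namespace, keys = expected_keys(protocol)
    return keys - set(translations.get(namespace, {}))


# Constructed, deliberately incomplete translation file for the example.
EN_JSON = {
    "PROTOCOL_MYPROTO": {
        "NAME": "My Protocol",
        "SECTION_HEADER_NETWORK": "Network",
        "FIELD_HEADER_HOSTNAME": "Hostname:",
        "FIELD_HEADER_PORT": "Port:",
    }
}

if __name__ == "__main__":
    proto = load_protocol(MYPROTO_JSON)
    namespace, keys = expected_keys(proto)
    print(namespace, sorted(keys))
    print("missing:", sorted(missing_translations(proto, EN_JSON)))
```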


Re: Disable Auto redirect for a user with a single connection

2022-07-08 Thread Michael Jumper
On Fri, Jul 8, 2022, 09:45 Matt Jones  wrote:

> Hi all,
>
> We were on v1 and recently moved to 1.4.
>
> I think you added a new feature that if the user has only access to one
> connection that you now auto redirect them into the virtual machine.
>

No - this has actually been the behavior for quite some time, since before
even 1.0.0.

If a user has access to only one connection, and does not have access to
any admin functions, they will be taken to their single connection
immediately upon login.

> Is it possible to turn this off in the code?
>
> We have a use case in that we added power buttons to the connection on the
> home page allowing the the user to power the virtual machine on/off as
> required.
>
> When they have the single connection and the machine is powered off they
> get stuck in a loop and can’t get back to the home page to power the
> machine on.
>

No - this behavior is not configurable, and I wouldn't recommend looking to
disable behavior that is specifically intended to avoid presenting the user
with a list having only one choice.

If you have an extension that adds power buttons, a better approach would
be to ensure your extension works as intended even if the user is not on
the home screen. You could:

* Present buttons for the current connection on the connection screen, such
as within the menu or the error notification.
* Automatically and transparently power-on when the user attempts to
connect to a connection that is powered off, rather than rely on a manual
button click.
* ... or both.

- Mike


Re: File not uploaded to Guacamole Web GUI Share due to maximum buffer size.

2022-07-15 Thread Michael Jumper
What you're seeing has nothing to do with Tomcat, nor with file uploads,
but with the size of the data sent by the RDP server to Guacamole and the
limits built into guacd. The SVC implementation within guac's RDP support
has a built-in limit of 1 MB per received PDU:

https://github.com/apache/guacamole-server/blob/b2ae2fdf003a6854ac42877ce0fce8e88ceb038a/src/protocols/rdp/channels/common-svc.h#L37-L42

The warning you're seeing is from here:

https://github.com/apache/guacamole-server/blob/b2ae2fdf003a6854ac42877ce0fce8e88ceb038a/src/protocols/rdp/plugins/guac-common-svc/guac-common-svc.c#L114-L122

I've not seen this before with any standard RDP channel. Are you doing
anything else within the connection in question? Any custom SVC?

- Mike


On Fri, Jul 15, 2022 at 5:31 PM David Ramirez  wrote:

> Hi to all! I've been using Guacamole for a while for training gateway
> purposes and it is just great! Thanks for an amazing open source product!
> Now I am writing because I need help from the Gurus. I know it is a
> configuration parameter that will likely has to be added to:
> /var/lib/tomcat9/web-apps/guacamole/WEB-INF/web.xml
> But it has been decades since I've configured Tomcat9 directly and I am
> afraid that any change that I do will break things further.
> The error itself is self explanatory:
> Jul 15 18:16:20 suppod-1 guacd[2253]: RDP server has requested to send a
> sequence of 1048632 bytes, but this exceeds the maximum buffer space of
> 1048576 bytes. Received data may be truncated.
>
> When looking on the Guacamole documentation, nothing is mentioned that I
> could find.
> When going to the Tomcat9 documentation I found some parameters to modify,
> all on the web.xml file but as I said, I do not know where to do it on the
> guacamole WEB-INF/web.xml file.
> The parameter that *looked to me* that may be the one is the following:
> 
>   buffered
>   1
> 
>
> As the limit described on the error is 1MB.
>
> I understand this may be a silly question, if anyone could point me in the
> right direction would be really appreciated.
> Thanks for any assistance you may provide!
> David.
>
> For reference, here is a more complete section of the log with the error.
> The filename TokenDistributionPKG.zip file is the one I am trying to upload.
>
> Jul 15 18:15:58 suppod-1 guacd[2253]: File open refused (-2):
> "\desktop.ini"
> Jul 15 18:16:00 suppod-1 guacd[2253]: File open refused (-2):
> "\Download\desktop.ini"
> Jul 15 18:16:20 suppod-1 guacd[2253]: RDP server has requested to send a
> sequence of 1048632 bytes, but this exceeds the maximum buffer space of
> 1048576 bytes. Received data may be truncated.
> Jul 15 18:16:33 suppod-1 guacd[2253]: message repeated 27 times: [ RDP
> server has requested to send a sequence of 1048632 bytes, but this exceeds
> the maximum buffer space of 1048576 bytes. Received data may be truncated.]
> Jul 15 18:16:34 suppod-1 guacd[2253]: File open refused (-2):
> "\Download\TokenDistributionPKG.zip:Zone.Identifier"
> Jul 15 18:16:34 suppod-1 guacd[2253]: File open refused (-2):
> "\Download\TokenDistributionPKG.zip:Zone.Identifier"
> Jul 15 18:16:34 suppod-1 guacd[2253]: File open refused (-2):
> "\Download\TokenDistributionPKG.zip"
> Jul 15 18:16:35 suppod-1 guacd[2253]: message repeated 2 times: [ File
> open refused (-2): "\Download\TokenDistributionPKG.zip"]
> Jul 15 18:16:56 suppod-1 guacd[2253]: RDP server has requested to send a
> sequence of 1048632 bytes, but this exceeds the maximum buffer space of
> 1048576 bytes. Received data may be truncated.
> Jul 15 18:17:13 suppod-1 guacd[2253]: message repeated 27 times: [ RDP
> server has requested to send a sequence of 1048632 bytes, but this exceeds
> the maximum buffer space of 1048576 bytes. Received data may be truncated.]
> Jul 15 18:17:14 suppod-1 guacd[2253]: File open refused (-2):
> "\TokenDistributionPKG.zip:Zone.Identifier"
> Jul 15 18:17:14 suppod-1 guacd[2253]: File open refused (-2):
> "\TokenDistributionPKG.zip:Zone.Identifier"
> Jul 15 18:17:22 suppod-1 guacd[2253]: Accepted format: 16-bit PCM with 2
> channels at 44100 Hz
> Jul 15 18:17:47 suppod-1 guacd[2253]: File open refused (-2):
> "\TokenDistributionPKG.zip"
> Jul 15 18:17:55 suppod-1 guacd[2217]: User
> "@3f34a609-c8da-417b-af58-a4fc2e9df733" disconnected (0 users remain)
> Jul 15 18:17:55 suppod-1 guacd[2217]: Last user of connection
> "$5280a8eb-b216-4fa4-8fdd-1d7421630bfd" disconnected
> Jul 15 18:17:55 suppod-1 tomcat9[675]: 18:17:55.502 [http-nio-8080-exec-6]
> INFO  o.a.g.tunnel.TunnelRequestService - User "trapx" disconnected from
> connection "Win10Token". Duration: 1284470 milliseconds
> Jul 15 18:17:55 suppod-1 tomcat9[675]: Exception in thread "Thread-8"
> java.lang.IllegalStateException: Message will not be sent because the
> WebSocket session has been closed
> Jul 15 18:17:55 suppod-1 tomcat9[675]: #011at
> org.apache.tomcat.websocket.WsRemoteEndpointImplBase.writeMessagePart(WsRemoteEndpointImplBase.java:

Re: Access user guacamole by groups Active Directory

2022-07-18 Thread Michael Jumper
On Tue, Jul 12, 2022, 12:36 Luciano Oliveira  wrote:

> Hello,
>
> How do you allow access to guacamole?
>
> I configured the integration with Active Directory by groups, in this
> point everything is fine.
>
> My issue is that every time I need to release a new user, I put him in one
> of these groups, and in order for him to be released in guacamole I have to
> restart the servlet, knocking everybody out.
>
> Is there a sync tool?
>

Users/groups from LDAP are not imported in Guacamole; they are queried
on-demand when a user logs in. Unless you are making changes to
guacamole.properties, there is no need to restart anything, and restarting
will have no effect except to kick out established sessions.

If you make a change to a user's group memberships within LDAP, that change
will affect the user the next time they log into Guacamole. It will not
affect any of their existing Guacamole sessions - they would need to log
out and back in.

- Mike


Re: Non US keyboards with VNC access to KVM VMs

2022-07-29 Thread Michael Jumper
For that, if KVM will not already split composed key events into their
corresponding dead keys, guac's VNC support would need to switch over to
using the same sort of automatic layout translation as we do for RDP.

Within a browser, dead keys do not produce key events like you'd expect;
they produce composition events as the character is slowly built. Guacamole
automatically handles this - once we have the full character, including the
portion that requires the dead key, then we dispatch a key event for the
fully-assembled character. For RDP, Guacamole will also automatically break
apart the received character into dead keys as necessary (or not if the
remote layout doesn't need dead keys for that character). For VNC, the RFB
standard implies that the VNC server should simulate the key events
necessary to type the character intended, but only explicitly specifies
this for the numeric/shifted state of a character. I suspect KVM does not
do this for dead keys, and guac would need to do this on KVM's behalf.

- Mike


On Mon, Jul 18, 2022 at 11:39 AM Marcus Rocha  wrote:

> Hi, Mike!
>
> Actually, I can live with a single keyboard layout for now. Thus I
> managed to get most of the keys of my keyboard to function correctly by
> using the same map for QEMU/KVM and for the guest os (Oracle Linux8).
> Exceptions are the "dead keys" such as ` ´ ^ ~
> Any tips on solving this problem?
>
> Regards,
> Marcus Rocha
>
> Michael Jumper escreveu:
> > On Fri, Jul 1, 2022 at 5:50 AM Nick Couchman  > <mailto:vn...@apache.org>> wrote:
> >
> > On Thu, Jun 30, 2022 at 11:20 AM Marcus Rocha  > <mailto:mvro...@gmail.com>> wrote:
> >
> > Hi there!
> >
> > Any news here, or it is still not possible to configure, for
> > example, pt-br or br-abnt2 keyboards when accessing KVM VMs
> > using VNC connections?
> >
> >
> > If I recall correctly, VNC just uses standard keysyms, rather than
> > scancodes, to send keystrokes, which means that you shouldn't have
> > to do anything to change the keyboard layout through Guacamole.
> >
> >
> > Yes, this is true ... except for KVM, which emulates a hardware
> > keyboard. Unlike other VNC servers, the KVM VNC server has to be
> > configured to use a particular keyboard layout for proper translation
> > from keysym to scancode, and it will only be able to represent key
> > events for keys on that hardware keyboard regardless of what the VNC
> > client sends.
> >
> > It's not really a Guacamole issue, though there are things that could
> > be done to Guacamole to make KVM happier (such as adding the same
> > keysym translation layer that we use in RDP). Regardless, it is
> > absolutely not possible for a VNC client to universally "just work"
> > with the KVM VNC server, as the KVM VNC server simply cannot represent
> > key events for keys that are not on the emulated hardware keyboard.
> >
> > A better way to have proper keyboard support on a KVM-virtualized VM
> > would be to have that VM host a VNC server (or RDP or SSH) and connect
> > to that instead.
> >
> > - Mike
> >
>
>


Re: Not showing secure flag for cookie in browser developer tools

2022-08-05 Thread Michael Jumper
On Thu, Aug 4, 2022 at 4:10 AM Nick Couchman  wrote:
>
> On Thu, Aug 4, 2022 at 3:33 AM Madhukar Bhosale  
> wrote:
> >
> > Hi,
> >
> > I have observed that secure flag for cookie is not showing in browser 
> > developer tools, even after configuring in web.xml in tomcat.
> >
>
> I'm not all that familiar with cookies, but, if you're adjusting
> something in Tomcat, isn't this more of a Tomcat issue and not
> directly related to Guacamole?
>

I'd also like to add that Guacamole itself does not use cookies. If
you're seeing a cookie from anything, it's not from Guacamole nor its
core libraries. This has been the case since 1.0.0:

https://guacamole.apache.org/releases/1.0.0/#guacamole-no-longer-uses-cookies

- Mike




Re: Cybersecurity white papers

2022-08-06 Thread Michael Jumper
On Sat, Aug 6, 2022, 10:30 Sean Hulbert
 wrote:

> Hello,
>
> I am looking for cybersecurity white papers on Guacamole if any exist.
>
> What I am looking for is NIST compliancy for 800-171/172, DFARS 7012/7020,
> FIPS 140-2
>

I think Glyptodon (now bought by Keeper Security) had one for NIST, HIPAA,
and PCI DSS. I'll ask around the dayjob.

> Are there any CVE on version 1.4.x
>

No. You can always find all Guacamole security reports here:

https://guacamole.apache.org/security/

- Mike


Re: Questions about using the encrypted JSON guacamole auth

2022-08-10 Thread Michael Jumper
On Wed, Aug 10, 2022 at 1:11 PM Pete Carlson  wrote:
>
>
> "I am using the guacamole-auth-json for encrypted JSON. When building my 
> user.json:
>
> {
> "username" : "arbitraryUsername",
> "expires" : TIMESTAMP,
> "connections" : {
> "Connection Name" : {
> "protocol" : "PROTOCOL",
> "parameters" : {
> "name1" : "value1",
> "name2" : "value2",
> ...
> }
> },
> ...
> }
> }
> where does Connection Name exist elsewhere so it knows to relate this user to 
> this connection? Can I define this object so that it just connected to the 
> DEFAULT connection?
>

What you are defining here is a connection that exists purely in the
JSON backend, not a reference to a connection stored somewhere else.

If you want to use the encrypted JSON to authenticate users, but store
the data for connections in some other backend (one of the supported
databases), the way to accomplish that is:

1) Use Guacamole's web UI to define a connection within your database of choice.
2) Again within the web UI, define a user and grant access to that
connection. Do not set a password for this user.
3) As needed, generate encrypted JSON only as a proof of user identity
(include only "username" and "expires"), making sure that the
specified username matches the username of the user that was created
earlier.

When the encrypted JSON is submitted, Guacamole accepts that as
sufficient proof of identity, and the database then allows access to
any connections it knows are granted to that user. You can do this for
any number of users, and can leverage user groups if these users will
frequently be given access to the same sets of connections.

This same mechanism is how things like SAML and LDAP are tied together
with the database storage.

>
> I am using a md5 hash of the username and the encrypt-json.sh script from the 
> website to sign and encode this:
>
> {"username":"fred","expires":1660129180160,"connections":{"My 
> Connection":{"protocol":"vnc","parameters":{"hostname":"127.0.0.1","password":"VNCPASS","port":5900
>

What does an MD5 hash of the username have to do with the process that
you're using?

- Mike
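
The identity-only document from step 3 above, built and sealed in code. This is an added example and not the project's encrypt-json.sh; it follows the guacamole-auth-json token format as I understand it (HMAC-SHA256 signature prepended to the JSON, AES-128-CBC with a zero IV and PKCS#7 padding, then base64), uses the third-party cryptography package, and the 128-bit DEMO_KEY is constructed for the example only.

```python
import base64
import hashlib
import hmac
import json
import time

from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Zero IV, as the reference script uses (assumption about that script).
IV = bytes(16)


def identity_json(username, lifetime_seconds, now_ms=None):
    """Only "username" and "expires" (milliseconds since the epoch): no
    "connections" block, so access comes from what the database grants."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    doc = {"username": username, "expires": now_ms + lifetime_seconds * 1000}
    return json.dumps(doc, separators=(",", ":")).encode()


def seal(payload, hex_key):
    """Sign, prepend the signature, encrypt, base64-encode."""
    key = bytes.fromhex(hex_key)
    if len(key) != 16:
        raise ValueError("json-secret-key must be a 128-bit key given in hex")
    signature = hmac.new(key, payload, hashlib.sha256).digest()
    padder = padding.PKCS7(128).padder()
    padded = padder.update(signature + payload) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(IV)).encryptor()
    return base64.b64encode(enc.update(padded) + enc.finalize()).decode()


def unseal(token, hex_key, now_ms=None):
    """The checks the receiving side must make: decrypt, verify the signature
    with a constant-time compare, then reject an expired document."""
    key = bytes.fromhex(hex_key)
    dec = Cipher(algorithms.AES(key), modes.CBC(IV)).decryptor()
    padded = dec.update(base64.b64decode(token)) + dec.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    data = unpadder.update(padded) + unpadder.finalize()  # ValueError on bad padding
    signature, payload = data[:32], data[32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        raise ValueError("signature does not match")
    doc = json.loads(payload)
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if doc["expires"] <= now_ms:
        raise ValueError("document has expired")
    return doc


# Constructed key for this example only; a real json-secret-key is random.
DEMO_KEY = "4c0b569e4c96df157eee1b65dd0e4d41"

if __name__ == "__main__":
    token = seal(identity_json("fred", 300), DEMO_KEY)
    print(token)
    print(unseal(token, DEMO_KEY))
```

The username inside the document must match the user created in the database, exactly as the reply says; the sealed string is what the client submits to Guacamole to log in.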




Re: Guacamole 1.4.0 support for Ubuntu 22.04 SSH

2022-08-12 Thread Michael Jumper
On Fri, Aug 12, 2022 at 7:40 PM Don Eugene Paul Viado
 wrote:
>
> Hi,
>
> I noticed after upgrade to Ubuntu 22.04, Guacamole 1.4.0 could no longer 
> access it via SSH.
> Found out that the guacamole only supports ssh-dss?
> Workaround by adding below on sshd_config:
>
> HostKeyAlgorithms ssh-rsa,ssh-dss
> PubkeyAcceptedKeyTypes ssh-rsa,ssh-dss
>
> May we know when guacamole will support higher KeyTypes/Algo?
>

This is actually not a matter of Guacamole adding this support, but
the underlying SSH library adding this support (libssh2). With respect
to "ssh-rsa" and compatibility with newer versions of the OpenSSH
server, they did this recently:

https://github.com/libssh2/libssh2/pull/626

See: https://github.com/libssh2/libssh2/issues/634

- Mike




Re: OpenID configuration with Azure AD stuck in loop

2022-08-17 Thread Michael Jumper
On Wed, Aug 17, 2022, 08:25 Hiram Amador  wrote:

> Hi,
>
> I set up guacamole under docker and I think I have Open ID set up so that
> guacamole can forward the authentication to Azure AD.  I think there is
> something wrong with the reply to URL I am using.  It feels like
> authentication is going through a loop.  The OpenID documentation doesn’t
> mention whether I’m supposed to send the auth to the guacamole home page or
> whether I should be setting very specific parameters to confirm
> authentication has succeeded.
>

What do you mean? If Guacamole is configured to use OpenID for auth, it's
Guacamole that will confirm auth succeeded.

When a user visits Guacamole, they'll be redirected to the IdP to
authenticate, the IdP will redirect them back to Guacamole, and Guacamole
will validate what it received from the IdP and allow the user in.

> The Audit logs in Azure AD tells me that authentication is succeeding.  In
> fact, it looks like auth happens 9 times before Azure AD stops from all the
> auths.
>
> Let me know if there is more information I should provide.
>

What do you see in the Guacamole logs when the loop occurs? There should be
errors, warnings, etc. that describe why authentication is failing.

- Mike


Re: Guacamole on Chrome OS 103/104 ARM

2022-08-22 Thread Michael Jumper
On Mon, Aug 22, 2022, 11:20 Brian 
wrote:

> Yes, I posted about this exact thing about a month ago. I can see my
> posting has been deleted.
>

Posts to the mailing lists are never deleted:

https://www.apache.org/foundation/public-archives.html

If you were subscribed and you posted but don't see your message in the
archives, then it never went out to the list, presumably blocked as
suspected spam.

- Mike


Re: Guacamole support

2022-08-24 Thread Michael Jumper
On Wed, Aug 24, 2022, 08:26 Brian Sorto  wrote:

> We’ve been using it for over a year and had issues with settings getting
> changed and been able to support it. Everything seems to be working fine.
> The only issue now is making connections via RDP. We’ve been adding
> connections like we always have but can make a connection to anything now.
> Don’t know what could’ve changed this time. Any help or advice will be
> greatly appreciated.
>

Is guacd running?

If guacd is running, what do you see in the guacd logs when connecting
fails?

- Mike


Re: Need advice on implementing RDP services using FreeRDP in Web.

2022-08-24 Thread Michael Jumper
On Wed, Aug 24, 2022 at 8:12 PM 김찬수  wrote:
>
> Hello,
> I am using FreeRDP to make RDP functions available without installation on 
> the web.
>
> I'm Java Developer.
>
> Therefore, you configure the FreeRDP Headless Client and connect it using the 
> JNI.
>

No, Guacamole does not use JNI at all. Guacamole uses a native service
written in C called "guacd" that dynamically translates between native
protocols like VNC, RDP, etc. and the Guacamole protocol. The webapp
communicates with guacd over the local network, similar to how you
might have a webapp communicate with a database.

- Mike



Re: Security Scan

2022-08-29 Thread Michael Jumper
On Mon, Aug 29, 2022 at 12:40 PM Sean Hulbert
 wrote:

> Hello,
>
>
>
> We did a light weight scan of the Guacamole system 1.3.0 and 1.4.0
>

It will not be useful to scan anything but the latest release (1.4.0). Any
finding from scanning an older release that does not apply to the current
release would be remediated by upgrading.

> These are the results we got.
>

Going forward, please report any security-related findings to the private
secur...@guacamole.apache.org list in favor of posting to a public list.
See:

https://guacamole.apache.org/security/

The discussion can always be moved to a public list after analysis has
determined that no action is needed on our part.

> My question is: are you aware, and is it documented for remediation?
>

They are not applicable. Each of the findings noted relate only to versions
of JavaScript libraries that are not present in the current release of
Guacamole (1.4.0):

- CVE-2018-16487 (applies only to Lodash < 4.17.11, whereas Guacamole
uses 4.17.21)
- CVE-2019-10744 (applies only to Lodash < 4.17.12, whereas Guacamole
uses 4.17.21)
- CVE-2019-11358 (applies only to jQuery < 3.4.0, whereas Guacamole uses
3.6.0)
- CVE-2020-8203 (applies only to Lodash < 4.17.20, whereas Guacamole
uses 4.17.21)
- CVE-2020-11022 (applies only to jQuery < 3.5.0, whereas Guacamole uses
3.6.0)
- CVE-2020-11023 (applies only to jQuery < 3.5.0, whereas Guacamole uses
3.6.0)
- CVE-2020-28500 (applies only to Lodash < 4.17.21, whereas Guacamole
uses 4.17.21)
- CVE-2021-23337 (applies only to Lodash < 4.17.21, whereas Guacamole
uses 4.17.21)

IIRC, the above also would not apply as neither jQuery nor Lodash are used
by Guacamole in the processing of untrusted data, but we are mercifully
saved from performing an in-depth analysis by the fact that the relevant
versions are not used by the current Guacamole release. ;)

- Mike
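
The reasoning in Mike's list above is a version comparison per finding: a CVE that "applies only to Lodash < 4.17.11" is moot when 4.17.21 is shipped. The block below is an added example, not Guacamole project code or the scanner's output, that carries that comparison out for the eight findings and the two library versions stated in the post. It also shows the trap a practitioner should watch for when triaging scanner results by hand: versions must be compared numerically, component by component, not as strings.

```python
import re

# Constructed from the findings listed in the post above:
# (CVE id, library, first version that is no longer affected).
# "applies only to Lodash < 4.17.11" becomes fixed_in = "4.17.11".
SCAN_FINDINGS = [
    ("CVE-2018-16487", "lodash", "4.17.11"),
    ("CVE-2019-10744", "lodash", "4.17.12"),
    ("CVE-2019-11358", "jquery", "3.4.0"),
    ("CVE-2020-8203", "lodash", "4.17.20"),
    ("CVE-2020-11022", "jquery", "3.5.0"),
    ("CVE-2020-11023", "jquery", "3.5.0"),
    ("CVE-2020-28500", "lodash", "4.17.21"),
    ("CVE-2021-23337", "lodash", "4.17.21"),
]

# The library versions the post states Guacamole 1.4.0 ships.
GUACAMOLE_1_4_0_LIBS = {"lodash": "4.17.21", "jquery": "3.6.0"}


def parse_version(version: str) -> tuple:
    """Split a dotted version into a tuple of ints for numeric comparison.

    Comparing version strings lexically is the classic triage mistake:
    "4.17.9" < "4.17.11" is False as strings but True as versions.
    A pre-release suffix such as "-rc1" is dropped, a deliberate
    simplification for this example.
    """
    core = re.match(r"[0-9]+(?:\.[0-9]+)*", version)
    if core is None:
        raise ValueError(f"not a dotted version: {version!r}")
    return tuple(int(part) for part in core.group(0).split("."))


def is_affected(installed: str, fixed_in: str) -> bool:
    """True when the installed version predates the fix."""
    return parse_version(installed) < parse_version(fixed_in)


def applicable_findings(installed_libs: dict, findings: list) -> list:
    """Return the CVE ids from `findings` that still apply to `installed_libs`.

    A library that is not present at all cannot be affected, so it is skipped.
    Order of the input is preserved so the result can be diffed against the
    scanner's own list.
    """
    applicable = []
    for cve, library, fixed_in in findings:
        installed = installed_libs.get(library)
        if installed is not None and is_affected(installed, fixed_in):
            applicable.append(cve)
    return applicable


if __name__ == "__main__":
    print("Still applicable to 1.4.0:", applicable_findings(GUACAMOLE_1_4_0_LIBS, SCAN_FINDINGS))
```

Run against the 1.4.0 versions the list comes back empty, which is the conclusion of the post; run against an older pair (say Lodash 4.17.19 and jQuery 3.4.1) it names exactly the findings an upgrade would remediate.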


Re: Start Menu for Guacamole in ChromeOS

2022-08-30 Thread Michael Jumper
On Tue, Aug 30, 2022, 08:46 Don Eugene Paul Viado 
wrote:

> Hi,
>
> I know there are a few chrome OS users here.  Last time, i managed to make
> start key (Windows) to work in Guacamole using web apps.  But I cannot
> really remember which key combination i tried to make it work permanently.
> Does anyone know?
>

The "Search" key on ChromeOS is the Meta/Windows/Command key, unless it's
been configured in ChromeOS settings to be a different key like Caps Lock.

- Mike


Re: Document Typo

2022-08-31 Thread Michael Jumper
On Wed, Aug 31, 2022, 10:10 Robert Simmons  wrote:

> I have found a typo in the documentation. Where is the best place to
> report this?
>

The bug/issue tracker: https://issues.apache.org/jira/browse/GUACAMOLE/

> The following link should take you directly to the typo and highlight it.
>
>
> https://guacamole.apache.org/doc/gug/installing-guacamole.html#optional-dependencies:~:text=libavutil%2Ddev%2C-,libswsccale%2Ddev,-Fedora%20/%20CentOS%20/%20RHEL
>
> If that didn't work, the typo is the Debian / Ubuntu package name under
> FFmpeg. "libswsccale-dev" should be "libswscale-dev".
>
> Here is a link to that section of the documentation without the
> highlighting stuff:
>
>
> https://guacamole.apache.org/doc/gug/installing-guacamole.html#optional-dependencies
>
> Here is a link to the package listing in Ubuntu's repository for
> verification:
>
> https://packages.ubuntu.com/jammy-updates/libswscale-dev
>

This has been reported via:

https://issues.apache.org/jira/browse/GUACAMOLE-1650

- Mike


Re: Web analytics

2022-09-07 Thread Michael Jumper
On Wed, Sep 7, 2022 at 5:50 AM Antoine Besnier
 wrote:
>
> Indeed, the branding extension needs a CSS selector, so it will not work for 
> the head section.
> Maybe you can unzip guacamole-1.4.0.war, modify the file 
> app/element/templates/blank.html, and repackage and re-deploy the war file.
>

Please do not do this - that file has a very specific purpose and
needs to be what the name suggests: blank. It is also not advisable to
make changes to the web application directly, especially through
attempting to modify the .war file itself. Instead, the extension
system should be used (as you are already attempting to do).

Does this Umami tool require that things be added with a "script" tag?
If not, Guacamole's extension system provides its own method for
adding arbitrary JavaScript, and that would be much easier than
tracking down the best place for tag insertion. See the "js" entry for
guac-manifest.json:

https://guacamole.apache.org/doc/gug/guacamole-ext.html#extension-manifest

- Mike



Re: Guacamole FIPS 140-2

2022-09-08 Thread Michael Jumper
On Thu, Sep 8, 2022 at 9:31 AM Sean Hulbert
 wrote:
>
> Hello
>
> Here are some security questions I have about Guacamole.
>
> 1.   Does it support FIPS 140-2
> a.   If enabled on Ubuntu 20.04 LTS are there any known issues

The current known issues with FIPS are:
https://issues.apache.org/jira/browse/GUACAMOLE-1674?jql=project%20%3D%20GUACAMOLE%20AND%20type%20%3D%20Bug%20AND%20text%20~%20fips

> 2.   We noticed that cookies aren’t used anymore, is there a setting to 
> time out the session if idle for X time or is that based on Guest OS?

You should never rely on cookie expiration alone for session
expiration. Guacamole handles session expiration on the server side,
with a default session timeout of 1 hour.

https://guacamole.apache.org/doc/gug/configuring-guacamole.html#guacamole-properties

> 3.   The MFA TOTP what is the location of control file or the 
> pre-compiled code, we like to review it for adding additional functions.

I don't understand what you're asking here. What control file and what
pre-compiled code? The source to the entire web application, including
the TOTP support and all other extensions, is in the
"apache/guacamole-client" repository:
https://github.com/apache/guacamole-client/

- Mike



Re: this user account is not currently valid

2022-09-12 Thread Michael Jumper
On Mon, Sep 12, 2022 at 12:00 PM Sean Hulbert
 wrote:
>
> Why would an account with MFA enabled experience this error “this user 
> account is not currently valid” (Note: there are no time restrictions enabled)
>
> The account was established for 2 months no issues then today they got this 
> error.
>
> We have to delete and recreate it and have them redo their MFA QR.
>

Date restrictions are the only possibility. That error ("This user
account is not currently valid.") can only occur when a user defined
in the database auth is outside the "valid-from" ("Enable Account
After") and "valid-until" ("Disable Account After") dates. It has
nothing to do with MFA, which has no impact on whether this error
appears, and there is no other code path that leads to that error.

- Mike



Re: RealVNC encryption (Was: Re: WELCOME to user@guacamole.apache.org)

2022-09-13 Thread Michael Jumper
On Tue, Sep 13, 2022, 19:29 Venu Banda  wrote:

> Hi Guacamole, I have a questions
>
> -- Does Apache Guacamole support encrypted connection to a RealVNC Server
>

My understanding is that RealVNC implements their own proprietary
encryption that only their own proprietary client supports. There may be a
non-proprietary encryption standard that RealVNC also implements that would
allow you to use other non-proprietary clients to connect, though I believe
you have to manually enable that.

I would advise instead keeping your VNC connection on a private, trusted
network, and letting your Guacamole server be the only publicly-reachable
gateway into that network. That way, Guacamole functions as your security
layer, and you avoid having any form of VNC going over the internet.

- Mike


Re: [EXTERNAL] - RE: Default Clipboard Settings

2022-09-21 Thread Michael Jumper
The JSON that Adrian is referring to is the JSON submitted for
authentication when you're using the "guacamole-auth-json" extension,
not the JSON that describes the parameters available for a particular
protocol (the "rdp.json" file that you've already tried editing).

If you've modified "rdp.json" and changed the value shown from "true"
to "false", what you've actually done is tell Guacamole that the value
it should set for the parameter when that checkbox is checked is
"false", which will render that field useless. If you revert your
changes, rebuild the webapp, and then edit the affected connections to
re-check those boxes (thus setting the value "true" for those
parameters), clipboard should be disabled as expected.

- Mike

On Wed, Sep 21, 2022 at 7:57 AM Hannah Mortimer  wrote:
>
> Hi – I’ve tried that – but that does not fix the issue. Even checking the 
> radio buttons in the UI does not disable the clipboard for copy/paste.
>
> Hannah Mortimer
>
> From: Adrian Owen 
> Sent: Wednesday, September 21, 2022 7:54 AM
> To: user@guacamole.apache.org
> Subject: [EXTERNAL] - RE: Default Clipboard Settings
>
> Copy/paste is enabled by default.   In JSON you can set:
>
> "disable-copy", "true"
> "disable-paste", "true" Adrian
>
>> From: Hannah Mortimer [mailto:hmorti...@plexsys.com]
>> Sent: 21 September 2022 15:24
>> To: user@guacamole.apache.org
>> Subject: Default Clipboard Settings
>>
>> Good morning,
>>
>> I was wondering if someone would be able to help me determine where I can 
>> change the default clipboard settings.
>>
>> When we create a new connection I would like the option to not show (for 
>> RDP) as well as the setting for the clipboard copy/paste to be automatically 
>> set to disabled. We want to prevent users from copying and pasting outside 
>> of the RDP connection.
>>
>> I have tried changing the BOOLEAN value in 
>> /guacamole-ext/src/main/resources/org/apache/guacamole/protocols/rdp.json – 
>> but to no avail that did not set the clipboard to disabled.
>>
>> Please let me know what information you may need so that we may find a 
>> solution!
>>
>> Hannah Mortimer
>>



Re: Cannot connect while using Resize Method 'Display Update'

2022-09-24 Thread Michael Jumper
On Mon, Sep 5, 2022, 09:34 Thomas Marsh 
wrote:

> We are currently running Guacamole on an Alpine 3.15 container and trying
> to connect to a Windows 2019 server hosted on an EC2 instance. Recently,
> when connecting with 'Resize Method' set to 'Display Update (RDP8.1+)' we
> started receiving the red banner -"The remote desktop server is currently
> unavailable". When changing the resize method to 'blank' or 'reconnect', it
> works as expected. I tried updating to Alpine 3.16 with the same results.
>
> Guacd shows...
>
> INFO: Resize Method: display update
> INFO: No clipboard line-ending normalisation specified
> INFO: User '' joined connected
> INFO: Loading keymap 'base'
> INFO: Loading keymap 'en-us-qwerty'
> ERROR: Connection closed
> INFO: Internal RDP client disconnected
> (unable to copy-paste verbatim, but these are what the logs look like, in
> that order)
>
> Have you come across this issue before by any chance?
>

My guess would be that something is wrong with the way FreeRDP is installed
that is resulting in the FreeRDP plugin implementing the Display Update
channel not being found.

Do you see this if you try building the latest from git? We recently
switched the base of that image to Alpine.

What about debug-level logging?

- Mike


Re: Error SSL_ERROR_RX_RECORD_TOO_LONG in browser

2022-10-01 Thread Michael Jumper
On Sat, Oct 1, 2022 at 4:50 AM Simon  wrote:
>
> I run the following docker container: mariadb, guacd, guacamole.
> ...
> This is the error in the browser:
>
> SSL_ERROR_RX_RECORD_TOO_LONG
>
> This is my logs of guacamole
> ...
> 29-Sep-2022 15:01:35.162 INFO [main] org.apache.coyote.AbstractProtocol.start 
> Starting ProtocolHandler ["http-nio-8080"]
> 29-Sep-2022 15:01:35.192 INFO [main] 
> org.apache.catalina.startup.Catalina.start Server startup in 10515 ms
> 29-Sep-2022 15:01:35.276 INFO [http-nio-8080-exec-1] 
> org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request 
> header
>  Note: further occurrences of HTTP request parsing errors will be logged at 
> DEBUG level.
> java.lang.IllegalArgumentException: Invalid character found in method 
> name [0x160x030x010x020x000x010x000x010xfc0x030x030xa30xbe0xd80xae0x09 ]. 
> HTTP method names must be tokens
> ...

You are using SSL (HTTPS) to connect to an HTTP service. You need SSL
termination in front of Tomcat to use SSL.

- Mike
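
The "Invalid character found in method name" message quoted above is Tomcat printing the first bytes of what the browser sent, and those bytes are a TLS record: 0x16 is the handshake content type, 0x03 0x01 the record-layer version, 0x02 0x00 a 512-byte record, then 0x01 for ClientHello with a 0x0001fc (508-byte) body and a 0x0303 (TLS 1.2) client version. As an added example, not code from Tomcat or Guacamole, the block below decodes that log line so the misconfiguration can be recognised mechanically in log review rather than by eye. The log text is reconstructed from the post; the byte values are the ones shown there.

```python
import re

# Constructed sample, shaped like the Tomcat message quoted in the post above.
SAMPLE_LOG_LINE = (
    "java.lang.IllegalArgumentException: Invalid character found in method name "
    "[0x160x030x010x020x000x010x000x010xfc0x030x030xa30xbe0xd80xae0x09 ]. "
    "HTTP method names must be tokens"
)

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
TLS_VERSION_NAMES = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}


def extract_method_bytes(log_line: str) -> bytes:
    """Pull the raw bytes Tomcat printed as run-together 0xNN tokens inside [ ... ]."""
    m = re.search(r"method name \[(.*?)\]", log_line)
    if m is None:
        return b""
    return bytes(int(tok, 16) for tok in re.findall(r"0x([0-9a-fA-F]{2})", m.group(1)))


def describe_tls_client_hello(log_line: str):
    """Describe the TLS ClientHello if the rejected "method name" is a TLS record.

    Returns None when the bytes are something else (a genuinely malformed
    request, for instance). Layout, per RFC 5246 sections 6.2.1 and 7.4:
    content type (1), record version (2), record length (2), then
    handshake type (1), handshake length (3), client version (2), random (32) ...
    """
    data = extract_method_bytes(log_line)
    if len(data) < 11 or data[0] != TLS_HANDSHAKE or data[5] != CLIENT_HELLO:
        return None
    record_version = (data[1], data[2])
    record_length = int.from_bytes(data[3:5], "big")
    handshake_length = int.from_bytes(data[6:9], "big")
    client_version = (data[9], data[10])
    return {
        "record_version": TLS_VERSION_NAMES.get(record_version, f"unknown {record_version}"),
        "record_length": record_length,
        "handshake_length": handshake_length,
        # The record body is the 4-byte handshake header plus the handshake body.
        "lengths_consistent": record_length == handshake_length + 4,
        # A TLS 1.3 client also puts 0x0303 here and signals 1.3 in an extension,
        # so this field is a floor on the client's capability, not its maximum.
        "client_version": TLS_VERSION_NAMES.get(client_version, f"unknown {client_version}"),
    }


if __name__ == "__main__":
    print(describe_tls_client_hello(SAMPLE_LOG_LINE))
```

A match here means TLS arrived on a plaintext connector, exactly Mike's diagnosis: the fix is TLS termination in front of (or configured on) Tomcat, not anything in Guacamole.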



Re: Password Authentication not populating into RDP connection windows password field.

2022-10-03 Thread Michael Jumper
On Mon, Oct 3, 2022, 12:11 Johnson, Nachay [USA]
 wrote:

> Hi,
>
> I am attempting to auto-populate my username and password into a windows
> server. I manually set my credentials in guac connection settings, but only
> the username is populated into the windows login screen. Does anyone know
> what’s causing this problem.
>

Do you see an authentication error from Windows just before you see that
login screen?

Is the destination Windows machine domain-joined?

- Mike


Re: [External] Re: Password Authentication not populating into RDP connection windows password field.

2022-10-03 Thread Michael Jumper
Are you specifying the domain connection parameter as well as the username
and password parameters?

On Mon, Oct 3, 2022, 12:35 Johnson, Nachay [USA]
 wrote:

> No, I don’t see an authentication error. The destination windows machine
> is domain-joined.
>
>
>
> *From:* Michael Jumper 
> *Sent:* Monday, October 3, 2022 3:32 PM
> *To:* user@guacamole.apache.org
> *Subject:* [External] Re: Password Authentication not populating into RDP
> connection windows password field.
>
>
>
> On Mon, Oct 3, 2022, 12:11 Johnson, Nachay [USA] <
> johnson_nac...@bah.com.invalid> wrote:
>
> Hi,
>
> I am attempting to auto-populate my username and password into a windows
> server. I manually set my credentials in guac connection settings, but only
> the username is populated into the windows login screen. Does anyone know
> what’s causing this problem.
>
>
>
> Do you see an authentication error from Windows just before you see that
> login screen?
>
>
>
> Is the destination Windows machine domain-joined?
>
>
>
> - Mike
>
>
>


Re: Audit trail

2022-10-16 Thread Michael Jumper
On Wed, Oct 12, 2022 at 7:11 AM Broekema, Andries 
wrote:

> Hi All,
>
>
>
> We are using guacamole with a few different sets of permissions. Is it
> possible to have some sort of "audit trail", that shows who changed when
> which permission? E.g. is there eventually a way to get this information
> from the logging system in guacamole? Or directly from the database? If so,
> how can that be setup? I greatly appreciate any help, or answer, or pointer
> to more information!
>

This is being worked on as we speak:

https://issues.apache.org/jira/browse/GUACAMOLE-1224

Part of the necessary support was recently merged:

https://github.com/apache/guacamole-client/pull/768

- Mike


Re: Enabling Audio and/or Drive Breaks RDP

2022-10-21 Thread Michael Jumper
On Fri, Oct 21, 2022 at 10:28 AM Sean Hulbert
 wrote:

> Hello,
>
>
>
> You may want to make sure Pulse audio is installed.
>

PulseAudio has no bearing on audio for RDP. PulseAudio is used only to
provide audio for VNC, which unlike RDP does not have its own standard for
streaming audio.


> For your file transfer look at the image below, the key here is the
> ${GUAC_USERNAME} this will create a folder in the path specified for the
> user account logging in.
>
> Also never use 777; set the permission recursively: chmod -R 755
> /home/guacamole/share.
>
> Then you will need to make sure the guacd service is owner of the folder
> path: chown -r guacd: /home/guacamole/share
>
> Note the -r may be -R if you get an error.
>

Dylan, can you share your guacd logs for when the failure occurs? The log
messages should point to the cause of the behavior you're seeing. Without
the logs, we'll just be blindly guessing.

- Mike


Re: SAML - SSO Logs

2022-10-25 Thread Michael Jumper
On Tue, Oct 25, 2022 at 2:54 PM Jonathan Rugther 
wrote:

> When guacamole-auth-sso-saml enabled , is it possible to get an audit log
> file of the ip address or id of the instance a user is trying to connect to?
>

Yes - this is already logged by Guacamole and should show up wherever your
Tomcat install logs its messages. This could be within the systemd journal
(journalctl), somewhere beneath /var/log, in a file called "catalina.out",
etc. The location of the Tomcat logs varies by how Tomcat was installed and
who packaged it.

The source IP addresses of all authentication attempts are logged,
regardless of what auth backend ultimately handles that request. You'll see
messages like the following:

User "foo" successfully authenticated from 1.2.3.4.
Authentication attempt from 1.2.3.4 for user "foo" failed.

After a user has successfully authenticated, the ID of any connection(s)
that an authenticated user attempts to use is logged like:

User "guacadmin" connected to connection "123"

> Before switching over to SSO, the tomcat9 logs had a reference to the
> guac_id that we were able to utilize but I don't see anything similar now.
>

What guac_id are you referring to here? It sounds like you might be looking
at the query parameters of requests within Tomcat's access logs, not the
logs of the Guacamole webapp.

- Mike
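
The three message formats Mike quotes are enough to build the audit view the question asks for, and to do some basic detection on top of it. The block below is an added example, not Guacamole code, that parses a constructed log in those formats: the "HH:MM:SS.mmm [thread] LEVEL logger - message" prefix and the o.a.g.r.auth.AuthenticationService logger name follow the real lines seen elsewhere on this list, while the logger name on the "connected to connection" lines is a placeholder I made up. It extracts who authenticated from where and which connection they used, and flags sources with repeated failures, a pattern worth an alert regardless of which auth backend handled the request.

```python
import re
from collections import Counter

# Constructed sample log in the message formats quoted in the post above.
# "example.TunnelLogger" is a placeholder logger name, not Guacamole's.
SAMPLE_LOG = """\
10:00:01.100 [http-nio-8080-exec-1] INFO  o.a.g.r.auth.AuthenticationService - User "foo" successfully authenticated from 1.2.3.4.
10:00:05.200 [http-nio-8080-exec-2] INFO  example.TunnelLogger - User "foo" connected to connection "123"
10:01:10.300 [http-nio-8080-exec-3] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 10.9.8.7 for user "bar" failed.
10:01:11.400 [http-nio-8080-exec-4] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 10.9.8.7 for user "baz" failed.
10:01:12.500 [http-nio-8080-exec-5] WARN  o.a.g.r.auth.AuthenticationService - Authentication attempt from 10.9.8.7 for user "guacadmin" failed.
10:02:00.600 [http-nio-8080-exec-6] INFO  o.a.g.r.auth.AuthenticationService - User "guacadmin" successfully authenticated from 1.2.3.4.
10:02:03.700 [http-nio-8080-exec-7] INFO  example.TunnelLogger - User "guacadmin" connected to connection "7"
10:02:04.000 [http-nio-8080-exec-8] INFO  o.a.c.startup.Catalina - Server startup in 10515 ms
"""

# Logger prefix; lines without it (e.g. a bare catalina.out message) are still tried.
PREFIX = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) \[(?P<thread>[^\]]+)\] (?P<level>\w+)\s+(?P<logger>\S+) - (?P<msg>.*)$"
)

# One pattern per message format quoted in the post.
MESSAGE_PATTERNS = [
    ("auth_success", re.compile(r'^User "(?P<user>[^"]+)" successfully authenticated from (?P<source>\S+)\.$')),
    ("auth_failure", re.compile(r'^Authentication attempt from (?P<source>\S+) for user "(?P<user>[^"]+)" failed\.$')),
    ("connect", re.compile(r'^User "(?P<user>[^"]+)" connected to connection "(?P<connection>[^"]+)"$')),
]


def parse_event(line: str):
    """Turn one log line into an event dict, or None if it is not an auth/connect message."""
    line = line.strip()
    if not line:
        return None
    prefix = PREFIX.match(line)
    msg = prefix.group("msg") if prefix else line
    for kind, pattern in MESSAGE_PATTERNS:
        m = pattern.match(msg)
        if m:
            event = {"event": kind, "time": prefix.group("time") if prefix else None}
            event.update(m.groupdict())
            return event
    return None


def parse_events(log_text: str) -> list:
    return [e for e in (parse_event(line) for line in log_text.splitlines()) if e]


def failures_by_source(events) -> Counter:
    return Counter(e["source"] for e in events if e["event"] == "auth_failure")


def suspicious_sources(events, threshold: int) -> list:
    """Sources with at least `threshold` failed attempts.

    Several different usernames failing from one source in quick succession is
    the shape of a password spray; what to do about it (alert, block at the
    proxy) is the operator's call, this only surfaces it.
    """
    return sorted(src for src, n in failures_by_source(events).items() if n >= threshold)


def connections_for_user(events, user: str) -> list:
    """The audit trail the question asks for: which connection ids a user opened."""
    return [e["connection"] for e in events if e["event"] == "connect" and e["user"] == user]


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for e in events:
        print(e)
    print("suspicious:", suspicious_sources(events, 3))
```

Because the auth lines carry the client address and the connect lines carry the connection id, joining them on user and time gives "who, from where, to what" without any access-log query parameters.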


Re: Managing connections with SAML authentication

2022-10-26 Thread Michael Jumper
On Wed, Oct 26, 2022 at 10:41 AM Guertin, David S. 
wrote:

> I've got a new Guacamole installation set up and configured with SAML
> authentication, so that all users can log in with their Azure Active
> Directory credentials. The authentication is working, and all allowed users
> can log in, but there are no connections showing because none have been
> configured yet.
>
> Earlier, I had played around with basic auth and gotten connections set up
> in the user-mapping.xml file, but when I tried to read how to configure
> connections with SAML auth, all I can find is:
>
> "This module does not provide any capability for storing or retrieving
> connections, and must be layered with other authentication extensions that
> provide connection management."
>
> At this point I'm lost. I can't find documentation describing how I would
> layer SAML auth with another authentication extension. Is there a
> documented procedure for doing this?
>

Yes - you need to set up one of the supported databases. See:
https://guacamole.apache.org/doc/gug/jdbc-auth.html

From above:

"... While most authentication extensions function independently, the
database authentication can act in a subordinate role, allowing users and
user groups from other authentication extensions to be associated with
connections within the database. Users and groups are considered identical
to those within the database if they have the same names, and the
authentication result of another extension will be trusted if it succeeds.
..."

You can have users authenticated by SAML, group memberships defined by SAML
or the database, and connection configurations and authorizations defined
by the database. After the database support is installed, the
database-backed aspects of this are managed through the web UI.

- Mike


Re: Guacamole on Docker Failed Login for guacadmin

2022-10-26 Thread Michael Jumper
Can you post your entire logs from the point that the Guacamole container
started through the first authentication failure?

- Mike

On Wed, Oct 26, 2022 at 11:58 AM Tourville, Jeremy A CTR USARMY DEVCOM AVMC
(USA)  wrote:

> Hello,
>
> I have been reading the manual and trying to figure out what I am doing
> wrong.  I presume I have a simple mistake somewhere or something that I
> have missed when reading the manual.
>
>
>
> I setup a new instance of Guacamole using Docker and Docker Compose.
>
>
>
> version: '3.0'
>
>
>
> networks:
>
>   guacnetwork:
>
>
>
> services:
>
>   guacd:
>
> container_name: guacd
>
> image:
> registry1.dso.mil/ironbank/opensource/apache/guacamole/guacamole-server:1.4.0
>
> networks:
>
>   guacnetwork:
>
> restart: always
>
>
>
>   postgres:
>
> container_name: postgres
>
> image:
> registry1.dso.mil/ironbank/opensource/postgres/postgresql12:12.12
>
> environment:
>
>   PGDATA: /var/lib/postgresql/data/guacamole
>
>   POSTGRES_DB: guacamoledb
>
>   POSTGRES_PASSWORD: 'guacamole'
>
>   POSTGRES_USER: 'guacamole'
>
> networks:
>
>   guacnetwork:
>
> restart: always
>
> volumes:
>
> - ./init:/docker-entrypoint-initdb.d:z
>
> - ./data:/var/lib/postgresql/data:Z
>
>
>
>   guacamole:
>
> container_name: guacamole
>
> image:
> registry1.dso.mil/ironbank/opensource/apache/guacamole/guacamole-client:1.4.0
>
>
> depends_on:
>
> - guacd
>
> - postgres
>
> environment:
>
>   GUACD_HOSTNAME: guacd
>
>   POSTGRES_DATABASE: guacamoledb
>
>   POSTGRES_HOSTNAME: postgres
>
>   POSTGRES_PASSWORD: 'guacamole'
>
>   POSTGRES_USER: 'guacamole'
>
> links:
>
> - guacd
>
> networks:
>
>   guacnetwork:
>
> ports:
>
> - 8080:8080/tcp
>
> restart: always
>
>
>
> I have observed the following:
>
>1. The general setup of the containers work and no containers are
>restarting due to misconfigurations or errors.
>2. The web UI is available
>3. The logs show the database is created and the schema is applied to
>the DB.
>4. I can see the guacadmin user account creation is part of the init
>script
>5. When I try to login via the web UI as guacadmin I get the error
>message “Invalid Login”
>6. docker logs -f guacamole shows:
>
> 16:15:17.956 [http-nio-8080-exec-4] WARN
> o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.28.0.1
> for user "guacadmin" failed.
>
>
>
> Why is auth failing?  I did review the GUACAMOLE_HOME/extensions and
> GUACAMOLE_HOME/lib directories.
>
>
>
> Extensions folder contains a file:
>
> guacamole-auth-jdbc-postgresql-1.4.0.jar
>
>
>
> Lib folder contains a file:
>
> postgresql-42.3.3.jar
>
>
>
> My guacamole.properties is as follows:
>
>
>
> # guacamole.properties - generated Wed Oct 26 14:53:23 UTC 2022
>
> guacd-hostname: guacd
>
> guacd-port: 4822
>
> postgresql-username: guacamole
>
> postgresql-password: guacamole
>
> postgresql-database: guacamoledb
>
> postgresql-hostname: postgres
>
> postgresql-port: 5432
>
>
>
> Everything seems to be generally correct based on what I have read.  What
> else can someone suggest to troubleshoot?
>
>
>
> Jeremy
>
>
>
>
>


Re: Guacamole can't connect to anything, no errors

2022-10-29 Thread Michael Jumper
Look around to see if you can find your Tomcat logs. The location of the
Tomcat logs varies by how Tomcat was installed and by who created the
Tomcat package. There should definitely be an error in the logs that
corresponds to the error you're seeing in the UI. Common locations would be
within the systemd journal (accessed via journalctl) or "catalina.out"
beneath a directory within /var/log, such as /var/log/tomcat or
/var/log/tomcat/9 or similar.

I suspect that your system may have configured the "localhost" name such
that guacd is binding to IPv6 localhost, while the Guacamole webapp is
attempting to connect to IPv4 localhost. If this is the case, you can force
guacd to listen on 127.0.0.1 by editing /etc/guacamole/guacd.conf, creating
the file first if necessary:

[server]
bind_host = 127.0.0.1

See:
https://guacamole.apache.org/doc/gug/configuring-guacamole.html?highlight=bind_host#configuring-guacd

- Mike


On Sat, Oct 29, 2022 at 8:05 AM Rytis  wrote:

> Hi Nick,
> thank you for quick response.
>
> guacd is running
> root@orangepi:/var/log# systemctl status guacd
> ● guacd.service - Guacamole Server
>  Loaded: loaded (/etc/systemd/system/guacd.service; enabled; vendor
> preset: enabled)
>  Active: active (running) since Sat 2022-10-29 14:38:00 UTC; 25min ago
>Docs: man:guacd(8)
>Main PID: 5948 (guacd)
>   Tasks: 1 (limit: 4603)
>  Memory: 9.8M
> CPU: 45ms
>  CGroup: /system.slice/guacd.service
>  └─5948 /usr/local/sbin/guacd -f
>
> 2022-10-29, št, 18:00 Nick Couchman  rašė:
>
>> On Sat, Oct 29, 2022 at 10:50 AM Rytis  wrote:
>> >
>> >   Hello,
>> > I am stuck for awhile with Guacamole - I have installed it using this
>> guide: https://idroot.us/install-apache-guacamole-debian-11/ (using
>> Orange Pi, Debian 11 (arm64)).
>> >
>> > Guacamole application works well and I can login to it, but I can't
>> connect to any server (does not matter - ssh, rdp, application provides
>> instant "An internal error has occurred within the Guacamole server, and
>> the connection has been terminated. If the problem persists, please notify
>> your system administrator, or check your system logs.").
>> >
>> > /var/log/syslog provides no guacd, tomcat9 errors or anything else
>> related to this.
>>
>> Is guacd running? I'm unfamiliar with that install guide you
>> mentioned, but have you started the guacd service, either using
>> systemctl, an init script, or by running the guacd binary directly?
>>
>> -Nick
>>
>>
>
> --
> Best regards
> Rytis Savickis
>
> Phone number: +370 629 57720
>


Re: Integration with Okta and SSO

2022-10-29 Thread Michael Jumper
On Tue, Oct 25, 2022 at 8:56 PM Lockhart, Roland 
wrote:

> Hi team
>
>
>
> Have you any guides on how to integrate Guacamole with Okta as an IDP? Do
> we just add in the SAML module and work from there?
>

Yes - there's no guide specific to Okta, but the SAML support should work
with any IdP implementing the SAML standard.

- Mike


Re: Guacamole on Docker Failed Login for guacadmin

2022-10-29 Thread Michael Jumper
 |
>
> postgres | waiting for server to start2022-10-26 19:07:43.898 UTC
> [30] LOG:  starting PostgreSQL 12.12 on x86_64-pc-linux-gnu, compiled by
> gcc (GCC) 8.5.0 20210514 (Red Hat 8.5.0-10), 64-bit
>
> postgres | 2022-10-26 19:07:43.901 UTC [30] LOG:  listening on Unix
> socket "/var/run/postgresql/.s.PGSQL.5432"
>
> postgres | 2022-10-26 19:07:43.907 UTC [30] LOG:  listening on Unix
> socket "/tmp/.s.PGSQL.5432"
>
> postgres | 2022-10-26 19:07:43.941 UTC [30] LOG:  redirecting log
> output to logging collector process
>
> postgres | 2022-10-26 19:07:43.941 UTC [30] HINT:  Future log output
> will appear in directory "log".
>
> postgres |  done
>
> postgres | server started
>
> postgres | CREATE DATABASE
>
> postgres |
>
> postgres |
>
> postgres | /usr/local/bin/docker-entrypoint.sh: running
> /docker-entrypoint-initdb.d/initdb.sql
>
> postgres | CREATE TYPE
>
> postgres | CREATE TYPE
>
> postgres | CREATE TYPE
>
> postgres | CREATE TYPE
>
> postgres | CREATE TYPE
>
> postgres | CREATE TABLE
>
> postgres | CREATE INDEX
>
> postgres | CREATE TABLE
>
> postgres | CREATE INDEX
>
> postgres | CREATE TABLE
>
> postgres | CREATE TABLE
>
> postgres | CREATE TABLE
>
> postgres | CREATE TABLE
>
> postgres | CREATE TABLE
>
> postgres | CREATE INDEX
>
> postgres | CREATE TABLE
>
> postgres | CREATE INDEX
>
> postgres | CREATE TABLE
>
> postgres | CREATE INDEX
>
> postgres | CREATE TABLE
>
> postgres | CREATE INDEX
>
> postgres | CREATE TABLE
>
> postgres | CREATE INDEX
>
> postgres | CREATE TABLE
>
> postgres | CREATE INDEX
>
> postgres | CREATE TABLE
>
> postgres | CREATE INDEX
>
> postgres | CREATE TABLE
>
> postgres | CREATE INDEX
>
> postgres | CREATE TABLE
>
> postgres | CREATE INDEX
>
> postgres | CREATE INDEX
>
> postgres | CREATE TABLE
>
> postgres | CREATE INDEX
>
> postgres | CREATE INDEX
>
> postgres | CREATE TABLE
>
> postgres | CREATE INDEX
>
> postgres | CREATE INDEX
>
> postgres | CREATE TABLE
>
> postgres | CREATE INDEX
>
> postgres | CREATE TABLE
>
> postgres | CREATE INDEX
>
> postgres | CREATE INDEX
>
> postgres | CREATE TABLE
>
> postgres | CREATE INDEX
>
> postgres | CREATE INDEX
>
> postgres | CREATE TABLE
>
> postgres | CREATE INDEX
>
> postgres | CREATE INDEX
>
> postgres | CREATE INDEX
>
> postgres | CREATE INDEX
>
> postgres | CREATE INDEX
>
> postgres | CREATE INDEX
>
> postgres | CREATE TABLE
>
> postgres | CREATE INDEX
>
> postgres | CREATE INDEX
>
> postgres | CREATE INDEX
>
> postgres | CREATE INDEX
>
> postgres | CREATE TABLE
>
> postgres | CREATE INDEX
>
> postgres | INSERT 0 1
>
> postgres | INSERT 0 1
>
> postgres | INSERT 0 6
>
> postgres | INSERT 0 3
>
> postgres |
>
> postgres |
>
> postgres | waiting for server to shut down done
>
> postgres | server stopped
>
> postgres |
>
> postgres | PostgreSQL init process complete; ready for start up.
>
> postgres |
>
> postgres | 2022-10-26 19:07:50.375 UTC [1] LOG:  starting PostgreSQL
> 12.12 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 8.5.0 20210514 (Red Hat
> 8.5.0-10), 64-bit
>
> postgres | 2022-10-26 19:07:50.375 UTC [1] LOG:  listening on IPv4
> address "0.0.0.0", port 5432
>
> postgres | 2022-10-26 19:07:50.375 UTC [1] LOG:  listening on IPv6
> address "::", port 5432
>
> postgres | 2022-10-26 19:07:50.388 UTC [1] LOG:  listening on Unix
> socket "/var/run/postgresql/.s.PGSQL.5432"
>
> postgres | 2022-10-26 19:07:50.395 UTC [1] LOG:  listening on Unix
> socket "/tmp/.s.PGSQL.5432"
>
> postgres | 2022-10-26 19:07:50.431 UTC [1] LOG:  redirecting log
> output to logging collector process
>
> postgres | 2022-10-26 19:07:50.431 UTC [1] HINT:  Future log output
> will appear in directory "log".
>
> guacamole| 19:08:13.517 [http-nio-8080-exec-10] WARN
> o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.29.0.1
> for user "guacadmin" failed.
>
>
>
> *From:* Michael Jumper 
> *Sent:* Wednesday, October 26, 2022 2:04 PM
> *To:* user@guacamole.apache.org
> *Subject:*


Re: socket was closed by server

2022-10-29 Thread Michael Jumper
On Thu, Oct 27, 2022 at 9:43 PM Ahmed Taleb 
wrote:

> We have been getting some intermittent disconnections while RDP'ing into
> any machine setup in guacamole. I believe I've tracked the issue in the
> logs to point to 2 potential issues that may be causing the problem:
>
>1. websocket tunnel fail
>
> [http-apr-8080-exec-8] ERROR o.a.g.w.GuacamoleWebSocketTunnelEndpoint -
> Creation of WebSocket tunnel to guacd failed: Requested tunnel destination
> does not exist.
>
>
What do you see in the guacd logs when you are unexpectedly disconnected?

> 2. Database connection issue
>
> [pool-1-thread-1] WARN  o.a.i.d.pooled.PooledDataSource - Execution of
> ping query 'SELECT 1' failed: (conn=109971414) unexpected end of stream,
> read 0 bytes from 4 (socket was closed by server)
>

This indicates network connectivity issues between the webapp and your
database. This wouldn't cause a disconnect, but could be a symptom of the
same environmental problem if the unexpected disconnects are also caused by
network issues.

- Mike


Re: telnet can not login

2022-10-31 Thread Michael Jumper
On Mon, Oct 31, 2022 at 7:27 AM 李安安  wrote:

> Hello,
> When I use guacd, I have the problem.
>
> Using guacd to connect to devices, most of them succeed, a few fail. The “connect”
> args:
>
> {"hostname":"**","username":"admin","password":"***","username-regex":"Username:","password-regex":"Password:","backspace":"8","port":23,"font-size":"18","color-scheme":"gray-black"}
>
> The error msg:
>
> Warning: Telnet is not a secure protocol, and it is recommended to use 
> Stelnet.
> Login authentication
>
> Username:
> Error: The username times out.
> Username:
> Error: The username times out.
> Username:
> Error: The username times out.
>
>
There may be something wrong with this particular Telnet server and its
handling of input and/or its handling of the received username. When
connecting via Telnet with provided credentials, Guacamole will:

1) Send the username via the standard mechanism for this provided by Telnet
(the "USER" environment variable, set via "NEW-ENVIRON"). If the Telnet
server supports this, the username regex will be ignored as unnecessary.
   a) If the Telnet server doesn't support this, wait for the username
prompt to appear by searching for the username regex.
   b) Once a string matching the username regex appears, send the username
and one newline.
2) Wait for the password prompt to appear by searching for the password
regex.
3) Once a string matching the password regex appears, send the password and
one newline.

Your example output shows at least three newlines, but Guacamole will not
send that many newlines on its own while doing this. It will send just one
after the username (if the Telnet server doesn't support the standard
mechanism for receiving the username) and one after the password, so
usually one and at most two.

What do you see in the guacd logs after enabling debug-level logging?

- Mike
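
The login sequence described in the reply above, as an added example that is not Guacamole's own code: a small driver walks constructed Telnet server output, waits for the username prompt (regex), writes the username plus exactly one newline, waits for the password prompt, writes the password plus one newline, and records everything it wrote. The function and option names are this example's own; the default regexes are the ones from the connect args quoted above. Run over a transcript shaped like the failing device, it shows the repeated "Username:" prompts cannot be explained by newlines from the client side.

```javascript
// Added example, not code from Guacamole: a driver for the Telnet login
// sequence (username prompt -> username + one newline -> password prompt ->
// password + one newline) run over constructed server output.

const DEFAULT_PROMPTS = {
  usernameRegex: /Username:/,   // same regexes as the connect args above
  passwordRegex: /Password:/,
};

/**
 * Feed server output chunks through the login state machine.
 *
 * @param {string[]} chunks  Server output in arrival order (constructed here).
 * @param {object} opts      { username, password, usernameRegex?, passwordRegex?,
 *                             serverSupportsNewEnviron? }
 * @returns {{ sent: string[], state: string }}
 *   sent  - each string written to the server, in order
 *   state - 'awaiting-username' | 'awaiting-password' | 'done'
 */
function driveTelnetLogin(chunks, opts) {
  const o = { ...DEFAULT_PROMPTS, ...opts };
  const sent = [];
  let buffer = '';

  // When the server accepted USER through NEW-ENVIRON the username regex is
  // unnecessary: skip straight to waiting for the password prompt.
  let state = o.serverSupportsNewEnviron ? 'awaiting-password' : 'awaiting-username';

  for (const chunk of chunks) {
    if (state === 'done') break;
    buffer += chunk;

    if (state === 'awaiting-username' && o.usernameRegex.test(buffer)) {
      sent.push(o.username + '\n');   // the one newline after the username
      buffer = '';
      state = 'awaiting-password';
    } else if (state === 'awaiting-password' && o.passwordRegex.test(buffer)) {
      sent.push(o.password + '\n');   // the one newline after the password
      buffer = '';
      state = 'done';
    }
  }

  return { sent, state };
}

/** Number of newline characters the driver wrote: at most two by construction. */
function sentNewlines(result) {
  return result.sent.join('').split('\n').length - 1;
}

// Constructed transcript shaped like the failing device above: the server
// keeps re-prompting for the username, which the driver answers only once.
const FAILING_DEVICE_OUTPUT = [
  'Warning: Telnet is not a secure protocol, and it is recommended to use Stelnet.\r\n',
  'Login authentication\r\n\r\nUsername:',
  'Error: The username times out.\r\nUsername:',
  'Error: The username times out.\r\nUsername:',
];

const failingResult = driveTelnetLogin(FAILING_DEVICE_OUTPUT, { username: 'admin', password: 'example' });
console.log(failingResult.state, 'newlines sent:', sentNewlines(failingResult));
```

Against the constructed transcript the driver ends in `awaiting-password` having written a single newline; a server that then says the username timed out has not received, or not processed, the input it was sent.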


Re: [URL Verdict: Neutral][Non-DoD Source] Re: Guacamole on Docker Failed Login for guacadmin

2022-10-31 Thread Michael Jumper
On Mon, Oct 31, 2022 at 11:46 AM Tourville, Jeremy A CTR USARMY DEVCOM AVMC
(USA)  wrote:

> This isn't my own custom image per se.  The image URL is from Iron Bank.
>  https://ironbank.dso.mil/about
>
> “The Iron Bank is the DoD repository of digitally signed, binary container
> images that have been hardened and accredited for DoD-wide use across
> classifications. All containers provide a variety of information such as
> their build and approval date, approval status, scan results, and more. The
> goal is to provide a place where DoD programs can find and utilize
> cutting-edge software and tools for their programs! Prior to creating a new
> container image, DoD programs can now check to see if the software they
> want to use is already containerized and exists in the Iron Bank for their
> use. If no container image exists, requests can be made with the Iron Bank
> onboarding team to add the container to our list. All containers must be
> sponsored by a DoD program or directly by a vendor.”
>
>
>
> The Iron Bank Image is derived from the Guacamole image.  They take the
> image and rebase it.  They also try to harden all images for security.
>

You'll definitely need to reach out to your vendor with respect to their
image. We can't help with a third-party image (but can if you retry with
the image we provide). If your vendor isn't sure what's going on, feel free
to direct them to this list and perhaps we can help them.

> That being said, I will take a look at the location you referenced.  I had
> seen other forums mention that path and some seemed to indicate it was a
> false positive.
>

It indicates at least that the image deviates from the image we
provide, and it directly affects whether Guacamole can find its
configuration files. If the log messages state that GUACAMOLE_HOME is
"/etc/guacamole", but that's not where guacamole.properties is, then things
will definitely not work. Here's what things normally look like:

21:47:20.082 [localhost-startStop-1] INFO
 o.a.g.environment.LocalEnvironment - GUACAMOLE_HOME is
"/home/guacamole/.guacamole".
21:47:20.242 [localhost-startStop-1] INFO
 o.a.g.GuacamoleServletContextListener - Read configuration parameters from
"/home/guacamole/.guacamole/guacamole.properties".

Reading from /etc/guacamole instead is fine, but if your image can't find
its guacamole.properties at all, then your vendor has broken something in
their image.

- Mike


Re: Set sftp path in ssh connections

2022-11-04 Thread Michael Jumper
On Fri, Nov 4, 2022 at 5:40 AM Jorge Lopez
 wrote:

> Hi,
>
> I'm using my own development of guacamole server through a django project
> and I would like to specify an sftp path for drag and drop file uploads. I
> tried with sftp-root-directory as specified in
> https://guacamole.apache.org/doc/gug/configuring-guacamole.html#ssh but I
> think it's just for the file browser, because if a user drops a file in the
> window the file is uploaded to the user's home directory, not at the path
> specified in sftp-root-directory, and, in some cases this path doesn't
> exist so the file is not uploaded or I can't find where the file is uploaded.
>

The "sftp-root-directory" parameter only affects the file browser. From the
documentation for that parameter:

"The directory to expose to connected users via Guacamole’s file browser.
If omitted, the root directory will be used by default."


Uploads that are just dragged into the browser window will go to whichever
path the SFTP server considers the default, typically the user's home
directory.

> As I see in guacd container logs, there is no error and sftp is connected
> successfully. With RDP connections 'drive_path' option is working as
> expected, but not for ssh. I also tried adding the absolute path to the
> filename once I created the FileStream in my .js client implementation:
>
> filename = `/tmp/test/$(unknown)`
>
> let stream = guac.createFileStream(mimetype, filename);
>
> But as I see in guacd logs, it's raising an error
>
> Filename "/tmp/test/test.docx" is invalid or resulting path is too long
>
>
The filename of a file stream is just the filename of the destination file,
not the destination path. The attempt to upload is being rejected because
of the inclusion of path separators in that filename. To upload to a
specific path, you'll need to use the same mechanism as the file browser,
leveraging the filesystem object received at the beginning of the
connection and then createOutputStream() of that filesystem object instead
of the client-level createFileStream(). For example:

// After setting a handler for guac.onfilesystem so we have a reference to
// any received filesystem ...
let stream = filesystem.createOutputStream('application/octet-stream',
    '/tmp/test/test.docx');


Unlike the file stream, the filesystem object has defined behavior for path
separators in stream names and will handle those as directories.

- Mike


Re: Guacamole & special characters issue

2022-11-11 Thread Michael Jumper
On Fri, Nov 11, 2022, 6:25 AM Yves Auffret  wrote:

> Hi all,
>
> I'm using Guacamole 1.4.0 (VNC Protocol) on Debian 10 with LXDE.
>
> Everything works perfectly, except for a few special characters on the
> keyboard: | (pipe symbol) and {} (brackets).
>
> The result is the same regardless of the browser: Chrome (Windows or
> macOS), Firefox (Windows or macOS) or Safari (macOS).
>
> I have read and tried this without success
> https://guacamole.apache.org/faq/#keyboard-shortcuts
>
> What would be the best way to remap or rebind these keys to be compatible
> with a browser on Windows and macOS?
>

You shouldn't need to.

What VNC server are you using? What happens when you attempt to type these
characters?

- Mike


Re: Guacamole & special characters issue

2022-11-11 Thread Michael Jumper
On the client system, are you having to press Ctrl+Alt to emulate AltGr? Or
do you have a dedicated AltGr key?

The VNC server is supposed to automatically press/release modifier keys as
necessary to type the intended symbol. It sounds like the VNC server is not
doing that quite right, though this is the first I've heard of such issues
with TigerVNC.

- Mike

On Fri, Nov 11, 2022, 9:40 AM Yves Auffret  wrote:

> Hi Mike,
>
> I'm using tigervnc-standalone-server.
>
> The behavior is really weird.
>
> I use a PC French keyboard which has a key that combines the "6", the "-"
> (minus) and the "|" (pipe).
>
> For example, if I use Eclipse as a text editor. When I want to get the
> symbol "|" (pipe) with the combination "Alt Gr" and "6", Eclipse interprets
> this as if I had typed "Ctrl" and "-" because I get a zoom out.
>
> But if I enter several characters such as "blablabla...   " *before* "Alt
> Gr" and "6", I get the right symbol "|" (pipe) !!! 🙃
>
> This is the same behavior with the brackets "{" and "}"
>
> Le ven. 11 nov. 2022 à 17:22, Michael Jumper  a
> écrit :
>
>> On Fri, Nov 11, 2022, 6:25 AM Yves Auffret  wrote:
>>
>>> Hi all,
>>>
>>> I'm using Guacamole 1.4.0 (VNC Protocol) on Debian 10 with LXDE.
>>>
>>> Everything works perfectly, except for a few special characters on the
>>> keyboard: | (pipe symbol) and {} (brackets).
>>>
>>> The result is the same regardless of the browser: Chrome (Windows or
>>> macOS), Firefox (Windows or macOS) or Safari (macOS).
>>>
>>> I have read and tried this without success
>>> https://guacamole.apache.org/faq/#keyboard-shortcuts
>>>
>>> What would be the best way to remap or rebind these keys to be
>>> compatible with a browser on Windows and macOS?
>>>
>>
>> You shouldn't need to.
>>
>> What VNC server are you using? What happens when you attempt to type
>> these characters?
>>
>> - Mike
>>
>>


Re: Guacamole & special characters issue

2022-11-11 Thread Michael Jumper
On Fri, Nov 11, 2022, 10:33 AM Yves Auffret  wrote:

> I have a dedicated AltGr key.
>
> I've done more tests, when I switch by software the keyboard language on
> my Windows PC client it works properly (except that the keys are misplaced).
>

It's the client machine that dictates the identity of keys pressed, whereas
the VNC server is required to make any adjustments necessary to cause those
same keys to be pressed within the remote desktop.

If you are manually changing the keyboard layout within the VNC session,
that might be defeating the VNC server's ability to make those adjustments.

> It seems that this issue is related to the french keyboard language.
>

There should not be any issues with using any keyboard on the client side:

https://guacamole.apache.org/faq/#does-guacamole-support-my-keyboard-layout

You can confirm Guacamole's keyboard handling here:

https://guacamole.apache.org/pub/tests/guac/keyboard-test.html

- Mike


Re: Guacamole & special characters issue

2022-11-11 Thread Michael Jumper
On Fri, Nov 11, 2022 at 12:51 PM Yves Auffret  wrote:

> You can confirm Guacamole's keyboard handling here:
>
> https://guacamole.apache.org/pub/tests/guac/keyboard-test.html
>
>
> Yes, pipe symbol « | » and curly brackets «{}» are working properly with
> this keyboard test.
>
> Do you have any leads to check ?
>

Did you make any changes to the keyboard configuration of the remote
desktop itself? Perhaps something is causing a mismatch between the
configuration of the environment and TigerVNC's expectations?

- Mike


Re: Guacamole & special characters issue

2022-11-12 Thread Michael Jumper
On Sat, Nov 12, 2022, 5:26 AM Yves Auffret  wrote:

> Hello Mike,
>
> I didn't modify anything for the keyboard in LXDE, I just tested in boot
> start "setxkbmap fr" or "setxkbmap us" or without specifying anything, it's
> the same behavior.
>
> I tested with TightVNC instead of TigerVNC but I get the same behavior.
>
> I came back to TigerVNC and did another interesting test.
>
> By opening a web browser (Chromium) on my remote LXDE desktop via
> Guacamole and going to the site
> https://guacamole.apache.org/pub/tests/guac/keyboard-test.html
>
> All the special characters I type are well recognized by the keyboard-test
> website!
>
> However, it still does not work with a text editor or any other program
> with LXDE.
>
> Is there a filter somewhere?
>
> I don't know what to think…
>

Perhaps the keybindings within LXDE have somehow been automatically weirdly
configured? I recall a similar issue with Gnome or MATE where all windows
would minimize when typing "D", and the cause was that MATE had somehow
configured itself to bind just "D" to "Show desktop" (rather than
Ctrl+Alt+D).

- Mike


Re: Guacamole & special characters issue

2022-11-12 Thread Michael Jumper
On Sat, Nov 12, 2022 at 12:22 PM Yves Auffret  wrote:

> At the moment, I don't know where the bug is.
>
> Sometimes it works, but most of the time it doesn't.
>
> Most often it works when I type several characters before the pipe symbol
> or the curly brackets.
>
> When it doesn't work, I have to release all the keys, wait a bit and try
> again, and sometimes by some miracle it works.
>
> It's like LXDE (or Guacamole) can't quite figure out the key combination.
>

Try installing the "xev" tool (which logs X11 events, including
keypresses), run it within a terminal in the VNC session, and see what is
reported when keys are behaving as expected vs. not.

If you're seeing correct behavior in the keyboard tester at
https://guacamole.apache.org/pub/tests/guac/keyboard-test.html, then it's
unlikely that there's an issue with Guacamole's keyboard handling. The
keysyms that you see there would be passed exactly as-is to the VNC server.
Something as fundamental as the ability to type "{}" or "|" on a French
keyboard would also likely have been noticed:

https://guacamole.apache.org/faq/#probably-not-a-bug

It's not impossible that there is some modifier state getting stuck through
some difficult-to-replicate sequence of events, but the fact that you're
seeing incorrect behavior immediately suggests that is not the case. There
is also next to zero additional key event processing in the case of VNC -
unlike RDP, we can just send the events straight through untouched.

> How is the combination of CTRL+ALT+SHIFT handled in Guacamole, doesn't this
> event handle side effects?
>

The keys Ctrl, Alt, and Shift are sent immediately upon being pressed. For
Ctrl+Alt+Shift, when the third key in that sequence is pressed, Guacamole
withholds *that* event and automatically sends release events for the two
that were pressed. For example:

1. Press Ctrl (Guacamole sends press event for Ctrl)
2. Press Alt (Guacamole sends press event for Alt)
3. Press Shift (Guacamole sends release events for Ctrl and Alt, and opens
the menu)

or:

1. Press Shift (Guacamole sends press event for Shift)
2. Press Ctrl (Guacamole sends press event for Ctrl)
3. Press Alt (Guacamole sends release events for Shift and Ctrl, and opens
the menu)

etc.

Guacamole will also automatically release ALL keys that it knows you have
pressed once the browser window loses focus (since Guacamole will no longer
be able to know whether you have released those keys).

- Mike
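
The modifier handling described in the reply above, as an added example that is a minimal model written for this page and not guacamole-common-js code. Presses and releases of Ctrl, Alt and Shift are forwarded as they happen; when the third of those three goes down, that press is withheld, release events are emitted for the two already held and the menu is opened; losing window focus releases every key the model believes is held. The keysym constants are the X11 values; the class `ModifierTracker` and its event format are this example's own.

```javascript
// Added example, not guacamole-common-js code: a model of the Ctrl+Alt+Shift
// menu shortcut and of the release-all-on-blur behaviour described above.

const XK_Shift_L = 0xffe1;
const XK_Control_L = 0xffe3;
const XK_Alt_L = 0xffe9;
const XK_d = 0x64;
const MENU_MODIFIERS = new Set([XK_Shift_L, XK_Control_L, XK_Alt_L]);

class ModifierTracker {
  constructor() {
    this.pressed = new Set();  // keysyms believed to be held on the remote side
    this.events = [];          // key events "sent" to the remote desktop
    this.menuOpened = 0;       // how many times the menu shortcut fired
  }

  send(type, keysym) {
    this.events.push(`${type}:${keysym.toString(16)}`);
  }

  press(keysym) {
    if (this.pressed.has(keysym)) return;  // browser auto-repeat: ignore
    if (MENU_MODIFIERS.has(keysym)) {
      const held = [...this.pressed].filter(k => MENU_MODIFIERS.has(k));
      if (held.length === 2) {
        // Third menu modifier: withhold this press and release the other two
        // so the remote desktop never sees the full Ctrl+Alt+Shift chord.
        for (const k of held) this.release(k);
        this.menuOpened += 1;
        return;
      }
    }
    this.pressed.add(keysym);
    this.send('press', keysym);
  }

  release(keysym) {
    // A withheld press was never recorded, so its release is a no-op.
    if (!this.pressed.delete(keysym)) return;
    this.send('release', keysym);
  }

  // Window lost focus: the browser can no longer observe releases, so release
  // everything still believed to be held.
  blur() {
    for (const k of [...this.pressed]) this.release(k);
  }
}

// Constructed walk-through of the first sequence in the reply above.
const demo = new ModifierTracker();
demo.press(XK_Control_L);
demo.press(XK_Alt_L);
demo.press(XK_Shift_L);
console.log(demo.events, 'menu opened:', demo.menuOpened);
```

Because the withheld press is never recorded as held, the later physical release of that key produces no stray release event, and after `blur()` the held set is empty, which is what prevents a modifier from staying stuck on the remote side when focus is lost.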


Re: Issue with users in behind ZScaler

2022-11-13 Thread Michael Jumper
On Sun, Nov 13, 2022, 6:33 PM Lockhart, Roland 
wrote:

> Hi
>
>
>
> This is a follow on from the previous email
>
>
>
> Our Guacamole logs are recording two public addresses for these users that
> experience intermittent disconnections.
>
>
>
> One address is their Businesses external egress address and the other one
> the Zscaler network.
>
>
>
> Could this be making their connection reliability lower for the Guac
> sessions?
>

Sure. It's not impossible that their corporate network is interfering. If
they have no issue outside that network, that would be pretty conclusive.

- Mike


Re: Re: State of Audio Input ?

2022-11-14 Thread Michael Jumper
On Sun, Nov 13, 2022, 2:46 PM Leslie Mann  wrote:

> Hi Nick:
>
> I've done a bit more testing with browsers and it turns out that audio
> with Firefox is working as expected!  I thought I had tried Firefox
> previously but I've been mostly 100% using Chrome due to the clipboard
> integration.  I'm seeing the same behaviour on Windows, Firefox audio
> works but Chrome (and Edge) does not.  No prompt to use the microphone
> and no audio in being seen.
>
> Any thoughts on what might be causing this?
>

Do you see any errors/warnings in the JavaScript console when you try to
use the connection?

- Mike


Re: Re: State of Audio Input ?

2022-11-14 Thread Michael Jumper
On Mon, Nov 14, 2022, 7:09 PM Leslie Mann  wrote:

> I see a number of 'Feature-Policy' unrecognized feature errors and a
> 'AudioContext was not allowed to start' error.
>
> Here is the console log:
>
> Error with Feature-Policy header: Unrecognized feature: 
> 'ambient-light-sensor'.
>
>
This is interesting and not a header that Guacamole sets...

Do you have a reverse proxy in place adding this header? What value is it
setting? Any other headers added by that proxy?


> all.min.js:3 The AudioContext was not allowed to start. It must be resumed 
> (or created) after a user gesture on the page. https://goo.gl/7K7WLu
>
> getAudioContext @ all.min.js:3
>
> Guacamole.RawAudioPlayer.getSupportedTypes @ all.min.js:8
>
>
You can ignore this. This is Guacamole trying to get access to audio
output. The browser will block some of these attempts, particularly Chrome.
It'll keep trying and eventually succeed. In Chrome, that'll typically
happen after some user interaction with the page.

This probably has no bearing on audio input.

- Mike


Re: Post-login redirections ?

2022-11-15 Thread Michael Jumper
On Tue, Nov 15, 2022, 9:26 AM Alexandre Cariage  wrote:

> Hi again,
>
> I'm looking for a way to make Guacamole send the user to a specific
> Connection after login.
> With a specific login URL, e.g., or any other method.
>
> The idea being to skip the Home menu, and the need to choose a
> Connection. I know it's the way it works when a single Connection is
> associated to a user; here it would work as a way of pre-choosing one, even
> when a user has various possible connections.
>

You can directly link to the connection so that they are on that connection
once logged in. The URL for a connection is deterministic and based on
connection type and unique identifier.

Otherwise, no, if a user has access to multiple connections, they will be
presented with those multiple connections. They will also be able to
navigate to the home screen or switch connections from whatever their
current connection is.

- Mike


Re: Config host in LDAP / No historical informations

2022-11-15 Thread Michael Jumper
On Tue, Nov 15, 2022, 2:36 AM Philippe CAMELIO 
wrote:

> Hi guys
>
>
>
> I  deployed a Guacamole 1.4.0 (docker stack) to use Active Directory for
> both users and hosts configurations.
>
> It is working fine but connection log information is not available
> (Historical).
>
>
>
> If I create a local connection, connection logs for this host using an AD
> account are OK. Is this behaviour normal /expected ?
>

Yes - the database currently only logs the history of connections it
maintains. This has changed recently via
https://issues.apache.org/jira/browse/GUACAMOLE-1616 .

- Mike


Re: Is it possible to change the cursor color for a ssh connection?

2022-11-15 Thread Michael Jumper
On Tue, Nov 15, 2022, 5:00 PM Dana Shaw  wrote:

> Is it possible to change the cursor color in a ssh connection?
>
> I'm able to change the foreground/background color without issue.
>
> Currently extending GuacamoleHTTPTunnelServlet to create a tunnel to guacd
> for ssh.


No, the text cursor in the terminal emulator is just the inverse
(foreground/background swapped) of whatever is beneath the cursor.

- Mike


Re: Shared folder issue on Windows 10 pro OS

2022-11-16 Thread Michael Jumper
On Wed, Nov 16, 2022, 7:18 AM Anburaj Palraj  wrote:

> Hi Nick,
>
> Could see the below error logs in the messages file.
>
>
> [image: image.png]
>

This is an error being reported by Windows to guacd. Check your GPOs and
whether there are any corresponding events in the Windows event log.

- Mike


Re: [EXTERNAL] RE: OpenSSH-format private keys / Ed25519

2022-11-23 Thread Michael Jumper
On Tue, Nov 22, 2022, 11:53 PM Jorge Lopez
 wrote:

> But we want to avoid doing this (downgrade ssh) on new servers. If new
> servers don't accept this protocol it's for security reasons and we have a
> lot of new servers that we are unable to connect to for this reason.
>
> Is there an option like this, not in the whole servers but on guacd side:
>
> “You could add the following lines to your ~/.ssh/config and/or sshd_config
>

You can install and build the current "staging/1.5.0" branch from
Guacamole's git against a newer libssh2. You may need to build libssh2 from
source if your distro does not offer a new enough version, and you may need
to build from git (see below).

This aspect of behavior is actually dictated by the underlying SSH library,
not Guacamole itself. The only changes on the Guacamole side with respect
to improving key handling were:

* Migrate to recent libssh2's built-in support for reading private keys
from memory (we previously had to do this manually), which supports
OpenSSH's new key format.

* Rearchitect the Docker image build to build libssh2 (and all other
protocol libraries) from their latest release source, so that users don't
need to rely on their distro releasing updated packages.

The issue with recent OpenSSH deprecating and disabling ssh-rsa was noted
here:

https://github.com/libssh2/libssh2/issues/634

I'm not sure whether libssh2 has cut a release with this support. Using an
elliptic curve key could work with the latest libssh2 and "staging/1.5.0"
guac. Using a build of libssh2 from git with "staging/1.5.0" guac should
work with RSA keys and recent OpenSSH, too.

> As I asked in the previous mail, is this expected to be fixed in the v1.5 guacd
> release, and when is the release expected?
>

Everyone's been pretty busy lately. It should be out this year. Beyond
that, it's difficult to make a more accurate guess.

Please definitely feel free to build the latest from git and give that some
solid testing. The more testing the merrier, and it should also happily
solve your immediate issue.

- Mike


Re: SAML authentication working, but UX experience is not ideal

2022-11-24 Thread Michael Jumper
On Thu, Nov 24, 2022, 9:08 AM Timothy Dilbert 
wrote:

> We use SAML to authenticate into Guacamole. For the most part, it has been
> working flawlessly, and we have no complaints, except for one thing... it
> is difficult to recognise our users.
>
> When a user signs in for the first time, they get what appears to be a
> random username (e.g. uuidb964e028-b2e0--a725-XX834988ceXX).
>

This is because of how your SAML IdP is configured, not Guacamole. You need
to configure your IdP to send across the username, email, or similar as the
name ID.

- Mike


Re: SAML authentication working, but UX experience is not ideal

2022-11-24 Thread Michael Jumper
On Thu, Nov 24, 2022, 10:27 AM Timothy Dilbert  wrote:

> Hi Michael,
>
> I've checked everything I can within the IdP.
>

Which IdP are you using?


>- I'm already sending the email address as the Name ID.
>
Perhaps so, but your IdP appears to not be honoring that setting, and is
instead sending a UUID-like value. If it were sending the email address as
the name ID, then that's what you'd see in Guacamole.

>
>- I've even tried selecting "Send all known attributes" but I am
>getting the following error in Tomcat:
>```
>Unexpected internal error: Duplicate key SAML_GIVEN_NAME
>```
>
It seems your IdP is now sending an invalid SAML assertion...

> It's just not clear what I should do next to troubleshoot further.
>

Try using a SAML tracing extension for your browser so you can see the
assertion. That might reveal what your IdP is doing wrong, though the fact
that it's sending duplicate keys and failing to honor your name ID settings
is troubling.

Once you have obtained the SAML assertion and can see where it differs vs.
the way you have configured your IdP, you may need to reach out to your
IdP's support to correct things.

> I feel like I'm missing documentation that tells me what attributes to send
> and their names.
>
> Also, could setting `sqlserver-auto-create-accounts` to TRUE be the reason
> the uuid accounts are being created?
>

No. The only reason there would be UUIDs anywhere for usernames is if that
is what the IdP is sending. Guacamole does not generate usernames on its
own; it simply uses the value received verbatim.

- Mike


Re: SAML authentication working, but UX experience is not ideal

2022-11-24 Thread Michael Jumper
On Thu, Nov 24, 2022, 10:47 AM Timothy Dilbert  wrote:

> We're using IBM Security Verify.
>

You need to configure your IdP to send the NameID in your desired format:
https://www.ibm.com/docs/en/security-verify?topic=provider-configuring-saml-subject-mapping-attributes

If you have already done this but the IdP is still sending its own UUIDs
instead, you'll need to reach out to your IdP for assistance. There really
isn't anything on the Guacamole side to be done here.

The SAML standard dictates identity with NameIDs. Guacamole will honor
whatever value your SAML IdP says is your identity (NameID). Your IdP is
currently sending a UUID, but appears to have options to change this
behavior.

> Shouldn't there be a list of attribute names in the Guacamole documentation
> that the SAML IdP should be sending over? Do you have a list of attribute
> names I should be sending?
>

No, SAML is a standard that already dictates this. Your identity is
determined by the NameID. If your identity is not coming through as
expected, you need to configure your IdP to send what you expect for the
NameID.

- Mike
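
The inspection the replies above recommend (capture the assertion, then compare the NameID and attributes the IdP actually sends against how the IdP is configured), as an added example that is not Guacamole's own code. It base64-decodes the value of the SAMLResponse POST field and reports the NameID (value and Format) plus the attribute names, flagging any attribute name that appears more than once, which is the shape of assertion that would produce a "Duplicate key" failure like the one quoted above. The sample responses are constructed; the regex extraction is deliberately narrow and is not a general XML parser; `inspectSamlResponse` and `encodeSamlResponse` are this example's own names.

```javascript
// Added example, not code from Guacamole: summarise the identity-relevant
// parts of a SAMLResponse so NameID and attribute problems are visible.

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Constructed response shaped like the problem described above: a persistent
// UUID as NameID and a duplicated attribute name.
const SAMPLE_RESPONSE_XML = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
        b964e028-b2e0-4c1f-a725-000000000000
      </saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="SAML_GIVEN_NAME"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="SAML_GIVEN_NAME"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>`;

/** Encode XML the way it travels in the SAMLResponse POST field. */
function encodeSamlResponse(xml) {
  return Buffer.from(xml, 'utf8').toString('base64');
}

/**
 * Decode a SAMLResponse value and summarise who the IdP says the user is.
 * @returns {{ nameId: string|null, nameIdFormat: string|null,
 *             nameIdLooksLikeUuid: boolean, attributeNames: string[],
 *             duplicateAttributes: string[] }}
 */
function inspectSamlResponse(samlResponseB64) {
  const xml = Buffer.from(samlResponseB64, 'base64').toString('utf8');

  // NameID element with optional namespace prefix; the value is its text.
  const nameIdMatch = xml.match(/<(?:\w+:)?NameID\b([^>]*)>([^<]*)<\/(?:\w+:)?NameID>/);
  const nameId = nameIdMatch ? nameIdMatch[2].trim() : null;
  const formatMatch = nameIdMatch ? nameIdMatch[1].match(/\bFormat="([^"]*)"/) : null;
  const nameIdFormat = formatMatch ? formatMatch[1] : null;

  // Every <Attribute Name="..."> in document order. \bName= does not match
  // NameFormat= or FriendlyName=, and Attribute\b skips AttributeStatement.
  const attributeNames = [];
  const attrRe = /<(?:\w+:)?Attribute\b[^>]*?\bName="([^"]*)"/g;
  let m;
  while ((m = attrRe.exec(xml)) !== null) attributeNames.push(m[1]);

  const seen = new Set();
  const duplicates = [];
  for (const name of attributeNames) {
    if (seen.has(name) && !duplicates.includes(name)) duplicates.push(name);
    seen.add(name);
  }

  return {
    nameId,
    nameIdFormat,
    nameIdLooksLikeUuid: nameId !== null && UUID_RE.test(nameId),
    attributeNames,
    duplicateAttributes: duplicates,
  };
}

console.log(inspectSamlResponse(encodeSamlResponse(SAMPLE_RESPONSE_XML)));
```

Feed it the SAMLResponse value captured by a tracing extension and compare `nameId` with the identity you configured the IdP to send; a UUID where an e-mail address was expected, or a non-empty `duplicateAttributes`, points at the IdP side rather than at Guacamole, which uses the NameID verbatim.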


Re: Guacd connects to debian ssh but not Mac ssh?

2022-12-02 Thread Michael Jumper
On Fri, Dec 2, 2022, 6:03 AM Doug Baggett  wrote:

> Hello to fellow guacamole users!
>
> I have my guacamole server set up successfully and it connects to a ssh
> server on debian, but using the exact same settings it will not connect to
> my Mac (via ssh) and guacd logs say:
> ---
> Dec  2 08:46:11 debian guacd[370606]: Error parsing given address or port:
> Name or service not known
> Dec  2 08:46:11 debian guacd[370606]: guacd[370606]: ERROR:#011Error
> parsing given address or port: Name or service not known
> ---
>
> I'm using a straight IP address. I'm scratching my head on this.
>
> Any assistance would be appreciated!
>

Did some spaces sneak into the address?

- Mike


Re: Additional field (select options) on login screen?

2022-12-05 Thread Michael Jumper
On Mon, Dec 5, 2022, 9:26 AM Joachim Lindenberg 
wrote:

> Hello,
>
> I'd like to add an additional field to the login screen. The field should
> be a select option (at least that is the html I would use, regardless of
> how it is generated) and ideally the field can be prepopulated via the url
> (subject to available options).
>
To what end?

> I assume something like this can be done via an authentication extension
> and I already have one, but so far it does not add the additional field,
> nor is clear to me, how to make any additional UI element depend on
> configuration or backend information.
>
What does your auth extension currently do?

- Mike


Re: Additional field (select options) on login screen?

2022-12-05 Thread Michael Jumper
You can accept arbitrary credentials as a part of the auth process. The
content of the login screen is determined by the credentials requested by
the GuacamoleInvalidCredentialsException thrown, so you would just include
username, password, and the desired select field in the set of fields:

https://guacamole.apache.org/doc/guacamole-ext/org/apache/guacamole/net/auth/credentials/GuacamoleInvalidCredentialsException.html

A select field is represented by an EnumField:

https://guacamole.apache.org/doc/guacamole-ext/org/apache/guacamole/form/EnumField.html

- Mike

On Mon, Dec 5, 2022, 9:42 AM Joachim Lindenberg 
wrote:

> Hello Mike,
>
> my current auth extension calls to my backup software (which also manages
> virtual machines created from backups), authenticates the user, and creates
> a list of configurations (existing vms or to-be-created-vms) for the user
> to pick from. As I am in fact running multiple backup servers, I want to
> allow the users to choose the server to use from a list that could be
> stored in guacamole.properties or similar.
>
> Thanks,
>
> Joachim
>
>
>
> *Von:* Michael Jumper 
> *Gesendet:* Montag, 5. Dezember 2022 18:28
> *An:* user@guacamole.apache.org
> *Betreff:* Re: Additional field (select options) on login screen?
>
>
>
> On Mon, Dec 5, 2022, 9:26 AM Joachim Lindenberg 
> wrote:
>
> Hello,
>
> I'd like to add an additional field to the login screen. The field should
> be a select option (at least that is the html I would use, regardless of
> how it is generated) and ideally the field can be prepopulated via the url
> (subject to available options).
>
> To what end?
>
> I assume something like this can be done via an authentication extension
> and I already have one, but so far it does not add the additional field,
> nor is clear to me, how to make any additional UI element depend on
> configuration or backend information.
>
> What does your auth extension currently do?
>
>
>
> - Mike
>
>
>


Re: Additional field (select options) on login screen?

2022-12-05 Thread Michael Jumper
On Mon, Dec 5, 2022 at 3:01 PM Joachim Lindenberg 
wrote:

> Hello Mike,
>
>
>
> I modified my code to show an additional field using that exception, however
> the result is not exactly what I was looking for.
>
> With code like…
>
>
>
>   static final String backupserver = "backup-server-to-connect-to";
>   private static Field BACKUPSERVER = null;
>   private static CredentialsInfo SERVER_USERNAME_PASSWORD = null;
>
>   …
>
>   if (BACKUPSERVER == null)
>       BACKUPSERVER = new EnumField(backupserver, getBackupServerCollection());
>
>   if (SERVER_USERNAME_PASSWORD == null)
>       SERVER_USERNAME_PASSWORD = new CredentialsInfo(Arrays.asList(
>           BACKUPSERVER,
>           CredentialsInfo.USERNAME,
>           CredentialsInfo.PASSWORD
>       ));
>
>   throw new GuacamoleInsufficientCredentialsException("server, user & password required", SERVER_USERNAME_PASSWORD);
>
>
>
> … I get a drop down with the content
> LOGIN.FIELD_OPTION_BACKUP_SERVER_TO_CONNECT_TO_BACKUP2_LINDENBERG_ONE in
> the UI.
>
> Looks like the client application takes my field name and values,
> concatenates them, and probably also tries to translate them, whereas I
> want to use the Values in EnumField as provided. How can I achieve that?
>

You cannot do this with EnumField. All of the standard field types included
with Guacamole that allow you to specify possible values will expect
translation strings for each of those possible values. You would have to
define your own custom field type if you cannot provide translation strings
for the possible values ahead of time.

Is there some other UI element more appropriate?
>
>
>
> Also while the exception provides an easy way to define fields, the
> Credentials type does not reflect that. I figured out I have to use
> something like
>
> credentials.getRequest().getParameter(*backupserver*))
>
> correct?
>

Yes, convenience functions are provided only for username and password. You
need to use the generic getParameter() for anything more specialized.

- Mike


Re: Shared connection input passthrough

2022-12-05 Thread Michael Jumper
I think you'd be better off writing an extension that decorates the
Connection objects returned by other extensions:

https://guacamole.apache.org/doc/guacamole-ext/org/apache/guacamole/net/auth/AbstractAuthenticationProvider.html#decorate(org.apache.guacamole.net.auth.UserContext,org.apache.guacamole.net.auth.AuthenticatedUser,org.apache.guacamole.net.auth.Credentials)

After decorating the UserContext of another extension, you can further
decorate the Directory returned by getConnectionDirectory().
The DecoratingDirectory class is intended to make this easier:

https://guacamole.apache.org/doc/guacamole-ext/org/apache/guacamole/net/auth/DecoratingDirectory.html

You can then decorate (wrap) any Connection returned by that Directory with
your own implementation that does whatever it likes. In this case, you'd
wrap the GuacamoleTunnel returned by connect() and inspect the instructions
received. The FilteredGuacamoleSocket class would be the best candidate for
that kind of checking:

https://guacamole.apache.org/doc/guacamole-common/org/apache/guacamole/protocol/FilteredGuacamoleSocket.html

That class lets you provide filters that can inspect, drop, or override
instructions that are sent or received.

- Mike

On Fri, Dec 2, 2022 at 1:35 AM Dejan Milovanovic <
dejan.milovano...@mylivezone.com> wrote:

> Hi Nick,
>
> thank you for the response.
>
> I did manage to record guac protocol to a file, but that removes the
> "real-time" factor of the analysis.
>
> You've mentioned recording guacd protocol to socket, I haven't seen an
> example of that online. What would I have to do to achieve this?
> Do I need to make some changes to guacd code, or is there some
> configuration magic that I don't know of?
>
> Kind regards,
> Dejan
> --
> *From:* Nick Couchman 
> *Sent:* 01 December 2022 19:32
> *To:* user@guacamole.apache.org 
> *Subject:* Re: Shared connection input passthrough
>
> On Thu, Dec 1, 2022 at 4:52 AM Dejan Milovanovic
>  wrote:
> >
> > Hi all,
> >
> > I'm using guacamole to provide users with access to remote windows
> machines, and I'm trying to analyse user's actions on these machines in
> real-time.
> >
> > What I tried to do is generate shared connection and listen for
> guacamole protocol messages on that shared connection. This works great,
> but the issue I have with this approach is that keyboard and mouse actions
> are not transmitted on the shared connection socket.
> >
> > Is there a way to have these missing messages in the shared connection ?
> > Or is there another way of observing users tunnel without disturbing
> their RDP session?
>
> No, I do not think what you're asking to do is going to work, because
> the input from a shared connection is not sent to all of the users, nor
> is there any particular way to enable that at the moment. The
> non-owner participants in a connection are usually only going to get
> the image data that is sent from guacd back to any joined connections.
>
> It is likely possible to implement what you're asking for - it's
> essentially what enabling recording does, which just writes the guac
> protocol data to a file. Have you considered trying to record to a
> file (or, perhaps, a socket) and then pointing your analysis tool at
> that, instead? Beyond that, you'd probably need some code changes to
> guacd to do what you're wanting to do.
>
> -Nick
>
> -
> To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
> For additional commands, e-mail: user-h...@guacamole.apache.org
>
>

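The decorate chain Mike describes above, written out as one extension. This is an added example, not code from the original post or from the Guacamole project: the package, class names and the "input-audit" identifier are assumptions, and logging stands in for whatever real-time analysis you hand the events to. Keyboard, mouse and clipboard instructions travel from the browser toward guacd, so they pass through the write filter of the FilteredGuacamoleSocket; the read filter is left null so guacd-to-browser traffic is untouched.

```java
package org.example.guac.inputaudit; // hypothetical package, not part of guacamole-client

import java.util.Map;

import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.net.GuacamoleSocket;
import org.apache.guacamole.net.GuacamoleTunnel;
import org.apache.guacamole.net.SimpleGuacamoleTunnel;
import org.apache.guacamole.net.auth.AbstractAuthenticationProvider;
import org.apache.guacamole.net.auth.AuthenticatedUser;
import org.apache.guacamole.net.auth.Connection;
import org.apache.guacamole.net.auth.Credentials;
import org.apache.guacamole.net.auth.DecoratingDirectory;
import org.apache.guacamole.net.auth.DelegatingConnection;
import org.apache.guacamole.net.auth.DelegatingUserContext;
import org.apache.guacamole.net.auth.Directory;
import org.apache.guacamole.net.auth.UserContext;
import org.apache.guacamole.protocol.FilteredGuacamoleSocket;
import org.apache.guacamole.protocol.GuacamoleClientInformation;
import org.apache.guacamole.protocol.GuacamoleFilter;
import org.apache.guacamole.protocol.GuacamoleInstruction;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Decorate-only extension: authenticateUser() keeps its default (null) and only decorate() is used. */
public class InputAuditAuthenticationProvider extends AbstractAuthenticationProvider {

    private static final Logger logger = LoggerFactory.getLogger(InputAuditAuthenticationProvider.class);

    @Override
    public String getIdentifier() {
        return "input-audit"; // assumed identifier
    }

    /** Filter applied to instructions written toward guacd, i.e. the user's input. */
    static class InputAuditFilter implements GuacamoleFilter {

        private final String username;

        InputAuditFilter(String username) {
            this.username = username;
        }

        @Override
        public GuacamoleInstruction filter(GuacamoleInstruction instruction) throws GuacamoleException {
            String opcode = instruction.getOpcode();
            if ("key".equals(opcode) || "mouse".equals(opcode) || "clipboard".equals(opcode)) {
                // "key" carries keysym and pressed flag; "mouse" carries x, y and button mask.
                // Hand the event to the real-time analysis here; logging stands in for that.
                logger.info("user={} opcode={} args={}", username, opcode, instruction.getArgs());
            }
            return instruction; // returning null would drop the instruction instead
        }
    }

    /** Connection whose tunnel writes pass through InputAuditFilter. */
    static class AuditedConnection extends DelegatingConnection {

        private final String username;

        AuditedConnection(Connection connection, String username) {
            super(connection);
            this.username = username;
        }

        Connection getDelegate() {
            return getDelegateConnection();
        }

        @Override
        public GuacamoleTunnel connect(GuacamoleClientInformation info, Map<String, String> tokens)
                throws GuacamoleException {
            GuacamoleTunnel tunnel = super.connect(info, tokens);
            // readFilter == null leaves guacd -> browser traffic untouched.
            GuacamoleSocket socket = new FilteredGuacamoleSocket(tunnel.getSocket(), null,
                    new InputAuditFilter(username));
            return new SimpleGuacamoleTunnel(socket);
        }
    }

    /** Wraps every Connection handed out by the underlying extension's directory. */
    static class AuditedDirectory extends DecoratingDirectory<Connection> {

        private final String username;

        AuditedDirectory(Directory<Connection> directory, String username) {
            super(directory);
            this.username = username;
        }

        @Override
        protected Connection decorate(Connection connection) {
            return new AuditedConnection(connection, username);
        }

        @Override
        protected Connection undecorate(Connection connection) {
            return ((AuditedConnection) connection).getDelegate();
        }
    }

    static class AuditedUserContext extends DelegatingUserContext {

        private final String username;

        AuditedUserContext(UserContext context, String username) {
            super(context);
            this.username = username;
        }

        @Override
        public Directory<Connection> getConnectionDirectory() throws GuacamoleException {
            return new AuditedDirectory(super.getConnectionDirectory(), username);
        }
    }

    @Override
    public UserContext decorate(UserContext context, AuthenticatedUser authenticatedUser,
            Credentials credentials) throws GuacamoleException {
        return new AuditedUserContext(context, authenticatedUser.getIdentifier());
    }
}
```

The filter runs inline on the thread that forwards each instruction to guacd, so anything heavier than a log line belongs on a queue consumed by a separate thread; blocking here stalls the user's session. Wrapping the socket in a new SimpleGuacamoleTunnel also gives the tunnel a fresh UUID, which is fine for the web client but matters if something else keyed on the original tunnel's UUID.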

Re: Guacd connects to debian ssh but not Mac ssh?

2022-12-05 Thread Michael Jumper
The error in question ("Error parsing given address or port") means pretty
much exactly what it says: Guacamole gave the OS the hostname/address and
port that it was provided for the connection, but the OS refused to resolve
that address and port, and instead returned an error. It usually means that
you mistyped the domain/address or accidentally included some
whitespace, or it could be a problem with DNS. The detail that follows that
error ("Name or service not known") is the exact error string given to us
by the OS when resolution failed.

- Mike


On Mon, Dec 5, 2022 at 5:34 AM Doug Baggett  wrote:

> It’s an interesting idea, though I don’t see how. I’ll try and collect
> more info. The error below does not give many breadcrumbs.
>
> On Fri, Dec 2, 2022 at 12:43 PM Michael Jumper  wrote:
>
>> On Fri, Dec 2, 2022, 6:03 AM Doug Baggett  wrote:
>>
>>> Hello to fellow guacamole users!
>>>
>>> I have my guacamole server set up successfully and it connects to a ssh
>>> server on debian, but using the exact same settings it will not connect to
>>> my Mac (via ssh) and guacd logs say:
>>> ---
>>> Dec  2 08:46:11 debian guacd[370606]: Error parsing given address or
>>> port: Name or service not known
>>> Dec  2 08:46:11 debian guacd[370606]: guacd[370606]: ERROR:#011Error
>>> parsing given address or port: Name or service not known
>>> ---
>>>
>>> I'm using a straight IP address. I'm scratching my head on this.
>>>
>>> Any assistance would be appreciated!
>>>
>>
>> Did some spaces sneak into the address?
>>
>> - Mike
>>
>>


Re: Guacamole over proxy

2022-12-05 Thread Michael Jumper
On Mon, Dec 5, 2022 at 5:35 PM Don Eugene Paul Viado
 wrote:

> Hi,
>
> If Guacamole is accessed from a transparent proxy environment, e.g. SSL
> inspection (About SSL Inspection | Zscaler),
> May I know what kind of information can be extracted or replayed?  Does
> guacamole support perfect forward secrecy on sessions?
> Is there possibility to see in clear the user sessions or worst access the
> guacamole without authentication?
> I assume that in such case it will be limited to the session that was
> captured and is not able to compromise the entire Guacamole without proper
> authentication and 2FA?
> Hope someone can provide more inputs how to better tighten the security in
> Guacamole in such kind of environments.
>

Guacamole relies on SSL/TLS for security of the connection to the server.
You should not use _any_ web application in an environment where you cannot
trust TLS.

I don't believe there is any countermeasure that could be developed that a
corporate firewall vendor would not eventually work around. TLS is already
designed to do exactly this.

- Mike


Re: Additional field (select options) on login screen?

2022-12-06 Thread Michael Jumper
There isn't currently any specific documentation on registering custom
field types, but there are some examples in the source that might be
instructive. You don't need to modify the guacamole-client source - there
is a built-in system intended for custom field types. You can do this
purely with an extension.

Take a look at the TOTP extension, which uses a fairly involved custom
field type for the enrollment process:

https://github.com/apache/guacamole-client/blob/master/extensions/guacamole-auth-totp/src/main/java/org/apache/guacamole/auth/totp/form/AuthenticationCodeField.java
(Java definition)

https://github.com/apache/guacamole-client/blob/master/extensions/guacamole-auth-totp/src/main/resources/config/totpConfig.js
(JavaScript registration of the type)

https://github.com/apache/guacamole-client/blob/master/extensions/guacamole-auth-totp/src/main/resources/totpModule.js
(JavaScript registration of the AngularJS module handling the custom field
registration)

The Java field will be automatically serialized into JSON, included in the
auth response, and then processed and passed to your custom field when
received by the browser.

The Duo extension also leverages custom fields for similar purposes.

- Mike

On Mon, Dec 5, 2022, 10:23 PM Joachim Lindenberg 
wrote:

> Hello Mike,
>
> is there any documentation or example on how to add a custom field type? I
> assume this would require to clone or contribute to guacamole-client?
>
> Thanks,
> Joachim
>
>
>
> *Von:* Michael Jumper 
> *Gesendet:* Dienstag, 6. Dezember 2022 00:42
> *An:* user@guacamole.apache.org
> *Betreff:* Re: Additional field (select options) on login screen?
>
>
>
> On Mon, Dec 5, 2022 at 3:01 PM Joachim Lindenberg <
> guacam...@lindenberg.one> wrote:
>
> Hello Mike,
>
>
>
> I modified my code to show an additional field using that exception, however
> the result is not exactly what I was looking for.
>
> With code like…
>
>     static final String backupserver = "backup-server-to-connect-to";
>     private static Field BACKUPSERVER = null;
>     private static CredentialsInfo SERVER_USERNAME_PASSWORD = null;
>
>     …
>
>     // Build the field list once, then ask the client for all three values
>     if (BACKUPSERVER == null)
>         BACKUPSERVER = new EnumField(backupserver, getBackupServerCollection());
>
>     if (SERVER_USERNAME_PASSWORD == null)
>         SERVER_USERNAME_PASSWORD = new CredentialsInfo(Arrays.asList(
>             BACKUPSERVER,
>             CredentialsInfo.USERNAME,
>             CredentialsInfo.PASSWORD
>         ));
>
>     throw new GuacamoleInsufficientCredentialsException(
>             "server, user & password required", SERVER_USERNAME_PASSWORD);
>
>
>
> … I get a drop down with the content
> LOGIN.FIELD_OPTION_BACKUP_SERVER_TO_CONNECT_TO_BACKUP2_LINDENBERG_ONE in
> the UI.
>
> Looks like the client application takes my field name and values,
> concatenates them, and probably also tries to translate them, whereas I
> want to use the Values in EnumField as provided. How can I achieve that?
>
>
>
> You cannot do this with EnumField. All of the standard field types
> included with Guacamole that allow you to specify possible values will
> expect translation strings for each of those possible values. You would
> have to define your own custom field type if you cannot provide translation
> strings for the possible values ahead of time.
>
>
>
> Is there some other UI element more appropriate?
>
>
>
> Also while the exception provides an easy way to define fields, the
> Credentials type does not reflect that. I figured out I have to use
> something like
>
> credentials.getRequest().getParameter(*backupserver*))
>
> correct?
>
>
>
> Yes, convenience functions are provided only for username and password.
> You need to use the generic getParameter() for anything more specialized.
>
>
>
> - Mike
>
>
>

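The Java side of the custom field type Mike points to in both of his replies above (the custom Field subclass in place of EnumField, and reading the extra value back with getParameter()), as an added example that is not code from the thread or from the Guacamole project. The package, the "BACKUP_SERVER" type name, the "backup-server" identifier and the server list are assumptions; the type name must match what the extension's JavaScript registers with formServiceProvider.registerFieldType(), following the totpConfig.js pattern Mike links, and that JavaScript is not shown here. The check that a practitioner wants is at the end: a drop-down in the browser does not constrain what the browser submits, so the chosen server is validated server-side against the allowed set.

```java
package org.example.guac.backupserver; // hypothetical package, not part of guacamole-client

import java.util.Arrays;
import java.util.List;

import javax.servlet.http.HttpServletRequest;

import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.form.Field;
import org.apache.guacamole.net.auth.AbstractAuthenticatedUser;
import org.apache.guacamole.net.auth.AbstractAuthenticationProvider;
import org.apache.guacamole.net.auth.AuthenticatedUser;
import org.apache.guacamole.net.auth.AuthenticationProvider;
import org.apache.guacamole.net.auth.Credentials;
import org.apache.guacamole.net.auth.credentials.CredentialsInfo;
import org.apache.guacamole.net.auth.credentials.GuacamoleInsufficientCredentialsException;
import org.apache.guacamole.net.auth.credentials.GuacamoleInvalidCredentialsException;

public class BackupServerAuthenticationProvider extends AbstractAuthenticationProvider {

    /** Assumed list; a real extension would read this from guacamole.properties or a backend. */
    private static final List<String> BACKUP_SERVERS =
            Arrays.asList("backup1.example.org", "backup2.example.org");

    /**
     * Custom field whose choices are supplied at runtime rather than through
     * translation strings. The type name ("BACKUP_SERVER", assumed) must match
     * the type the extension's JavaScript registers.
     */
    public static class BackupServerField extends Field {

        public static final String FIELD_TYPE = "BACKUP_SERVER";
        public static final String PARAMETER_NAME = "backup-server-to-connect-to";

        private final List<String> servers;

        public BackupServerField(List<String> servers) {
            super(PARAMETER_NAME, FIELD_TYPE);
            this.servers = servers;
        }

        /** Serialized into the JSON auth response as "servers" for the JS template to render. */
        public List<String> getServers() {
            return servers;
        }
    }

    @Override
    public String getIdentifier() {
        return "backup-server"; // assumed identifier
    }

    @Override
    public AuthenticatedUser authenticateUser(final Credentials credentials) throws GuacamoleException {

        HttpServletRequest request = credentials.getRequest();
        String server = request == null ? null : request.getParameter(BackupServerField.PARAMETER_NAME);
        String username = credentials.getUsername();
        String password = credentials.getPassword();

        // Nothing (or not everything) submitted yet: ask the client for all three fields.
        if (server == null || username == null || password == null) {
            throw new GuacamoleInsufficientCredentialsException(
                    "server, user & password required",
                    new CredentialsInfo(Arrays.asList(
                            new BackupServerField(BACKUP_SERVERS),
                            CredentialsInfo.USERNAME,
                            CredentialsInfo.PASSWORD)));
        }

        // The POSTed value is an arbitrary string regardless of what the drop-down
        // offered, so it is checked against the allowed set before any use.
        if (!BACKUP_SERVERS.contains(server))
            throw new GuacamoleInvalidCredentialsException("Unknown backup server",
                    CredentialsInfo.USERNAME_PASSWORD);

        // Verify username/password against the chosen server here (backend-specific,
        // not shown); throw GuacamoleInvalidCredentialsException if that fails.

        AbstractAuthenticatedUser user = new AbstractAuthenticatedUser() {
            @Override
            public AuthenticationProvider getAuthenticationProvider() {
                return BackupServerAuthenticationProvider.this;
            }
            @Override
            public Credentials getCredentials() {
                return credentials;
            }
        };
        user.setIdentifier(username);
        return user;
    }
}
```

Jackson serializes the Field's bean getters, so getServers() shows up next to "name" and "type" in the auth response and the extension's AngularJS field template reads it from there. The JavaScript module and template are shipped via the extension's guac-manifest.json, the same way the TOTP extension ships totpModule.js.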

Re: Guacamole commercial support

2022-12-07 Thread Michael Jumper
On Wed, Dec 7, 2022, 5:46 AM Martin Gilles (PSI) 
wrote:

> ... why Guacamole Apache webpage for commercial support doesn't list this
> company.
>

We only list companies that ask to be listed.

- Mike

