On Wed, Aug 10, 2022 at 1:11 PM Pete Carlson <pgcarl...@gmail.com> wrote:
>
>
> "I am using the guacamole-auth-json for encrypted JSON. When building my 
> user.json:
>
> {
>     "username" : "arbitraryUsername",
>     "expires" : TIMESTAMP,
>     "connections" : {
>         "Connection Name" : {
>             "protocol" : "PROTOCOL",
>             "parameters" : {
>                 "name1" : "value1",
>                 "name2" : "value2",
>                 ...
>             }
>         },
>         ...
>     }
> }
>
> Where does Connection Name exist elsewhere so it knows to relate this user to 
> this connection? Can I define this object so that it just connects to the 
> DEFAULT connection?
>

What you are defining here is a connection that exists purely in the
JSON backend, not a reference to a connection stored somewhere else.

If you want to use the encrypted JSON to authenticate users, but store
the data for connections in some other backend (one of the supported
databases), the way to accomplish that is:

1) Use Guacamole's web UI to define a connection within your database of choice.
2) Again within the web UI, define a user and grant access to that
connection. Do not set a password for this user.
3) As needed, generate encrypted JSON only as a proof of user identity
(include only "username" and "expires"), making sure that the
specified username matches the username of the user that was created
earlier.

When the encrypted JSON is submitted, Guacamole accepts that as
sufficient proof of identity, and the database then allows access to
any connections it knows are granted to that user. You can do this for
any number of users, and can leverage user groups if these users will
frequently be given access to the same sets of connections.

This same mechanism is how things like SAML and LDAP are tied together
with the database storage.

>
> I am using an MD5 hash of the username and the encrypt-json.sh script from the 
> website to sign and encode this:
>
> {"username":"fred","expires":1660129180160,"connections":{"My Connection":{"protocol":"vnc","parameters":{"hostname":"127.0.0.1","password":"VNCPASS","port":5900}}}}
>

What does an MD5 hash of the username have to do with the process that
you're using?

- Mike
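
The identity-only token from step 3 of the reply above, as an added example that is not part of the original message and not the project's own script. It follows the sign-then-encrypt format documented for guacamole-auth-json; the key value, the function names and the username character whitelist are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. SECRET_KEY is a constructed sample value: substitute the
# 128-bit hex key your Guacamole server is configured with.
SECRET_KEY="4c0b569e4c96df157eee1b65dd0e4d41"
ZERO_IV="00000000000000000000000000000000"

# Emit JSON carrying only "username" and "expires" (Unix epoch, milliseconds).
# No "connections" object: the database decides what this user may reach.
# $1 = username as created in the web UI, $2 = lifetime in seconds
identity_json() {
    case "$1" in
        ''|*[!A-Za-z0-9._@-]*)
            # Refuse anything that would need JSON escaping (quotes, backslashes).
            echo "identity_json: unsupported username" >&2; return 1 ;;
    esac
    case "$2" in
        ''|*[!0-9]*) echo "identity_json: lifetime must be seconds" >&2; return 1 ;;
    esac
    expires_ms=$(( ($(date +%s) + $2) * 1000 ))
    printf '{"username":"%s","expires":%s}' "$1" "$expires_ms"
}

# Sign with HMAC-SHA256, prepend the 32 raw signature bytes to the JSON,
# encrypt the result with AES-128-CBC (all-zero IV), and base64-encode it.
# $1 = hex key, $2 = JSON text
encrypt_json() {
    json_tmp=$(mktemp) || return 1
    printf '%s' "$2" > "$json_tmp"
    openssl dgst -sha256 -mac HMAC -macopt hexkey:"$1" -binary "$json_tmp" \
        | cat - "$json_tmp" \
        | openssl enc -aes-128-cbc -K "$1" -iv "$ZERO_IV" -nosalt -a -A
    status=$?
    rm -f "$json_tmp"
    return "$status"
}

# Demo: a token for the user "fred" (the username in the question), valid 5 minutes.
encrypt_json "$SECRET_KEY" "$(identity_json fred 300)"
echo
```

Because the IV is fixed, the short "expires" window is what limits how long a captured token stays usable, so keep the lifetime small and generate a fresh token per login.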
