Posted to user@guacamole.apache.org by Nico Schottelius <ni...@ungleich.ch> on 2019/01/24 13:07:33 UTC

Session management for an enterprise / automatically creating VNC sessions

Hello Guacamole users,

we are evaluating guacamole for a bigger environment. We have seen
support for LDAP and 2FA in Guacamole, which is great.

We would like to use guacamole for a big number of users, who should not
create their VNC ("backend") sessions manually, and were wondering if
anyone has solved the problem of "creating backend [VNC]" sessions
automatically already?

We are comparing Guacamole to nomachine/x2go at the moment and the
feature to be "just able to create a new session" is very interesting
from a management point of view, as you don't have to manually manage
the sessions.

Any pointer in this direction is appreciated.

Best,

Nico



--
Your Swiss, Open Source and IPv6 Virtual Machine. Now on www.datacenterlight.ch.

Re: Session management for an enterprise / automatically creating VNC sessions

Posted by Mike Jumper <mj...@apache.org>.
On Fri, Jan 25, 2019, 08:44 Nico Schottelius <nico.schottelius@ungleich.ch>
wrote:

>
> ... I had a longer discussion off-list today about it and wanted to
> share my thoughts:
>
> Guacamole already supports VNC and SSH. Thus session management
> ("autostart") could be implemented as easily as the following:
>
> a) Adding support for a generic connection with variable support
>
> Assuming we could use variables in connections, for instance the
> username, we could implement sessions that *contain* the username in the
> connection string.
>

The settings driving a connection should be dictated by server-side logic.
It is dangerous/insecure to trust the user to not manipulate something like
a string submitted from the client side.


> All users could have the "same" connection, just different variable parts
>

http://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens

You should also look into the extension API. The main reason the extension
API exists is to allow connection details to be driven by completely
arbitrary logic.


> b) Adding support for vnc-over-ssh-over-unix-socket
>
> You probably know that you can easily tunnel vnc through ssh [0].
>

Until libvncclient has such support, it isn't possible to integrate this
into the VNC support. You will need to accomplish this through other logic,
presumably in an extension.


> If guacamole would support combining ssh with vnc, guacamole could do
> the following:
>
> ssh user@host "
> # -S tests for a socket; -f (regular file) never matches a socket and would relaunch every time
> if [ ! -S .guacamole.sock ]; then
>   vncserver-on-.guacamole.sock
> fi
>
> socat - .guacamole.sock"
>

Guacamole definitely shouldn't attempt to implement this through shell
scripting. If this is to be added as a feature for Guacamole, it would need
to be through leveraging the VNC and SSH libraries available.

https://issues.apache.org/jira/browse/GUACAMOLE-312

You can already do what you're looking to accomplish through leveraging the
extension API, however. You would dynamically derive the connection
parameters based on the user connecting, preparing a temporary SSH tunnel
for that connection as part of that process.


> Obviously this is only sample code and the admin could be able to
> specify custom code.
>

I definitely don't think executing arbitrary custom shell scripting should
be a standard mechanism built into guac. The extension API is the way to go
here.

- Mike

Re: Session management for an enterprise / automatically creating VNC sessions

Posted by Nico Schottelius <ni...@ungleich.ch>.
... I had a longer discussion off-list today about it and wanted to
share my thoughts:

Guacamole already supports VNC and SSH. Thus session management
("autostart") could be implemented as easily as the following:

a) Adding support for a generic connection with variable support

Assuming we could use variables in connections, for instance the
username, we could implement sessions that *contain* the username in the
connection string.

All users could have the "same" connection, just different variable parts

b) Adding support for vnc-over-ssh-over-unix-socket

You probably know that you can easily tunnel vnc through ssh [0].

If guacamole would support combining ssh with vnc, guacamole could do
the following:

ssh user@host "
# -S tests for a socket; -f (regular file) never matches a socket and would relaunch every time
if [ ! -S .guacamole.sock ]; then
  vncserver-on-.guacamole.sock
fi

socat - .guacamole.sock"

Obviously this is only sample code and the admin could be able to
specify custom code.

Guacamole could either use the user credentials (as logged in) for the
ssh connection or an ssh keypair or a different [saved?] password.

The advantage of this approach is also that there are no listeners that
could potentially be used by people to brute force the VNC password
(that was our original motivation for this some years ago).

c) Combining (a) and (b)

If we combine both approaches, we have a very cheap and easy to use
session management with added security.


What do you think about this approach?

Best,

Nico


[0] https://www.nico.schottelius.org/blog/tunneling-qemu-kvm-unix-socket-via-ssh/

If we could add the following
Nico Schottelius <ni...@ungleich.ch> writes:

> Hello Guacamole users,
>
> we are evaluating guacamole for a bigger environment. We have seen
> support for LDAP and 2FA in Guacamole, which is great.
>
> We would like to use guacamole for a big number of users, who should not
> create their VNC ("backend") sessions manually, and were wondering if
> anyone has solved the problem of "creating backend [VNC]" sessions
> automatically already?
>
> We are comparing Guacamole to nomachine/x2go at the moment and the
> feature to be "just able to create a new session" is very interesting
> from a management point of view, as you don't have to manually manage
> the sessions.
>
> Any pointer in this direction is appreciated.
>
> Best,
>
> Nico



Re: Session management for an enterprise / automatically creating VNC sessions

Posted by Mike Jumper <mj...@apache.org>.
On Thu, Jan 24, 2019 at 7:53 AM Nick Couchman <vn...@apache.org> wrote:
>...
>>
>> Hypothetically, if there is a hook and if what we create is generic
>> enough, we could in theory think about open-sourcing it later as a
>> Guacamole add-on (I will have to discuss with our client first though).
>
>
> We would certainly love the contributions of source code to the project - we want to build a community around the project, and the best way is if everyone contributes to that :-).
>

It should be possible to be very generic on this, particularly with
the new decoration API. Attributes which describe how the remote
desktop server should be started could be dynamically added to the
connection, and the extension could handle automatically
starting/stopping the applicable services during the connection
process by intercepting the call to connect().

>>
>>
>> In terms of fixed resolution: this is certainly a drawback, however much
>> less from our point of view than having users create their own
>> session.
>
>
> This might be something you could work around with the event listener - you might be able to pull the browser information and pass that along somehow or another during that capture of the event.  Not 100% certain about that, but might be possible.
>

As far as fixed vs. dynamic resolution goes, the X.Org driver would
handle this quite nicely. It's probably time to revive development of
that. I've been working recently to make sure support for the "RENDER"
extension for X11 is functional in the driver, but once that's done,
it may be PR time.

https://issues.apache.org/jira/browse/GUACAMOLE-168

Outside of that, there are VNC servers which support setting the
resolution via a request from the client. The main thing limiting us
from implementing that is lack of support for this within the
underlying library (libvncclient). If libvncclient sprouts that
feature, or if we provide an alternative to building against
libvncclient for the VNC backend, this can be done.

- Mike

Re: Session management for an enterprise / automatically creating VNC sessions

Posted by Nick Couchman <vn...@apache.org>.
On Thu, Jan 24, 2019 at 10:31 AM Nico Schottelius <
nico.schottelius@ungleich.ch> wrote:

>
> Hello,
>
> and thanks, wow!
>
> Thanks for the great feedback, Nick and Adam - I certainly hadn't
> expected that and also that fast!
>
> We were already thinking about modifying the database to match sessions
> created by a script from outside.
>
> Is there any kind of "hook mechanism" in guacamole that would allow us
> to create a new session when the user logs in? We could check if the
> user already has a session entry and if not, we would connect to the
> "VNC server" backend and launch a new session.
>

There's nothing directly implemented today that would do this for you, but
the capability to implement is definitely there.  Guacamole has Event
Listeners for several types of events, including User Logon, User Logoff,
Tunnel Connect, and Tunnel Disconnect.  It would be relatively easy to
listen for a User Logon event, for example, and start a VNC session on that
event, and then make sure it's shut down when the user logs off (if you so
desire).  You could probably also use something like this combined with the
decoration capability to actually track what VNC session is associated with
a particular user, and do some sort of session persistence.  Just thinking
out loud - anyway, point is, it should be doable.

Here's the documentation on the Event Listeners, including example
implementations:

http://guacamole.apache.org/doc/gug/event-listeners.html


>
> Hypothetically, if there is a hook and if what we create is generic
> enough, we could in theory think about open-sourcing it later as a
> Guacamole add-on (I will have to discuss with our client first though).
>

We would certainly love the contributions of source code to the project -
we want to build a community around the project, and the best way is if
everyone contributes to that :-).


>
> In terms of fixed resolution: this is certainly a drawback, however much
> less from our point of view than having users create their own
> session.
>

This might be something you could work around with the event listener - you
might be able to pull the browser information and pass that along somehow
or another during that capture of the event.  Not 100% certain about that,
but might be possible.

-Nick
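Both Mike's point (connection settings must come from server-side logic, never from a string the client can manipulate) and Nick's sketch (listen for User Logon / User Logoff and start or stop a backend session) are modelled in the following added example. It is not Guacamole's own API or any project code: `SessionManager`, the launcher/terminator callables and the `/run/guacamole` socket root are hypothetical stand-ins for what an extension's event listener would do.

```python
import re
import threading
# Added model of the logon/logoff-listener idea, not Guacamole's own API. Only
# the authenticated username (never a client-supplied string) selects a session,
# and only after an allow-list check, so it is safe to embed in a path.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_-]{0,31}")
SOCKET_ROOT = "/run/guacamole"   # constructed example path


def socket_path_for(username):
    """Derive the backend socket path server-side; reject anything unexpected."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"refusing to derive a session for {username!r}")
    return f"{SOCKET_ROOT}/{username}.sock"


class SessionManager:
    """One backend VNC session per user: started on logon, stopped on logoff."""

    def __init__(self, launcher, terminator):
        self._launcher = launcher      # hypothetical: (username, socket) -> pid
        self._terminator = terminator  # hypothetical: (pid) -> None
        self._sessions = {}            # username -> (pid, socket_path)
        self._lock = threading.Lock()  # concurrent logon events must not race

    def on_user_logon(self, username):
        """Idempotent: a second logon reuses the running session."""
        path = socket_path_for(username)
        with self._lock:
            if username not in self._sessions:
                self._sessions[username] = (self._launcher(username, path), path)
            pid, path = self._sessions[username]
        return {"username": username, "pid": pid, "socket": path}

    def on_user_logoff(self, username):
        """Stop the user's session if one exists; report whether one was running."""
        with self._lock:
            entry = self._sessions.pop(username, None)
        if entry is not None:
            self._terminator(entry[0])
        return entry is not None


def demo():
    """Constructed run with a fake launcher: no real vncserver is spawned."""
    log = []
    mgr = SessionManager(lambda u, p: log.append(("start", u, p)) or 4242,
                         lambda pid: log.append(("stop", pid)))
    first, second = mgr.on_user_logon("alice"), mgr.on_user_logon("alice")
    return first == second, mgr.on_user_logoff("alice"), log
```

In a real extension the launcher would run the per-user start script and the terminator would stop it, while the dictionary returned by `on_user_logon` is what the server-side logic, not the browser, feeds into the connection parameters.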

Re: Session management for an enterprise / automatically creating VNC sessions

Posted by Nico Schottelius <ni...@ungleich.ch>.
Hello,

and thanks, wow!

Thanks for the great feedback, Nick and Adam - I certainly hadn't
expected that and also that fast!

We were already thinking about modifying the database to match sessions
created by a script from outside.

Is there any kind of "hook mechanism" in guacamole that would allow us
to create a new session when the user logs in? We could check if the
user already has a session entry and if not, we would connect to the
"VNC server" backend and launch a new session.

Hypothetically, if there is a hook and if what we create is generic
enough, we could in theory think about open-sourcing it later as a
Guacamole add-on (I will have to discuss with our client first though).

In terms of fixed resolution: this is certainly a drawback, however much
less from our point of view than having users create their own
session.

Best regards,

Nico


Adam Thorn <al...@cam.ac.uk> writes:

> On 24/01/2019 13:07, Nico Schottelius wrote:
>
>> We would like to use guacamole for a big number of users, who should not
>> create their VNC ("backend") sessions manually and were wondering, if
>> anyone has solved the problem of "creating backend [VNC]" sessions
>> automatically already?
>
> One option would be to use the MySQL extension for storing guacamole
> connection data - you can e.g. use MySQL for connection data and LDAP
> (or another extension) for authenticating users. You can then write a
> script to populate the connection data; see
>
> https://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-schema
>
> I posted some info on the queries I run on the mailing list recently:
>
> http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/Guacamole-SQL-queries-td4411.html
>
> which I think needs some updating for guacamole 1.0.0, but the docs
> include a few example queries which should let you achieve what you're
> after.
>
> Regards,
>
> Adam



Re: Session management for an enterprise / automatically creating VNC sessions

Posted by Adam Thorn <al...@cam.ac.uk>.
On 24/01/2019 13:07, Nico Schottelius wrote:

> We would like to use guacamole for a big number of users, who should not
> create their VNC ("backend") sessions manually and were wondering, if
> anyone has solved the problem of "creating backend [VNC]" sessions
> automatically already?

One option would be to use the MySQL extension for storing guacamole 
connection data - you can e.g. use MySQL for connection data and LDAP 
(or another extension) for authenticating users. You can then write a 
script to populate the connection data; see

https://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-schema

I posted some info on the queries I run on the mailing list recently:

http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/Guacamole-SQL-queries-td4411.html

which I think needs some updating for guacamole 1.0.0, but the docs 
include a few example queries which should let you achieve what you're 
after.

Regards,

Adam

Re: Session management for an enterprise / automatically creating VNC sessions

Posted by Nico Schottelius <ni...@ungleich.ch>.
Hey Nick,


Nick Couchman <vn...@apache.org> writes:
>
> There are other solutions out there to handle automatic creation of VNC
> sessions.  The most common one, that has been around for the longest amount
> of time, is using inetd/xinetd to launch the sessions.  An example of this
> is documented, here:
>
> https://www.ibm.com/developerworks/library/os-multiuserloginsvnc/index.html

Wow, that looks pretty cool!

Assuming that we can create a session entry per user
(semi-)automatically in the guacamole DB, does it automatically mean
that guacamole will create a new tcp session?

If yes, then this could be a way to go for the moment. The user will
then probably have to double (triple even in our setup) login, but this
might be acceptable, if it solves the session creation problem easily.

Best regards from sunny Zurich,

Nico



Re: Session management for an enterprise / automatically creating VNC sessions

Posted by Nick Couchman <vn...@apache.org>.
On Thu, Jan 24, 2019 at 8:07 AM Nico Schottelius <
nico.schottelius@ungleich.ch> wrote:

>
> Hello Guacamole users,
>
> we are evaluating guacamole for a bigger environment. We have seen
> support for LDAP and 2FA in Guacamole, which is great.
>
> We would like to use guacamole for a big number of users, who should not
> create their VNC ("backend") sessions manually, and were wondering if
> anyone has solved the problem of "creating backend [VNC]" sessions
> automatically already?
>

There are other solutions out there to handle automatic creation of VNC
sessions.  The most common one, that has been around for the longest amount
of time, is using inetd/xinetd to launch the sessions.  An example of this
is documented, here:

https://www.ibm.com/developerworks/library/os-multiuserloginsvnc/index.html


>
> We are comparing Guacamole to nomachine/x2go at the moment and the
> feature to be "just able to create a new session" is very interesting
> from a management point of view, as you don't have to manually manage
> the sessions.
>
> Any pointer in this direction is appreciated.
>
>
I think one of the biggest issues and differences between how Guacamole
currently handles those and how NoMachine/X2Go does is the lack of session
persistence in Guacamole.  It's something we've discussed and that I think
we'll address in the future, but, today, there's no way for a user in
Guacamole to connect to a VNC session in the xinetd scenario above, and
then get back to that session if they had to disconnect.

Also, when creating the sessions, X2Go/NX facilitate the negotiation of the
screen resolution between the client and the server, whereas with VNC and
Guacamole, again, at present, you would have to have a fixed resolution for
the VNC server side.

There are definitely some areas for us to improve Guacamole - I would
certainly love to see session persistence implemented within Guacamole
(there's a JIRA issue for it), and negotiating screen resolution would be
interesting, though I'm not sure how achievable.

-Nick