Posted to user@guacamole.apache.org by Nick Couchman <vn...@apache.org> on 2023/03/19 18:47:17 UTC

Re: URL for a direct connection to a VNC or SSH session after upgrading from 0.9.12 to 1.4.0

On Fri, Jan 27, 2023 at 8:32 PM Timur Bazhirov <ti...@exabyte.io> wrote:

> Greetings,
>
> We have a question regarding establishing a direct connection (instead of
> a login screen) for a user to SSH or VNC sessions.
>
> We've been using Guacamole for some time and recently started work
> on updating it to the latest version. In version 0.9.12, we used to form a
> URL and then use the HMAC and secret-key-based authentication to directly
> proxy a user to a session. Here a URL would look something like this:
>
>
> <HOSTNAME>/guacamole/#/client?timestamp=1674863599405&signature=31BNen1LuL1ukF7NjW8ocbor4ME&username=john&protocol=ssh.
>
>
> When reading the version 1.4.0 documentation, we understand that HMAC is
> no longer an option, although there is JSON-based authentication and also
> quick-connect as extensions. However, we could not understand how to adjust
> the above URL to land a user in an SSH and VNC session directly without
> them having to use the Guacamole login screen with username/password.
>
> Can anyone help us with this? If there's a JavaScript implementation, in
> particular, it would be great to know.
>

Many things have changed between version 0.9.12 and 1.4.0. Things that
would, in particular, impact you in this regard:
* The way URLs for connections are generated was updated right around
0.9.12. The connection identifier, data source, and type are encoded in a
base64 parameter in the URL. So, a connection URL will look something like
this:
https://guacamole.example.local/#/client/NQBjAHBvc3RncmVzcWw
The characters after /client/ are the encoding of the components that make
up the connection. This is quite a bit different from what you have above -
the connection parameters (hostname, protocol, username, etc.) are not part
of the URI.
* It's possible that you were or are using the noauth extension, which
allowed the Guacamole interface to be used without any authentication. We
first deprecated and then removed that extension entirely, so it is no
longer available - you must use some form of authentication. You can either
use one of the existing modules or write your own, but you should not allow
access to the interface without requiring authentication. There are many
ways to do this - for example, if you have a CAS, SAML or OpenID SSO
provider, you can integrate Guacamole with those and users will be
seamlessly logged in. You can also use something like CredSSP or SPNEGO
authentication pass-through with Tomcat, combined with the Header
authentication module.

-Nick
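
The URL format described in the reply above, as an added example that is not part of the original message and not Guacamole's own code: it decodes the sample token quoted in the message and rebuilds the same URL, which shows that the token is a reversible encoding of identifiers rather than a credential. The field order (connection identifier, type, data source, separated by NUL bytes) is inferred from decoding that sample, the function names are hypothetical, and the code assumes Node.js.

```javascript
// Added example. Field order (identifier, type, data source) is inferred from
// decoding the sample token in the message above; all names are hypothetical.
const SEP = '\0';

function decodeClientToken(token) {
  if (!/^[A-Za-z0-9+\/]+={0,2}$/.test(token)) {
    throw new Error('not a base64 token');
  }
  // Tokens may appear without '=' padding, as in the sample; restore it first.
  const stripped = token.replace(/=+$/, '');
  if (stripped.length % 4 === 1) {
    throw new Error('truncated base64 token');
  }
  const padded = stripped + '='.repeat((4 - (stripped.length % 4)) % 4);
  const fields = Buffer.from(padded, 'base64').toString('utf8').split(SEP);
  if (fields.length !== 3 || fields.some((f) => f.length === 0)) {
    throw new Error('expected three NUL-separated fields');
  }
  const [id, type, dataSource] = fields;
  return { id, type, dataSource };
}

function encodeClientToken({ id, type, dataSource }) {
  const fields = [id, type, dataSource].map(String);
  if (fields.some((f) => f.length === 0 || f.includes(SEP))) {
    throw new Error('fields must be non-empty and must not contain NUL');
  }
  const b64 = Buffer.from(fields.join(SEP), 'utf8').toString('base64');
  return b64.replace(/=+$/, ''); // the sample token carries no padding
}

function clientUrl(baseUrl, parts) {
  // The token sits in the URL fragment, which browsers do not send to the
  // server. It names a connection; it does not authenticate anyone.
  return baseUrl.replace(/\/+$/, '') + '/#/client/' + encodeClientToken(parts);
}

const SAMPLE = 'NQBjAHBvc3RncmVzcWw'; // token quoted in the message above
console.log(decodeClientToken(SAMPLE));
console.log(clientUrl('https://guacamole.example.local/',
  { id: '5', type: 'c', dataSource: 'postgresql' }));
```

Because anyone can decode and re-encode the token, access to the named connection has to be decided by the authentication module, as the reply says.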