Posted to user@guacamole.apache.org by Joachim Lindenberg <jo...@lindenberg.one> on 2020/04/08 07:21:26 UTC

establishing trust for guacd-RDP connections?

Hello Nick, Mike,

„Guacamole kind of already supports” – can you please clarify how this is supposed to work especially in a docker environment? The documentation lacks anything on exposing a certificate store or how to prepopulate it with trusted certs. Or am I blind?

Thanks, Joachim


From: Joachim Lindenberg <jo...@lindenberg.one>
Sent: Saturday, 28 March 2020 20:19
To: user@guacamole.apache.org
Subject: Re: freerdp support for certificate fingerprints - also with Guacamole?


Hi Nick,

Thanks for following up. However, afaik this requires someone to run a freerdp client manually in the same environment that Guacamole is using, and against all relevant hosts.

If you want to run Guacamole with docker, then this is pretty cumbersome to do. Also, certificates expire; one would then have to redo the manual work.

At least in my scenario, I can provide the correct fingerprint dynamically at runtime.

Perhaps others should comment on what their experience is.

Thanks,

Joachim


From: Nick Couchman <vnick@apache.org>
Sent: Saturday, 28 March 2020 20:06
To: user@guacamole.apache.org
Subject: Re: freerdp support for certificate fingerprints - also with Guacamole?


On Sat, Mar 28, 2020 at 2:56 PM Joachim Lindenberg <joachim@lindenberg.one> wrote:

Hello all,

I guess most of us are ignoring certificates with RDP. If you are like me and looked at Microsoft's documentation on how to replace a self-signed certificate, there is a clear trade-off… and so far I am running Guacamole on the same physical host as the virtual machines it interfaces to, but I guess this is a rather atypical scenario. You may also argue that NLA/CredSSP is used after the TLS connection is established and mitigates the risk, but from a privacy pov at least you disclose communication metadata (including the PDU for Hyper-V connections) prior to that, and if you are located in Europe like me, discussions like this trigger data protection impact assessments…

The good news is that FreeRDP now supports supplying known certificate fingerprints, starting with https://github.com/FreeRDP/FreeRDP/pull/5880. I am already leveraging that when my software interfaces to wfreerdp via the command line, but with Guacamole I cannot. I definitely would appreciate it if that could be added to Guacamole as well, probably as part of the connection properties.

Thanks & Best Regards, Joachim


Guacamole kind of already supports this - by default, the FreeRDP library tries to create a directory within the current user's home directory, and when Mike was implementing FreeRDP 2 support we ran into the fact that FreeRDP doesn't really take no for an answer anymore. So, you should be able to add certificates to this store that FreeRDP auto-creates and un-tick that Ignore Certificates box.


-Nick


Re: establishing trust for guacd-RDP connections?

Posted by Nick Couchman <vn...@apache.org>.
On Wed, Apr 8, 2020 at 3:22 AM Joachim Lindenberg <jo...@lindenberg.one>
wrote:

> Hello Nick, Mike,
>
> „Guacamole kind of already supports” – can you please clarify how this is
> supposed to work especially in a docker environment? The documentation
> lacks anything on exposing a certificate store or how to prepopulate it
> with trusted certs. Or am I blind?
>
> Thanks, Joachim
>
>
>

What I mean is, Guacamole's verification of server certificates is just
part of the FreeRDP API - so, if you do not check the box to ignore server
certificates, FreeRDP (and, thus, Guacamole) will require valid
certificates.  In order to properly configure this, you need to create a
certificate store in the location that the FreeRDP libraries expect so that
it can look up those certificates and validate them.  In this respect,
Guacamole does not give any options for configuring the location of that
certificate store nor for adding certificates to the store - that has to be
created on the server where guacd runs, in the location where the FreeRDP
libraries look.  From looking at log files, it looks like this should be in
the home directory of the user running guacd, under the ".config/freerdp"
directory.

-Nick
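To make the trust store Nick describes concrete, here is an added example (editor's code, not Guacamole's or FreeRDP's) that reads a known_hosts2-style file, checks a presented server fingerprint against it, and renders entries for pre-populating the store. It assumes the line layout `<host> <port> <sha1-fingerprint> [<subject> <issuer>]`, which is my understanding of FreeRDP 2.x and is not stated on this page; hostnames and fingerprints are constructed.

```python
# Added example (editor's code, not Guacamole's or FreeRDP's): a small checker for
# the per-user FreeRDP trust store Nick points to (~/.config/freerdp/known_hosts2).
# Assumed line layout, my understanding of FreeRDP 2.x rather than anything on the
# page:  <host> <port> <sha1-fingerprint> [<subject> <issuer>]
import re
from typing import Dict, Tuple

# Constructed sample store; hosts and fingerprints are made-up values.
SAMPLE_STORE = """\
# host port fingerprint [subject issuer]
vm-win10.lab.internal 3389 0a:1b:2c:3d:4e:5f:60:71:82:93:a4:b5:c6:d7:e8:f9:0a:1b:2c:3d
hv-core.lab.internal 2179 ff:ee:dd:cc:bb:aa:99:88:77:66:55:44:33:22:11:00:0f:1e:2d:3c
"""

_HEX40 = re.compile(r"^[0-9a-f]{40}$")

def normalize_fingerprint(fp: str) -> str:
    """Accept 'AA:BB:...' or 'aabb...' and return lowercase colon-separated SHA-1."""
    raw = fp.replace(":", "").lower()
    if not _HEX40.match(raw):
        raise ValueError("fingerprint must be 20 hex bytes (SHA-1)")
    return ":".join(raw[i:i + 2] for i in range(0, 40, 2))

def parse_store(text: str) -> Dict[Tuple[str, int], str]:
    """Map (host, port) -> fingerprint; comments and malformed lines are skipped."""
    store: Dict[Tuple[str, int], str] = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or len(parts) < 3:
            continue
        host, port, fp = parts[0].lower(), parts[1], parts[2]
        if not port.isdigit():
            continue
        try:
            store[(host, int(port))] = normalize_fingerprint(fp)
        except ValueError:
            continue  # unparseable fingerprint: do not silently trust it
    return store

def check_host(store: Dict[Tuple[str, int], str], host: str, port: int, presented_fp: str) -> str:
    """'trusted' if pinned and equal, 'mismatch' if pinned but different (the case
    that must fail the connection), 'unknown' if the host was never pinned."""
    pinned = store.get((host.lower(), port))
    if pinned is None:
        return "unknown"
    return "trusted" if pinned == normalize_fingerprint(presented_fp) else "mismatch"

def store_entry(host: str, port: int, fp: str) -> str:
    """Render one line to append when pre-populating the store for the guacd user."""
    return f"{host.lower()} {port} {normalize_fingerprint(fp)}"
```

A store built this way can be mounted read-only into the guacd user's home so that the Ignore Certificates box can stay un-ticked; a "mismatch" result is the signal worth alerting on, since it means the server certificate changed after it was pinned.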