Posted to user@guacamole.apache.org by Howard Lander <ho...@renci.org> on 2020/04/09 14:37:07 UTC

Running guacamole inside of a secured environment

Hi all

We are running guacamole inside of a secured environment. By this I mean 
that by the time the user can access our Guacamole server they have 
already authenticated. So we really don't want them to have to 
authenticate again.  I see that there was a noauth extension, but it 
doesn't seem to be supported in either version 1.0 or 1.1.  I found the 
docs that describe how to write a custom authentication module, but I'm 
not sure I want to go down that path. What, if anything, is the 
currently approved method of providing access without authentication? 
Did I just miss the noauth support in later versions? If it matters, the 
service we are allowing the users to connect to is VNC.

Thanks much
Howard
-- 
Howard Lander <ma...@renci.org>
Senior Research Software Developer
Renaissance Computing Institute (RENCI) <http://www.renci.org>
The University of North Carolina at Chapel Hill
100 Europa Drive
Suite 540
Chapel Hill, NC 27517
919-445-9651

Re: Running guacamole inside of a secured environment

Posted by "Lander, Howard Michael" <ho...@renci.org>.
No, I think using the SQL will be the way to go! I'm really not in the mood for packet sniffing!

Will let you know if I get stuck, and will post the results once I get it going.

Thanks again for all the help!
Howard
________________________________
From: Nick Couchman <vn...@apache.org>
Sent: Wednesday, September 9, 2020 4:36 PM
To: user@guacamole.apache.org <us...@guacamole.apache.org>
Subject: Re: Running guacamole inside of a secured environment

On Wed, Sep 9, 2020 at 4:33 PM Lander, Howard Michael <ho...@renci.org> wrote:
Thanks for such a quick response.

I am updating to 1.2.0 now.

Is it not possible to do the mapping between users and connections using psql? Sort of looks like it is in the docs... I am doing an automated deployment and can't really use the GUI.


Oh, it is definitely possible - that's all the WebUI does.  Basically what you'll need to do is:
- Grab the entity_id of the user or group you want to associate
- Grab the connection_id of the connection you want to associate
- Add an entry to the <guacamole_connection_permission> table with the entity id, the connection id, and "READ" permission.

You can do this with SQL on the database itself, or you can automate via Guacamole's REST API. Unfortunately right now documentation for the REST API is lacking, so if you go that route you'll have to figure out the calls to make by looking at the network traffic on the web interface and duplicating that.

-Nick

Re: Running guacamole inside of a secured environment

Posted by Stefan Bogdan Cimpeanu <bo...@cimpeanu.org>.
Hi,
If you’re more familiar with MySQL, stick with that, it’ll be easier for you in the long run.
Unless you’re running some super duper distributed active-active DB cluster, you shouldn’t find any issues (performance wise) with MySQL as a db provider.

Bogdan

> On 10 Sep 2020, at 21:10, Lander, Howard Michael <ho...@renci.org> wrote:
> 
> Hi Nick
> 
> I've just about got this working, but there is one sticking point:  I realized that I need to create the user myself rather than depending on the mechanism enabled by postgresql-auto-create-accounts.  The documentation is pretty clear on how to do this in mysql, but much less forthcoming on how to do this in postgresql.  A few minutes of Google searching didn't seem to find a simple recipe.  Can you offer any advice on this?  I have considered switching to mysql, since I really don't care much which database is running. 
> 
> Thanks
> Howard
> 
> From: Nick Couchman <vn...@apache.org>
> Sent: Wednesday, September 9, 2020 4:36 PM
> To: user@guacamole.apache.org <us...@guacamole.apache.org>
> Subject: Re: Running guacamole inside of a secured environment
>  
> On Wed, Sep 9, 2020 at 4:33 PM Lander, Howard Michael <howard@renci.org> wrote:
> Thanks for such a quick response.
> 
> I am updating to 1.2.0 now.
> 
> Is it not possible to do the mapping between users and connections using psql? Sort of looks like it is in the docs... I am doing an automated deployment and can't really use the GUI.
> 
> 
> Oh, it is definitely possible - that's all the WebUI does.  Basically what you'll need to do is:
> - Grab the entity_id of the user or group you want to associate
> - Grab the connection_id of the connection you want to associate
> - Add an entry to the <guacamole_connection_permission> table with the entity id, the connection id, and "READ" permission.
> 
> You can do this with SQL on the database itself, or you can automate via Guacamole's REST API. Unfortunately right now documentation for the REST API is lacking, so if you go that route you'll have to figure out the calls to make by looking at the network traffic on the web interface and duplicating that.
> 
> -Nick


Re: Running guacamole inside of a secured environment

Posted by "Lander, Howard Michael" <ho...@renci.org>.
Hi Nick

I've just about got this working, but there is one sticking point:  I realized that I need to create the user myself rather than depending on the mechanism enabled by postgresql-auto-create-accounts.  The documentation is pretty clear on how to do this in mysql, but much less forthcoming on how to do this in postgresql.  A few minutes of Google searching didn't seem to find a simple recipe.  Can you offer any advice on this?  I have considered switching to mysql, since I really don't care much which database is running.

Thanks
Howard

________________________________
From: Nick Couchman <vn...@apache.org>
Sent: Wednesday, September 9, 2020 4:36 PM
To: user@guacamole.apache.org <us...@guacamole.apache.org>
Subject: Re: Running guacamole inside of a secured environment

On Wed, Sep 9, 2020 at 4:33 PM Lander, Howard Michael <ho...@renci.org> wrote:
Thanks for such a quick response.

I am updating to 1.2.0 now.

Is it not possible to do the mapping between users and connections using psql? Sort of looks like it is in the docs... I am doing an automated deployment and can't really use the GUI.


Oh, it is definitely possible - that's all the WebUI does.  Basically what you'll need to do is:
- Grab the entity_id of the user or group you want to associate
- Grab the connection_id of the connection you want to associate
- Add an entry to the <guacamole_connection_permission> table with the entity id, the connection id, and "READ" permission.

You can do this with SQL on the database itself, or you can automate via Guacamole's REST API. Unfortunately right now documentation for the REST API is lacking, so if you go that route you'll have to figure out the calls to make by looking at the network traffic on the web interface and duplicating that.

-Nick

Re: Running guacamole inside of a secured environment

Posted by Nick Couchman <vn...@apache.org>.
On Wed, Sep 9, 2020 at 4:33 PM Lander, Howard Michael <ho...@renci.org>
wrote:

> Thanks for such a quick response.
>
> I am updating to 1.2.0 now.
>
> Is it not possible to do the mapping between users and connections using
> psql? Sort of looks like it is in the docs... I am doing an automated
> deployment and can't really use the GUI.
>
>
Oh, it is definitely possible - that's all the WebUI does.  Basically what
you'll need to do is:
- Grab the entity_id of the user or group you want to associate
- Grab the connection_id of the connection you want to associate
- Add an entry to the <guacamole_connection_permission> table with the
entity id, the connection id, and "READ" permission.

You can do this with SQL on the database itself, or you can automate via
Guacamole's REST API. Unfortunately right now documentation for the REST
API is lacking, so if you go that route you'll have to figure out the calls
to make by looking at the network traffic on the web interface and
duplicating that.

-Nick

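
The three steps Nick lists above (entity id, connection id, a READ row in guacamole_connection_permission), together with the manual user creation Howard asks about for PostgreSQL, as one added worked example. This SQL is not from the thread or from the Guacamole project; table and column names follow the Guacamole 1.2 PostgreSQL schema (check them against the schema file shipped with your guacamole-auth-jdbc-postgresql release), and the username `hlander`, the connection name `vnc-desktop-01`, the host and the VNC password are constructed placeholders.

```sql
-- Added example (not from the thread): provision a header-authenticated
-- Guacamole user in PostgreSQL and grant it one VNC connection.
-- Schema names assumed from Guacamole 1.2; 'hlander', 'vnc-desktop-01',
-- the host and the VNC password are constructed placeholders.
BEGIN;

-- 1. Permissions attach to the entity row; the user row hangs off it.
--    The name must equal the value your proxy sends in REMOTE_USER.
INSERT INTO guacamole_entity (name, type)
VALUES ('hlander', 'USER');

-- password_hash is NOT NULL in the schema, so store 16 random bytes.
-- Guacamole compares a 32-byte SHA-256 digest against this column, so no
-- password attempt can ever match: the account is reachable only through
-- the header extension, which is the intent in a pre-authenticated setup.
INSERT INTO guacamole_user (entity_id, password_hash, password_salt, password_date)
SELECT entity_id,
       decode(md5(random()::text), 'hex'),
       NULL,
       CURRENT_TIMESTAMP
FROM guacamole_entity
WHERE name = 'hlander' AND type = 'USER';

-- 2. The connection plus its protocol parameters: the database equivalent
--    of the old user-mapping.xml <authorize> block.
INSERT INTO guacamole_connection (connection_name, protocol)
VALUES ('vnc-desktop-01', 'vnc');

INSERT INTO guacamole_connection_parameter (connection_id, parameter_name, parameter_value)
SELECT c.connection_id, p.name, p.value
FROM guacamole_connection c
CROSS JOIN (VALUES ('hostname', 'localhost'),
                   ('port',     '5901'),
                   ('password', 'vnc-password-placeholder')) AS p(name, value)
WHERE c.connection_name = 'vnc-desktop-01' AND c.parent_id IS NULL;

-- 3. Link the user to the connection. READ is what lets a user open the
--    connection; UPDATE, DELETE and ADMINISTER would let them change it,
--    so grant only READ for ordinary users.
INSERT INTO guacamole_connection_permission (entity_id, connection_id, permission)
SELECT e.entity_id,
       c.connection_id,
       'READ'::guacamole_object_permission_type
FROM guacamole_entity e
JOIN guacamole_connection c
  ON c.connection_name = 'vnc-desktop-01' AND c.parent_id IS NULL
WHERE e.name = 'hlander' AND e.type = 'USER';

COMMIT;

-- Verification: who can reach which connection, and with what rights.
-- Expect exactly one row for hlander / vnc-desktop-01 / READ.
SELECT e.name AS entity, e.type, c.connection_name, c.protocol, p.permission
FROM guacamole_connection_permission p
JOIN guacamole_entity e ON e.entity_id = p.entity_id
JOIN guacamole_connection c ON c.connection_id = p.connection_id
ORDER BY e.name, c.connection_name;
```

Everything runs inside one transaction so a failed step (a duplicate connection name, a missing entity) leaves no half-provisioned user behind. Because the VNC password sits in guacamole_connection_parameter in clear text, restrict database access to the Guacamole service account and keep the verification query handy for periodic review of who has been granted which connection.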

Re: Running guacamole inside of a secured environment

Posted by "Lander, Howard Michael" <ho...@renci.org>.
Thanks for such a quick response.

I am updating to 1.2.0 now.

Is it not possible to do the mapping between users and connections using psql? Sort of looks like it is in the docs... I am doing an automated deployment and can't really use the GUI.

Howard

________________________________
From: Nick Couchman <vn...@apache.org>
Sent: Wednesday, September 9, 2020 4:28 PM
To: user@guacamole.apache.org <us...@guacamole.apache.org>
Subject: Re: Running guacamole inside of a secured environment

On Wed, Sep 9, 2020 at 4:25 PM Howard Lander <ho...@renci.org> wrote:
Hi Nick

I'm finally getting back to this.  auth_header is working fine and I have
installed postgres and the needed plugin. I think all the connections are
set up properly because I have the guacadmin user in the entity table and in
the user table. In my guacamole.properties file I have set

 postgresql-auto-create-accounts: true

I had expected that when I logged in as a user, with the REMOTE_USER header,
that I would see an entry for the user in the entity and user tables. Is
that incorrect?  I am using version 1.0.  Maybe I need to upgrade?


Yes, the account auto-creation feature was introduced in version 1.2.0, so you'll need to bump up to that version to get that feature.

Past that, I see in the documentation how I should add a connection, but I
am missing how to link between the user and the connection.  Any advice?


Links between connection and user are done by assigning a user (or group) permissions to a particular connection.  This is done in the web UI.

-Nick

Re: Running guacamole inside of a secured environment

Posted by Nick Couchman <vn...@apache.org>.
On Wed, Sep 9, 2020 at 4:25 PM Howard Lander <ho...@renci.org> wrote:

> Hi Nick
>
> I'm finally getting back to this.  auth_header is working fine and I have
> installed postgres and the needed plugin. I think all the connections are
> set up properly because I have the guacadmin user in the entity table and
> in
> the user table. In my guacamole.properties file I have set
>
>  postgresql-auto-create-accounts: true
>
> I had expected that when I logged in as a user, with the REMOTE_USER header,
> that I would see an entry for the user in the entity and user tables. Is
> that incorrect?  I am using version 1.0.  Maybe I need to upgrade?
>
>
Yes, the account auto-creation feature was introduced in version 1.2.0, so
you'll need to bump up to that version to get that feature.


> Past that, I see in the documentation how I should add a connection, but I
> am missing how to link between the user and the connection.  Any advice?
>
>
Links between connection and user are done by assigning a user (or group)
permissions to a particular connection.  This is done in the web UI.

-Nick

Re: Running guacamole inside of a secured environment

Posted by Howard Lander <ho...@renci.org>.
Hi Nick

I'm finally getting back to this.  auth_header is working fine and I have
installed postgres and the needed plugin. I think all the connections are
set up properly because I have the guacadmin user in the entity table and in
the user table. In my guacamole.properties file I have set 

 postgresql-auto-create-accounts: true

I had expected that when I logged in as a user, with the REMOTE_USER header, 
that I would see an entry for the user in the entity and user tables. Is
that incorrect?  I am using version 1.0.  Maybe I need to upgrade?

Past that, I see in the documentation how I should add a connection, but I
am missing how to link between the user and the connection.  Any advice?

Howard



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Re: Running guacamole inside of a secured environment

Posted by Nick Couchman <vn...@apache.org>.
On Thu, May 7, 2020 at 4:55 PM Howard Lander <ho...@renci.org> wrote:

> Hi Nick
>
> Thanks so much for the quick reply.
>
> Funny thing is that I tried deleting the password attribute from the
> user_mapping file but that didn't work either.. Oh well. I could actually
> live with no security on the connection, since this is running within a
> secure environment. If I store the connections in the JDBC module, would I
> still use the header-auth module? It turns out that this would be pretty
> convenient for us since the authentication system we are using already can
> easily send the REMOTE_USER header. At first glance I don't quite see how
> to use the JDBC module, but I will look into it some more.
>
>
Yes, if you store connections in the JDBC module you can still use the
Header module for authentication.  The authentication system "layers" the
users such that, if username matches, it will apply permissions across the
modules.

http://guacamole.apache.org/doc/gug/jdbc-auth.html

http://guacamole.apache.org/doc/gug/ldap-auth.html#ldap-and-database

That second one covers using LDAP and JDBC, but the concept is the same for
any of the modules + JDBC.

-Nick


Re: Running guacamole inside of a secured environment

Posted by Howard Lander <ho...@renci.org>.
Hi Nick

Thanks so much for the quick reply.

Funny thing is that I tried deleting the password attribute from the 
user_mapping file but that didn't work either.. Oh well. I could 
actually live with no security on the connection, since this is running 
within a secure environment. If I store the connections in the JDBC 
module, would I still use the header-auth module? It turns out that this 
would be pretty convenient for us since the authentication system we are 
using already can easily send the REMOTE_USER header. At first glance I 
don't quite see how to use the JDBC module, but I will look into it some 
more.

Thanks again
Howard

On 5/7/20 4:39 PM, Nick Couchman wrote:
> On Thu, May 7, 2020 at 4:11 PM Lander, Howard Michael 
> <howard@renci.org> wrote:
>
>     Hi Nick
>
>     Thanks for the reply.  I've been playing around with the
>     header-auth module and I can login to guacamole using the
>     REMOTE_USER header. So that part is working great. But I use a
>     user-mapping.xml file that looks like this:
>
>     <user-mapping>
>
>         <!-- Example user configurations are given below. For more
>     information,
>              see the user-mapping.xml section of the Guacamole
>     configuration
>              documentation:
>     http://guac-dev.org/Configuring%20Guacamole -->
>
>         <!-- Per-user authentication and config information -->
>         <authorize username="fakename" password="fakepassword">
>             <protocol>vnc</protocol>
>             <param name="hostname">localhost</param>
>             <param name="port">5901</param>
>             <param name="password">fakepassword</param>
>         </authorize>
>     </user-mapping>
>
>     and the upshot of this is when the user logged in, they were taken
>     immediately to the VNC service. That's not happening any more. 
>     Instead I get a screen like the following. I couldn't find
>     anything about this in the header-auth documentation. Any
>     suggestions or ideas?
>
>
> Yes, the basic user-mapping.xml authentication extension does not 
> usually work with the other authentication extensions.  It's intended 
> to be a very basic extension for testing your installation.  It 
> *might* work, but at least one of the issues is that, in your 
> user-mapping.xml file above you have a "password" specified for the 
> "fakename" user - and the Header authentication extension will never 
> pass through this password (or any password, for that matter), so the 
> user won't be authenticated to the user-mapping.xml extension.  If you 
> put an entry in with no password then you lack any security on that 
> connection.
>
> You probably want to consider setting up the JDBC module to store your 
> connections...
>
> -Nick
>

-- 
Howard Lander <ma...@renci.org>
Senior Research Software Developer
Renaissance Computing Institute (RENCI) <http://www.renci.org>
The University of North Carolina at Chapel Hill
100 Europa Drive
Suite 540
Chapel Hill, NC 27517
919-445-9651

Re: Running guacamole inside of a secured environment

Posted by Nick Couchman <vn...@apache.org>.
On Thu, May 7, 2020 at 4:11 PM Lander, Howard Michael <ho...@renci.org>
wrote:

> Hi Nick
>
> Thanks for the reply.  I've been playing around with the header-auth
> module and I can login to guacamole using the REMOTE_USER header. So that
> part is working great. But I use a user-mapping.xml file that looks like
> this:
>
> <user-mapping>
>
>     <!-- Example user configurations are given below. For more information,
>          see the user-mapping.xml section of the Guacamole configuration
>          documentation: http://guac-dev.org/Configuring%20Guacamole -->
>
>     <!-- Per-user authentication and config information -->
>     <authorize username="fakename" password="fakepassword">
>         <protocol>vnc</protocol>
>         <param name="hostname">localhost</param>
>         <param name="port">5901</param>
>         <param name="password">fakepassword</param>
>     </authorize>
> </user-mapping>
>
> and the upshot of this is when the user logged in, they were taken
> immediately to the VNC service. That's not happening any more.  Instead I
> get a screen like the following. I couldn't find anything about this in the
> header-auth documentation. Any suggestions or ideas?
>
>
Yes, the basic user-mapping.xml authentication extension does not usually
work with the other authentication extensions.  It's intended to be a very
basic extension for testing your installation.  It *might* work, but at
least one of the issues is that, in your user-mapping.xml file above you
have a "password" specified for the "fakename" user - and the Header
authentication extension will never pass through this password (or any
password, for that matter), so the user won't be authenticated to the
user-mapping.xml extension.  If you put an entry in with no password then
you lack any security on that connection.

You probably want to consider setting up the JDBC module to store your
connections...

-Nick


Re: Running guacamole inside of a secured environment

Posted by "Lander, Howard Michael" <ho...@renci.org>.
Hi Nick

Thanks for the reply.  I've been playing around with the header-auth module and I can login to guacamole using the REMOTE_USER header. So that part is working great. But I use a user-mapping.xml file that looks like this:

<user-mapping>

    <!-- Example user configurations are given below. For more information,
         see the user-mapping.xml section of the Guacamole configuration
         documentation: http://guac-dev.org/Configuring%20Guacamole -->

    <!-- Per-user authentication and config information -->
    <authorize username="fakename" password="fakepassword">
        <protocol>vnc</protocol>
        <param name="hostname">localhost</param>
        <param name="port">5901</param>
        <param name="password">fakepassword</param>
    </authorize>
</user-mapping>

and the upshot of this is when the user logged in, they were taken immediately to the VNC service. That's not happening any more.  Instead I get a screen like the following. I couldn't find anything about this in the header-auth documentation. Any suggestions or ideas?

Here's the screen shot:

[screenshot attachment not reproduced in the plain-text archive]
Thanks much
Howard

________________________________

From: Nick Couchman <vn...@apache.org>
Sent: Thursday, April 9, 2020 5:11 PM
To: user@guacamole.apache.org <us...@guacamole.apache.org>
Subject: Re: Running guacamole inside of a secured environment

On Thu, Apr 9, 2020 at 10:37 AM Howard Lander <ho...@renci.org> wrote:
Hi all

We are running guacamole inside of a secured environment. By this I mean that by the time the user can access our Guacamole server they have already authenticated. So we really don't want them to have to authenticate again.  I see that there was a noauth extension, but it doesn't seem to be supported in either version 1.0 or 1.1.  I found the docs that describe how to write a custom authentication module, but I'm not sure I want to go down that path. What, if anything, is the currently approved method of providing access without authentication? Did I just miss the noauth support in later versions? If it matters, the service we are allowing the users to connect to is VNC.

First, regarding the noauth module, no, you are not missing it in the current versions.  It was deprecated in version 0.9.13 or 0.9.14, and completely removed from version 1.0.0 and later.

Regarding working in a trusted environment, first, please read the following:

http://guacamole.apache.org/faq/#disable-auth

Beyond this, there are a couple of ways you can work through the authentication mechanism to make the experience more seamless for users.  The most common is to use an SSO extension of some sort to authenticate through an existing SSO provider.  Guacamole currently supports CAS and OpenID providers, and also has a Header authentication module that can be used to authenticate users through HTTP headers in trusted environments.

http://guacamole.apache.org/doc/gug/cas-auth.html
http://guacamole.apache.org/doc/gug/openid-auth.html
http://guacamole.apache.org/doc/gug/header-auth.html

Depending on your environment, another option is to use the parameter tokens as pass through authentication from Guacamole to your destination systems.  This works particularly well in environments where you have AD authentication and use that with the LDAP extension, and then pass through the LDAP username and password to the RDP hosts that use the same AD domain.

http://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens

-Nick

Re: Running guacamole inside of a secured environment

Posted by Nick Couchman <vn...@apache.org>.
On Thu, Apr 9, 2020 at 10:37 AM Howard Lander <ho...@renci.org> wrote:

> Hi all
>
> We are running guacamole inside of a secured environment. By this I mean
> that by the time the user can access our Guacamole server they have already
> authenticated. So we really don't want them to have to authenticate again.
> I see that there was a noauth extension, but it doesn't seem to be
> supported in either version 1.0 or 1.1.  I found the docs that describe how
> to write a custom authentication module, but I'm not sure I want to go down
> that path. What, if anything, is the currently approved method of providing
> access without authentication? Did I just miss the noauth support in later
> versions? If it matters, the service we are allowing the users to connect
> to is VNC.
>

First, regarding the noauth module, no, you are not missing it in the
current versions.  It was deprecated in version 0.9.13 or 0.9.14, and
completely removed from version 1.0.0 and later.

Regarding working in a trusted environment, first, please read the
following:

http://guacamole.apache.org/faq/#disable-auth

Beyond this, there are a couple of ways you can work through the
authentication mechanism to make the experience more seamless for users.
The most common is to use an SSO extension of some sort to authenticate
through an existing SSO provider.  Guacamole currently supports CAS and
OpenID providers, and also has a Header authentication module that can be
used to authenticate users through HTTP headers in trusted environments.

http://guacamole.apache.org/doc/gug/cas-auth.html
http://guacamole.apache.org/doc/gug/openid-auth.html
http://guacamole.apache.org/doc/gug/header-auth.html

Depending on your environment, another option is to use the parameter
tokens as pass through authentication from Guacamole to your destination
systems.  This works particularly well in environments where you have AD
authentication and use that with the LDAP extension, and then pass through
the LDAP username and password to the RDP hosts that use the same AD domain.

http://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens

-Nick
