Posted to user@guacamole.apache.org by "Devine, Harry (FAA)" <ha...@faa.gov.INVALID> on 2020/09/10 14:14:18 UTC

Issues with VNC and SSH on 2 different connections

I am having an issue with VNC connection on 1 server, and an SSH connection on another.  We have 2 other SSH connections that work fine.

For the VNC (which is running on RHEL 7 with TigerVNC), I see this in /var/log/messages:

Sep 10 10:08:00 ose-access guacd[21334]: Creating new client for protocol "vnc"
Sep 10 10:08:00 ose-access guacd[21334]: Connection ID is "$612676a8-2e21-48a0-89d2-66afdd3d5657"
Sep 10 10:08:00 ose-access guacd[22306]: Cursor rendering: local
Sep 10 10:08:00 ose-access guacd[22306]: User "@61860625-7c6a-4ae7-ab1c-11aed717a187" joined connection "$612676a8-2e21-48a0-89d2-66afdd3d5657" (1 users now present)
Sep 10 10:08:00 ose-access server: 10:08:00.891 [http-bio-8080-exec-13] INFO  o.a.g.tunnel.TunnelRequestService - User "guacadmin" connected to connection "5".
Sep 10 10:08:00 ose-access server: 10:08:00.891 [http-bio-8080-exec-13] INFO  o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet - Using HTTP tunnel (not WebSocket). Performance may be sub-optimal.
Sep 10 10:08:00 ose-access guacd[22306]: VNC server supports protocol version 3.8 (viewer 3.8)
Sep 10 10:08:00 ose-access guacd[22306]: We have 2 security types to read
Sep 10 10:08:00 ose-access guacd[22306]: 0) Received security type 19
Sep 10 10:08:00 ose-access guacd[22306]: Selecting security type 19 (0/2 in the list)
Sep 10 10:08:00 ose-access guacd[22306]: 1) Received security type 2
Sep 10 10:08:00 ose-access guacd[22306]: Selected Security Scheme 19
Sep 10 10:08:00 ose-access guacd[22306]: Failed to initialized GnuTLS: Error in public key generation..
Sep 10 10:08:00 ose-access guacd[22306]: Unable to connect to VNC server.
Sep 10 10:08:00 ose-access guacd[22306]: User "@61860625-7c6a-4ae7-ab1c-11aed717a187" disconnected (0 users remain)
Sep 10 10:08:00 ose-access guacd[22306]: Last user of connection "$612676a8-2e21-48a0-89d2-66afdd3d5657" disconnected

For the SSH connection, I get prompted for the username and as soon as I enter it, I get the "Home/Reconnect" window and the log shows the following:

Sep 10 10:08:04 ose-access guacd[21334]: Creating new client for protocol "ssh"
Sep 10 10:08:04 ose-access guacd[21334]: Connection ID is "$a6f234a9-34e2-45bf-9ae8-5648e2012ffa"
Sep 10 10:08:04 ose-access guacd[22315]: User "@05503ef3-b943-4e58-b2bf-ae26c5256c41" joined connection "$a6f234a9-34e2-45bf-9ae8-5648e2012ffa" (1 users now present)
Sep 10 10:08:04 ose-access server: 10:08:04.193 [http-bio-8080-exec-6] INFO  o.a.g.tunnel.TunnelRequestService - User "guacadmin" connected to connection "1".
Sep 10 10:08:04 ose-access server: 10:08:04.193 [http-bio-8080-exec-6] INFO  o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet - Using HTTP tunnel (not WebSocket). Performance may be sub-optimal.
Sep 10 10:08:05 ose-access guacd[21334]: Connection "$612676a8-2e21-48a0-89d2-66afdd3d5657" removed.
Sep 10 10:08:06 ose-access guacd[22315]: SSH handshake failed.
Sep 10 10:08:06 ose-access guacd[22315]: User "@05503ef3-b943-4e58-b2bf-ae26c5256c41" disconnected (0 users remain)
Sep 10 10:08:06 ose-access guacd[22315]: Last user of connection "$a6f234a9-34e2-45bf-9ae8-5648e2012ffa" disconnected
Sep 10 10:08:11 ose-access guacd[21334]: Connection "$a6f234a9-34e2-45bf-9ae8-5648e2012ffa" removed.
Sep 10 10:08:15 ose-access server: 10:08:15.975 [http-bio-8080-exec-13] INFO  o.a.g.tunnel.TunnelRequestService - User "guacadmin" disconnected from connection "5". Duration: 15084 milliseconds
Sep 10 10:08:15 ose-access server: 10:08:15.980 [http-bio-8080-exec-13] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to guacd timed out.
Sep 10 10:08:15 ose-access server: 10:08:15.980 [http-bio-8080-exec-12] INFO  o.a.g.tunnel.TunnelRequestService - User "guacadmin" disconnected from connection "5". Duration: 15089 milliseconds

Any help would be appreciated.
Harry

Harry Devine
DOT/FAA/AJM-2431
Secure-OSE Administrator
Red Hat Certified System Administrator (RHCSA)
harry.devine@faa.gov
(609)485-4218
Building 300, 3rd floor, Column L20 (3L20)


Re: Issues with VNC and SSH on 2 different connections

Posted by Nick Couchman <vn...@apache.org>.
On Tue, Oct 13, 2020 at 2:28 PM Devine, Harry (FAA)
<ha...@faa.gov.invalid> wrote:

> I apologize that this has taken me so long to answer.  Let me try and give
> an update.
>
> Our Guacamole is installed on RHEL 7.8 and is the current 1.2.0 version.
> If we set up an SSH connection to another RHEL 7 box, it works.  We have an
> SSH connection set up to go to a RHEL 8 box, and it does NOT work.  The
> guacamole log shows “SSH handshake failed”.
>
> On the RHEL 8 target box, we see the following:
>
> [root@tower1 ~]#tail -f /var/log/secure
> Oct 13 14:19:09 tower1 sshd[3583210]: FIPS mode initialized
> Oct 13 14:19:09 tower1 sshd[3583210]: Unable to negotiate with
> xxx.xxx.xxx.xxx port 34598: no matching host key type found. Their offer:
> ssh-rsa,ssh-dss [preauth]
>
> If we SSH from our guacamole server to that box directly (OS to OS), it
> works without incident.  So what could be going on in the Guacamole SSH
> library that could be causing this?
>
Guacamole uses libssh2, which does not have quite as broad support for all
of the various key exchange algorithms and host keys that some of the
larger libraries support.  This message indicates that the Guacamole client
is attempting to get either an RSA or DSS host key from the RHEL8 server,
but it appears that RHEL8 is using a different host key type? I've not
played much with EL8, so I'm not entirely sure what RHEL8 is using that
isn't supported, but it is a mismatch in host key support between libssh2
and OpenSSH on EL8.

-Nick
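
The host key mismatch described in this reply can be confirmed from the target's own logs. The following is an added example, not code from the thread or from the Guacamole project: it parses sshd "Unable to negotiate" records (including ones wrapped by a mail client) and compares the client's offer with the `hostkeyalgorithms` line of `sshd -T`. The function names are hypothetical and the `sshd -T` excerpt is a constructed sample; substitute the real output from the target host.

```python
import re

# One such line is logged per failed pre-auth negotiation; "kind" is the class with no overlap.
NEGOTIATE_RE = re.compile(
    r"sshd\[\d+\]: Unable to negotiate with (?P<peer>\S+) port \d+: "
    r"no matching (?P<kind>[A-Za-z ]+?) found\. Their offer: (?P<offer>\S+)"
)
SYSLOG_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")

def unwrap(lines):
    """Re-join log records that a mail client wrapped across several lines."""
    records = []
    for line in map(str.strip, lines):
        if SYSLOG_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def negotiation_failures(lines):
    """Return (peer, kind, offered algorithms) for each negotiation failure."""
    hits = (NEGOTIATE_RE.search(rec) for rec in unwrap(lines))
    return [(m["peer"], m["kind"], m["offer"].split(",")) for m in hits if m]

def server_host_key_algs(sshd_t_output):
    """Extract the effective HostKeyAlgorithms list from `sshd -T` output."""
    for line in sshd_t_output.splitlines():
        key, _, value = line.strip().partition(" ")
        if key.lower() == "hostkeyalgorithms":
            return value.split(",")
    return []

def overlap(offered, accepted):
    """Algorithms both sides support, in the client's preference order."""
    return [alg for alg in offered if alg in accepted]

# Constructed sample: the sshd lines from the thread, wrapped as in the mail,
# and an assumed `sshd -T` excerpt (replace with the target's real output).
SAMPLE_LOG = """\
Oct 13 14:19:09 tower1 sshd[3583210]: FIPS mode initialized
Oct 13 14:19:09 tower1 sshd[3583210]: Unable to negotiate with
xxx.xxx.xxx.xxx port 34598: no matching host key type found. Their offer:
ssh-rsa,ssh-dss [preauth]
""".splitlines()
SAMPLE_SSHD_T = "port 22\nhostkeyalgorithms ecdsa-sha2-nistp256,rsa-sha2-512,rsa-sha2-256\n"

if __name__ == "__main__":
    accepted = server_host_key_algs(SAMPLE_SSHD_T)
    for peer, kind, offered in negotiation_failures(SAMPLE_LOG):
        print(peer, kind, "offered:", offered, "common:", overlap(offered, accepted))
```

An empty "common" list for a "host key type" failure means the client and server share no host key algorithm, which is the condition sshd reports in the log above.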


RE: Issues with VNC and SSH on 2 different connections

Posted by "Devine, Harry (FAA)" <ha...@faa.gov.INVALID>.
I apologize that this has taken me so long to answer.  Let me try and give an update.

Our Guacamole is installed on RHEL 7.8 and is the current 1.2.0 version.  If we set up an SSH connection to another RHEL 7 box, it works.  We have an SSH connection set up to go to a RHEL 8 box, and it does NOT work.  The guacamole log shows "SSH handshake failed".

On the RHEL 8 target box, we see the following:

[root@tower1 ~]#tail -f /var/log/secure
Oct 13 14:19:09 tower1 sshd[3583210]: FIPS mode initialized
Oct 13 14:19:09 tower1 sshd[3583210]: Unable to negotiate with xxx.xxx.xxx.xxx port 34598: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]

If we SSH from our guacamole server to that box directly (OS to OS), it works without incident.  So what could be going on in the Guacamole SSH library that could be causing this?

Thanks,
Harry

From: ivanmarcus <iv...@yahoo.com.INVALID>
Sent: Thursday, September 10, 2020 3:45 PM
To: user@guacamole.apache.org; Devine, Harry (FAA) <ha...@faa.gov.INVALID>
Subject: Re: Issues with VNC and SSH on 2 different connections


Harry,

I'm a little unclear as to whether this is a single instance of Guacamole accessing different servers (with some access ok, others not), or several Guacamole instances, one each with the problem you describe?

In any event this link may be of some use (?), at least with the ssh issue:

http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/SSH-handshake-failed-only-RSA-keys-possible-td2248.html

I don't see too many results on the GnuTLS issue, but if it's a single Guacamole instance and you're having both this and the ssh issue at the same time then I wonder if there was an installation problem with one or more of the secure packages (libssh2/OpenSSL)?

On 11/09/2020 2:14 a.m., Devine, Harry (FAA) wrote:
SSH handshake failed


Re: Issues with VNC and SSH on 2 different connections

Posted by ivanmarcus <iv...@yahoo.com.INVALID>.
Harry,

I'm a little unclear as to whether this is a single instance of 
Guacamole accessing different servers (with some access ok, others not), 
or several Guacamole instances, one each with the problem you describe?

In any event this link may be of some use (?), at least with the ssh issue:

http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/SSH-handshake-failed-only-RSA-keys-possible-td2248.html

I don't see too many results on the GnuTLS issue, but if it's a single 
Guacamole instance and you're having both this and the ssh issue at the 
same time then I wonder if there was an installation problem with one or 
more of the secure packages (libssh2/OpenSSL)?

On 11/09/2020 2:14 a.m., Devine, Harry (FAA) wrote:
> SSH handshake failed