You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@guacamole.apache.org by "James P.D." <p....@swansea.ac.uk> on 2021/04/14 13:55:47 UTC
guacamole-auth-json error
Hi,
I have been trying to configure the guacamole-auth-json extension (https://github.com/apache/guacamole-client/tree/master/extensions/guacamole-auth-json), however I seem to be hitting roadblocks (likely due to me fumbling something). Any help on the below error would be much appreciated.
I have followed the setup instructions, but keep getting errors.
I am trying to test with the same example as given on the setup instructions. I know this is insecure, but I am just trying to get things working.
In particular, I am using the key 4c0b569e4c96df157eee1b65dd0e4d41 in the guacamole.properties file.
I then have the following JSON in the file auth.json:
{
"username" : "test",
"expires" : "1446323765000",
"connections" : {
"My Connection" : {
"protocol" : "rdp",
"parameters" : {
"hostname" : "10.10.209.63",
"port" : "3389",
"ignore-cert": "true",
"recording-path": "/recordings",
"recording-name": "My-Connection-${GUAC_USERNAME}-${GUAC_DATE}-${GUAC_TIME}"
}
},
"My OTHER Connection" : {
"protocol" : "rdp",
"parameters" : {
"hostname" : "10.10.209.64",
"port" : "3389",
"ignore-cert": "true",
"recording-path": "/recordings",
"recording-name": "My-OTHER-Connection-${GUAC_USERNAME}-${GUAC_DATE}-${GUAC_TIME}"
}
}
}
}
I now run:
./encrypt-json.sh 4C0B569E4C96DF157EEE1B65DD0E4D41 auth.json
and get the following output:
Ez9K+nkHjuEAWqgE8w6eIBMdQ//B8/Zi8V1y2HOpaT5wS7rCOKPxxA4gsyWlVLuS
VXueOVSQKYVpQUbAl+Lsi7HEfPyTyBJhqVF7P6GTwNqciT4Q8n8WmTLus48zIOcn
jm3HFp39Qtj6C4wQ9Px0V7aTw2V/pG+/bp/48huFW7ekh2AMSossTEDmw+zkcyIu
Vbq7J+BnX77YlIKUqFODEbpOetMkUxx6eqyDByVeozh12tsmiKiZbRiB2bw+dzsx
F9j8GNzkTeM/m7Sy1EHT1vXSRXdSwdrmE7wOKh1rfIFmCLyIyXIwe8S/QRDaDLP2
w9QL3LMNWPyl8ZOgKh5uDJOZSRh3qiVU5SfW35yHIcsQJ8noa00HOymTyJ9/ZmLG
2iYOfT/Al9hAyAHfuP5EAxsfSzjjgxU4QDpahfNWgkSr3t3h9d5HIKBqjOQxlrMW
Utqtnm9AB4PUrAs6utuDB+1/A6KEdb3G2C1TzGmtI+vifuf8nWa4pZs555hKuZ5j
bazA6UA1WX0INjGGEPWm/ICoOcRqTd6l2OI059apELTP6xHdILCpGtM7VG4qtnsI
TEOI0P7HroGgOXXsdSeoEm35Lhb1sy0s5lJEwpj1fnmePOjFvCtTB5a4zZrSXcph
B5ghk10jnU6lM5xDrGqbQCaEy3qQtXEmmuq4U42MWLhKuYd919hEFZQABqZoMgb8
rFedsU5PXQEjyMWXfI1pD5b62HCjmr0jFFqJKF0gce+lKaqZA939PXzyAY8uhbh2
WRMywHnNH200jXOOC9gupcFoZSFgZPzP+qTFvAoo2WQvkr3ukK0AemQl2vbwrca0
rTGQBIlvaxPkw/7AojvvxEubMGyHnh7mS/vy5Eug8mzwyUGlVhgbAI/agyn+8gdA
1LUBXblbZTfz85MYI+GyMDNuOZXp67qhDqv40Ud67V+rFluUPXWRBLmLbDXB2LLm
8Mo7bpe+hLCtILIlN5hDmeOPGQtMpOC8t57Wh+jfkGSKqn0ljRVrrIoPZBzpB2qr
oZ+SgU93JdaFbEfuNbnF+G8aNb9UtN3pbEZUah6LNzuz22ou5ZYjaS7KbJlDL70v
x8sv2hmK3zNRnHUKANIjOCX9RlsGZ9wHRl+1kDw65+BoN+i4JWgIHbEBsVZG5VUE
r76MIuazfaNi3xPYW8sIYw==
This output is different to the output given on the webpage. My first question is, is this a problem?
Secondly, if I store this output in a file named “enc” and then run:
curl --data-urlencode “data=$(<enc)" http://10.230.42.19:8080/guacamole/api/tokens
Then I get the response:
{"message":"Permission denied.","translatableMessage":{"key":"APP.TEXT_UNTRANSLATED","variables":{"MESSAGE":"Permission denied."}},"statusCode":null,"expected":[],"type":"INVALID_CREDENTIALS”}
And looking in the logs (/var/log/syslog) I can see the warning:
WARN o.a.g.auth.json.user.UserDataService - Submitted data is not proper base64.
No matter what I try I cannot seem to get past this error. Obviously, I expect to get a permission denied error for the sample JSON file above, as the credentials are not correct, but the base64 warning does not seem correct. I have also tried the above process with a correct set of credentials and connection information within the JSON file which I believe should work. Here I get the same base64 warning. Are there any hints/tips/ideas at this point?
Finally, whilst testing I also noticed that when using a lower case key in the file guacamole.properties (as explained on the website) I get the error:
ERROR o.a.g.auth.json.user.UserDataService - Decryption of received data failed: Invalid hexadecimal value.
After changing the key to uppercase (as I did above) then this error was changes and instead I received the base64 warning above. But I don’t know if this is better or worse?
Any help on this issue would be much appreciated.
Best,
Phil
-----------------------
Dr. Phillip James
Senior Lecturer
Department of Computer Science / Yr Adran Gyfrifiadureg
Swansea University / Prifysgol Abertawe
Bay Campus / Campws y Bae
SA1 8EN
Re: guacamole-auth-json error
Posted by Mike WW <mw...@broward.edu>.
HiThanks for the quick reply. Fair point.I've been working backwards to get
to a working config, and had been using :`date +%s --date "+ 24 hours"`to
create a timestamp good for a day. Although it was 3 digits shorter than
the one on the reference example in the README for auth-json. I just
checked the README and indeed it says "milliseconds". I just assumed
seconds and assumed the author had added three zeroes on the end of an old
timestamp to make sure it'd work for others in the future.Many thanks, this
was my 3rd run through, but at least I have excellent documentation now.
Mike
--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
Re: guacamole-auth-json error
Posted by Mike Jumper <mi...@glyptodon.com>.
On Wed, May 5, 2021 at 1:50 PM Mike WW <mw...@broward.edu> wrote:
> Hi,
>
> I'm dealing with the same situation having used the exact same reference
> settings (json-secret-key and auth.json file) just in an attempt to get it
> working, and I'm getting the exact same signed and encrypted response
> (Ez9K+nkHjuEAWq...8sIYw==).
>
> I've attempt removing line breaks with `tr -d '\n'` but while this works
> the
> resulting encrypted block still doesn't work for me. ...
>
You'll have to make at least some changes to that JSON, as its expiration
timestamp is in the past ("1446323765000" is 2015-10-31 20:36:05 UTC). It
will be ignored by guacamole-auth-json as expired. If you are getting the
same encrypted data back, that's a good sign - you can probably just edit
the JSON to have a non-expired timestamp.
Michael Jumper
CEO, Lead Developer
Glyptodon Inc <https://glyp.to/>.
Re: guacamole-auth-json error
Posted by Mike WW <mw...@broward.edu>.
Hi,
I'm dealing with the same situation having used the exact same reference
settings (json-secret-key and auth.json file) just in an attempt to get it
working, and I'm getting the exact same signed and encrypted response
(Ez9K+nkHjuEAWq...8sIYw==).
I've attempt removing line breaks with `tr -d '\n'` but while this works the
resulting encrypted block still doesn't work for me. What method did you
use?
I have downloaded both 1.3.0 server and client from their "Apache" (so they
match, and not from glyptodon) GitHub sites, successfully compiled both with
Maven, installed and started the server, deployed Tomcat and the client
successfully and tested with BasicFileAuthentication and the
user-mapping.xml.
copied
guacamole-client-master/extensions/guacamole-auth-json/target/guacamole-auth-json-1.3.0.jar
to GUACAMOLE_HOME/extensions
(/usr/share/tomcat/.guacamole/extensions in my case)
added
json-secret-key: 4c0b569e4c96df157eee1b65dd0e4d41
to guacamole.properties
I saw in the logs (/var/log/messages) that "Encrypted JSON .." was "loaded"
on Tomcat restart
but I'm not able to get a successful authentication yet.
Did it matter that the encrypt.json.sh encrypted block was different from
the reference example in the README on the GitHub site?
What method did you use to remove the line breaks?
Any help/ideas greatly appreciated.
--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org
Re: guacamole-auth-json error
Posted by Nick Couchman <vn...@apache.org>.
On Thu, Apr 22, 2021 at 5:53 PM calebc <
caleb.coverdale@provisioninfotech.com> wrote:
> How were you able to compile it? Are you able to post the *.jar file?
>
>
You need maven and a Java compiler. You can check out the code in github (
https://github.com/apache/guacamole-client) and then build:
mvn clean package
Once that completes the JAR will be in the
extensions/guacamole-auth-json/target directory.
-Nick
Re: guacamole-auth-json error
Posted by calebc <ca...@provisioninfotech.com>.
How were you able to compile it? Are you able to post the *.jar file?
--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/
---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org
Re: guacamole-auth-json error
Posted by Nick Couchman <vn...@apache.org>.
On Thu, Apr 15, 2021 at 9:08 AM James P.D. <p....@swansea.ac.uk> wrote:
> Hi,
>
> Just to confirm we seem to have found the issue.
>
> The main issue seems to be regarding line breaks in the generated base64.
> I was using curl to send a file containing the generated base64 that
> included line breaks (as line breaks are naturally output by the
> encrypt-json.sh script). If I remove these line breaks then it all works
> out.
>
Thanks for following up with your solution.
>
> I will submit a pull request shortly updating the documentation with some
> hints on this (in particular, that if using the curl command with a file,
> you need to ensure all line breaks are removed from the generated base64
> output).
>
>
That would be much appreciated.
-Nick
Re: guacamole-auth-json error
Posted by "James P.D." <p....@swansea.ac.uk>.
Hi,
Just to confirm we seem to have found the issue.
The main issue seems to be regarding line breaks in the generated base64. I was using curl to send a file containing the generated base64 that included line breaks (as line breaks are naturally output by the encrypt-json.sh script). If I remove these line breaks then it all works out.
I will submit a pull request shortly updating the documentation with some hints on this (in particular, that if using the curl command with a file, you need to ensure all line breaks are removed from the generated base64 output).
Best,
Phil
On 14 Apr 2021, at 14:55, James P.D. <P....@swansea.ac.uk>> wrote:
Hi,
I have been trying to configure the guacamole-auth-json extension (https://github.com/apache/guacamole-client/tree/master/extensions/guacamole-auth-json), however I seem to be hitting roadblocks (likely due to me fumbling something). Any help on the below error would be much appreciated.
I have followed the setup instructions, but keep getting errors.
I am trying to test with the same example as given on the setup instructions. I know this is insecure, but I am just trying to get things working.
In particular, I am using the key 4c0b569e4c96df157eee1b65dd0e4d41 in the guacamole.properties file.
I then have the following JSON in the file auth.json:
{
"username" : "test",
"expires" : "1446323765000",
"connections" : {
"My Connection" : {
"protocol" : "rdp",
"parameters" : {
"hostname" : "10.10.209.63",
"port" : "3389",
"ignore-cert": "true",
"recording-path": "/recordings",
"recording-name": "My-Connection-${GUAC_USERNAME}-${GUAC_DATE}-${GUAC_TIME}"
}
},
"My OTHER Connection" : {
"protocol" : "rdp",
"parameters" : {
"hostname" : "10.10.209.64",
"port" : "3389",
"ignore-cert": "true",
"recording-path": "/recordings",
"recording-name": "My-OTHER-Connection-${GUAC_USERNAME}-${GUAC_DATE}-${GUAC_TIME}"
}
}
}
}
I now run:
./encrypt-json.sh 4C0B569E4C96DF157EEE1B65DD0E4D41 auth.json
and get the following output:
Ez9K+nkHjuEAWqgE8w6eIBMdQ//B8/Zi8V1y2HOpaT5wS7rCOKPxxA4gsyWlVLuS
VXueOVSQKYVpQUbAl+Lsi7HEfPyTyBJhqVF7P6GTwNqciT4Q8n8WmTLus48zIOcn
jm3HFp39Qtj6C4wQ9Px0V7aTw2V/pG+/bp/48huFW7ekh2AMSossTEDmw+zkcyIu
Vbq7J+BnX77YlIKUqFODEbpOetMkUxx6eqyDByVeozh12tsmiKiZbRiB2bw+dzsx
F9j8GNzkTeM/m7Sy1EHT1vXSRXdSwdrmE7wOKh1rfIFmCLyIyXIwe8S/QRDaDLP2
w9QL3LMNWPyl8ZOgKh5uDJOZSRh3qiVU5SfW35yHIcsQJ8noa00HOymTyJ9/ZmLG
2iYOfT/Al9hAyAHfuP5EAxsfSzjjgxU4QDpahfNWgkSr3t3h9d5HIKBqjOQxlrMW
Utqtnm9AB4PUrAs6utuDB+1/A6KEdb3G2C1TzGmtI+vifuf8nWa4pZs555hKuZ5j
bazA6UA1WX0INjGGEPWm/ICoOcRqTd6l2OI059apELTP6xHdILCpGtM7VG4qtnsI
TEOI0P7HroGgOXXsdSeoEm35Lhb1sy0s5lJEwpj1fnmePOjFvCtTB5a4zZrSXcph
B5ghk10jnU6lM5xDrGqbQCaEy3qQtXEmmuq4U42MWLhKuYd919hEFZQABqZoMgb8
rFedsU5PXQEjyMWXfI1pD5b62HCjmr0jFFqJKF0gce+lKaqZA939PXzyAY8uhbh2
WRMywHnNH200jXOOC9gupcFoZSFgZPzP+qTFvAoo2WQvkr3ukK0AemQl2vbwrca0
rTGQBIlvaxPkw/7AojvvxEubMGyHnh7mS/vy5Eug8mzwyUGlVhgbAI/agyn+8gdA
1LUBXblbZTfz85MYI+GyMDNuOZXp67qhDqv40Ud67V+rFluUPXWRBLmLbDXB2LLm
8Mo7bpe+hLCtILIlN5hDmeOPGQtMpOC8t57Wh+jfkGSKqn0ljRVrrIoPZBzpB2qr
oZ+SgU93JdaFbEfuNbnF+G8aNb9UtN3pbEZUah6LNzuz22ou5ZYjaS7KbJlDL70v
x8sv2hmK3zNRnHUKANIjOCX9RlsGZ9wHRl+1kDw65+BoN+i4JWgIHbEBsVZG5VUE
r76MIuazfaNi3xPYW8sIYw==
This output is different to the output given on the webpage. My first question is, is this a problem?
Secondly, if I store this output in a file named “enc” and then run:
curl --data-urlencode “data=$(<enc)" http://10.230.42.19:8080/guacamole/api/tokens
Then I get the response:
{"message":"Permission denied.","translatableMessage":{"key":"APP.TEXT_UNTRANSLATED","variables":{"MESSAGE":"Permission denied."}},"statusCode":null,"expected":[],"type":"INVALID_CREDENTIALS”}
And looking in the logs (/var/log/syslog) I can see the warning:
WARN o.a.g.auth.json.user.UserDataService - Submitted data is not proper base64.
No matter what I try I cannot seem to get past this error. Obviously, I expect to get a permission denied error for the sample JSON file above, as the credentials are not correct, but the base64 warning does not seem correct. I have also tried the above process with a correct set of credentials and connection information within the JSON file which I believe should work. Here I get the same base64 warning. Are there any hints/tips/ideas at this point?
Finally, whilst testing I also noticed that when using a lower case key in the file guacamole.properties (as explained on the website) I get the error:
ERROR o.a.g.auth.json.user.UserDataService - Decryption of received data failed: Invalid hexadecimal value.
After changing the key to uppercase (as I did above) then this error was changes and instead I received the base64 warning above. But I don’t know if this is better or worse?
Any help on this issue would be much appreciated.
Best,
Phil
-----------------------
Dr. Phillip James
Senior Lecturer
Department of Computer Science / Yr Adran Gyfrifiadureg
Swansea University / Prifysgol Abertawe
Bay Campus / Campws y Bae
SA1 8EN