Posted to user@guacamole.apache.org by tek0011 <th...@gmail.com> on 2017/01/10 12:33:52 UTC

Re: Connection errors on no-auth unless logout first.

Anyone have a response to this?



--
View this message in context: http://apache-guacamole-incubating-users.2363388.n4.nabble.com/Connection-errors-on-no-auth-unless-logout-first-tp93p235.html
Sent from the Apache Guacamole (incubating) - Users mailing list archive at Nabble.com.

Re: Connection errors on no-auth unless logout first.

Posted by Mike Jumper <mi...@guac-dev.org>.
On Tue, Mar 21, 2017 at 12:31 PM, tek0011 <th...@gmail.com> wrote:

> Mike Jumper wrote
> > For the sake of anyone happening across this email while searching for
> > similar things: beware that this is not a recommended approach. Embedding
> > credentials within a URL is not good practice.
>
> While true, I am so happy I found the ability to do that after 100's of
> links opened in google.  Our internal lab houses a good 10,000 servers and
> there is no access to the outside world, so we really hate security.  In
> this day and age it's almost more difficult to get around it or turn it off.
>
> Regarding the API, I thought that it wasn't external?  We were looking for
> some way to make RESTful API calls to manage most of this, when we first
> took on the project.
>
>
The REST API used by the Guacamole web application is not external,
correct. What I refer to here is the core API which drives Guacamole. It's
not REST, but client-side JavaScript and server-side Java. The core API
(guacamole-common and guacamole-common-js) implements the means of
communicating with guacd via tunnels, the means of displaying the remote
desktop session within the browser, as well as convenient handling for
keyboard/mouse/touch events.

The authentication subsystem (and extension subsystem) are specific to the
Guacamole web application. If you write your own web application using the
same core, you can dictate how connections are established, how
authentication works, and if authentication is even present.

- Mike

Re: Connection errors on no-auth unless logout first.

Posted by tek0011 <th...@gmail.com>.
Mike Jumper wrote
> The MySQL and PostgreSQL authentication extensions identify connections
> using their integer IDs from the connection_id column in the
> guacamole_connection table. They don't use the connection_name column to
> identify connections

Correct.  That was the issue!  I encoded the connections via base64
({$fqdn}\0c\0mysql) and then redirected to the encoded string.   It's working
just great.  Even hitting back, and attempting the next connection (original
issue of this ticket) also works.


Mike Jumper wrote
> For the sake of anyone happening across this email while searching for
> similar things: beware that this is not a recommended approach. Embedding
> credentials within a URL is not good practice.

While true, I am so happy I found the ability to do that after 100's of
links opened in google.  Our internal lab houses a good 10,000 servers and
there is no access to the outside world, so we really hate security.  In
this day and age it's almost more difficult to get around it or turn it off.

Regarding the API, I thought that it wasn't external?  We were looking for
some way to make RESTful API calls to manage most of this, when we first
took on the project.

Thank you again for your assistance on this, and your past ticket responses
that helped come up with a working integration for us.




--
View this message in context: http://apache-guacamole-incubating-users.2363388.n4.nabble.com/Connection-errors-on-no-auth-unless-logout-first-tp93p623.html

Re: Connection errors on no-auth unless logout first.

Posted by Mike Jumper <mi...@guac-dev.org>.
On Tue, Mar 21, 2017 at 10:50 AM, tek0011 <th...@gmail.com> wrote:

> So I moved everything over to mysql, with the same exact issue.
>
> ...
>
> We then redirect the user to
> http://guac_url.com/guacamole/#/client/ppt-tomcattest.deploy.lab.beer.town/?username=guacadmin&password=somepassword
>
> and still get:
>
>
The MySQL and PostgreSQL authentication extensions identify connections
using their integer IDs from the connection_id column in the
guacamole_connection table. They don't use the connection_name column to
identify connections - that's there purely to provide a human-readable
description. The URL should be something like:

http://guac_url.com/guacamole/#/client/123/?username=guacadmin&password=somepassword

Though NoAuth and the built-in XML auth happen to use the name as the
connection identifier, the two properties are distinct at the API level.

For the sake of anyone happening across this email while searching for
similar things: beware that this is not a recommended approach. Embedding
credentials within a URL is not good practice. This will work in the short
term, but things really should be replaced with a purpose-built extension
that actually integrates with the external system (or integrate the
Guacamole API directly within that external system).

- Mike

Re: Connection errors on no-auth unless logout first.

Posted by tek0011 <th...@gmail.com>.
So I moved everything over to mysql, with the same exact issue.  

I create the following table entries:

$fqdn is the hostname (in this case it's ppt-tomcattest.deploy.lab.beer.town,
as shown in the attached image)
$protocol is the protocol derived from the type of OS


 

Add data to tables:




Here is an image showing the database tables.  You can see that all the
expected db information exists.  I added some manually, to compare to the
data I am adding, and I don't see any differences.

We then redirect the user to
http://guac_url.com/guacamole/#/client/ppt-tomcattest.deploy.lab.beer.town/?username=guacadmin&password=somepassword

and still get:  




and the output from when you just go back to "home" and then click on it
from there:







--
View this message in context: http://apache-guacamole-incubating-users.2363388.n4.nabble.com/Connection-errors-on-no-auth-unless-logout-first-tp93p621.html

Re: Connection errors on no-auth unless logout first.

Posted by Mike Jumper <mi...@guac-dev.org>.
On Mon, Mar 20, 2017 at 12:12 PM, tek0011 <th...@gmail.com> wrote:

> ...
> I think ultimately what I will end up doing is using the mysql auth, and
> just having the php script add and remove the individual db entries.  Then
> we'll have a much easier manageable source of data, and shared/concurrent
> connections benefit as well! If doing that, can we then avoid the
> no-auth/user-mapping 'caching'?
>

Yes, that should work, however the client interface will still be caching
the results of most REST calls, so the user interface may not realize that
the data has changed, even though attempts to access that data or the
connections will succeed. If all you're doing is generating URLs on a
per-connection basis and sending users directly to those URLs, then this
will work as a stop-gap measure.

It's still a hack, but not as bad a hack.

- Mike

Re: Connection errors on no-auth unless logout first.

Posted by tek0011 <th...@gmail.com>.
Thanks Mike.  Really good info.   

Perhaps you are right, and we should forego removing authentication.  The
trick with writing an extension to manage auth, is how we are implementing
it.  We have various needs to pass data back and forth between many systems. 
Some of those have poor communication.  Thus the php script is handling some
of that (mostly getting hostnames, doing DNS lookups, protocol types, fqdns)
and then passing all those into Guacamole to create the correct connection
type.

I think ultimately what I will end up doing is using the mysql auth, and
just having the php script add and remove the individual db entries.  Then
we'll have a much easier manageable source of data, and shared/concurrent
connections benefit as well! If doing that, can we then avoid the
no-auth/user-mapping 'caching'?



--
View this message in context: http://apache-guacamole-incubating-users.2363388.n4.nabble.com/Connection-errors-on-no-auth-unless-logout-first-tp93p618.html

Re: Connection errors on no-auth unless logout first.

Posted by Mike Jumper <mi...@guac-dev.org>.
On Mon, Mar 20, 2017 at 10:59 AM, tek0011 <th...@gmail.com> wrote:

> Still working on this.  Another person is trying to fork our own no-auth
> extension, that will be a true no-auth.


I strongly recommend against any approach centered around the idea of
disabling authentication.

The idea when integrating Guacamole with an external authentication system
should be to (1) verify the authentication result with that system and (2)
pull/generate the connection data required for each user based on that
result. If the connection data is generated dynamically, you will need to
look into both getUserContext() (which is called to generate the data
available for the user upon login) and updateUserContext() (which is called
for every request for users who are already logged in) for the
AuthenticationProvider interface:

http://guacamole.incubator.apache.org/doc/guacamole-ext/org/apache/guacamole/net/auth/AuthenticationProvider.html#getUserContext-org.apache.guacamole.net.auth.AuthenticatedUser-

http://guacamole.incubator.apache.org/doc/guacamole-ext/org/apache/guacamole/net/auth/AuthenticationProvider.html#updateUserContext-org.apache.guacamole.net.auth.UserContext-org.apache.guacamole.net.auth.AuthenticatedUser-org.apache.guacamole.net.auth.Credentials-

> In the meantime, we may have found
> another possible way, but I also don't understand why this isn't working.
>
> We moved from no-auth to user-mapping but we run into the exact same issue.
> PHP script runs, checks for the existence of <hostname> in
> user-mapping.xml.
> If it doesn't exist, it adds it, then redirects the user to it.
>
>
Both NoAuth and the default XML-driver authentication (user-mapping.xml)
will cache the data available to a user upon login. In the case of NoAuth,
users are logged in to a placeholder account without checking credentials
of any kind, but they are still logged in. Because the data is cached until
the user logs out, external changes to configuration will not take effect
as you expect.

It is possible to write an extension which does not cache configuration
(see updateUserContext() mentioned above), but there is still a client-side
cache of REST responses, including the response which contains all
connections available to a particular user. This will not affect the
ability to connect to a particular connection if you happen to know its
URL, but it will affect what the home screen renders.

Ultimately, relying on a script to update XML configuration will always be
a hack. The proper approach is to write an authentication extension which
directly integrates things the way you need. If that still doesn't fit the
way you're intending to embed Guacamole, then it sounds like you should be
looking toward using the Guacamole API itself:

http://guacamole.incubator.apache.org/doc/gug/writing-you-own-guacamole-app.html

The web application is kept separate from the APIs which drive it for
exactly this sort of scenario. The expectation is that either Guacamole
will work as needed out-of-the-box, an authentication extension can be
written to integrate Guacamole with an external auth system (and then
otherwise function normally), or a different web application can be written
based on the same core (the Guacamole API).

- Mike
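A sketch of the extension approach Mike describes, as an added example; this is not code from the Guacamole project or from anyone in this thread. It builds on guacamole-ext's SimpleAuthenticationProvider, reads its connection list from a hypothetical GUACAMOLE_HOME/connections.properties (the file name, its one-line-per-connection format, the class and package names and the data-source identifier "reloading" are all assumptions), and overrides updateUserContext() so that each request rebuilds the user context instead of returning the one cached at login, which is the caching NoAuth and user-mapping.xml suffer from. It does nothing about the client-side REST cache Mike mentions, so the home screen may still lag behind; direct connection URLs are what it helps.

```java
// Added example, not code from the Guacamole project or from anyone in this thread.
// Package, class name, data-source identifier and the connections.properties
// file (name and format) are assumptions made for this illustration.
package org.example.guacamole.auth;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

import org.apache.guacamole.GuacamoleException;
import org.apache.guacamole.GuacamoleServerException;
import org.apache.guacamole.environment.Environment;
import org.apache.guacamole.environment.LocalEnvironment;
import org.apache.guacamole.net.auth.AuthenticatedUser;
import org.apache.guacamole.net.auth.Credentials;
import org.apache.guacamole.net.auth.UserContext;
import org.apache.guacamole.net.auth.simple.SimpleAuthenticationProvider;
import org.apache.guacamole.protocol.GuacamoleConfiguration;

public class ReloadingAuthenticationProvider extends SimpleAuthenticationProvider {

    private final Environment environment;

    public ReloadingAuthenticationProvider() throws GuacamoleException {
        environment = new LocalEnvironment();   // resolves GUACAMOLE_HOME
    }

    @Override
    public String getIdentifier() {
        return "reloading";   // data-source name; also part of client identifiers
    }

    /**
     * Reads GUACAMOLE_HOME/connections.properties (hypothetical file), one line per
     * connection: name=protocol,hostname[,port]. Every caller is granted every listed
     * connection, which mirrors the "no authentication" requirement in the thread; a
     * production extension would first verify the result from the external system.
     */
    @Override
    public Map<String, GuacamoleConfiguration> getAuthorizedConfigurations(Credentials credentials)
            throws GuacamoleException {

        Properties props = new Properties();
        File file = new File(environment.getGuacamoleHome(), "connections.properties");
        try (InputStream in = new FileInputStream(file)) {
            props.load(in);
        }
        catch (IOException e) {
            throw new GuacamoleServerException("Unable to read " + file, e);
        }

        Map<String, GuacamoleConfiguration> configs = new HashMap<>();
        for (String name : props.stringPropertyNames()) {
            String[] parts = props.getProperty(name).split(",");
            if (parts.length < 2)
                continue;   // malformed line: skip it rather than fail every login

            GuacamoleConfiguration config = new GuacamoleConfiguration();
            config.setProtocol(parts[0].trim());
            config.setParameter("hostname", parts[1].trim());
            if (parts.length > 2)
                config.setParameter("port", parts[2].trim());
            configs.put(name, config);
        }
        return configs;
    }

    /**
     * SimpleAuthenticationProvider's default implementation hands back the context
     * built at login, so connections added afterwards stay invisible until logout.
     * Rebuilding the context on every request makes the current file contents visible.
     */
    @Override
    public UserContext updateUserContext(UserContext context, AuthenticatedUser authenticatedUser,
            Credentials credentials) throws GuacamoleException {
        return getUserContext(authenticatedUser);
    }

}
```

Packaging still needs the usual guac-manifest.json inside the extension .jar, and step (1) from Mike's post, verifying the authentication result with the external system, belongs in getAuthorizedConfigurations() before any configuration is returned.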

RE: Connection errors on no-auth unless logout first.

Posted by tek0011 <th...@gmail.com>.
Still working on this.  Another person is trying to fork our own no-auth
extension, that will be a true no-auth.   In the meantime, we may have found
another possible way, but I also don't understand why this isn't working.

We moved from no-auth to user-mapping but we run into the exact same issue.
PHP script runs, checks for the existence of <hostname> in user-mapping.xml.
If it doesn't exist, it adds it, then redirects the user to it.

Example:


All of those were added, via sed, to user-mapping.xml.  We then redirect to
this url in an attempt to access the host.
*http://someserver.com:9000/guacamole/#/client/dsmdctest1.deploy.lab.beer.town/?username=some_user&password=some_password*.  
This again works great, until we attempt to make another connection.  
Disconnect or hit back, then attempt the next host.  Same process, it gets
added to user-mapping.xml, however right back to square one:  



Yet, we can literally see it sitting right there in user-mapping.xml.

Any idea what is going on here?  Does there need to be some cache or logout
happening for this to work?  How come it doesn't think that
deldnstest.deploy.lab.beer.town exists for some_user?

Thanks.




--
View this message in context: http://apache-guacamole-incubating-users.2363388.n4.nabble.com/Connection-errors-on-no-auth-unless-logout-first-tp93p616.html

RE: Connection errors on no-auth unless logout first.

Posted by Mike Jumper <mi...@guac-dev.org>.
Part of the problem with NoAuth is that the configuration is cached. This
combined with the fact that the webapp inherently expects a user account
(and NoAuth provides a placeholder user) means the backend essentially lies
to the frontend about the semantics of the situation.

With recent changes to the extension API, there is now a concept of an
anonymous user, which lacks the same caching and allows the interface to
adjust itself for the semantics of anonymity.

The true correct way to approach Guacamole integration is to write an
extension which does so, and NoAuth doesn't really fill that space well as
a general case solution.

IMHO - it's probably time to euthanize NoAuth, reinvestigate/define the
high-level need that it's meant to fill, and search for a better approach.

- Mike


On Mar 16, 2017 12:53, "tek0011" <th...@gmail.com> wrote:

> But when you click back, it's the exact same thing:
>
> ctrl-alt-shift -> disconnect:
>
>
>
> clicking back:
>
>
>
> Identical calls.
>
> Seems like something isn't working correctly.  I can also reproduce this by
> actually doing ctl-alt-shift > disconnect.  Then attempt a brand new
> connection.  Same issue.
>
> I don't get why a second connection fails unless I log out first.  Which
> makes no sense since it's no auth and there shouldn't be a need to log out.
>
> Anyhow, thanks for confirming.
>
>
>
>
> --
> View this message in context: http://apache-guacamole-
> incubating-users.2363388.n4.nabble.com/Connection-errors-
> on-no-auth-unless-logout-first-tp93p578.html
> Sent from the Apache Guacamole (incubating) - Users mailing list archive
> at Nabble.com.
>

RE: Connection errors on no-auth unless logout first.

Posted by tek0011 <th...@gmail.com>.
But when you click back, it's the exact same thing:

ctrl-alt-shift -> disconnect:



clicking back:



Identical calls.  

Seems like something isn't working correctly.  I can also reproduce this by
actually doing ctl-alt-shift > disconnect.  Then attempt a brand new
connection.  Same issue.

I don't get why a second connection fails unless I log out first.  Which
makes no sense since it's no auth and there shouldn't be a need to log out.

Anyhow, thanks for confirming.  




--
View this message in context: http://apache-guacamole-incubating-users.2363388.n4.nabble.com/Connection-errors-on-no-auth-unless-logout-first-tp93p578.html

RE: Connection errors on no-auth unless logout first.

Posted by "Hawkins, Richard" <ri...@medctrbarbour.org>.
I'm surprised it works at all..

Normally a user will ctl-alt-shift.  Then go home and then click another
connection..

Hitting the back button would be a crapshoot..
r

-----Original Message-----
From: tek0011 [mailto:thecptsparrow@gmail.com] 
Sent: Thursday, March 16, 2017 2:07 PM
To: user@guacamole.incubator.apache.org
Subject: Re: Connection errors on no-auth unless logout first.

I am back to working on this.   Using the legacy url, and then removing the
reauth does help a bit.  However, I still run into an issue of connections
being "not authorized".



This is an attempt at connecting to a host, then clicking back on the
browser, then attempting to connect to a different host.  You can see
the first try works, but the second try fails with



There has got to be a way to automate all this with no auth.  We just want
to let people get into whatever session they want, at any time, from any
machine on the network.   No authentication should mean *NO AUTHENTICATION*.




--
View this message in context: http://apache-guacamole-incubating-users.2363388.n4.nabble.com/Connection-errors-on-no-auth-unless-logout-first-tp93p569.html

Re: Connection errors on no-auth unless logout first.

Posted by tek0011 <th...@gmail.com>.
I am back to working on this.   Using the legacy url, and then removing the
reauth does help a bit.  However, I still run into an issue of connections
being "not authorized".



This is an attempt at connecting to a host, then clicking back on the
browser, then attempting to connect to a different host.  You can see the
first try works, but the second try fails with



There has got to be a way to automate all this with no auth.  We just want
to let people get into whatever session they want, at any time, from any
machine on the network.   No authentication should mean *NO AUTHENTICATION*.




--
View this message in context: http://apache-guacamole-incubating-users.2363388.n4.nabble.com/Connection-errors-on-no-auth-unless-logout-first-tp93p569.html

Re: Connection errors on no-auth unless logout first.

Posted by maxkc2 <mg...@ioprojects.ru>.
I came across the same error in my logs of 0.9.11
 Connection "HOST_FQDN" does not exist for user "USER_NAME"
even though I was using the mysql auth backend
with the legacy urls extension.

While investigating I found the following explanation by Michael Jumper
https://sourceforge.net/p/guacamole/discussion/1110834/thread/d24c506e/

"
Here - give this a shot:
https://github.com/mike-jumper/guacamole-legacy-urls
That extension will add support for the old-style URLs, resolving the
multi-extension ambiguity by assuming the connection (or connection group)
is coming from the backend which authenticated the current user.
Just build the above, plop it in your GUACAMOLE_HOME/extensions, restart
Tomcat, and you should be all set. The old .../client/c/IDENTIFIER style
should work."

I thought, as you did, that IDENTIFIER is the server FQDN, but it is not.

I found what the IDENTIFIER is when I looked into MYSQL database, table
guacamole_connection.
There is a column named connection_id.

So I tried:

https://example.com/guacamole/#/client/c/5
instead of 
https://example.com/guacamole/#/client/c/10.3.5.129

where 5 is actually the connection_id column value from the host entry in
guacamole_connection table.

and it worked!

As I'm not a programmer I can not explain whether it is a bug or feature of
the legacy urls extension, but it seems that it is a bug, because you have no
way to get that connection ID other than by making an SQL query.

Hope Mr. Jumper will read this and explain the correct workflow.




--
View this message in context: http://apache-guacamole-incubating-users.2363388.n4.nabble.com/Connection-errors-on-no-auth-unless-logout-first-tp93p500.html
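The identifier encoding this thread circles around, as an added example rather than code from the Guacamole project or from any poster: tek0011's working fix encodes base64 of <id>\0c\0<datasource> into the client URL, Mike's reply explains that the MySQL and PostgreSQL extensions key connections by the integer connection_id rather than connection_name, and maxkc2 found the legacy-urls form #/client/c/5. The class below builds and decodes such identifiers and adds the one check that would have flagged the FQDN-as-identifier mistake before the redirect. The class name, the sample values in main() and the assumption that the data-source identifier of the MySQL extension is "mysql" (as it appears in tek0011's post) are assumptions.

```java
// Added example, not code from the Guacamole project or from anyone in this thread.
// Class name and the constructed sample values in main() are assumptions.
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Set;

public final class ClientIdentifier {

    /** Backends named in the thread that key connections by the numeric connection_id. */
    private static final Set<String> INTEGER_KEYED_BACKENDS = Set.of("mysql", "postgresql");

    public final String id;          // connection_id (JDBC) or connection name (noauth, user-mapping.xml)
    public final char type;          // 'c' = connection, 'g' = connection group
    public final String dataSource;  // identifier of the authenticating extension, e.g. "mysql" (assumed)

    public ClientIdentifier(String id, char type, String dataSource) {
        if (type != 'c' && type != 'g')
            throw new IllegalArgumentException("type must be 'c' or 'g'");
        this.id = id;
        this.type = type;
        this.dataSource = dataSource;
    }

    /** base64("<id>\0<type>\0<dataSource>"), the form tek0011 describes, placed after #/client/ . */
    public String encode() {
        String raw = id + '\0' + type + '\0' + dataSource;
        return Base64.getEncoder().encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    /** Inverse of encode(); rejects anything that is not a NUL-separated triple. */
    public static ClientIdentifier decode(String encoded) {
        String raw = new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8);
        String[] parts = raw.split("\0", -1);
        if (parts.length != 3 || parts[1].length() != 1)
            throw new IllegalArgumentException("not an id/type/datasource triple");
        return new ClientIdentifier(parts[0], parts[1].charAt(0), parts[2]);
    }

    /**
     * The check the thread was missing: for the JDBC backends the id must be the
     * integer connection_id; name-keyed backends only need a non-empty name.
     */
    public boolean matchesBackend() {
        if (INTEGER_KEYED_BACKENDS.contains(dataSource))
            return id.matches("[0-9]+");
        return !id.isEmpty();
    }

    /** URL fragment used by the current web application. */
    public String fragment() {
        return "#/client/" + encode();
    }

    /** Old-style fragment accepted by the legacy-urls extension (maxkc2's #/client/c/5). */
    public String legacyFragment() {
        return "#/client/" + type + "/" + id;
    }

    public static void main(String[] args) {
        // Constructed sample values: connection_id 123 in the MySQL backend, and the
        // FQDN-as-identifier form that failed for tek0011.
        ClientIdentifier byId   = new ClientIdentifier("123", 'c', "mysql");
        ClientIdentifier byName = new ClientIdentifier("ppt-tomcattest.deploy.lab.beer.town", 'c', "mysql");

        System.out.println("fragment:        " + byId.fragment());
        System.out.println("legacy fragment: " + byId.legacyFragment());
        System.out.println("round trip ok:   " + decode(byId.encode()).id.equals(byId.id));
        System.out.println("id form valid:   " + byId.matchesBackend());
        System.out.println("fqdn form valid: " + byName.matchesBackend());   // false for mysql
    }

}
```

Running main() shows the base64 fragment for connection 123, the legacy c/123 form, and that the FQDN-keyed identifier is rejected for the mysql data source while the integer one passes; the same matchesBackend() test can sit in whatever script generates the redirect so a wrong identifier is caught before the user is sent to it.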