Posted to user@guacamole.apache.org by Asmodean Thor <as...@gmail.com> on 2021/08/11 02:46:26 UTC

Guacamole asking for passphrase and the usage of TOTP

Hello, thanks for looking into this, here are my two questions:

1. SSHing into a remote server with key authentication only. Provided
unencrypted ed_25519 `cat` output of the private key content. Upon signing
in it asks for a passphrase even though there is none. Any idea for a fix?

2. Can I have a user that does not have admin privs to not have to use two
step auth? In other words exclude a user from needing two step auth.

Re: Guacamole asking for passphrase and the usage of TOTP

Posted by Mike Jumper <mi...@glyptodon.com>.
On Wed, Aug 11, 2021 at 10:45 AM Asmodean Thor <as...@gmail.com>
wrote:

> Hey Mike,
>
> > IIRC, the support for SSH has to manually parse these keys, and has not
> yet been updated to support the newer OpenSSH format (as of OpenSSH 7.8):
>
> So I was also onto this and found out that libssh added support for
> ed25519 keys a few years back.
>
> When you say I have to manually parse these keys, does that mean I have to
> log in once first with plain text authentication? And then add key,
> restrict to key only after the first log in being password authenticated?
> I just don't know how to make this work, it would be nice if you can
> elaborate on "manually parse these keys"
>

What I mean is that the code that handles these keys within Guacamole had
to be manually written (it's not part of libssh2), so it doesn't
automatically inherit libssh2's support for Ed25519 nor support for the
newer OpenSSH key format. It currently looks for PEM key headers,
specifically the headers that mention DSA or RSA keys, and will not
recognize the newer OpenSSH format required for Ed25519.

That code within Guacamole will need to be updated for both the newer
OpenSSH key format and Ed25519 before the key you're trying to use can work.

If you instead generate and authorize an RSA key in standard PEM format
(the format with a header like "-----BEGIN RSA PRIVATE KEY-----"), that
should work with things as they stand.

- Mike
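Since the parser Mike describes decides on the PEM header alone, a quick header check tells an administrator in advance whether a pasted key can work. The following is an added example, not Guacamole code; it assumes the behaviour described above (legacy RSA/DSA PEM headers accepted, the "BEGIN OPENSSH PRIVATE KEY" container not) and uses constructed placeholder key bodies rather than real key material.

```python
import re

# Matches the first line of any PEM-style private key block, e.g.
# "-----BEGIN RSA PRIVATE KEY-----" or "-----BEGIN OPENSSH PRIVATE KEY-----".
PEM_HEADER = re.compile(r"^-----BEGIN ([A-Z0-9 ]+?) PRIVATE KEY-----$", re.M)

# Header labels the thread says the hand-written parser recognizes (assumption
# drawn from the discussion above, not from the Guacamole source).
LEGACY_SUPPORTED = {"RSA", "DSA"}


def classify_private_key(text: str) -> dict:
    """Return the key container format, whether the legacy header-based parser
    would recognize it, and whether the PEM body is passphrase-protected.

    'encrypted' is None when the container is not legacy PEM, because the
    Proc-Type marker only exists in that format.
    """
    match = PEM_HEADER.search(text)
    if not match:
        return {"format": "unknown", "supported": False, "encrypted": None}
    label = match.group(1)
    if label == "OPENSSH":
        # Newer OpenSSH container: Ed25519 keys always use it, and RSA keys
        # generated by recent ssh-keygen use it unless "-m PEM" is given.
        return {"format": "openssh", "supported": False, "encrypted": None}
    return {
        "format": "pem-" + label.lower(),
        "supported": label in LEGACY_SUPPORTED,
        # Legacy PEM marks passphrase protection with a Proc-Type header.
        "encrypted": "Proc-Type: 4,ENCRYPTED" in text,
    }


# Constructed samples: headers are real, the bodies are placeholders.
RSA_PEM_SAMPLE = (
    "-----BEGIN RSA PRIVATE KEY-----\nMIIEplaceholder\n-----END RSA PRIVATE KEY-----\n"
)
RSA_PEM_ENCRYPTED_SAMPLE = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
    "MIIEplaceholder\n-----END RSA PRIVATE KEY-----\n"
)
OPENSSH_SAMPLE = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEplaceholder\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, sample in [("rsa", RSA_PEM_SAMPLE), ("openssh", OPENSSH_SAMPLE)]:
        print(name, classify_private_key(sample))
```

An unencrypted Ed25519 key pasted into the connection settings reports `openssh` / not supported, which matches the passphrase prompt in the original question: the parser never finds a header it knows.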

Re: Guacamole asking for passphrase and the usage of TOTP

Posted by Asmodean Thor <as...@gmail.com>.
Hey Mike,

> IIRC, the support for SSH has to manually parse these keys, and has not
> yet been updated to support the newer OpenSSH format (as of OpenSSH 7.8):

So I was also onto this and found out that libssh added support for ed25519
keys a few years back.

When you say I have to manually parse these keys, does that mean I have to
log in once first with plain text authentication? And then add key,
restrict to key only after the first log in being password authenticated?
I just don't know how to make this work, it would be nice if you can
elaborate on "manually parse these keys"

> No, not at present: https://issues.apache.org/jira/browse/GUACAMOLE-1219

Seems like the dev held off on updating the pull request, sadly I don't
know of the programming language guacamole is coded in therefore can't make
a meaningful contribution to that pull request.

On Wed, Aug 11, 2021 at 3:24 AM Mike Jumper <mi...@glyptodon.com>
wrote:

> On Tue, Aug 10, 2021 at 7:46 PM Asmodean Thor <as...@gmail.com>
> wrote:
>
>> Hello, thanks for looking into this, here are my two questions:
>>
>> 1. SSHing into a remote server with key authentication only. Provided
>> unencrypted ed_25519 `cat` output of the private key content. Upon singing
>> in ...
>>
>
> Laaaaa... ♫
>
>> ... it asks for a passphrase even though there is none. Any idea for a fix?
>>
>
> IIRC, the support for SSH has to manually parse these keys, and has not
> yet been updated to support the newer OpenSSH format (as of OpenSSH 7.8):
>
> https://issues.apache.org/jira/browse/GUACAMOLE-746 (Support for Ed25519)
> https://issues.apache.org/jira/browse/GUACAMOLE-745 (Support for the new
> OpenSSH key format)
>
> It was historically the case that the underlying libssh2 library did not
> support Ed25519, but it does support this now.
>
>> 2. Can I have a user that does not have admin privs to not have to use two
>> step auth? In other words exclude a user from needing two step auth.
>>
>
> No, not at present: https://issues.apache.org/jira/browse/GUACAMOLE-1219
>
> There is some work contributed on the above, with feedback suggesting a
> different approach: https://github.com/apache/guacamole-client/pull/577
>
> - Mike
>
>

Re: Guacamole asking for passphrase and the usage of TOTP

Posted by Mike Jumper <mi...@glyptodon.com>.
On Tue, Aug 10, 2021 at 7:46 PM Asmodean Thor <as...@gmail.com>
wrote:

> Hello, thanks for looking into this, here are my two questions:
>
> 1. SSHing into a remote server with key authentication only. Provided
> unencrypted ed_25519 `cat` output of the private key content. Upon singing
> in ...
>

Laaaaa... ♫

> ... it asks for a passphrase even though there is none. Any idea for a fix?
>

IIRC, the support for SSH has to manually parse these keys, and has not yet
been updated to support the newer OpenSSH format (as of OpenSSH 7.8):

https://issues.apache.org/jira/browse/GUACAMOLE-746 (Support for Ed25519)
https://issues.apache.org/jira/browse/GUACAMOLE-745 (Support for the new
OpenSSH key format)

It was historically the case that the underlying libssh2 library did not
support Ed25519, but it does support this now.

> 2. Can I have a user that does not have admin privs to not have to use two
> step auth? In other words exclude a user from needing two step auth.
>

No, not at present: https://issues.apache.org/jira/browse/GUACAMOLE-1219

There is some work contributed on the above, with feedback suggesting a
different approach: https://github.com/apache/guacamole-client/pull/577

- Mike