Guacamole / Ubuntu 20.04 x64 Questions

[Brad Turnbough <bt...@backlundinvestment.com>]

I have recently compiled and installed Guacamole 1.5.0 on Ubuntu 20.04.  Looks pretty impressive from using it just a couple of days.  A couple of questions:


1)      I understand that it is possible to utilize MySQL Authentication and also RADIUS authentication -separately.  Is it possible to use them BOTH (mysql for the groups / rights and permissions... aka.. the authorization) and the RADIUS for the authentication?  We have MFA set up and it is consumable via RADIUS.  Additionally, I'd like to set up groups and permissions for various RDP/SSH targets (mysql auth)

2)      I don't have "share" available ... I'm assuming a compile flag was missed to enable this feature?

3)      I don't' have "File transfer" feature available... Again, I'm assuming a compile flag was missed in order to enable this feature?

Here is the process I used to compile:

apt-get install build-essential libcairo2-dev libjpeg-turbo8-dev libpng-dev libtool-bin libossp-uuid-dev libvncserver-dev freerdp2-dev libssh2-1-dev libtelnet-dev libwebsockets-dev libpulse-dev libvorbis-dev libwebp-dev libssl-dev libpango1.0-dev libswscale-dev libavcodec-dev libavutil-dev libavformat-dev
cd /opt
mkdir guacamole-1.5.0
cd guacamole-1.5.0/
wget https://downloads.apache.org/guacamole/1.5.0/source/guacamole-server-1.5.0.tar.gz
tar -xvzf guacamole-server-1.5.0.tar.gz
cd guacamole-server-1.5.0
./configure --with-init-dir=/etc/init.d --enable-allow-freerdp-snapshots
make
make install



What did I miss?   Thank you!!!

Thank you,

Brad Turnbough
Senior Technology Analyst

[cid:Backlund-Investment-logo_20ce9d6e-04b9-4d73-9d17-cfc69decf4cc.gif]

P: 309.272.2739 F: 309.272.2839

www.betterbanks.com<http://www.betterbanks.com/>
www.statestreetbank.com<http://www.statestreetbank.com>

NOTICE: The information contained in this email and any document attached hereto is intended only for the named recipient(s). If you are not the intended recipient, nor the employee or agent responsible for delivering this message in confidence to the intended recipient(s), you are hereby notified that you have received this transmittal in error, and any review, dissemination, distribution or copying of this transmittal or its attachments is strictly prohibited. If you have received this transmittal and/or attachments in error, please notify me immediately by reply e-mail and then delete this message, including any attachments.

Re: Guacamole / Ubuntu 20.04 x64 Questions

[Nick Couchman <vn...@apache.org>]

>
> 2)      I don’t have “share” available … I’m assuming a compile flag was missed to enable this feature?
>
>
>
> I'm not entirely sure what you mean by this - can you elaborate? There's no specific compilation flag required for session sharing - it's built into the client, and mainly the JDBC module.
>
>
>
> If I connect to a windows machine via RDP and then press ‘ctrl-alt-shift’ I am presented with the menu for that host.  In that menu, I am supposed to have the option to ‘share’ the session with another user.  There isn’t an option to ‘share’ the session for the RDP connection as several online resources point out.  Does it maybe have to do with something related to my instance of Guacamole not having MySQL auth enabled?  Seems rather odd I don’t have all of the features.
>

You'll need to make sure that you create a Sharing Profile for the
connection before this option shows up. You can create both read-write
and read-only Sharing Profiles.

>
>
> 3)      I don’t’ have “File transfer” feature available… Again, I’m assuming a compile flag was missed in order to enable this feature?
>
>
>
> Same, here - there's really nothing you need to do to enable this - it depends on what connection protocol you're using, but RDP has its own mechanism built-in, and RDP, SSH, and VNC also include SFTP support, assuming you have SSH support enabled. You'll need to be more specific about what you're "missing" when you're looking for this.
>
> The same as above, but instead of the ‘share’ feature, I expect to see ‘file transfer’ in the menu presented when I press ‘ctrl-alt-shift’
>

You need to configure either Folder Redirection or SFTP parameters in
the connection before this will show up.

-Nick

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org

RE: Guacamole / Ubuntu 20.04 x64 Questions

[Brad Turnbough <bt...@backlundinvestment.com>]

Thank you,

Brad Turnbough
Senior Technology Analyst

[cid:Backlund-Investment-logo_20ce9d6e-04b9-4d73-9d17-cfc69decf4cc.gif]

P: 309.272.2739 F: 309.272.2839

www.betterbanks.com<http://www.betterbanks.com/>
www.statestreetbank.com<http://www.statestreetbank.com>

NOTICE: The information contained in this email and any document attached hereto is intended only for the named recipient(s). If you are not the intended recipient, nor the employee or agent responsible for delivering this message in confidence to the intended recipient(s), you are hereby notified that you have received this transmittal in error, and any review, dissemination, distribution or copying of this transmittal or its attachments is strictly prohibited. If you have received this transmittal and/or attachments in error, please notify me immediately by reply e-mail and then delete this message, including any attachments.


From: Nick Couchman <vn...@apache.org>
Sent: Friday, February 24, 2023 12:00 PM
To: user@guacamole.apache.org
Subject: Re: Guacamole / Ubuntu 20.04 x64 Questions

External email. Please make sure you trust this source before clicking links or opening attachments.

On Fri, Feb 24, 2023 at 12:41 PM Brad Turnbough <bt...@backlundinvestment.com>> wrote:
I have recently compiled and installed Guacamole 1.5.0 on Ubuntu 20.04.  Looks pretty impressive from using it just a couple of days.  A couple of questions:


1)      I understand that it is possible to utilize MySQL Authentication and also RADIUS authentication –separately.  Is it possible to use them BOTH (mysql for the groups / rights and permissions… aka.. the authorization) and the RADIUS for the authentication?  We have MFA set up and it is consumable via RADIUS.  Additionally, I’d like to set up groups and permissions for various RDP/SSH targets (mysql auth)

Yes, this is definitely possible - Guacamole matches user and group names between authentication modules, so as long as your user is named the same in both the RADIUS and JDBC modules, you should be able to create the connections in the JDBC module and assign them to the user, but still log in via the RADIUS module. There are a couple of things to note, here:
* Currently, Guacamole's evaluation of user accounts is case-sensitive, while many authentication systems (LDAP/AD, RADIUS, etc.) tend to be case-insensitive. This means if you have a user in your JDBC module named john_smith, but your user logs in as John_Smith, Guacamole will not consider the users the same, and you may see situations where those permissions don't apply as you would expect because of that.
* If you're going to do this, I highly recommend that you make sure the user accounts in the JDBC module have random passwords that absolutely will not be the same as the ones from your RADIUS authentication module. When you create the users in the GUI, if you leave the password blank, a random one will be generated. Similarly, if you enable user auto-creation in the JDBC module, the accounts created will have random passwords.
* Finally, the RADIUS module currently has no way to pass group names on to Guacamole. I've thought about implementing it, but the current RADIUS system that I'm stuck with (Windows NPS) doesn't support dynamically sending group information back, so I've never pursued it much.
* The RADIUS module relies on some really old Java libraries, with no sign of them being updated anytime, soon. I'm not keen on writing my own RADIUS client, and I think SSO is going to largely supplant RADIUS in the AAA space, anyway, so there's not likely to be much effort put into improving that module going forward.

 Thank you for this information.  Exactly what I was looking for.  I might give it a try after I snapshot the machine in order to give me a way to roll back in case the configuration goes belly up.


2)      I don’t have “share” available … I’m assuming a compile flag was missed to enable this feature?

I'm not entirely sure what you mean by this - can you elaborate? There's no specific compilation flag required for session sharing - it's built into the client, and mainly the JDBC module.

If I connect to a windows machine via RDP and then press ‘ctrl-alt-shift’ I am presented with the menu for that host.  In that menu, I am supposed to have the option to ‘share’ the session with another user.  There isn’t an option to ‘share’ the session for the RDP connection as several online resources point out.  Does it maybe have to do with something related to my instance of Guacamole not having MySQL auth enabled?  Seems rather odd I don’t have all of the features.


3)      I don’t’ have “File transfer” feature available… Again, I’m assuming a compile flag was missed in order to enable this feature?

Same, here - there's really nothing you need to do to enable this - it depends on what connection protocol you're using, but RDP has its own mechanism built-in, and RDP, SSH, and VNC also include SFTP support, assuming you have SSH support enabled. You'll need to be more specific about what you're "missing" when you're looking for this.
The same as above, but instead of the ‘share’ feature, I expect to see ‘file transfer’ in the menu presented when I press ‘ctrl-alt-shift’


Here is the process I used to compile:

apt-get install build-essential libcairo2-dev libjpeg-turbo8-dev libpng-dev libtool-bin libossp-uuid-dev libvncserver-dev freerdp2-dev libssh2-1-dev libtelnet-dev libwebsockets-dev libpulse-dev libvorbis-dev libwebp-dev libssl-dev libpango1.0-dev libswscale-dev libavcodec-dev libavutil-dev libavformat-dev
cd /opt
mkdir guacamole-1.5.0
cd guacamole-1.5.0/
wget https://downloads.apache.org/guacamole/1.5.0/source/guacamole-server-1.5.0.tar.gz
tar -xvzf guacamole-server-1.5.0.tar.gz
cd guacamole-server-1.5.0
./configure --with-init-dir=/etc/init.d --enable-allow-freerdp-snapshots

This is a really bad idea, and I'm pretty sure there are banners that warn about this. Likely to cause you more headaches than not.

I apologize, but what do you mean it is a bad idea?  I don’t know what is wrong, or why it is wrong.  Can you elaborate a bit?  Make a suggestion as to what to do instead?  Thank you!!!


-Nick

Re: Guacamole / Ubuntu 20.04 x64 Questions

[Nick Couchman <vn...@apache.org>]

On Fri, Feb 24, 2023 at 12:41 PM Brad Turnbough <
bturnbough@backlundinvestment.com> wrote:

> I have recently compiled and installed Guacamole 1.5.0 on Ubuntu 20.04.
> Looks pretty impressive from using it just a couple of days.  A couple of
> questions:
>
>
>
> 1)      I understand that it is possible to utilize MySQL Authentication
> and also RADIUS authentication –separately.  Is it possible to use them
> BOTH (mysql for the groups / rights and permissions… aka.. the
> authorization) and the RADIUS for the authentication?  We have MFA set up
> and it is consumable via RADIUS.  Additionally, I’d like to set up groups
> and permissions for various RDP/SSH targets (mysql auth)
>

Yes, this is definitely possible - Guacamole matches user and group names
between authentication modules, so as long as your user is named the same
in both the RADIUS and JDBC modules, you should be able to create the
connections in the JDBC module and assign them to the user, but still log
in via the RADIUS module. There are a couple of things to note, here:
* Currently, Guacamole's evaluation of user accounts is case-sensitive,
while many authentication systems (LDAP/AD, RADIUS, etc.) tend to be
case-insensitive. This means if you have a user in your JDBC module named
john_smith, but your user logs in as John_Smith, Guacamole will not
consider the users the same, and you may see situations where those
permissions don't apply as you would expect because of that.
* If you're going to do this, I highly recommend that you make sure the
user accounts in the JDBC module have random passwords that absolutely will
not be the same as the ones from your RADIUS authentication module. When
you create the users in the GUI, if you leave the password blank, a random
one will be generated. Similarly, if you enable user auto-creation in the
JDBC module, the accounts created will have random passwords.
* Finally, the RADIUS module currently has no way to pass group names on to
Guacamole. I've thought about implementing it, but the current RADIUS
system that I'm stuck with (Windows NPS) doesn't support dynamically
sending group information back, so I've never pursued it much.
* The RADIUS module relies on some really old Java libraries, with no sign
of them being updated anytime, soon. I'm not keen on writing my own RADIUS
client, and I think SSO is going to largely supplant RADIUS in the AAA
space, anyway, so there's not likely to be much effort put into improving
that module going forward.



> 2)      I don’t have “share” available … I’m assuming a compile flag was
> missed to enable this feature?
>

I'm not entirely sure what you mean by this - can you elaborate? There's no
specific compilation flag required for session sharing - it's built into
the client, and mainly the JDBC module.


> 3)      I don’t’ have “File transfer” feature available… Again, I’m
> assuming a compile flag was missed in order to enable this feature?
>

Same, here - there's really nothing you need to do to enable this - it
depends on what connection protocol you're using, but RDP has its own
mechanism built-in, and RDP, SSH, and VNC also include SFTP support,
assuming you have SSH support enabled. You'll need to be more specific
about what you're "missing" when you're looking for this.


>
>
> Here is the process I used to compile:
>
>
>
> apt-get install build-essential libcairo2-dev libjpeg-turbo8-dev
> libpng-dev libtool-bin libossp-uuid-dev libvncserver-dev freerdp2-dev
> libssh2-1-dev libtelnet-dev libwebsockets-dev libpulse-dev libvorbis-dev
> libwebp-dev libssl-dev libpango1.0-dev libswscale-dev libavcodec-dev
> libavutil-dev libavformat-dev
>
> cd /opt
>
> mkdir guacamole-1.5.0
>
> cd guacamole-1.5.0/
>
> wget
> https://downloads.apache.org/guacamole/1.5.0/source/guacamole-server-1.5.0.tar.gz
>
> tar -xvzf guacamole-server-1.5.0.tar.gz
>
> cd guacamole-server-1.5.0
>
> ./configure --with-init-dir=/etc/init.d --enable-allow-freerdp-snapshots
>

This is a really bad idea, and I'm pretty sure there are banners that warn
about this. Likely to cause you more headaches than not.

-Nick

>