Multiple SSH client support for Guacamole

[Chetan Rao <ra...@gmail.com>]

Hello,

I am a Senior Software Engineer working for Logicmonitor India. We use guacamole to support remote ssh, RDP and telnet functionalities.

One of the limitations that we have come across is that guacamole only supports ssh through libssh2 library. We are currently looking for ways to implement other libraries like SSHJ/JSch in guacamole. It will allow us to support updated Key-Exchange algorithms and Cipher suites that are unavailable in libssh2.

I am going through the guacamole code repo but I want clarity from you guys on whether it is feasible or even possible to implement SSHJ or any other third part ssh library in guacamole. The reason is that libssh2 is quite old and doesn’t support most of the latest Ciphers.

Please provide your thoughts/suggestions on this.

Thank you
L S Chetan Rao
Senior Software Engineer
Logicmonitor India

Re: Multiple SSH client support for Guacamole

[Nick Couchman <vn...@apache.org>]

On Thu, Jul 7, 2022 at 2:58 PM Chetan Rao <ra...@gmail.com> wrote:

> Hello Nick,
>
> Thank you for the above suggestions. I am now able to build the guacamole
> image with the latest libssh2 version.
> I have one more query though.
>       If I want libssh ( instead of libssh2 ). What should I do? My
> understanding is that I have to install libssh-dev instead of libssh2-1-dev
> and make some changes in the configure script.
> Can you please suggest the changes I need to make in configure script or
> anywhere else to support ssh via libssh ( instead of libssh2 )? If you can
> explain how libssh2 is even linked/configured with the guacamole
> protocol that would be great as well.
>
>
This is quite a bit more complicated than just changing the configure
script and installing another package. While those steps certainly are
required, you would also need to go through all of the SSH code
(src/protocols/ssh and the common-ssh code) and handle the differences
between the APIs - libssh and libssh2 are not API or ABI compatible, which
means that you'd need to (re)write the C code to handle the calls to the
libssh functions. Without going into too much detail, this would likely
require some #if/#else/#endif blocks that would be able to swap between the
libraries based on what the configure script finds, and/or possibly an
abstraction layer between the Guacamole SSH code and the underlying
libraries. It's a fair bit of work.

As far as how it is linked, now, you can take a look at the source code, in
the src/protocols/ssh and src/common-ssh directories and look for the calls
to various libssh2_ functions.

-Nick

Re: Multiple SSH client support for Guacamole

[Chetan Rao <ra...@gmail.com>]

Hello Nick,

Thank you for the above suggestions. I am now able to build the guacamole
image with the latest libssh2 version.
I have one more query though.
      If I want libssh ( instead of libssh2 ). What should I do? My
understanding is that I have to install libssh-dev instead of libssh2-1-dev
and make some changes in the configure script.
Can you please suggest the changes I need to make in configure script or
anywhere else to support ssh via libssh ( instead of libssh2 )? If you can
explain how libssh2 is even linked/configured with the guacamole
protocol that would be great as well.

Thank you in advance
L S Chetan Rao


On Sat, Jul 2, 2022 at 11:13 PM Nick Couchman <vn...@apache.org> wrote:

> On Thu, Jun 30, 2022 at 10:08 AM Chetan Rao <ra...@gmail.com>
> wrote:
>
> >
> >
> > > On 30-Jun-2022, at 6:20 PM, Chetan Rao <ra...@gmail.com>
> wrote:
> > >
> > > Hello Nick,
> > > Thank you for sharing your thoughts.
> > >
> > > One follow-up question :
> > >      1. I want to compile the latest libssh2 version 1.10.0 with
> > guacamole. Currently, I have 1.10.0 installed in /usr/local/lib using the
> > configure and make install for libssh2. But I also have libssh2-1.4.0 in
> > /usr/lib64/ (using centos to build guacamole server). Now when I run
> > configure and make install for guacamole-server, it is getting installed
> > but I am not sure which libssh2 version it is taking for compiling. I am
> > guessing it is still taking the 1.4.0 present in /usr/lib64/. I am unable
> > to uninstall this 1.4.0 version as well. So I am not sure how to point
> > guacamole to use libssh2-1.10.0 version available and installed in
> > /usr/local/lib.
>
>
> You may need to specify some build flags to help with this - something
> like:
> env CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib" ./configure
>
> You also might want to try uninstalling the libssh2-dev or libssh2-devel
> package, depending on your Linux distribution, to make sure that it doesn't
> get picked up.
>
> -Nick
>

Re: Multiple SSH client support for Guacamole

[Nick Couchman <vn...@apache.org>]

On Thu, Jun 30, 2022 at 10:08 AM Chetan Rao <ra...@gmail.com>
wrote:

>
>
> > On 30-Jun-2022, at 6:20 PM, Chetan Rao <ra...@gmail.com> wrote:
> >
> > Hello Nick,
> > Thank you for sharing your thoughts.
> >
> > One follow-up question :
> >      1. I want to compile the latest libssh2 version 1.10.0 with
> guacamole. Currently, I have 1.10.0 installed in /usr/local/lib using the
> configure and make install for libssh2. But I also have libssh2-1.4.0 in
> /usr/lib64/ (using centos to build guacamole server). Now when I run
> configure and make install for guacamole-server, it is getting installed
> but I am not sure which libssh2 version it is taking for compiling. I am
> guessing it is still taking the 1.4.0 present in /usr/lib64/. I am unable
> to uninstall this 1.4.0 version as well. So I am not sure how to point
> guacamole to use libssh2-1.10.0 version available and installed in
> /usr/local/lib.


You may need to specify some build flags to help with this - something like:
env CPPFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib" ./configure

You also might want to try uninstalling the libssh2-dev or libssh2-devel
package, depending on your Linux distribution, to make sure that it doesn't
get picked up.

-Nick

Re: Multiple SSH client support for Guacamole

[Chetan Rao <ra...@gmail.com>]

> On 30-Jun-2022, at 6:20 PM, Chetan Rao <ra...@gmail.com> wrote:
> 
> Hello Nick,
> Thank you for sharing your thoughts.
> 
> One follow-up question :
>      1. I want to compile the latest libssh2 version 1.10.0 with guacamole. Currently, I have 1.10.0 installed in /usr/local/lib using the configure and make install for libssh2. But I also have libssh2-1.4.0 in /usr/lib64/ (using centos to build guacamole server). Now when I run configure and make install for guacamole-server, it is getting installed but I am not sure which libssh2 version it is taking for compiling. I am guessing it is still taking the 1.4.0 present in /usr/lib64/. I am unable to uninstall this 1.4.0 version as well. So I am not sure how to point guacamole to use libssh2-1.10.0 version available and installed in /usr/local/lib. 
> 
> Please advise. 
> 
> Thank you in advance
> L S Chetan Rao
> 
> On Tue, Jun 28, 2022 at 7:08 PM Nick Couchman <vnick@apache.org <ma...@apache.org>> wrote:
> On Tue, Jun 28, 2022 at 9:10 AM Chetan Rao <rao.chetan1995@gmail.com <ma...@gmail.com>> wrote:
> 
> > Hello,
> >
> > I am a Senior Software Engineer working for Logicmonitor India. We use
> > guacamole to support remote ssh, RDP and telnet functionalities.
> >
> > One of the limitations that we have come across is that guacamole only
> > supports ssh through libssh2 library. We are currently looking for ways to
> > implement other libraries like SSHJ/JSch in guacamole. It will allow us to
> > support updated Key-Exchange algorithms and Cipher suites that are
> > unavailable in libssh2.
> >
> > I am going through the guacamole code repo but I want clarity from you
> > guys on whether it is feasible or even possible to implement SSHJ or any
> > other third part ssh library in guacamole. The reason is that libssh2 is
> > quite old and doesn’t support most of the latest Ciphers.
> >
> >
> A couple of thoughts for you on this:
> * There have been discussions about using different SSH libraries for
> Guacamole, but no efforts yet to actually add other libraries. The most
> common one that is asked about is libssh (vs. libssh2).
> * SSHJ and Jsch won't work, because those are Java libraries, not C
> libraries. The code that actually translates the Guacamole protocol to/from
> SSH is written in C, so you'll need a C (or possibly C++) SSH library.
> * Saying "libssh2 is quite old" is not quite accurate. libssh2 gets pretty
> routine updates, and supports a lot of newer cipher algorithms (latest
> official release is August 2021). The version of libssh2 that is bundled
> and included with many Linux distributions - especially ones that focus on
> stability and minimize changes (e.g. RHEL/CentOS/Rocky) - may be older or
> out-of-date. That said, it's reasonably easy to download and compile the
> latest libssh2, and then build Guacamole against that version, to make sure
> you get the latest cipher and key exchange support.
> 
> -Nick

Re: Multiple SSH client support for Guacamole

[Chetan Rao <ra...@gmail.com>]

Hello Nick,
Thank you for sharing your thoughts.

One follow-up question :
     1. I want to compile the latest libssh2 version 1.10.0 with guacamole.
Currently, I have 1.10.0 installed in /usr/local/lib using the configure
and make install for libssh2. But I also have libssh2-1.4.0 in /usr/lib64/
(using centos to build guacamole server). Now when I run configure and make
install for guacamole-server, it is getting installed but I am not sure
which libssh2 version it is taking for compiling. I am guessing it is still
taking the 1.4.0 present in /usr/lib64/. I am unable to install this 1.4.0
version as well. So I am not sure how to point guacamole to use
libssh2-1.10.0 version available and installed in /usr/local/lib.

Please advise.

Thank you in advance
L S Chetan Rao

On Tue, Jun 28, 2022 at 7:08 PM Nick Couchman <vn...@apache.org> wrote:

> On Tue, Jun 28, 2022 at 9:10 AM Chetan Rao <ra...@gmail.com>
> wrote:
>
> > Hello,
> >
> > I am a Senior Software Engineer working for Logicmonitor India. We use
> > guacamole to support remote ssh, RDP and telnet functionalities.
> >
> > One of the limitations that we have come across is that guacamole only
> > supports ssh through libssh2 library. We are currently looking for ways
> to
> > implement other libraries like SSHJ/JSch in guacamole. It will allow us
> to
> > support updated Key-Exchange algorithms and Cipher suites that are
> > unavailable in libssh2.
> >
> > I am going through the guacamole code repo but I want clarity from you
> > guys on whether it is feasible or even possible to implement SSHJ or any
> > other third part ssh library in guacamole. The reason is that libssh2 is
> > quite old and doesn’t support most of the latest Ciphers.
> >
> >
> A couple of thoughts for you on this:
> * There have been discussions about using different SSH libraries for
> Guacamole, but no efforts yet to actually add other libraries. The most
> common one that is asked about is libssh (vs. libssh2).
> * SSHJ and Jsch won't work, because those are Java libraries, not C
> libraries. The code that actually translates the Guacamole protocol to/from
> SSH is written in C, so you'll need a C (or possibly C++) SSH library.
> * Saying "libssh2 is quite old" is not quite accurate. libssh2 gets pretty
> routine updates, and supports a lot of newer cipher algorithms (latest
> official release is August 2021). The version of libssh2 that is bundled
> and included with many Linux distributions - especially ones that focus on
> stability and minimize changes (e.g. RHEL/CentOS/Rocky) - may be older or
> out-of-date. That said, it's reasonably easy to download and compile the
> latest libssh2, and then build Guacamole against that version, to make sure
> you get the latest cipher and key exchange support.
>
> -Nick
>

Re: Multiple SSH client support for Guacamole

[Nick Couchman <vn...@apache.org>]

On Tue, Jun 28, 2022 at 9:10 AM Chetan Rao <ra...@gmail.com> wrote:

> Hello,
>
> I am a Senior Software Engineer working for Logicmonitor India. We use
> guacamole to support remote ssh, RDP and telnet functionalities.
>
> One of the limitations that we have come across is that guacamole only
> supports ssh through libssh2 library. We are currently looking for ways to
> implement other libraries like SSHJ/JSch in guacamole. It will allow us to
> support updated Key-Exchange algorithms and Cipher suites that are
> unavailable in libssh2.
>
> I am going through the guacamole code repo but I want clarity from you
> guys on whether it is feasible or even possible to implement SSHJ or any
> other third part ssh library in guacamole. The reason is that libssh2 is
> quite old and doesn’t support most of the latest Ciphers.
>
>
A couple of thoughts for you on this:
* There have been discussions about using different SSH libraries for
Guacamole, but no efforts yet to actually add other libraries. The most
common one that is asked about is libssh (vs. libssh2).
* SSHJ and Jsch won't work, because those are Java libraries, not C
libraries. The code that actually translates the Guacamole protocol to/from
SSH is written in C, so you'll need a C (or possibly C++) SSH library.
* Saying "libssh2 is quite old" is not quite accurate. libssh2 gets pretty
routine updates, and supports a lot of newer cipher algorithms (latest
official release is August 2021). The version of libssh2 that is bundled
and included with many Linux distributions - especially ones that focus on
stability and minimize changes (e.g. RHEL/CentOS/Rocky) - may be older or
out-of-date. That said, it's reasonably easy to download and compile the
latest libssh2, and then build Guacamole against that version, to make sure
you get the latest cipher and key exchange support.

-Nick