Posted to user@guacamole.apache.org by brian mullan <bm...@gmail.com> on 2019/02/02 00:15:35 UTC

Are there or could there be more Parameter Tokens than are in the Documentation?

In Chapter 5 are listed 6 Parameter Tokens.

By chance are there more?

If not could there be?

The reason I am asking is that I found a very useful Guacamole Auth
Extension
for Linux PAM:

https://github.com/voegelas/guacamole-auth-pam

But to utilize this his GitHub README describes creating a
/etc/guacamole/unix-user-mapping.xml file:

<?xml version="1.0" encoding="UTF-8"?>
<unix-user-mapping serviceName="guacamole">
    <config name="RDP Connection" protocol="rdp">
        <param name="hostname" value="client.example.com" />
        <param name="username" value="${GUAC_USERNAME}" />
        <param name="password" value="${GUAC_PASSWORD}" />
        <param name="domain" value="EXAMPLE" />
        <param name="security" value="nla" />
        <param name="server-layout" value="en-us-qwerty" />
    </config>

    <config name="VNC Connection" protocol="vnc">
        <param name="hostname" value="localhost" />
        <param name="port" value="5901" />
        <param name="password" value="secret" />
    </config>

    <user name="andreas">
        <config-ref name="RDP Connection" />
        <config-ref name="VNC Connection" />
    </user>

    <group name="users">
        <config-ref name="RDP Connection" />
    </group>
</unix-user-mapping>

Note this /etc/guacamole/unix-user-mapping.xml makes use of two
of the existing Parameter Tokens:

>
> ${GUAC_USERNAME}
> ${GUAC_PASSWORD}


If there existed PARAMETER TOKENS for:
hostname "value"
security "value"
connection "protocol"
etc

then you could configure Guacamole Connections to have 1 *generic*
*/etc/guacamole/unix-user-mapping.xml* file where all connections are
processed and users validated against the Linux PAM to authenticate the
Guacamole Users for an automatic login?

This would seem to work especially well if you combined it with the Google
Authenticator TOTP on the front-end of Guacamole login?

example:

<?xml version="1.0" encoding="UTF-8"?>
<unix-user-mapping serviceName="guacamole">
    <config name="RDP Connection" protocol="${GUAC_PROTOCOL}">
        <param name="hostname" value="${GUAC_CONNECTION_NAME}" />
        <param name="username" value="${GUAC_USERNAME}" />
        <param name="password" value="${GUAC_PASSWORD}" />
        <param name="domain" value="${GUAC_DOMAIN}" />
        <param name="security" value="${GUAC_RDP_SECURITY}" />
        <param name="server-layout" value="${GUAC_SERVER_LAYOUT}" />
    </config>

    <config name="VNC Connection" protocol="${GUAC_PROTOCOL}">
        <param name="hostname" value="${GUAC_CONNECTION_NAME}" />
        <param name="port" value="5901" />
        <param name="password" value="${GUAC_VNC_SECRET}" />
    </config>

    <user name="andreas">
        <config-ref name="RDP Connection" />
        <config-ref name="VNC Connection" />
    </user>

    <group name="users">
        <config-ref name="RDP Connection" />
    </group>
</unix-user-mapping>

Re: Are there or could there be more Parameter Tokens than are in the Documentation?

Posted by brian mullan <bm...@gmail.com>.
If he's not monitoring the alias I'll let him know that some collaboration
might be beneficial.

Brian

On Fri, Feb 1, 2019, 8:34 PM Nick Couchman <vnick@apache.org> wrote:

> On Fri, Feb 1, 2019 at 8:07 PM brian mullan <bm...@gmail.com>
> wrote:
>
>> Thanks Nick
>>
>> In regards to pam & using the guac parameters...  I'd never actually
>> looked into /etc/pam.d before a couple days ago.
>>
>> There are a lot of app entries there.
>>
>> For instance... XRDP ?
>>
>
> Yes, if you have XRDP installed, it would be an app in there. To be clear,
> though, in the case where you're using PAM to authenticate Guacamole,
> Guacamole would also be an app in there - that is, the authentication
> module is going to go look for the /etc/pam.d/guacamole entry and step
> through the various PAM modules specified in that file to determine
> authentication.  If it succeeds, the items that constitute a successful
> authentication - username and password, for example - would then be
> available as parameter tokens.  It may also be possible to read back
> information into tokens that PAM makes available to the authentication
> extension.  Looking at the libpam4j library, the UnixUser object has
> methods that return the following information:
> - Home Directory
> - Gecos
> - GID
> - Groups
> - Shell
> - UID
> - Username
>
> Beyond that, I'm not sure what you'd be able to retrieve from PAM to use
> as a token in the Guacamole configuration.
>
>
>>
>> But you are right that maybe asking someone smart on pam intent would be
>> a good idea.
>>
>> I'm basically a Luddite in that area.
>>
>> Overall tho I thought the general idea was simple and to me simpler is
>> good 😊
>>
>>
> Yes, I think it's great - would be really cool if the author would submit
> a PR to have it added to the main code in the project, but that's
> completely up to them.  PAM is very powerful, to be sure.
>
> -Nick
>

Re: Are there or could there be more Parameter Tokens than are in the Documentation?

Posted by Nick Couchman <vn...@apache.org>.
On Fri, Feb 1, 2019 at 8:07 PM brian mullan <bm...@gmail.com> wrote:

> Thanks Nick
>
> In regards to pam & using the guac parameters...  I'd never actually
> looked into /etc/pam.d before a couple days ago.
>
> There are a lot of app entries there.
>
> For instance... XRDP ?
>

Yes, if you have XRDP installed, it would be an app in there. To be clear,
though, in the case where you're using PAM to authenticate Guacamole,
Guacamole would also be an app in there - that is, the authentication
module is going to go look for the /etc/pam.d/guacamole entry and step
through the various PAM modules specified in that file to determine
authentication.  If it succeeds, the items that constitute a successful
authentication - username and password, for example - would then be
available as parameter tokens.  It may also be possible to read back
information into tokens that PAM makes available to the authentication
extension.  Looking at the libpam4j library, the UnixUser object has
methods that return the following information:
- Home Directory
- Gecos
- GID
- Groups
- Shell
- UID
- Username

Beyond that, I'm not sure what you'd be able to retrieve from PAM to use as
a token in the Guacamole configuration.


>
> But you are right that maybe asking someone smart on pam intent would be a
> good idea.
>
> I'm basically a Luddite in that area.
>
> Overall tho I thought the general idea was simple and to me simpler is
> good 😊
>
>
Yes, I think it's great - would be really cool if the author would submit a
PR to have it added to the main code in the project, but that's completely
up to them.  PAM is very powerful, to be sure.

-Nick
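For the /etc/pam.d/guacamole file the message above refers to (selected by serviceName="guacamole" in unix-user-mapping.xml), a minimal constructed example is given here; it is not taken from guacamole-auth-pam or its README. The module choices and the group name guacamole-users are assumptions, and on a packaged distribution the pam_unix lines would normally be replaced by the distribution's include files (common-auth and common-account on Debian-style systems, for instance).

```text
# /etc/pam.d/guacamole  (constructed example, not from the project)
# Only members of guacamole-users may authenticate to Guacamole; everyone
# else is refused before the password is checked.
auth     requisite  pam_succeed_if.so user ingroup guacamole-users
auth     required   pam_unix.so
account  required   pam_unix.so
```

The point of the pam_succeed_if line is that a successful PAM login is exactly what turns a user's credentials into ${GUAC_USERNAME} and ${GUAC_PASSWORD}, so the service file is where you decide which Unix accounts may become Guacamole users at all.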

Re: Are there or could there be more Parameter Tokens than are in the Documentation?

Posted by brian mullan <bm...@gmail.com>.
Thanks Nick

In regards to pam & using the guac parameters...  I'd never actually looked
into /etc/pam.d before a couple days ago.

There are a lot of app entries there.

For instance... XRDP ?

But you are right that maybe asking someone smart on pam intent would be a
good idea.

I'm basically a Luddite in that area.

Overall tho I thought the general idea was simple and to me simpler is good
😊



On Fri, Feb 1, 2019, 7:26 PM Nick Couchman <vnick@apache.org> wrote:

>
>
> On Fri, Feb 1, 2019 at 7:16 PM brian mullan <bm...@gmail.com>
> wrote:
>
>> In Chapter 5 are listed 6 Parameter Tokens.
>>
>> By chance are there more?
>>
>
> The ones listed there are the only ones that exist by default.  However...
>
>
>>
>> If not could there be?
>>
>
> ...changes have been introduced in the master branch of the git repo that
> allow LDAP attributes to be used.  This is also being extended to the CAS
> module, which can pull in various attributes.  The changes in GUACAMOLE-524
> made it reasonably easy for this to be extended to whatever module one
> wants:
> https://issues.apache.org/jira/browse/GUACAMOLE-524
> https://issues.apache.org/jira/browse/GUACAMOLE-579
>
>
>>
>> The reason I am asking is that I found a very useful Guacamole Auth
>> Extension
>> for Linux PAM:
>>
>> https://github.com/voegelas/guacamole-auth-pam
>>
>>
> Interesting - I was just wondering about that the other day!  Very cool
> that someone has already done it.
>
>
>> But to utilize this his GitHub README describes creating a
>> /etc/guacamole/unix-user-mapping.xml file:
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <unix-user-mapping serviceName="guacamole">
>>     <config name="RDP Connection" protocol="rdp">
>>         <param name="hostname" value="client.example.com" />
>>         <param name="username" value="${GUAC_USERNAME}" />
>>         <param name="password" value="${GUAC_PASSWORD}" />
>>         <param name="domain" value="EXAMPLE" />
>>         <param name="security" value="nla" />
>>         <param name="server-layout" value="en-us-qwerty" />
>>     </config>
>>
>>     <config name="VNC Connection" protocol="vnc">
>>         <param name="hostname" value="localhost" />
>>         <param name="port" value="5901" />
>>         <param name="password" value="secret" />
>>     </config>
>>
>>     <user name="andreas">
>>         <config-ref name="RDP Connection" />
>>         <config-ref name="VNC Connection" />
>>     </user>
>>
>>     <group name="users">
>>         <config-ref name="RDP Connection" />
>>     </group>
>> </unix-user-mapping>
>>
>> Note this /etc/guacamole/unix-user-mapping.xml makes use of two
>> of the existing Parameter Tokens:
>>
>>>
>>> ${GUAC_USERNAME}
>>> ${GUAC_PASSWORD}
>>
>>
>> If there existed PARAMETER TOKENS for:
>> hostname "value"
>> security "value"
>> connection "protocol"
>> etc
>>
>> then you could configure Guacamole Connections to have 1 *generic*
>> */etc/guacamole/unix-user-mapping.xml* file where all connections are
>> processed and users validated against the Linux PAM to authenticate the
>> Guacamole Users for an automatic login?
>>
>> This would seem to work especially well if you combined it with the
>> Google Authenticator TOTP on the front-end of Guacamole login?
>>
>> example:
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <unix-user-mapping serviceName="guacamole">
>>     <config name="RDP Connection" protocol="${GUAC_PROTOCOL}">
>>         <param name="hostname" value="${GUAC_CONNECTION_NAME}" />
>>         <param name="username" value="${GUAC_USERNAME}" />
>>         <param name="password" value="${GUAC_PASSWORD}" />
>>         <param name="domain" value="${GUAC_DOMAIN}" />
>>         <param name="security" value="${GUAC_RDP_SECURITY}" />
>>         <param name="server-layout" value="${GUAC_SERVER_LAYOUT}" />
>>     </config>
>>
>>     <config name="VNC Connection" protocol="${GUAC_PROTOCOL}">
>>         <param name="hostname" value="${GUAC_CONNECTION_NAME}" />
>>         <param name="port" value="5901" />
>>         <param name="password" value="${GUAC_VNC_SECRET}" />
>>     </config>
>>
>>     <user name="andreas">
>>         <config-ref name="RDP Connection" />
>>         <config-ref name="VNC Connection" />
>>     </user>
>>
>>     <group name="users">
>>         <config-ref name="RDP Connection" />
>>     </group>
>> </unix-user-mapping>
>>
>>
> So, you could do this, yes; however, if you're going to go this route, it
> might actually be better to modify that PAM authentication module to
> somehow provide a connection directory.  I'm not entirely sure how this
> would work without thinking about it, some, but if you're already going to
> be deriving a bunch of that information, then why not just extend the
> module out a bit more rather than trying to use parameters to retrofit it?
>
> Also, another question around this becomes whether there are security
> implications to allowing all of those parameters to be passed in?  If it
> comes from PAM, it might be okay, but if the user has control over it, can
> the user somehow enter or manipulate these tokens in such a way as to do
> something unauthorized on the remote system?  Maybe the answer is no, just
> something to think about.
>
> -Nick
>

Re: Are there or could there be more Parameter Tokens than are in the Documentation?

Posted by Nick Couchman <vn...@apache.org>.
On Fri, Feb 1, 2019 at 7:16 PM brian mullan <bm...@gmail.com> wrote:

> In Chapter 5 are listed 6 Parameter Tokens.
>
> By chance are there more?
>

The ones listed there are the only ones that exist by default.  However...


>
> If not could there be?
>

...changes have been introduced in the master branch of the git repo that
allow LDAP attributes to be used.  This is also being extended to the CAS
module, which can pull in various attributes.  The changes in GUACAMOLE-524
made it reasonably easy for this to be extended to whatever module one
wants:
https://issues.apache.org/jira/browse/GUACAMOLE-524
https://issues.apache.org/jira/browse/GUACAMOLE-579


>
> The reason I am asking is that I found a very useful Guacamole Auth
> Extension
> for Linux PAM:
>
> https://github.com/voegelas/guacamole-auth-pam
>
>
Interesting - I was just wondering about that the other day!  Very cool
that someone has already done it.


> But to utilize this his GitHub README describes creating a
> /etc/guacamole/unix-user-mapping.xml file:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <unix-user-mapping serviceName="guacamole">
>     <config name="RDP Connection" protocol="rdp">
>         <param name="hostname" value="client.example.com" />
>         <param name="username" value="${GUAC_USERNAME}" />
>         <param name="password" value="${GUAC_PASSWORD}" />
>         <param name="domain" value="EXAMPLE" />
>         <param name="security" value="nla" />
>         <param name="server-layout" value="en-us-qwerty" />
>     </config>
>
>     <config name="VNC Connection" protocol="vnc">
>         <param name="hostname" value="localhost" />
>         <param name="port" value="5901" />
>         <param name="password" value="secret" />
>     </config>
>
>     <user name="andreas">
>         <config-ref name="RDP Connection" />
>         <config-ref name="VNC Connection" />
>     </user>
>
>     <group name="users">
>         <config-ref name="RDP Connection" />
>     </group>
> </unix-user-mapping>
>
> Note this /etc/guacamole/unix-user-mapping.xml makes use of two
> of the existing Parameter Tokens:
>
>>
>> ${GUAC_USERNAME}
>> ${GUAC_PASSWORD}
>
>
> If there existed PARAMETER TOKENS for:
> hostname "value"
> security "value"
> connection "protocol"
> etc
>
> then you could configure Guacamole Connections to have 1 *generic*
> */etc/guacamole/unix-user-mapping.xml* file where all connections are
> processed and users validated against the Linux PAM to authenticate the
> Guacamole Users for an automatic login?
>
> This would seem to work especially well if you combined it with the Google
> Authenticator TOTP on the front-end of Guacamole login?
>
> example:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <unix-user-mapping serviceName="guacamole">
>     <config name="RDP Connection" protocol="${GUAC_PROTOCOL}">
>         <param name="hostname" value="${GUAC_CONNECTION_NAME}" />
>         <param name="username" value="${GUAC_USERNAME}" />
>         <param name="password" value="${GUAC_PASSWORD}" />
>         <param name="domain" value="${GUAC_DOMAIN}" />
>         <param name="security" value="${GUAC_RDP_SECURITY}" />
>         <param name="server-layout" value="${GUAC_SERVER_LAYOUT}" />
>     </config>
>
>     <config name="VNC Connection" protocol="${GUAC_PROTOCOL}">
>         <param name="hostname" value="${GUAC_CONNECTION_NAME}" />
>         <param name="port" value="5901" />
>         <param name="password" value="${GUAC_VNC_SECRET}" />
>     </config>
>
>     <user name="andreas">
>         <config-ref name="RDP Connection" />
>         <config-ref name="VNC Connection" />
>     </user>
>
>     <group name="users">
>         <config-ref name="RDP Connection" />
>     </group>
> </unix-user-mapping>
>
>
So, you could do this, yes; however, if you're going to go this route, it
might actually be better to modify that PAM authentication module to
somehow provide a connection directory.  I'm not entirely sure how this
would work without thinking about it, some, but if you're already going to
be deriving a bunch of that information, then why not just extend the
module out a bit more rather than trying to use parameters to retrofit it?

Also, another question around this becomes whether there are security
implications to allowing all of those parameters to be passed in?  If it
comes from PAM, it might be okay, but if the user has control over it, can
the user somehow enter or manipulate these tokens in such a way as to do
something unauthorized on the remote system?  Maybe the answer is no, just
something to think about.

-Nick
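Two things in this thread are worth seeing in running code: how a generic unix-user-mapping.xml with ${...} tokens would actually be resolved for a user (Brian's proposal at the top), and Nick's closing question about what happens when a token's value is under the user's control rather than coming from PAM. The following is an added example written for this page; it is not code from guacamole-auth-pam or from Apache Guacamole, and its token model is invented: only GUAC_USERNAME and GUAC_PASSWORD are real Guacamole tokens, while GUAC_HOME (standing in for a PAM/UnixUser-derived value such as the home directory Nick lists) and GUAC_TARGET_HOST (a value the user typed) are hypothetical, as is the rule that hostname, port, protocol, domain and security may only be filled from authenticator-sourced tokens. The sample mapping is constructed in the README's format and deliberately includes the "$GUAC_DOMAIN}" typo from the proposed file so the syntax check has something to catch.

```python
"""Resolve a guacamole-auth-pam style unix-user-mapping.xml against parameter
tokens, checking token syntax and where each token's value came from.
Added example, not code from guacamole-auth-pam or Apache Guacamole.  Only
GUAC_USERNAME and GUAC_PASSWORD are real Guacamole tokens; GUAC_HOME (PAM-derived),
GUAC_TARGET_HOST (user-supplied) and the source model are hypothetical."""
import re
import xml.etree.ElementTree as ET
from collections import namedtuple

TOKEN_RE = re.compile(r"\$\{([A-Z0-9_]+)\}")
# Parameters that decide where a session goes or how it is secured: fill them
# only from tokens the authenticator produced, never from values the user typed
# into the login form (hypothetical policy, following Nick's caution above).
TRUSTED_ONLY = {"protocol", "hostname", "port", "domain", "security"}
Token = namedtuple("Token", "value source")  # source: "authenticator" or "user"

class MappingError(ValueError):
    pass

def substitute(text, tokens, param):
    """Expand ${NAME} in text for connection parameter `param`."""
    # Any "$" left after removing well-formed tokens is a typo such as
    # "$GUAC_DOMAIN}", which guacd would otherwise receive literally.
    if "$" in TOKEN_RE.sub("", text):
        raise MappingError(f"{param}: malformed token in {text!r}")

    def expand(match):
        token = tokens.get(match.group(1))
        if token is None:
            raise MappingError(f"{param}: unknown token {match.group(1)}")
        if param in TRUSTED_ONLY and token.source != "authenticator":
            raise MappingError(f"{param}: token {match.group(1)} is user-controlled")
        return token.value
    return TOKEN_RE.sub(expand, text)

def render_config(cfg, tokens):
    """One <config> element -> {"protocol": ..., "params": {...}}, tokens expanded."""
    params = {p.get("name"): substitute(p.get("value"), tokens, p.get("name"))
              for p in cfg.findall("param")}
    return {"protocol": substitute(cfg.get("protocol"), tokens, "protocol"),
            "params": params}

def load_mapping(xml_text):
    """Return (configs by name, user -> config names, group -> config names)."""
    root = ET.fromstring(xml_text)
    refs = lambda el: [r.get("name") for r in el.findall("config-ref")]
    return ({c.get("name"): c for c in root.findall("config")},
            {u.get("name"): refs(u) for u in root.findall("user")},
            {g.get("name"): refs(g) for g in root.findall("group")})

def resolve_connections(xml_text, username, user_groups, tokens):
    """Connections for `username`: own config-refs plus those of its groups,
    deduplicated, with every token expanded."""
    configs, users, groups = load_mapping(xml_text)
    names = list(users.get(username, []))
    for group in user_groups:
        names += [n for n in groups.get(group, []) if n not in names]
    result = {}
    for name in names:
        if name not in configs:
            raise MappingError(f"config-ref {name!r} has no matching <config>")
        result[name] = render_config(configs[name], tokens)
    return result

def lint_mapping(xml_text, tokens):
    """{config name: error} for each <config> that would fail at login time."""
    problems = {}
    for name, cfg in load_mapping(xml_text)[0].items():
        try:
            render_config(cfg, tokens)
        except MappingError as err:
            problems[name] = str(err)
    return problems

# Constructed sample mapping, modelled on the guacamole-auth-pam README format.
SAMPLE_MAPPING = """<?xml version="1.0" encoding="UTF-8"?>
<unix-user-mapping serviceName="guacamole">
    <config name="RDP Connection" protocol="rdp">
        <param name="hostname" value="client.example.com" />
        <param name="username" value="${GUAC_USERNAME}" />
        <param name="password" value="${GUAC_PASSWORD}" />
        <param name="drive-path" value="${GUAC_HOME}/guac-drive" />
    </config>
    <config name="Typo" protocol="rdp">
        <param name="domain" value="$GUAC_DOMAIN}" />
    </config>
    <config name="User-chosen host" protocol="rdp">
        <param name="hostname" value="${GUAC_TARGET_HOST}" />
    </config>
    <user name="andreas"><config-ref name="RDP Connection" /></user>
    <group name="users"><config-ref name="RDP Connection" /></group>
</unix-user-mapping>"""

# Constructed tokens as they might look once PAM has accepted "andreas".
TOKENS = {
    "GUAC_USERNAME": Token("andreas", "authenticator"),
    "GUAC_PASSWORD": Token("correct horse", "authenticator"),
    "GUAC_HOME": Token("/home/andreas", "authenticator"),  # hypothetical: UnixUser home dir
    "GUAC_TARGET_HOST": Token("10.0.0.5", "user"),        # hypothetical login-form field
}
```

Running `resolve_connections(SAMPLE_MAPPING, "andreas", ["users"], TOKENS)` yields the single "RDP Connection" entry (the group reference is the same config and is not listed twice) with username, password and drive-path filled in, while `lint_mapping(SAMPLE_MAPPING, TOKENS)` reports "Typo" for the missing brace and "User-chosen host" because its hostname would come from a user-supplied token. The provenance rule is the answer to Nick's question in defensive form: the PAM module can hand over whatever it learned about the account, but anything that selects the target host or security mode should never be derivable from what the user typed at the login prompt.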