Posted to user@guacamole.apache.org by YT <ya...@gmail.com> on 2018/04/14 21:58:05 UTC

guacamole-auth-json Questions

Hello Everyone, 

First of all, Great respect for Mike Jumper and for all of those who are 
behind this amazing software particularly when you think of the complexity 
of this project: from guacd service, guacamole web app and several 
authentication extensions. 

Second, I just read that version 1.x.x is going to be released and look 
forward to it. 

Now, to my trivial questions: 

I have installed the guacamole-auth-json authentication extension. I have 
tested it and gotten the right output as indicated in the README.md file of 
the source code of this extension as shown below. The message is decrypted 
and verified and hence the authToken is generated and returned. 


{
    "username" : "USER200",
    "expires" : "1524000000000",
    "connections" : {
    }
}

json-secret-key: c2094ccb11ef2c5cbdc148979f5551cd


curl --data-urlencode \
  "data=Y1BsShW4AoCzKet6BFf8hMrNl2Wnx9BTuFtRDePiTFY+uzNZ6a/bCRB6gkE/jfuKst7ucqgaRIOeVuq/q3xxmOaYC71cPc4ab1YGqdOEsR/MoZl6TR9nYqlsriDlm50s/zWGGNg2ZlXuxlvrLQpVFPrQQbNrPgJ2o9GK2rigaiGYpFiF6mHSATeaSmC3o3RW" \
  http://localhost:8080/guacamole/api/tokens

{"authToken":"F27DC43AF0F16CD89365E70270256F525A7FE7D0619AEE650D444C00A169C0FB","username":"USER200","dataSource":"json","availableDataSources":["mysql","mysql-shared","json"]}


1 --- How do I use the above token to login automatically similar to the 
normal way of specifying the username and password as shown below to 
login automatically? 

http://localhost:8080/guacamole/#/?username=USER200&password=MYPASS200 


2 --- Also, it seems that whenever I add/specify a password using the 
"password" name parameter in the JSON data, guacamole does not return a 
valid token (tried this several times). So why is that? And actually in the 
README.md example, the password keyword is not used, which I believe is 
essential for the automatic login mechanism mentioned above. 

3 ---- How should I configure guacamole to accept ONLY JSON encrypted and 
hashed messages for the login mechanism and reject login messages that are not 
encrypted and hashed? Because I can still login normally even after 
configuring guacamole to use the JSON Secret Key (json-secret-key: 
4c0b569e4c96df157eee1b65dd0e4d41). 

I am assuming the following order of operation; it would be great if someone
can confirm/correct since this is crucial to understand the whole process.

Message is received ---> Message is decrypted and hash is verified
----> JSON data is parsed/extracted -----> username and password are passed to
the authentication provider extension and compared against
database/user-mapping.xml/others ----> once authenticated,
guacamole-auth-json extension will generate a token and forward it back to the
user/client 



Thank you all 
YT 




--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/

Re: guacamole-auth-json Questions

Posted by YT <ya...@gmail.com>.
Thank you Mike for your to-the-point answers and explanations.
 
I will test them again and post any questions I have. Keep up the great
work.

Thank you again
YT




Re: guacamole-auth-json Questions

Posted by sciUser <sh...@securitycentric.net>.
There are a few ways of handling this.
The down and dirty way is to install netstat-nat and run a script that does the
following.

1. Cron job it on the Guacamole system
2. detect new connections 
3. set script to write to a file that is timestamped
    - Have IP address and host information in this file
4. when time has been reached you can close the connection gracefully or
just kill it.

The script would use IF ELSE statements with AWK SED arguments. 

Second method is to run the connection through an API token using JSON or
PYTHON - each connection will have its own thread and you can set a timer in
the API.

Example :

{ 
username = ""
Password = ""
Token = ""
Timer = HttpContext.Current.Server.ScriptTimeout = 3000;
}

Hope this gives some insight.

Thank you




Re: guacamole-auth-json Questions

Posted by Mike Jumper <mi...@guac-dev.org>.
On Mon, Apr 16, 2018 at 11:29 AM, YT <ya...@gmail.com> wrote:

> ... Particularly I want the users session/usage to expire after the
> specified timer has expired which I was thinking that the expiration timer
> in the json data accomplishes this.
>
>
The documentation will definitely be your friend here. If a particular
property/parameter is not documented as providing the semantics you're
looking for, and you try using the parameter that way anyway and it
stubbornly only behaves as documented, then it's safe to assume that really
is not the purpose of that parameter.

I would recommend looking for a property/parameter (or combination of such
parameters) that is explicitly documented as providing what you're looking
for. If it turns out that nothing provides the behavior that you need for
your specific use case, you're not necessarily out of luck, but you might
need to write your own extension which does provide that behavior.

> However, now I realized that the session token does not carry the
> expiration time parameter in it.


The amount of time that a token remains valid despite inactivity is a
setting provided by Guacamole itself (outside of any extension) and is set
via the "api-session-timeout" property:

http://guacamole.apache.org/doc/gug/configuring-guacamole.html#initial-setup

Beware that simply being connected to a remote desktop is considered
activity from Guacamole's perspective. If you are trying to limit the
amount of time each desktop session can last, you will need to configure
this within the remote desktop. Windows RDP provides group policy settings
for this, for example.

- Mike

Re: guacamole-auth-json Questions

Posted by YT <ya...@gmail.com>.
Mike,

Please be patient with me, I am not a developer and I am trying to use this
application for a certain scenario. Particularly I want the users
session/usage to expire after the specified timer has expired which I was
thinking that the expiration timer in the json data accomplishes this.

However, now I realized that the session token does not carry the expiration
time parameter in it. So my question is what would be the best way to
configure such a scenario, if it is even possible to do so? For example, is it
possible to specify the session expiration timer in the json data and
later apply it to the session token? 

Thank you,
YT




Re: guacamole-auth-json Questions

Posted by Mike Jumper <mi...@guac-dev.org>.
On Mon, Apr 16, 2018, 10:07 YT <ya...@gmail.com> wrote:

> Follow up Question:
>
> I am able to login to guacamole-client by specifying the token in the URL
> as
> in the following example, however, it does not log me out after the time
> has
> expired.


The expiration timestamp has no bearing on session duration. It affects
only whether the JSON itself is accepted. From the README [1]:

"expires - The absolute time after which the JSON should no longer be
accepted, even if the signature is valid, as a standard UNIX epoch
timestamp with millisecond resolution (the number of milliseconds since
midnight of January 1, 1970 UTC)."

- Mike

[1] https://github.com/glyptodon/guacamole-auth-json/blob/master/README.md

Re: guacamole-auth-json Questions

Posted by YT <ya...@gmail.com>.
Follow up Question:

I am able to login to guacamole-client by specifying the token in the URL as
in the following example, however, it does not log me out after the time has
expired. 


http://localhost:8080/guacamole/#/?token=F49C8084410E78DBBFBAF5B1E18D186872DA3978550C536FAA12E447454BCF39

The curl command returns permission denied message as in the following
output which is expected/correct.


curl --data-urlencode "data=4tHe0Sbn9p4OnqQ/2WLD4iU4QKcx7VFgxSo71yTcV6cd0RsmbA6mEHVCztXKl22u8noSnDJDT+rz4SozFIMnKvot6PBK87DT6iXwH+fflOhB9U7yjEsvSbPoO67uZ7iU53CxjGGgD+iheHFnn1jFiFY3MrP+CGl3V+OzOi2V7vm+ARqV3MPKmOk4JkpqwKO1" http://localhost:8080/guacamole/api/tokens

{"message":"Permission denied.","translatableMessage":{"key":"Permission denied.","variables":null},"statusCode":null,"expected":[],"type":"INVALID_CREDENTIALS"}



But when I restart the tomcat8 server and try to login using the same URL,
it rejects it. 


So what am I missing here to get the login expiration from the web browser
as well?


Thank you in advance.

YT


Re: guacamole-auth-json Questions

Posted by Mike Jumper <mi...@guac-dev.org>.
On Sat, Apr 14, 2018 at 2:58 PM, YT <ya...@gmail.com> wrote:

> ...
>
> 1 --- How do I use the above token to login automatically similar to the
> normal way of specifying the username and password as shown below to
> login automatically?
>
> http://localhost:8080/guacamole/#/?username=USER200&password=MYPASS200
>
>
Include it in the URL as the value of the "token" parameter.


> 2 --- Also, It seems  that whenever I add/specify a password using
> "password" name parameter in the JSON data, guacamole does not return a
> valid token(tried this several times). So why is that? And actually in the
> README.md example, the password keyword is not used which I believe is
> essential for automatic login mechanism mentioned above.
>
>
If you mean you are providing JSON like:

{
    'username' : 'foo',
    'password' : 'bar'
}

this is not working because it is invalid. There is no password property:

https://github.com/glyptodon/guacamole-auth-json#json-format

The guacamole-auth-json extension authenticates users by verifying the
signature of the received encrypted data.


> 3 ---- How should I configure guacamole to accept ONLY JSON encrypted and
> hashed messages for login mechanism and reject login messages that are not
> encrypted and hashed?


Remove all extensions except guacamole-auth-json.

> ...
>
> I am assuming the following order of operation; it would be great if
> someone
> can confirm/correct since this is crucial to understand the whole process.
>
> Message is received ---> Message is decrypted and hash is verified
> ---->JSON data is parsed/extracted -----> username and password is passed
> to
> the authentication provider extension and is compared against
> database/user-mapping.xml/others ----> once authenticated,
> guacamole-auth-json extension will generate token and forward it back to
> the
> user/client
>
>
No, this is not what happens. Authentication providers do not forward the
user's identity by passing a username/password around, assuming a
username/password is involved at all.

When a user has authenticated, the authentication provider that
authenticated that user returns an "authenticated user" object which
represents the user's identity internally. It is the extension's way of
stating, for the benefit of itself and any other extensions, "I have
authenticated this user and they are user X". It is then up to the other
extensions to provide data for this user, now that their identity is known.
This is done not by testing some username/password forwarded along by the
original authentication provider, but by trusting the result of that
authentication provider as it stands.

For example, let's say you're using both LDAP and MySQL, and the LDAP
directory has a user X that can authenticate with Guacamole. This same user
X exists within MySQL, but cannot login purely via MySQL as no password has
been set. The following happens when the user logs in with their LDAP
credentials:

1) The LDAP authentication provider requests a username/password
2) The user submits their username/password.
3) The LDAP authentication provider tests the received username/password
and identifies the user as user X.
4) The fact that the user has successfully authenticated as user X is
passed along to all other extensions, including MySQL.
5) The MySQL extension trusts the authentication result of the LDAP
extension, and provides the data associated with user X. No password
involved - just a statement of identity from one extension, and acceptance
of that identity from others.

The same would work with guacamole-auth-json if you had JSON like:

{ 'username' : 'X' }

The fact that the JSON is properly signed is enough to prove to the
extension that the user is authorized, and the username within the JSON is
enough to define the user's identity. That identity is then passed on to
all other extensions.

Alternatively, you could include all the data that should be exposed to the
user within the JSON, and rely purely on guacamole-auth-json.

- Mike
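The acceptance flow Mike describes across this thread (signature verified first, then the JSON parsed, `expires` compared with the current time, and the `username` alone taken as the identity, with no password anywhere) can be written out as a small server-side check. The following is an added example for this thread, not code from guacamole-auth-json or from any poster. It assumes the signature scheme the extension's README specifies (an HMAC-SHA256 over the JSON, keyed with the hex secret, prepended to the JSON); the AES layer that the real extension wraps around signature+JSON is deliberately left out so the example runs with the standard library alone. Treating `username` and `expires` as mandatory and rejecting unknown properties such as `password` is this example's policy, chosen to match the behaviour YT observed and Mike confirmed:

```python
"""Acceptance check for a guacamole-auth-json style payload (added example).

Steps modelled, in the order Mike gives them:
  1. verify the signature over the JSON (HMAC-SHA256 per the README; AES layer omitted here)
  2. parse the JSON
  3. reject unknown properties (there is no "password" property)
  4. reject JSON whose absolute `expires` timestamp (epoch ms) has passed
  5. the `username` becomes the identity handed to other extensions
"""
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Secret key from the original post: 32 hex chars, i.e. a 128-bit key.
SECRET_KEY_HEX = "c2094ccb11ef2c5cbdc148979f5551cd"

# Properties documented for the JSON; anything else is treated as invalid here.
ALLOWED_KEYS = {"username", "expires", "connections"}

SIG_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_payload(payload: dict, key_hex: str) -> bytes:
    """Client side: return signature || JSON (the bytes the real extension would then encrypt)."""
    body = json.dumps(payload, separators=(",", ":")).encode()
    sig = hmac.new(bytes.fromhex(key_hex), body, hashlib.sha256).digest()
    return sig + body


def accept_payload(blob: bytes, key_hex: str,
                   now_ms: Optional[int] = None) -> Tuple[Optional[str], str]:
    """Server side: return (identity, reason). identity is None whenever the JSON is rejected."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    if len(blob) < SIG_LEN:
        return None, "too short"
    sig, body = blob[:SIG_LEN], blob[SIG_LEN:]

    # Step 1: constant-time signature comparison; a wrong key or tampered JSON fails here.
    expected = hmac.new(bytes.fromhex(key_hex), body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None, "bad signature"

    # Step 2: only now is the JSON parsed.
    try:
        data = json.loads(body)
    except ValueError:
        return None, "invalid JSON"
    if not isinstance(data, dict):
        return None, "invalid JSON"

    # Step 3: no "password" or other undocumented property is accepted.
    unknown = set(data) - ALLOWED_KEYS
    if unknown:
        return None, "unknown property: " + ", ".join(sorted(unknown))
    if "username" not in data or "expires" not in data:
        return None, "missing username or expires"

    # Step 4: `expires` limits acceptance of the JSON only, not the session that results.
    try:
        expires_ms = int(data["expires"])
    except (TypeError, ValueError):
        return None, "expires is not a timestamp"
    if now_ms > expires_ms:
        return None, "expired"

    # Step 5: identity is the username in the signed JSON; nothing is checked against a password.
    return data["username"], "ok"


if __name__ == "__main__":
    now = 1523000000000  # constructed "current time": 2018-04-06, before the post's expires value
    good = sign_payload({"username": "USER200", "expires": "1524000000000",
                         "connections": {}}, SECRET_KEY_HEX)
    print(accept_payload(good, SECRET_KEY_HEX, now))
    print(accept_payload(good, SECRET_KEY_HEX, 1524000000001))
    with_password = sign_payload({"username": "USER200", "expires": "1524000000000",
                                  "password": "MYPASS200"}, SECRET_KEY_HEX)
    print(accept_payload(with_password, SECRET_KEY_HEX, now))
```

The order matters for the defender: the signature is checked before anything is parsed, so unsigned or tampered input never reaches the JSON parser, and an `expires` in the past only stops new tokens from being issued, which is exactly why YT's existing browser session stayed alive until Tomcat was restarted.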