Posted to user@guacamole.apache.org by "Bime, Kerman K. (GSFC-606.2)[InuTeq, LLC]" <ke...@nasa.gov> on 2018/08/22 17:05:42 UTC

MySQL

Hi Nick, and ALL

Thanks for your previous help. I have a question about a few steps in my build/configuration.

In the process of creating the guacamole_user/admin for the guacamole_db, how does one go about doing so with a hash and perhaps salted password?


 mysql> CREATE DATABASE guacamole_db;
Query OK, 1 row affected (0.00 sec)

>>mysql> CREATE USER 'guacamole_user'@'localhost' IDENTIFIED BY 'some_password';
Query OK, 0 rows affected (0.00 sec)

I would then need to print the hash and replace the plain text password in the guacamole.properties file


 # MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
>>mysql-password: some_password

So far I have tried a number of things, including using SELECT MD5(‘somepassword’); to print a sum that I replaced some_password with, but that didn’t seem to work. I also added “mysql-encoding: md5” to guacamole.properties, which didn’t break it, but that didn’t help either.

I did see in the Guacamole Documentation on the MySQL chapter some SET and INSERT syntax, but I don’t believe that would work either (this might be user error, but I did try that and kept getting an error stating I had not selected a database).

I am reading through some MySQL documentation, and have tried using CREATE USER ‘myuser’@’localhost’ IDENTIFIED WITH (a number of variations including mysql_native_password, sha256_password…) BY ‘some_password’;

All to no avail. However, in the process of writing this email I did just see this section in the MySQL doc.


  *   To avoid specifying the cleartext password if you know its hash value (the value that PASSWORD() <https://dev.mysql.com/doc/refman/5.5/en/encryption-functions.html#function_password> would return for the password), specify the hash value preceded by the keyword PASSWORD:
CREATE USER 'jeffrey'@'localhost'
IDENTIFIED BY PASSWORD '*90E462C37378CED12064BB3388827D2BA3A9B689';
The server assigns the given password to the account but no authentication plugin. Clients must provide the password when they connect.

While that might work, if you have any helpful thoughts on the subject, I would be grateful for your assistance.

Cheers,

-Kerman


From: Nick Couchman <vn...@apache.org>
Sent: Monday, July 30, 2018 4:13 PM
To: user@guacamole.apache.org
Subject: Re: Http Header Auth

On Mon, Jul 30, 2018 at 3:19 PM Bime, Kerman K. (GSFC-606.2)[InuTeq, LLC] <ke...@nasa.gov> wrote:
To whom it may concern,

Could you provide more information on configuring guacamole.properties for HTTP Header Authentication. The manual/documentation essentially just says to drop the jar file in GUAC_Home/extensions.

Yes, and reload Tomcat or re-deploy the Guacamole WAR file.  The only thing to configure within Guacamole is if you want to change the header that's used to something other than REMOTE_USER; you can set that, as well.

Other than that, you also have to set up your web server to provide that authentication - you can do this in Tomcat (or your Java Application Server - Jetty, JBOSS, etc.), or you can do it on an upstream reverse proxy server, like Nginx or Apache httpd.  You can find examples of how to configure this for Nginx at the following page:

https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/


I understand that this needs to be layered on top of a db like MySQL (which I have set up); however, it doesn't provide more info than that. For the lay person, I would like some sort of direction on how to configure that portion. Also, any info besides how to configure it, and more on what information I need to give guacamole.properties to make HTTP auth work, would be great.


You'll basically want to take a look at the chapter on JDBC configuration and configure that.  Layering the modules does not require anything special, per se - you install and configure each of the modules, and the "layering" happens automatically.  It is done via username, so if the username of your user logged in via the HTTP header module matches one present in the JDBC module, the permissions in the JDBC module will be assigned to that user.  You might find the following section helpful - it deals with LDAP + JDBC, but really applies to anything, including Header auth, plus JDBC:

http://guacamole.apache.org/doc/gug/ldap-auth.html#ldap-and-database

Feel free to post back if you have additional questions!

-Nick

Re: MySQL

Posted by Mike Jumper <mi...@glyptodon.org>.
On Wed, Aug 22, 2018, 10:29 Nick Couchman <vn...@apache.org> wrote:

> On Wed, Aug 22, 2018 at 1:05 PM Bime, Kerman K. (GSFC-606.2)[InuTeq, LLC] <
> kerman.k.bime@nasa.gov> wrote:
>
>> Hi Nick, and ALL
>>
>>
>>
>> Thanks for your previous help. I have a question about a few steps in my
>> build/configuration.
>>
>>
>>
>> In the process of creating the guacamole_user/admin for the guacamole_db,
>> how does one go about doing so with a hash and perhaps salted password?
>>
>
> You can't - this isn't implemented in the current version of the Guacamole
> JDBC extension.  It has been requested a few times in the past, and there's
> been some discussion on it.  I believe the general consensus is that this
> type of feature would offer very little in the way of real security.
>

This isn't entirely correct. The reason hashing isn't used for the MySQL
password in guacamole.properties is not because it offers no security; it's
because it's impossible.

The point of hashing a password is that the hash is one way. With the hash
in hand, you can use the hash only to validate that a password given to you
is correct. You cannot derive the password from the hash.

To connect to MySQL as the user with permissions to read the tables in the
guacamole database, Guacamole must authenticate with MySQL using a
password. It cannot authenticate with a password hash because (1) it cannot
produce the password from a password hash and (2) if the MySQL server
accepted the hash as if it were the password, then that would mean the hash
is equivalent to the password and the hashed aspect is useless (this would
be a vulnerability in MySQL).

The same goes for authenticating on your behalf with RDP and other systems.
If those systems need a password, then Guacamole will need to pass that
password through. Having a hash of that password will not work for the very
reason that passwords are hashed in the first place.

- Mike

RE: MySQL

Posted by "Bime, Kerman K. (GSFC-606.2)[InuTeq, LLC]" <ke...@nasa.gov>.
Thanks Nick,

That answers all of my questions!

Cheers

-Kerman

From: Nick Couchman <vn...@apache.org>
Sent: Wednesday, August 22, 2018 1:29 PM
To: user@guacamole.apache.org
Subject: Re: MySQL

On Wed, Aug 22, 2018 at 1:05 PM Bime, Kerman K. (GSFC-606.2)[InuTeq, LLC] <ke...@nasa.gov> wrote:
Hi Nick, and ALL

Thanks for your previous help. I have a question about a few steps in my build/configuration.

In the process of creating the guacamole_user/admin for the guacamole_db, how does one go about doing so with a hash and perhaps salted password?

You can't - this isn't implemented in the current version of the Guacamole JDBC extension.  It has been requested a few times in the past, and there's been some discussion on it.  I believe the general consensus is that this type of feature would offer very little in the way of real security.  If you're putting something into the /etc/guacamole.properties file as a way for Guacamole to connect to the database, then *whatever* you put in there, whether it is human-readable text, salted, hashed, etc., is going to allow anyone who can see that file to access your database under that account.  So, while you may not have the actual password listed, you still have a credential listed that could still be used by someone to compromise your system.  Why does it matter if it is hashed, salted, encrypted, summed, etc.?

There are some things that you can do to secure your installation, particularly with regard to the database:
- Don't use the root account in MySQL (you're not, this is good :-).
- Use a firewall to make sure only the hosts necessary have access to the database.
- As with your CREATE USER command below, make sure the user only has access from the host where the JDBC extension is running (@'localhost' - exactly what you've done).
- Make sure permissions on guacamole.properties are as tight as possible - only the user running guacd (if it's running on the same server) and the user running Tomcat will need read access.  If that's the same user, chown it to that user and set 0400 permissions on it; if they are different users create a group with those users in it, chown it to one of those users and the group, and chmod to 0440.
- Make sure the password is different from other accounts on the system - for example, do not set the root password, MySQL root password, and guacamole_user password to the same thing.



 mysql> CREATE DATABASE guacamole_db;
Query OK, 1 row affected (0.00 sec)

>>mysql> CREATE USER 'guacamole_user'@'localhost' IDENTIFIED BY 'some_password';
Query OK, 0 rows affected (0.00 sec)

I would then need to print the hash and replace the plain text password in the guacamole.properties file


 # MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
>>mysql-password: some_password

So far I have tried a number of things, including using SELECT MD5(‘somepassword’); to print a sum that I replaced some_password with, but that didn’t seem to work. I also added “mysql-encoding: md5” to guacamole.properties, which didn’t break it, but that didn’t help either.

This isn't a valid option for the JDBC extension - valid options are listed in the manual page:

http://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-mysql


I did see in the Guacamole Documentation on the MySQL chapter some SET and INSERT syntax, but I don’t believe that would work either (this might be user error, but I did try that and kept getting an error stating I had not selected a database).

I am reading through some MySQL documentation, and have tried using CREATE USER ‘myuser’@’localhost’ IDENTIFIED WITH (a number of variations including mysql_native_password, sha256_password…) BY ‘some_password’;

This controls how MySQL stores the password, not how the password is communicated between the client and the MySQL server, nor how applications might support transmitting credentials.


All to no avail. However, in the process of writing this email I did just see this section in the MySQL doc.


  *   To avoid specifying the cleartext password if you know its hash value (the value that PASSWORD() <https://dev.mysql.com/doc/refman/5.5/en/encryption-functions.html#function_password> would return for the password), specify the hash value preceded by the keyword PASSWORD:
CREATE USER 'jeffrey'@'localhost'
IDENTIFIED BY PASSWORD '*90E462C37378CED12064BB3388827D2BA3A9B689';
The server assigns the given password to the account but no authentication plugin. Clients must provide the password when they connect.

While avoiding a clear-text password here may make it *harder* for someone to determine the credentials, it doesn't make it impossible.  I was able to determine, via about 2 minutes of Google search, that the hash value you pasted in there is "biscuit" (right?).

In the end, though, it doesn't really matter - at some point, you have to feed some credentials to the Guacamole JDBC extension that can be used to authenticate against MySQL.  No matter how you specify these credentials - plaintext, encrypted, hashed, salted - if someone gets ahold of them, they will be able to access the database under that account.  This makes the process of supporting other-than-plaintext credentials in Guacamole configurations of rather limited value.

-Nick

Re: MySQL

Posted by Nick Couchman <vn...@apache.org>.
On Wed, Aug 22, 2018 at 1:05 PM Bime, Kerman K. (GSFC-606.2)[InuTeq, LLC] <
kerman.k.bime@nasa.gov> wrote:

> Hi Nick, and ALL
>
>
>
> Thanks for your previous help. I have a question about a few steps in my
> build/configuration.
>
>
>
> In the process of creating the guacamole_user/admin for the guacamole_db,
> how does one go about doing so with a hash and perhaps salted password?
>

You can't - this isn't implemented in the current version of the Guacamole
JDBC extension.  It has been requested a few times in the past, and there's
been some discussion on it.  I believe the general consensus is that this
type of feature would offer very little in the way of real security.  If
you're putting something into the /etc/guacamole.properties file as a way
for Guacamole to connect to the database, then *whatever* you put in there,
whether it is human-readable text, salted, hashed, etc., is going to allow
anyone who can see that file to access your database under that account.
So, while you may not have the actual password listed, you still have a
credential listed that could still be used by someone to compromise your
system.  Why does it matter if it is hashed, salted, encrypted, summed,
etc.?

There are some things that you can do to secure your installation,
particularly with regard to the database:
- Don't use the root account in MySQL (you're not, this is good :-).
- Use a firewall to make sure only the hosts necessary have access to the
database.
- As with your CREATE USER command below, make sure the user only has
access from the host where the JDBC extension is running (@'localhost' -
exactly what you've done).
- Make sure permissions on guacamole.properties are as tight as possible -
only the user running guacd (if it's running on the same server) and the
user running Tomcat will need read access.  If that's the same user, chown
it to that user and set 0400 permissions on it; if they are different users
create a group with those users in it, chown it to one of those users and
the group, and chmod to 0440.
- Make sure the password is different from other accounts on the system -
for example, do not set the root password, MySQL root password, and
guacamole_user password to the same thing.


>
>
>  mysql> *CREATE DATABASE guacamole_db;*
>
> Query OK, 1 row affected (0.00 sec)
>
>
>
> >>mysql> *CREATE USER 'guacamole_user'@'localhost' IDENTIFIED BY
> 'some_password';*
>
> Query OK, 0 rows affected (0.00 sec)
>
>
>
> I would then need to print the hash and replace the plain text password in
> the guacamole.properties file
>
>
>
>  # MySQL properties
>
> mysql-hostname: localhost
>
> mysql-port: 3306
>
> mysql-database: *guacamole_db*
>
> mysql-username: *guacamole_user*
>
> >>mysql-password: *some_password *
>
>
>
> So far I have tried a number of things, including using SELECT
> MD5(‘somepassword’); to print a sum that I replaced some_password with, but
> that didn’t seem to work. I also added “mysql-encoding: md5” to
> guacamole.properties, which didn’t break it, but that didn’t help either.
>

This isn't a valid option for the JDBC extension - valid options are listed
in the manual page:

http://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-mysql


>
>
> I did see in the Guacamole Documentation on the MySQL chapter some SET and
> INSERT syntax, but I don’t believe that would work either (this might be
> user error, but I did try that and kept getting an error stating I had not
> selected a database).
>
>
>
> I am reading through some MySQL documentation, and have tried using CREATE
> USER ‘myuser’@’localhost’ IDENTIFIED WITH (a number of variations
> including mysql_native_password, sha256_password…) BY ‘some_password’;
>

This controls how MySQL stores the password, not how the password is
communicated between the client and the MySQL server, nor how applications
might support transmitting credentials.


>
>
> All to no avail. However, in the process of writing this email I did just
> see this section in the MySQL doc.
>
>
>
>    - To avoid specifying the cleartext password if you know its hash
>    value (the value that PASSWORD()
>    <https://dev.mysql.com/doc/refman/5.5/en/encryption-functions.html#function_password>
>    would return for the password), specify the hash value preceded by the
>    keyword PASSWORD:
>
> CREATE USER 'jeffrey'@'localhost'
>
> IDENTIFIED BY PASSWORD '*90E462C37378CED12064BB3388827D2BA3A9B689';
>
> The server assigns the given password to the account but no authentication
> plugin. Clients must provide the password when they connect.
>

While avoiding a clear-text password here may make it *harder* for someone
to determine the credentials, it doesn't make it impossible.  I was able to
determine, via about 2 minutes of Google search, that the hash value you
pasted in there is "biscuit" (right?).

In the end, though, it doesn't really matter - at some point, you have to
feed some credentials to the Guacamole JDBC extension that can be used to
authenticate against MySQL.  No matter how you specify these credentials -
plaintext, encrypted, hashed, salted - if someone gets ahold of them, they
will be able to access the database under that account.  This makes the
process of supporting other-than-plaintext credentials in Guacamole
configurations of rather limited value.

-Nick

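One way to audit the guacamole.properties permission advice from Nick's list above, as an added example that is not part of the thread or of the Guacamole project: a POSIX sh check that the file is owned by the expected service account (and optional group) and carries exactly mode 0400 or 0440. It assumes GNU coreutils (`stat -c`) and that the Tomcat/guacd account names are passed in as arguments.

```shell
#!/bin/sh
# Added example: verify ownership and mode of a Guacamole properties file.
# Assumes GNU coreutils `stat -c`; account names are supplied by the caller.

# check_props_perms FILE USER [GROUP]
# Returns 0 when FILE is owned by USER (and by GROUP, if given) and its
# mode is 0400 (single service account) or 0440 (shared read-only group),
# i.e. nobody else can read the mysql-password it contains. Any other
# mode, including anything writable or world-readable, fails with a reason.
check_props_perms() {
    file=$1; want_user=$2; want_group=$3
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    owner=$(stat -c '%U' "$file")
    group=$(stat -c '%G' "$file")
    mode=$(stat -c '%a' "$file")      # octal mode without leading zero
    rc=0
    if [ "$owner" != "$want_user" ]; then
        echo "$file: owner is $owner, expected $want_user"; rc=1
    fi
    if [ -n "$want_group" ] && [ "$group" != "$want_group" ]; then
        echo "$file: group is $group, expected $want_group"; rc=1
    fi
    case "$mode" in
        400|440) ;;                    # exactly the modes recommended above
        *) echo "$file: mode is $mode, expected 400 or 440"; rc=1 ;;
    esac
    return $rc
}

# Usage: check_props_perms /etc/guacamole/guacamole.properties tomcat [guac]
if [ "$#" -ge 2 ]; then
    check_props_perms "$@"
fi
```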