Issues with VNC and SSH on 2 different connections


Issues with VNC and SSH on 2 different connections

Devine, Harry (FAA)-2

I am having an issue with VNC connection on 1 server, and an SSH connection on another.  We have 2 other SSH connections that work fine.

For the VNC (which is running on RHEL 7 with TigerVNC), I see this in /var/log/messages:

Sep 10 10:08:00 ose-access guacd[21334]: Creating new client for protocol "vnc"
Sep 10 10:08:00 ose-access guacd[21334]: Connection ID is "$612676a8-2e21-48a0-89d2-66afdd3d5657"
Sep 10 10:08:00 ose-access guacd[22306]: Cursor rendering: local
Sep 10 10:08:00 ose-access guacd[22306]: User "@61860625-7c6a-4ae7-ab1c-11aed717a187" joined connection "$612676a8-2e21-48a0-89d2-66afdd3d5657" (1 users now present)
Sep 10 10:08:00 ose-access server: 10:08:00.891 [http-bio-8080-exec-13] INFO  o.a.g.tunnel.TunnelRequestService - User "guacadmin" connected to connection "5".
Sep 10 10:08:00 ose-access server: 10:08:00.891 [http-bio-8080-exec-13] INFO  o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet - Using HTTP tunnel (not WebSocket). Performance may be sub-optimal.
Sep 10 10:08:00 ose-access guacd[22306]: VNC server supports protocol version 3.8 (viewer 3.8)
Sep 10 10:08:00 ose-access guacd[22306]: We have 2 security types to read
Sep 10 10:08:00 ose-access guacd[22306]: 0) Received security type 19
Sep 10 10:08:00 ose-access guacd[22306]: Selecting security type 19 (0/2 in the list)
Sep 10 10:08:00 ose-access guacd[22306]: 1) Received security type 2
Sep 10 10:08:00 ose-access guacd[22306]: Selected Security Scheme 19
Sep 10 10:08:00 ose-access guacd[22306]: Failed to initialized GnuTLS: Error in public key generation..
Sep 10 10:08:00 ose-access guacd[22306]: Unable to connect to VNC server.
Sep 10 10:08:00 ose-access guacd[22306]: User "@61860625-7c6a-4ae7-ab1c-11aed717a187" disconnected (0 users remain)
Sep 10 10:08:00 ose-access guacd[22306]: Last user of connection "$612676a8-2e21-48a0-89d2-66afdd3d5657" disconnected

For the SSH connection, I get prompted for the username and as soon as I enter it, I get the “Home/Reconnect” window and the log shows the following:

Sep 10 10:08:04 ose-access guacd[21334]: Creating new client for protocol "ssh"
Sep 10 10:08:04 ose-access guacd[21334]: Connection ID is "$a6f234a9-34e2-45bf-9ae8-5648e2012ffa"
Sep 10 10:08:04 ose-access guacd[22315]: User "@05503ef3-b943-4e58-b2bf-ae26c5256c41" joined connection "$a6f234a9-34e2-45bf-9ae8-5648e2012ffa" (1 users now present)
Sep 10 10:08:04 ose-access server: 10:08:04.193 [http-bio-8080-exec-6] INFO  o.a.g.tunnel.TunnelRequestService - User "guacadmin" connected to connection "1".
Sep 10 10:08:04 ose-access server: 10:08:04.193 [http-bio-8080-exec-6] INFO  o.a.g.t.h.RestrictedGuacamoleHTTPTunnelServlet - Using HTTP tunnel (not WebSocket). Performance may be sub-optimal.
Sep 10 10:08:05 ose-access guacd[21334]: Connection "$612676a8-2e21-48a0-89d2-66afdd3d5657" removed.
Sep 10 10:08:06 ose-access guacd[22315]: SSH handshake failed.
Sep 10 10:08:06 ose-access guacd[22315]: User "@05503ef3-b943-4e58-b2bf-ae26c5256c41" disconnected (0 users remain)
Sep 10 10:08:06 ose-access guacd[22315]: Last user of connection "$a6f234a9-34e2-45bf-9ae8-5648e2012ffa" disconnected
Sep 10 10:08:11 ose-access guacd[21334]: Connection "$a6f234a9-34e2-45bf-9ae8-5648e2012ffa" removed.
Sep 10 10:08:15 ose-access server: 10:08:15.975 [http-bio-8080-exec-13] INFO  o.a.g.tunnel.TunnelRequestService - User "guacadmin" disconnected from connection "5". Duration: 15084 milliseconds
Sep 10 10:08:15 ose-access server: 10:08:15.980 [http-bio-8080-exec-13] ERROR o.a.g.s.GuacamoleHTTPTunnelServlet - HTTP tunnel request failed: Connection to guacd timed out.
Sep 10 10:08:15 ose-access server: 10:08:15.980 [http-bio-8080-exec-12] INFO  o.a.g.tunnel.TunnelRequestService - User "guacadmin" disconnected from connection "5". Duration: 15089 milliseconds

Any help would be appreciated.

Harry

Harry Devine

DOT/FAA/AJM-2431

Secure-OSE Administrator

Red Hat Certified System Administrator (RHCSA)

[hidden email]

(609)485-4218

Building 300, 3rd floor, Column L20 (3L20)

Re: Issues with VNC and SSH on 2 different connections

ivanmarcus

Harry,

I'm a little unclear as to whether this is a single instance of Guacamole accessing different servers (with some access ok, others not), or several Guacamole instances, one each with the problem you describe?

In any event this link may be of some use (?), at least with the ssh issue:

http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/SSH-handshake-failed-only-RSA-keys-possible-td2248.html

I don't see too many results on the GnuTLS issue, but if it's a single Guacamole instance and you're having both this and the ssh issue at the same time then I wonder if there was an installation problem with one or more of the secure packages (libssh2/OpenSSL)?

On 11/09/2020 2:14 a.m., Devine, Harry (FAA) wrote:
SSH handshake failed


RE: Issues with VNC and SSH on 2 different connections

Devine, Harry (FAA)-2

I apologize that this has taken me so long to answer.  Let me try and give an update.

Our Guacamole is installed on RHEL 7.8 and is the current 1.2.0 version.  If we set up an SSH connection to another RHEL 7 box, it works.  We have an SSH connection set up to go to a RHEL 8 box, and it does NOT work.  The guacamole log shows “SSH handshake failed”.

On the RHEL 8 target box, we see the following:

[root@tower1 ~]#tail -f /var/log/secure
Oct 13 14:19:09 tower1 sshd[3583210]: FIPS mode initialized
Oct 13 14:19:09 tower1 sshd[3583210]: Unable to negotiate with xxx.xxx.xxx.xxx port 34598: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]

If we SSH from our guacamole server to that box directly (OS to OS), it works without incident.  So what could be going on in the Guacamole SSH library that could be causing this?


Thanks,

Harry

Re: Issues with VNC and SSH on 2 different connections

vnick

Guacamole uses libssh2, which does not have quite as broad support for all of the various key exchange algorithms and host keys that some of the larger libraries support.  This message indicates that the Guacamole client is attempting to get either an RSA or DSS host key from the RHEL8 server, but it appears that RHEL8 is using a different host key type? I've not played much with EL8, so I'm not entirely sure what RHEL8 is using that isn't supported, but it is a mismatch in host key support between libssh2 and OpenSSH on EL8.

-Nick
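
An added example, not part of the original thread and not Guacamole or libssh2 code: it parses the sshd "Unable to negotiate" line quoted above and intersects the client's offer with a server-side algorithm list, which is the mismatch described in the reply. It generalizes to the other negotiation categories sshd logs in the same format; the function names are hypothetical and the server list is a constructed assumption, not what the RHEL 8 host actually accepts.

```python
import re

# sshd writes this line when a client's proposal shares nothing with its own
# list; the category is "host key type", "key exchange method", "cipher" or "MAC".
NEGOTIATE_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Unable to negotiate with (?P<peer>\S+) "
    r"port (?P<port>\d+): no matching (?P<category>.+?) found\. "
    r"Their offer: (?P<offer>\S+)"
)

def parse_negotiation_failures(lines):
    """Return one record per 'Unable to negotiate' line, with the offer split."""
    records = []
    for line in lines:
        m = NEGOTIATE_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["offer"] = rec["offer"].split(",")
            records.append(rec)
    return records

def common_algorithms(client_offer, server_list):
    """Algorithms both sides accept, kept in the client's preference order."""
    allowed = set(server_list)
    return [alg for alg in client_offer if alg in allowed]

def report(lines, server_list):
    """One summary string per failure: what was offered and whether any overlap exists."""
    rows = []
    for rec in parse_negotiation_failures(lines):
        shared = common_algorithms(rec["offer"], server_list)
        verdict = "would select " + shared[0] if shared else "mismatch"
        rows.append(f'{rec["peer"]} {rec["category"]}: {",".join(rec["offer"])} -> {verdict}')
    return rows

# Lines copied from the /var/log/secure excerpt in the thread.
SAMPLE_LOG = [
    "Oct 13 14:19:09 tower1 sshd[3583210]: FIPS mode initialized",
    "Oct 13 14:19:09 tower1 sshd[3583210]: Unable to negotiate with "
    "xxx.xxx.xxx.xxx port 34598: no matching host key type found. "
    "Their offer: ssh-rsa,ssh-dss [preauth]",
]

# ASSUMPTION: constructed server-side list for illustration only. On a real
# host, read the hostkeyalgorithms line from the output of `sshd -T`.
ASSUMED_SERVER_HOSTKEY_ALGS = ["rsa-sha2-512", "rsa-sha2-256", "ecdsa-sha2-nistp256"]

if __name__ == "__main__":
    for row in report(SAMPLE_LOG, ASSUMED_SERVER_HOSTKEY_ALGS):
        print(row)
```

An empty intersection means the handshake ends before authentication, which is why the Guacamole side only reports "SSH handshake failed".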