Query for beginner user how to use Guacamole

7 messages

Query for beginner user how to use Guacamole

Abdul Qadir (aqadir)

Hi,

I am a beginner with Guacamole and have installed the following components:

- Guacamole server
- guacd proxy
- Servlet container (Guacamole client) running under Apache Tomcat

This is the URL for Guacamole access: http://10.9.xx.xx:8080/guacamole/#/

The link above opens in the browser, but I am facing an issue with login.

Where can I collect the logs and information for review?

Also, we want to integrate Guacamole's capabilities into our solution for RDP to Windows servers.

We want to know how we can form the HTTP URL so that it automatically logs into the Guacamole server and into the machine we want to RDP to, with credentials and other parameters.

Any example or documentation?

Regards,

Abdul Qadir


Re: Query for beginner user how to use Guacamole

Mike Jumper-3
On Thu, Jun 18, 2020 at 1:00 AM Abdul Qadir (aqadir) <[hidden email]> wrote:

...

The link above opens in the browser, but I am facing an issue with login.

Where can I collect the logs and information for review?


The Guacamole logs will be the Tomcat logs. Where these logs are specifically will depend on how Tomcat was installed. On CentOS / RHEL, for example, the provided "tomcat" package logs things to the systemd journal. On other distributions, the log may be /var/log/tomcat/catalina.out or /var/log/tomcat8/catalina.out or similar. If Tomcat was installed manually, there should be some sort of log directory that was created as part of that installation process, and the Tomcat logs will be in there.

Also, we want to integrate Guacamole's capabilities into our solution for RDP to Windows servers.

We want to know how we can form the HTTP URL so that it automatically logs into the Guacamole server and into the machine we want to RDP to, with credentials and other parameters.

Any example or documentation?


You should definitely not use the approach you describe above. Embedding credentials or connection details within the URL would expose sensitive information and allow users to manipulate their connection details beyond what the administrator dictates. A key design aspect of Guacamole is that users of the system should not be able to connect to any machine that the administrator has not explicitly granted them access. If you are integrating Guacamole within another application, then it should be the application which grants this access, but users should still not be able to manipulate this.

Your main options here are:

1) Use features of Guacamole provided out-of-the-box, like Active Directory integration (via LDAP) and credential passthrough. Depending on what you're trying to achieve, this may already be what you're looking for.

2) Leverage an extension which allows an external application to provide authentication and authorization details via the URL, but does so in such a way that user manipulation is not possible. I wrote such an extension some time ago for my day job, and there may be other similar extensions elsewhere: https://github.com/glyptodon/guacamole-auth-json

3) Write your own extension which directly integrates whichever authentication and authorization system your application provides. The Guacamole extension API (http://guacamole.apache.org/doc/gug/guacamole-ext.html) is quite flexible, and allows you to derive connection information however you see fit. There are basic examples on writing an extension within the manual and within the guacamole-client source.

- Mike


RE: Query for beginner user how to use Guacamole

Abdul Qadir (aqadir)

Hi Mike,

Thanks for the heads-up. We have successfully installed the application and now it's working fine.

You should definitely not use the approach you describe above. Embedding credentials or connection details within the URL would expose sensitive information and allow users to manipulate their connection details beyond what the administrator dictates. A key design aspect of Guacamole is that users of the system should not be able to connect to any machine that the administrator has not explicitly granted them access. If you are integrating Guacamole within another application, then it should be the application which grants this access, but users should still not be able to manipulate this.

I understand your concern, but these URLs are not going to be exposed to the customer or anyone else. The URL will be formed in the application and be internal to our application, and anyhow once the URL is hit it will change into an encrypted form, as we can see in Guacamole as well.

Earlier we were using Stoneware's HTML5 web RDP gateway for the same purpose, but as it is End of Life, we are evaluating other options, and Guacamole seems to be one of the best options for us.

We just wanted to know if Guacamole provides the capability to use an HTTP URL and, if yes, how to form the URL?

We don't want any input from the user: just click and the user lands in the machine!

Regards,

Abdul Qadir


RE: Query for beginner user how to use Guacamole

Abdul Qadir (aqadir)

So, precisely: instead of getting the connection details from user-mapping.xml, how can we embed the same into the URL at run time?

Regards,

Abdul Qadir

Re: Query for beginner user how to use Guacamole

Mike Jumper-3
In reply to this post by Abdul Qadir (aqadir)
On Thu, Jun 18, 2020, 07:04 Abdul Qadir (aqadir) <[hidden email]> wrote:

...

I understand your concern, but these URLs are not going to be exposed to the customer or anyone else. The URL will be formed in the application and be internal to our application, and anyhow once the URL is hit it will change into an encrypted form, as we can see in Guacamole as well.


You really, really shouldn't do this. It is insecure. You will be opening up your application to exploitation if you implement things in a way that users might manipulate.

If you want to send users to particular connections dynamically, the way to do this is with an extension. The specifics of each connection can then be kept secure, controlled purely on the server side.

If you cannot write an extension specific to your application, the extension I linked to earlier implements essentially what you need but securely (by accepting connection details that have been encrypted and signed with a secret, shared key).

- Mike


RE: Query for beginner user how to use Guacamole

Abdul Qadir (aqadir)
In reply to this post by Mike Jumper-3

I have C# code and am not sure how to use the extension mentioned in the email. Any example?

2) Leverage an extension which allows an external application to provide authentication and authorization details via the URL, but does so in such a way that user manipulation is not possible. I wrote such an extension some time ago for my day job, and there may be other similar extensions elsewhere: https://github.com/glyptodon/guacamole-auth-json

Re: Query for beginner user how to use Guacamole

vnick
On Mon, Jun 22, 2020 at 5:15 AM Abdul Qadir (aqadir) <[hidden email]> wrote:

I have C# code and not sure how to use the extension mentioned in the email. Any example?


Have you read the instructions on the page that Mike linked? It is pretty thoroughly documented, giving examples of how to generate the data that the extension expects to receive.

You would need to:
- Download and compile the extension mentioned, and add it to your Guacamole Client installation.
- Configure the json-secret-key in guacamole.properties.
- Reload Guacamole Client to get new extension and settings to take effect.
- Write some C# code that generates the JSON using the schema documented on the page, and also encrypts and signs the data using the secret key.
- Somehow POST that data to the /api/tokens endpoint of your Guacamole Client install.

The page documents the requirements pretty thoroughly in a language-agnostic way, so all you need to do is translate those instructions on the page into actual C# code.

-Nick
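As an added example, not code from the thread, from Apache Guacamole or from the guacamole-auth-json extension: the generator behind Mike's option 2 and vnick's steps 4 and 5, written in Go rather than C# (Go's standard library covers every step, and each step translates directly to .NET's HMACSHA256 and Aes classes), together with the receiving side's check, so that the reason Mike gives for rejecting plain URL parameters is visible in code. The wire format follows the extension's README: an HMAC-SHA256 signature prepended to the JSON, the whole thing encrypted with AES-128-CBC under a null IV with PKCS#7 padding, then base64-encoded; the key is the 128-bit json-secret-key (32 hex digits) from guacamole.properties. The key, username, hostname and RDP credentials below are constructed sample values, and the JSON fields are the ones the README documents.

```go
// Added example: not code from the thread, from Apache Guacamole or from
// guacamole-auth-json. Format per the extension's README:
//   sig  = HMAC-SHA256(key, json)
//   blob = base64( AES-128-CBC(key, IV = 16 zero bytes, PKCS#7(sig || json)) )
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AuthData is the document being signed: who the user is, until when (ms since the
// Unix epoch) and which connections ("protocol" + "parameters" objects) they may open.
type AuthData struct {
	Username    string                 `json:"username"`
	Expires     int64                  `json:"expires"`
	Connections map[string]interface{} `json:"connections"`
}

func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) { // caller guarantees len(b) >= 16
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// Encrypt is the external application's side (the C# side in the thread).
func Encrypt(key []byte, data AuthData) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(key) != 16 { // AES-128 only, as the extension expects
		return "", errors.New("json-secret-key must be exactly 128 bits")
	}
	doc, err := json.Marshal(data)
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(doc)
	plain := pkcs7Pad(append(mac.Sum(nil), doc...)) // signature first, then the JSON
	out := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(out, plain) // null IV
	return base64.StdEncoding.EncodeToString(out), nil
}

// Decrypt is the receiving side's check: decrypt, verify the HMAC in constant time,
// reject expired data. A blob the user altered fails here, which is why the connection
// details cannot be manipulated even though they pass through the browser.
func Decrypt(key []byte, blob string, now time.Time) (*AuthData, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	block, cerr := aes.NewCipher(key)
	if err != nil || cerr != nil || len(raw) == 0 || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("malformed blob")
	}
	plain := make([]byte, len(raw))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(plain, raw)
	if plain, err = pkcs7Unpad(plain); err != nil || len(plain) < sha256.Size {
		return nil, errors.New("malformed plaintext")
	}
	sig, doc := plain[:sha256.Size], plain[sha256.Size:]
	mac := hmac.New(sha256.New, key)
	mac.Write(doc)
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	var data AuthData
	if err := json.Unmarshal(doc, &data); err != nil {
		return nil, err
	}
	if now.UnixMilli() > data.Expires {
		return nil, errors.New("expired")
	}
	return &data, nil
}

func main() {
	key, _ := hex.DecodeString("4c0b569e4c96df157eee1b65dd0e4d41") // constructed sample key
	data := AuthData{Username: "aqadir", Expires: time.Now().Add(time.Minute).UnixMilli(),
		Connections: map[string]interface{}{"win-server-01": map[string]interface{}{
			"protocol": "rdp", "parameters": map[string]string{"hostname": "10.9.0.10",
				"port": "3389", "username": "svc_rdp", "password": "example"}}}}
	blob, _ := Encrypt(key, data)
	fmt.Println(blob) // send as the "data" form field in a POST to /guacamole/api/tokens
}
```

Run it and the printed base64 is what vnick's step 5 POSTs as the "data" form field to /guacamole/api/tokens. Decrypt is included to show what the shared secret buys: change the hostname, username or password anywhere between the application and Guacamole and the HMAC no longer matches, so the blob is rejected instead of opening a connection the administrator never granted. Keep the expiry short, since anyone who captures a blob can replay it until then.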