Running guacamole inside of a secured environment

Running guacamole inside of a secured environment

Howard Lander
Hi all

We are running guacamole inside of a secured environment. By this I mean that by the time the user can access our Guacamole server they have already authenticated. So we really don't want them to have to authenticate again.  I see that there was a noauth extension, but it doesn't seem to be supported in either version 1.0 or 1.1.  I found the docs that describe how to write a custom authentication module, but I'm not sure I want to go down that path. What, if anything, is the currently approved method of providing access without authentication? Did I just miss the noauth support in later versions? If it matters, the service we are allowing the users to connect to is VNC.

Thanks much
Howard
--
[hidden email]
Senior Research Software Developer
Renaissance Computing Institute (RENCI)
The University of North Carolina at Chapel Hill
100 Europa Drive
Suite 540
Chapel Hill, NC 27517
919-445-9651
Re: Running guacamole inside of a secured environment

vnick
On Thu, Apr 9, 2020 at 10:37 AM Howard Lander <[hidden email]> wrote:
Hi all

We are running guacamole inside of a secured environment. By this I mean that by the time the user can access our Guacamole server they have already authenticated. So we really don't want them to have to authenticate again.  I see that there was a noauth extension, but it doesn't seem to be supported in either version 1.0 or 1.1.  I found the docs that describe how to write a custom authentication module, but I'm not sure I want to go down that path. What, if anything, is the currently approved method of providing access without authentication? Did I just miss the noauth support in later versions? If it matters, the service we are allowing the users to connect to is VNC.

First, regarding the noauth module, no, you are not missing it in the current versions.  It was deprecated in version 0.9.13 or 0.9.14, and completely removed from version 1.0.0 and later.

Regarding working in a trusted environment, first, please read the following:


Beyond this, there are a couple of ways you can work through the authentication mechanism to make the experience more seamless for users.  The most common is to use a SSO extension of some sort to authenticate through an existing SSO provider.  Guacamole currently supports CAS and OpenID providers, and also has a Header authentication module that can be used to authenticate users through HTTP headers in trusted environments.


Depending on your environment, another option is to use the parameter tokens as pass through authentication from Guacamole to your destination systems.  This works particularly well in environments where you have AD authentication and use that with the LDAP extension, and then pass through the LDAP username and password to the RDP hosts that use the same AD domain.


-Nick
Re: Running guacamole inside of a secured environment

Howard Lander
Hi Nick

Thanks for the reply.  I've been playing around with the header-auth module and I can login to guacamole using the REMOTE_USER header. So that part is working great. But I use a user-mapping.xml file that looks like this:

<user-mapping>

    <!-- Example user configurations are given below. For more information,
         see the user-mapping.xml section of the Guacamole configuration
         documentation: http://guac-dev.org/Configuring%20Guacamole -->

    <!-- Per-user authentication and config information -->
    <authorize username="fakename" password="fakepassword">
        <protocol>vnc</protocol>
        <param name="hostname">localhost</param>
        <param name="port">5901</param>
        <param name="password">fakepassword</param>
    </authorize>
</user-mapping>

and the upshot of this is when the user logged in, they were taken immediately to the VNC service. That's not happening any more.  Instead I get a screen like the following. I couldn't find anything about this in the header-auth documentation. Any suggestions or ideas?

Here's the screen shot:


Thanks much
Howard



Re: Running guacamole inside of a secured environment

vnick
On Thu, May 7, 2020 at 4:11 PM Lander, Howard Michael <[hidden email]> wrote:
Hi Nick

Thanks for the reply.  I've been playing around with the header-auth module and I can login to guacamole using the REMOTE_USER header. So that part is working great. But I use a user-mapping.xml file that looks like this:

<user-mapping>

    <!-- Example user configurations are given below. For more information,
         see the user-mapping.xml section of the Guacamole configuration
         documentation: http://guac-dev.org/Configuring%20Guacamole -->

    <!-- Per-user authentication and config information -->
    <authorize username="fakename" password="fakepassword">
        <protocol>vnc</protocol>
        <param name="hostname">localhost</param>
        <param name="port">5901</param>
        <param name="password">fakepassword</param>
    </authorize>
</user-mapping>

and the upshot of this is when the user logged in, they were taken immediately to the VNC service. That's not happening any more.  Instead I get a screen like the following. I couldn't find anything about this in the header-auth documentation. Any suggestions or ideas?


Yes, the basic user-mapping.xml authentication extension does not usually work with the other authentication extensions.  It's intended to be a very basic extension for testing your installation.  It *might* work, but at least one of the issues is that, in your user-mapping.xml file above you have a "password" specified for the "fakename" user - and the Header authentication extension will never pass through this password (or any password, for that matter), so the user won't be authenticated to the user-mapping.xml extension.  If you put an entry in with no password then you lack any security on that connection.

You probably want to consider setting up the JDBC module to store your connections...

-Nick
Re: Running guacamole inside of a secured environment

Howard Lander
Hi Nick

Thanks so much for the quick reply.

Funny thing is that I tried deleting the password attribute from the user_mapping file but that didn't work either. Oh well. I could actually live with no security on the connection, since this is running within a secure environment. If I store the connections in the JDBC module, would I still use the header-auth module? It turns out that this would be pretty convenient for us since the authentication system we are using already can easily send the REMOTE_USER header. At first glance I don't quite see how to use the JDBC module, but I will look into it some more.

Thanks again
Howard


--
[hidden email]
Senior Research Software Developer
Renaissance Computing Institute (RENCI)
The University of North Carolina at Chapel Hill
100 Europa Drive
Suite 540
Chapel Hill, NC 27517
919-445-9651
Re: Running guacamole inside of a secured environment

vnick
On Thu, May 7, 2020 at 4:55 PM Howard Lander <[hidden email]> wrote:
Hi Nick

Thanks so much for the quick reply.

Funny thing is that I tried deleting the password attribute from the user_mapping file but that didn't work either. Oh well. I could actually live with no security on the connection, since this is running within a secure environment. If I store the connections in the JDBC module, would I still use the header-auth module? It turns out that this would be pretty convenient for us since the authentication system we are using already can easily send the REMOTE_USER header. At first glance I don't quite see how to use the JDBC module, but I will look into it some more.


Yes, if you store connections in the JDBC module you can still use the Header module for authentication.  The authentication system "layers" the users such that, if username matches, it will apply permissions across the modules.



That second one covers using LDAP and JDBC, but the concept is the same for any of the modules + JDBC.

-Nick
Re: Running guacamole inside of a secured environment

Howard Lander
Hi Nick

I'm finally getting back to this.  auth_header is working fine and I have
installed postgres and the needed plugin. I think all the connections are
set up properly because I have the guacadmin user in the entity table and in
the user table. In my guacamole.properties file I have set

 postgresql-auto-create-accounts: true

I had expected that when I logged in as a user, with the REMOTE_USER header,
that I would see an entry for the user in the entity and user tables. Is
that incorrect?  I am using version 1.0.  Maybe I need to upgrade?

Past that, I see in the documentation how I should add a connection, but I
am missing how to link between the user and the connection.  Any advice?

Howard



--
Sent from: http://apache-guacamole-general-user-mailing-list.2363388.n4.nabble.com/


Re: Running guacamole inside of a secured environment

vnick
On Wed, Sep 9, 2020 at 4:25 PM Howard Lander <[hidden email]> wrote:
Hi Nick

I'm finally getting back to this.  auth_header is working fine and I have
installed postgres and the needed plugin. I think all the connections are
set up properly because I have the guacadmin user in the entity table and in
the user table. In my guacamole.properties file I have set

 postgresql-auto-create-accounts: true

I had expected that when I logged in as a user, with the REMOTE_USER header,
that I would see an entry for the user in the entity and user tables. Is
that incorrect?  I am using version 1.0.  Maybe I need to upgrade?


Yes, the account auto-creation feature was introduced in version 1.2.0, so you'll need to bump up to that version to get that feature.
 
Past that, I see in the documentation how I should add a connection, but I
am missing how to link between the user and the connection.  Any advice?


Links between connection and user are done by assigning a user (or group) permissions to a particular connection.  This is done in the web UI.

-Nick
Re: Running guacamole inside of a secured environment

Howard Lander
Thanks for such a quick response.

I am updating to 1.2.0 now.

Is it not possible to do the mapping between users and connections using psql? Sort of looks like it is in the docs... I am doing an automated deployment and can't really use the GUI.

Howard


Re: Running guacamole inside of a secured environment

vnick
On Wed, Sep 9, 2020 at 4:33 PM Lander, Howard Michael <[hidden email]> wrote:
Thanks for such a quick response.

I am updating to 1.2.0 now.

Is it not possible to do the mapping between users and connections using psql? Sort of looks like it is in the docs... I am doing an automated deployment and can't really use the GUI.


Oh, it is definitely possible - that's all the WebUI does.  Basically what you'll need to do is:
- Grab the entity_id of the user or group you want to associate
- Grab the connection_id of the connection you want to associate
- Add an entry to the <guacamole_connection_permission> table with the entity id, the connection id, and "READ" permission.

You can do this with SQL on the database itself, or you can automate via Guacamole's REST API. Unfortunately right now documentation for the REST API is lacking, so if you go that route you'll have to figure out the calls to make by looking at the network traffic on the web interface and duplicating that.

-Nick
Re: Running guacamole inside of a secured environment

Howard Lander
No, I think using the SQL will be the way to go! I'm really not in the mood for packet sniffing!

Will let you know if I get stuck, and will post the results once I get it going.

Thanks again for all the help!
Howard

Re: Running guacamole inside of a secured environment

Howard Lander
Hi Nick

I've just about got this working, but there is one sticking point:  I realized that I need to create the user myself rather than depending on the mechanism enabled by postgresql-auto-create-accounts.  The documentation is pretty clear on how to do this in mysql, but much less forthcoming on how to do this in postgresql.  A few minutes of Google searching didn't seem to find a simple recipe.  Can you offer any advice on this?  I have considered switching to mysql, since I really don't care much which database is running.

Thanks
Howard


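The two open items in this thread, creating the user row in PostgreSQL by hand and linking that user to a connection through guacamole_connection_permission as Nick describes, can be done in one psql transaction. The following is an added example written for this thread; it is not code from the thread or from the Guacamole project. It assumes the Guacamole 1.2.0 PostgreSQL schema is already loaded, reuses the constructed username, host and port from the user-mapping.xml posted earlier, and uses a placeholder for the VNC password and a made-up connection name. Because the Header extension never supplies a password, the user row gets a random 16-byte value as its password_hash (the column is NOT NULL) that can never match a SHA-256 digest, so the account is only reachable through the trusted REMOTE_USER header; that trust holds only while the header is set by the authenticating proxy and cannot be supplied by the client directly.

```sql
-- Added example (PostgreSQL dialect), not from the thread or the Guacamole project.
-- Assumptions: Guacamole 1.2.0 JDBC schema loaded; 'fakename', localhost and 5901
-- are the constructed values from the thread's user-mapping.xml; 'renci-vnc' and
-- the VNC password placeholder are made up for this example.
BEGIN;

-- 1. The JDBC user must carry exactly the name the REMOTE_USER header sends;
--    the Header module authenticates, the JDBC module supplies connections.
INSERT INTO guacamole_entity (name, type)
VALUES ('fakename', 'USER');

-- password_hash is NOT NULL, but no password login is wanted for this account:
-- store 16 random bytes, which can never equal a 32-byte SHA-256 digest.
INSERT INTO guacamole_user (entity_id, password_hash, password_salt, password_date)
SELECT entity_id,
       decode(md5(random()::text), 'hex'),
       NULL,
       CURRENT_TIMESTAMP
FROM guacamole_entity
WHERE name = 'fakename' AND type = 'USER';

-- 2. The VNC connection and its parameters (same values the XML carried).
INSERT INTO guacamole_connection (connection_name, protocol)
VALUES ('renci-vnc', 'vnc');

INSERT INTO guacamole_connection_parameter (connection_id, parameter_name, parameter_value)
SELECT c.connection_id, p.name, p.value
FROM guacamole_connection c,
     (VALUES ('hostname', 'localhost'),
             ('port',     '5901'),
             ('password', 'REPLACE_WITH_VNC_PASSWORD')) AS p(name, value)
WHERE c.connection_name = 'renci-vnc';

-- 3. The link itself: entity_id + connection_id + READ, which is all the
--    web UI writes when a connection is granted to a user.
INSERT INTO guacamole_connection_permission (entity_id, connection_id, permission)
SELECT e.entity_id, c.connection_id, 'READ'::guacamole_object_permission_type
FROM guacamole_entity e, guacamole_connection c
WHERE e.name = 'fakename' AND e.type = 'USER'
  AND c.connection_name = 'renci-vnc';

COMMIT;

-- Check: which connections can this user see, and with which permission?
SELECT e.name AS username, c.connection_name, c.protocol, p.permission
FROM guacamole_connection_permission p
JOIN guacamole_entity     e ON e.entity_id = p.entity_id
JOIN guacamole_connection c ON c.connection_id = p.connection_id
WHERE e.name = 'fakename';
```

Run it with `psql -d <database> -f <file>` as part of the automated deployment. Step 1 is what postgresql-auto-create-accounts does on its own in 1.2.0 when the header login happens first; doing it in SQL lets the permission row in step 3 exist before the user ever arrives, so the first header-authenticated visit lands straight on the VNC connection. Grant a group instead of a user by inserting an entity of type 'USER_GROUP' and pointing the permission row at that entity_id.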
Re: Running guacamole inside of a secured environment

Stefan Bogdan Cimpeanu
Hi,
If you’re more familiar with MySQL, stick with that, it’ll be easier for you in the long run.
Unless you’re running some super duper distributed active-active DB cluster, you shouldn’t find any issues (performance wise) with MySQL as a db provider.

Bogdan
