RE: SFTP problems

[Lars van Ruiten]

Yes, I am using Nginx to handle multiple HTTPS domains.

As seen here: 
https://stackoverflow.com/questions/28476643/default-nginx-client-max-body-size

I have set the limit to 20MB, which is more than enough for our use.

 

Thank you very much for the quick response!

 

Kind regards,

Lars van Ruiten

 

 

 

From: Mike Jumper [mailto:mike.jum...@guac-dev.org] 
Sent: Thursday, November 16, 2017 8:55 AM
To: user@guacamole.apache.org
Cc: u...@guacamole.incubator.apache.org
Subject: RE: SFTP problems

 

Do you have a reverse proxy in front of Guacamole, like Nginx?

 

The Guacamole webapp recently switched to using HTTP as the transport for file 
transfers, and a reverse proxy may be imposing default limits on the body size 
of each request.

 

- Mike

 

 

On Nov 15, 2017 23:44, "Lars van Ruiten" mailto:l.van.rui...@praxis-automation.nl> > wrote:

Sorry, I don’t want to spam the list, but I did not get an answer to my 
question,

And the logs are not giving any info either. Meanwhile all my users are unable 
to upload files that are of any useful size.

 

Kind regards

L van Ruiten

 

From: Lars van Ruiten [mailto:l.van.rui...@praxis-automation.nl 
 ] 
Sent: Monday, November 13, 2017 1:52 PM
To: 'u...@guacamole.incubator.apache.org 
 ' 
mailto:u...@guacamole.incubator.apache.org> >
Subject: SFTP problems

 

Hello all,

 

Since upgrading Guacamole to 0.9.12-incubating (from 0.9.8), users have 
reported issues uploading files over SFTP connections (Added to a VNC 
connection).

It appears that any file larger than ~1MB will not upload, but give a 
permission related error. (See screenshot)

Uploading the file to the SFTP server directly with Bitvise SFTP client works 
fine.

 

To me it sounds like if a file is larger than a certain size, guacd will buffer 
it on the disk on the server and it does not have the permission to do that. 
(The disk is not full)

It happens to all connections, and I am sure that with some connections it has 
worked before, and the only thing that changed is the newer version of 
guacamole.

 

If someone has any idea how I can fix this, please let me know. 
Uploading/downloading files is one of the most used features in our case.

 

Info:

Both the Webapp and the daemon are 0.9.12-incubating

The logs do not mention any errors while it happens

 

Kind regards

L van Ruiten

Send connection to someone as a link and removing guacamole login screen

[Masood]

HI,

I have made some remote connections with Guacamole client. I want to send
these connections as a URL to a user so he can click on it and the remote
machine opens in his browser. 

I want to know
How can I remove the guacamole login screen? The screen which asks for
guacamole username and password.

I think no-auth will disable the auth required to access the remote
computer, but still, maybe it will ask about guacamole own authentication.
So how can I remove it?

and How to send connection as a URL link, so the user does not need to
configure anything.

I do understand that no auth is a not a good way, but my requirement is to
have no auth at all. I am just sharing an application not the whole
computer. 



--
Sent from: http://apache-guacamole-incubating-users.2363388.n4.nabble.com/

Re: Send connection to someone as a link and removing guacamole login screen

[Masood Hussain]

I am using Guacamole 0.9.13 Version. In its release documents, no-auth is
available So I would assume its still supported

On Thu, Nov 16, 2017 at 10:51 AM, Masood  wrote:

> HI,
>
> I have made some remote connections with Guacamole client. I want to send
> these connections as a URL to a user so he can click on it and the remote
> machine opens in his browser.
>
> I want to know
> How can I remove the guacamole login screen? The screen which asks for
> guacamole username and password.
>
> I think no-auth will disable the auth required to access the remote
> computer, but still, maybe it will ask about guacamole own authentication.
> So how can I remove it?
>
> and How to send connection as a URL link, so the user does not need to
> configure anything.
>
> I do understand that no auth is a not a good way, but my requirement is to
> have no auth at all. I am just sharing an application not the whole
> computer.
>
>
>
> --
> Sent from: http://apache-guacamole-incubating-users.2363388.n4.nabble.com/
>

Re: Problem on connect - > Invalid argument

[ebsouza]

Did you solve this problem?



--
Sent from: http://apache-guacamole-incubating-users.2363388.n4.nabble.com/

Re: How to create lot of computer connection

[cedrik]

Thank you for your reply . Indeed, I use LDAP for authentication on
guacamole.
I will try to make a script to insert the computer names in the database



--
Sent from: http://apache-guacamole-incubating-users.2363388.n4.nabble.com/

Re: Create SSH tunnel for RDP or VNC connection

[Paulo Gonçalves]

 

We have created a helpdesk application that works like this: 

The client has a Java application that unpacks a VNC server and runs it
on the localhost.
Then connects via SSH to the guacamole server and creates 2 tunnels, one
server to client for the VNC connection, and another one from client to
server for configuration.
The server has a guacamole extension that creates connections at
runtime. For that it listens on a fixed local port and the client
connects through the client->server SSH tunnel. The client then sends
the listening port of the server->client SSH tunnel and the VNC password
(randomly generated) to the extension, and the extension creates the
connection.
On the guacamole web application you just need to refresh the page and
the connection appears.
If the client closes the application, the guacamole extension detects
that the socket is closed and removes the connection. 

It works very well and the only port publicly exposed by the guacamole
server is the SSH port. 
---

Paulo Alexandre Figueiredo Gonçalves

Departamento de Tecnologias de Informação e Comunicação (DTIC)

Email: pafgoncal...@ipc.pt / Voip: 301103

 Serviços da Presidência

Av. Dr. Marnoco e Sousa, nº 30, 3000-271 Coimbra

Tel.: +351 239 791 250

Site:www.ipc.pt [1] | E-mail:i...@ipc.pt

Em 2017-11-15 20:32, Aaron Newsome escreveu: 

> Hello all. 
> 
> I'd like to create an RDP connection for a remote network but I first need to 
> create an ssh tunnel to the remote network. I'm able to create the ssh tunnel 
> manually from the Guacamole server but I'm looking for a way to automate 
> this. Otherwise I need to ssh to the Guacamole server first, create the 
> tunnel and then connect via RDP. 
> 
> Has anyone been able to automate this? Any advice on how to do this? 
> 
> Thanks, Aaron
 

Links:
--
[1] http://www.ipc.pt

Re: Configuring LDAP

[harry.devine]

Nothing at all. And the Guacamole screen never changes, as if the Login button 
doesn't work or is somehow dead.


Thanks,

Harry


From: Nick Couchman 
Sent: Wednesday, November 15, 2017 7:59:36 PM
To: u...@guacamole.incubator.apache.org
Subject: Re: Configuring LDAP


On Wed, Nov 15, 2017 at 15:35 
mailto:harry.dev...@faa.gov>> wrote:
Here’s the /var/log/messages data from right after I restarted Tomcat and 
Guacamole:  https://pastebin.com/YSwepbgk.  This server is running RHEL 7.4.

So, on line 94 the LDAP extension appears to be getting loaded, so that part is 
fine.  Seems like it might be a configuration issue - what shows up in that log 
file when you try to authenticate?

- Nick

Re: Send connection to someone as a link and removing guacamole login screen

[Nick Couchman]

On Thu, Nov 16, 2017 at 5:27 AM, Masood Hussain 
wrote:

> I am using Guacamole 0.9.13 Version. In its release documents, no-auth is
> available So I would assume its still supported
>
>
The no-auth extension has been marked as deprecated and will be removed
from a future version of Guacamole.  You can still use it for the time
being, but it is not actively developed or updated, and will not be
continued.  You should find some other way to accomplish what you're trying
to accomplish.  Here are some ideas:
- Use one of the SSO modules (CAS, OpenID) and integrate it with that
- Use the header authentication module and pass through the username in the
expected header to the application
- Write your own extension that authenticates based on whatever criteria
you'd like to use in order to bypass the login screen.
- Write your own web application based on the Guacamole API that behaves
the way you want it to, without the rest of the Guacamole client.

Regards,
Nick

Re: Create SSH tunnel for RDP or VNC connection

[Nick Couchman]

On Wed, Nov 15, 2017 at 3:32 PM, Aaron Newsome 
wrote:

> Hello all.
>
> I'd like to create an RDP connection for a remote network but I first need
> to create an ssh tunnel to the remote network. I'm able to create the ssh
> tunnel manually from the Guacamole server but I'm looking for a way to
> automate this. Otherwise I need to ssh to the Guacamole server first,
> create the tunnel and then connect via RDP.
>
> Has anyone been able to automate this? Any advice on how to do this?
>
>
As Paulo mentioned, there are probably some ways to accomplish this on the
Guacamole server at a network level, outside of the Guacamole application.

There's also a JIRA issue that deals with this:

https://issues.apache.org/jira/browse/GUACAMOLE-312

So, nothing within Guacamole, today, that would automate this, but perhaps
in the future.

-Nick

Re: Send connection to someone as a link and removing guacamole login screen

[Masood Hussain]

The thing is that I am a student and doing a student project. so it will be 
enough if I can just skip login without using some special stuff. I know the 
feature is deprecated but I can use it in 0.9.13

 I want to remove the first login we get on opening the guacamole: where we put 
Guacamole username and password. I want to send the link of the connection I 
make in configure connection to some user so he can use the remote app only by 
link.

Is this possible with  no-auth extension to remove the first initial login? Or 
it removes remote machine login? Or does it remove all logins 

I installed the whole guacamole using a script.

Regards 
Masood 
 

> On Thu, Nov 16, 2017 at 5:21 PM, Nick Couchman  wrote:
> 
> 
>> On Thu, Nov 16, 2017 at 5:27 AM, Masood Hussain  
>> wrote:
>> I am using Guacamole 0.9.13 Version. In its release documents, no-auth is 
>> available So I would assume its still supported
> 
> The no-auth extension has been marked as deprecated and will be removed from 
> a future version of Guacamole.  You can still use it for the time being, but 
> it is not actively developed or updated, and will not be continued.  You 
> should find some other way to accomplish what you're trying to accomplish.  
> Here are some ideas:
> - Use one of the SSO modules (CAS, OpenID) and integrate it with that
> - Use the header authentication module and pass through the username in the 
> expected header to the application
> - Write your own extension that authenticates based on whatever criteria 
> you'd like to use in order to bypass the login screen.
> - Write your own web application based on the Guacamole API that behaves the 
> way you want it to, without the rest of the Guacamole client.
> 
> Regards,
> Nick

Re: Send connection to someone as a link and removing guacamole login screen

[Nick Couchman]

On Thu, Nov 16, 2017 at 12:10 PM, Masood Hussain 
wrote:

> The thing is that I am a student and doing a student project. so it will
> be enough if I can just skip login without using some special stuff. I know
> the feature is deprecated but I can use it in 0.9.13
>
>  I want to remove the first login we get on opening the guacamole: where
> we put Guacamole username and password. I want to send the link of the
> connection I make in configure connection to some user so he can use the
> remote app only by link.
>
> Is this possible with  no-auth extension to remove the first initial
> login? Or it removes remote machine login? Or does it remove all logins
>

The noauth extension removes the Guacamole login requirement, essentially
bypassing the entire authentication process.  It does not remove remote
machine logins - you still have to configure the connection in the noauth
extension, and you still have to authenticate to the remote machine.  You
could embed the authentication information in the Guacamole configuration,
but the security implications of this are fairly serious - you're already
bypassing Guacamole authentication, so if you also configure the
credentials for the remote connection you will essentially allow someone to
log into your server with no authentication at all.  I cannot imagine that
this would be a good idea.

-Nick

Re: Create SSH tunnel for RDP or VNC connection

[Aaron Newsome]

This sounds interesting Paulo. Is this extension something that you
developed internally or is this an extension that is publicly available?

Thanks, Aaron

On Thu, Nov 16, 2017 at 6:30 AM, Paulo Gonçalves 
wrote:

> We have created a helpdesk application that works like this:
>
> The client has a Java application that unpacks a VNC server and runs it on
> the localhost.
> Then connects via SSH to the guacamole server and creates 2 tunnels, one
> server to client for the VNC connection, and another one from client to
> server for configuration.
> The server has a guacamole extension that creates connections at runtime.
> For that it listens on a fixed local port and the client connects through
> the client->server SSH tunnel. The client then sends the listening port of
> the server->client SSH tunnel and the VNC password (randomly generated) to
> the extension, and the extension creates the connection.
> On the guacamole web application you just need to refresh the page and the
> connection appears.
> If the client closes the application, the guacamole extension detects that
> the socket is closed and removes the connection.
>
> It works very well and the only port publicly exposed by the guacamole
> server is the SSH port.
> ---
> Paulo Alexandre Figueiredo Gonçalves
> Departamento de Tecnologias de Informação e Comunicação (DTIC)
>
> Email: pafgoncal...@ipc.pt / Voip: 301103
>
> [image: Logo_IPC]  Serviços da Presidência
> Av. Dr. Marnoco e Sousa, nº 30, 3000-271 Coimbra
> Tel.: +351 239 791 250 <+351%20239%20791%20250>
> Site:www.ipc.pt | E-mail:i...@ipc.pt
>
> Em 2017-11-15 20:32, Aaron Newsome escreveu:
>
> Hello all.
>
> I'd like to create an RDP connection for a remote network but I first need
> to create an ssh tunnel to the remote network. I'm able to create the ssh
> tunnel manually from the Guacamole server but I'm looking for a way to
> automate this. Otherwise I need to ssh to the Guacamole server first,
> create the tunnel and then connect via RDP.
>
> Has anyone been able to automate this? Any advice on how to do this?
>
> Thanks, Aaron
>
>

Interesting combination of Guacamole and ZeroTier

[Chris Stave]

I've been running a combination of Guacamole and ZeroTier and it has been
fantastic for remote access.

You already know Guacamole -- it's fantastic and you know you like it.

ZeroTier is a secure flat network SDN solution -- it puts devices on a
second private network no matter where they are -- on a phone, in another
office, at home -- wherever.

If you put ZeroTier on your Guacamole server, it will get an additional
address that is reachable from other ZeroTier clients.

Contractor needs remote access?  Have them install zerotier and then they
can get to the Guacamole server and then out to everything.

The bonus is that you don't need to open anything up to the
wild-wild-internet world, it all stays believably-crytographically-safe on
the ZeroTier network.

(and it lets me SSH into network switches from my phone from anywhere,
which is fantastic)

I'm not associated with ZeroTier, but I'm happy to pass on the idea of this
great combination!

-- 
Chris Stave | Network Engineer
(973)545-1628
85 Broad St., 15th floor | New York, NY 10004
  
  
  
  
 
Vox Media is The Verge , Vox ,
SB Nation ,
Polygon , Eater , Racked
, Curbed , and Recode
.


Vox Creative introduces The Explainer Studio. Read more from the Wall
Street Journal .

Re: Create SSH tunnel for RDP or VNC connection

[Paulo Gonçalves]

 

Yes, it's internal development, but i think i can explain all the
details in terms of communication flow of the implementation (as i
already did in the previous email). 

The system is really simple, just don't know if it is what you need.
In our implementation is the client (where the VNC/RDP server runs) that
makes the connection to the guacamole server, so you must have some
software running there. From your first email seems that you want the
other way around (SSH from the guacamole server to the RDP machine). If
it's like that you need a SSH server running on the RDP machine. Do you
have that? 
---

Paulo Alexandre Figueiredo Gonçalves

Departamento de Tecnologias de Informação e Comunicação (DTIC)

Email: pafgoncal...@ipc.pt / Voip: 301103

 Serviços da Presidência

Av. Dr. Marnoco e Sousa, nº 30, 3000-271 Coimbra

Tel.: +351 239 791 250

Site:www.ipc.pt [2] | E-mail:i...@ipc.pt

Em 2017-11-16 17:49, Aaron Newsome escreveu: 

> This sounds interesting Paulo. Is this extension something that you developed 
> internally or is this an extension that is publicly available? 
> 
> Thanks, Aaron 
> 
> On Thu, Nov 16, 2017 at 6:30 AM, Paulo Gonçalves  wrote:
> 
> We have created a helpdesk application that works like this: 
> 
> The client has a Java application that unpacks a VNC server and runs it on 
> the localhost.
> Then connects via SSH to the guacamole server and creates 2 tunnels, one 
> server to client for the VNC connection, and another one from client to 
> server for configuration.
> The server has a guacamole extension that creates connections at runtime. For 
> that it listens on a fixed local port and the client connects through the 
> client->server SSH tunnel. The client then sends the listening port of the 
> server->client SSH tunnel and the VNC password (randomly generated) to the 
> extension, and the extension creates the connection.
> On the guacamole web application you just need to refresh the page and the 
> connection appears.
> If the client closes the application, the guacamole extension detects that 
> the socket is closed and removes the connection. 
> 
> It works very well and the only port publicly exposed by the guacamole server 
> is the SSH port. 
> ---
> 
> Paulo Alexandre Figueiredo Gonçalves
> 
> Departamento de Tecnologias de Informação e Comunicação (DTIC)
> 
> Email: pafgoncal...@ipc.pt / Voip: 301103
> 
> Serviços da Presidência
> 
> Av. Dr. Marnoco e Sousa, nº 30, 3000-271 Coimbra
> 
> Tel.: +351 239 791 250 [1]
> 
> Site:www.ipc.pt [2] | E-mail:i...@ipc.pt
> 
> Em 2017-11-15 20:32, Aaron Newsome escreveu: 
> Hello all. 
> 
> I'd like to create an RDP connection for a remote network but I first need to 
> create an ssh tunnel to the remote network. I'm able to create the ssh tunnel 
> manually from the Guacamole server but I'm looking for a way to automate 
> this. Otherwise I need to ssh to the Guacamole server first, create the 
> tunnel and then connect via RDP. 
> 
> Has anyone been able to automate this? Any advice on how to do this? 
> 
> Thanks, Aaron
 

Links:
--
[1] tel:+351%20239%20791%20250
[2] http://www.ipc.pt

Kill session button in UI?

[dan]

Is there a way to enable a 'kill session' button on the home screen?
Sometimes a VNC or RDP session will hang up and need killed and it's not
great to dive into settings to do that.  Or maybe a killall sessions button?

Re: Send connection to someone as a link and removing guacamole login screen

[Masood Hussain]

I was able to successfully run the application using noauth.

However, as you suggested to use HTTP so I am trying to use HTTP auth
header, but I am unable to configure it.
I copied the required jar to extensions folder restarted it but still,
guacamole is asking for the password.
I am using Tomcat server and I don't understand how to configure the Tomcat
server for http header.
Do I need to install a 3rd party software for http header?

regards,
Masood

On Thu, Nov 16, 2017 at 6:15 PM, Nick Couchman  wrote:

> On Thu, Nov 16, 2017 at 12:10 PM, Masood Hussain <
> masoodhussai...@gmail.com> wrote:
>
>> The thing is that I am a student and doing a student project. so it will
>> be enough if I can just skip login without using some special stuff. I know
>> the feature is deprecated but I can use it in 0.9.13
>>
>>  I want to remove the first login we get on opening the guacamole: where
>> we put Guacamole username and password. I want to send the link of the
>> connection I make in configure connection to some user so he can use the
>> remote app only by link.
>>
>> Is this possible with  no-auth extension to remove the first initial
>> login? Or it removes remote machine login? Or does it remove all logins
>>
>
> The noauth extension removes the Guacamole login requirement, essentially
> bypassing the entire authentication process.  It does not remove remote
> machine logins - you still have to configure the connection in the noauth
> extension, and you still have to authenticate to the remote machine.  You
> could embed the authentication information in the Guacamole configuration,
> but the security implications of this are fairly serious - you're already
> bypassing Guacamole authentication, so if you also configure the
> credentials for the remote connection you will essentially allow someone to
> log into your server with no authentication at all.  I cannot imagine that
> this would be a good idea.
>
> -Nick
>

Re: Interesting combination of Guacamole and ZeroTier

[Aaron Newsome]

Thanks for the heads up on this one Chris. I was unfamiliar with ZeroTier
before this email. It's very curious technology. Interesting to say the
least.

A quick sign up and test confirms that this indeed could be a good
replacement for the ssh tunnels I'm manually creating today.

I'm going to do a bit of testing with it and see if it really is a good
solution for what I'm doing.

Thanks, Aaron

On Thu, Nov 16, 2017 at 10:31 AM, Chris Stave 
wrote:

> I've been running a combination of Guacamole and ZeroTier and it has been
> fantastic for remote access.
>
> You already know Guacamole -- it's fantastic and you know you like it.
>
> ZeroTier is a secure flat network SDN solution -- it puts devices on a
> second private network no matter where they are -- on a phone, in another
> office, at home -- wherever.
>
> If you put ZeroTier on your Guacamole server, it will get an additional
> address that is reachable from other ZeroTier clients.
>
> Contractor needs remote access?  Have them install zerotier and then they
> can get to the Guacamole server and then out to everything.
>
> The bonus is that you don't need to open anything up to the
> wild-wild-internet world, it all stays believably-crytographically-safe
> on the ZeroTier network.
>
> (and it lets me SSH into network switches from my phone from anywhere,
> which is fantastic)
>
> I'm not associated with ZeroTier, but I'm happy to pass on the idea of
> this great combination!
>
> --
> Chris Stave | Network Engineer
> (973)545-1628 <(973)%20545-1628>
> 85 Broad St., 15th floor | New York, NY 10004
> 
>   
>   
>   
>   
>  
> Vox Media is The Verge , Vox
> , SB Nation ,
> Polygon , Eater , Racked
> , Curbed , and Recode
> .
>
>
> Vox Creative introduces The Explainer Studio. Read more from the Wall
> Street Journal .
>

Re: Kill session button in UI?

[Mike Jumper]

On Thu, Nov 16, 2017 at 2:52 PM, dan  wrote:

> Is there a way to enable a 'kill session' button on the home screen?
>

You could write an extension to add such a button, but I'm not sure exactly
why this would be necessary (more on this below).


> Sometimes a VNC or RDP session will hang up and need killed ...
>

VNC/RDP sessions should not be hanging as a matter of course. Once the user
leaves their session, it should automatically get closed within around 15
seconds.

... and it's not great to dive into settings to do that.
>

Can you elaborate on why going to the settings area is not a good solution?
It seems to me to be exactly where such administrative actions should live.

Thanks,

- Mike

Re: Kill session button in UI?

[dan]

Thanks for the reply Mike.

VNC especially isn't disconnecting for instance when a remote machine is
rebooted, or the connection is disrupted.  I can connect with realvnc, but
guac's VNC will just sit there showing the last image indefinitely.  This
is happening on a few remote hosts, running tightvnc (on windows) and
realvnc (bundled with raspberry pi).  Maybe something in the connection
monitoring on VNC isn't working properly?

Going to settings to kill a session is a number of clicks to do something
that you are only wanting to do because of a stuck session.  Lets say I
have a VNC session in recent connections that is hung.  I have to do
menu>settings>select sission> kill sessions>menu>home>select connection.
That's a little annoying as an admin, but when I try to get a user to do
this they get lost quickly.  It would be a vast improvement to simply have
the session thumbnail have an x or disconnect icon.



On Thu, Nov 16, 2017 at 8:33 PM, Mike Jumper 
wrote:

> On Thu, Nov 16, 2017 at 2:52 PM, dan  wrote:
>
>> Is there a way to enable a 'kill session' button on the home screen?
>>
>
> You could write an extension to add such a button, but I'm not sure
> exactly why this would be necessary (more on this below).
>
>
>> Sometimes a VNC or RDP session will hang up and need killed ...
>>
>
> VNC/RDP sessions should not be hanging as a matter of course. Once the
> user leaves their session, it should automatically get closed within around
> 15 seconds.
>
> ... and it's not great to dive into settings to do that.
>>
>
> Can you elaborate on why going to the settings area is not a good
> solution? It seems to me to be exactly where such administrative actions
> should live.
>
> Thanks,
>
> - Mike
>
>