On Mon, Jul 31, 2023 at 3:53 AM Robert Dinse <[email protected]> wrote:

> Sorry, lost original message I was replying to. This is regarding
> guacamole_noauth.
>
> Ok, to try to clarify: if my users could use the same login and passwords
> as they do for the hosts, email, ftp, basically everything else, that
> would make it easier for them and me. I don't want to try to keep two
> separate user databases in sync, and I especially can't see making that
> script work for 500 users.

Yep, this makes perfect sense.

> In theory I could do this with one of the mod external modules for
> apache, except there is a weird conflict with mod_suphp and mod_su_cgi,
> which I use to cause php and cgi code to be run with the user ID of the
> owner of said code rather than a generic httpd or apache2 or www-data or
> some such. The reason for this is that it takes away the need for
> publicly writable directories for upload, and if one user's code has a
> flaw that allows an attacker to gain a shell, that shell has the
> permissions of that user and thus can't trash everyone else's website.
>
> I do not know why, but if I compile those in with
> mod_auth_external, which I use with a little short program to
> authenticate against the system authentication system (pam). This used
> to work in the old days and I used it to wrap php_mysqladmin because
> it's got some exploits, but in recent days the modules will compile in
> but the server won't start with them both in.

It's been a long time since I've messed with Apache httpd authentication
modules outside of the ones that are built/included with the Linux distros
I run, so I'm afraid I won't be of much help, here.

> But I could work around this by compiling a separate instance and
> just have it listen on a different port just for running guac.
>
> However, trying to understand how the header auth extension works,
> so far I have not gotten it to function just sending static usernames in
> the header to test, so not sure how to make this work.

I saw that you mentioned this in a previous e-mail, as well - when you say
it isn't functioning, what behavior are you seeing? For example, you get a
login screen when you'd expect it to go through to the Guacamole Home
screen, or you get a blank home screen when you expect to see connections,
or you get an error message, or...?

> I am unfortunately not very fluent in many interpretive languages;
> I know C, some assembly languages, a smidgen of Javascript, and that's
> about it. Python, perl, java, all languages I do not grok well. About
> the only interpretive language I knew well was ActionScript and Adobe
> stabbed me in the back there.
>
> The other advantage to having the web server handle authentication
> as opposed to guacamole is that I can log auth failures with IPs and
> have fail2ban lock them out when they're being used to brute force
> password attack. Guacamole only has the IP of the web server, so not
> very useful in that regard. MITM proxy (man in the middle?), not
> familiar with how that works.

This is likely a configuration issue between Apache httpd and Tomcat - the
following manual page has some hints on configuring the Remote IP Valve in
Tomcat in such a way that the information will be correct and available:

https://guacamole.apache.org/doc/gug/reverse-proxy.html#setting-up-the-remote-ip-valve

-Nick

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
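Putting Robert's goal (httpd checks the password, Guacamole just trusts the result) next to Nick's pointer about the Remote IP Valve, the following is an added example of the Apache httpd side of that setup. It is not code from either poster or from the Guacamole project. It assumes Tomcat on 127.0.0.1:8080, httpd 2.4.10 or later (for `expr=` in RequestHeader), the header auth extension's default header name REMOTE_USER, and an htpasswd file standing in for whatever provider actually backs the system accounts (the PAM helper from the thread is left out).

```apache
# Added example (not from the thread): httpd front end for Guacamole's
# header authentication extension.
# Assumptions: Tomcat on 127.0.0.1:8080, htpasswd file as a placeholder
# credential store, default header name REMOTE_USER.
<VirtualHost *:443>
    ServerName guac.example.com

    # TLS directives omitted. Header auth must not run over plain HTTP:
    # Basic credentials and REMOTE_USER would cross the wire in the clear.

    <Location /guacamole/>
        # httpd, not Guacamole, verifies the password. Replace "file" and
        # AuthUserFile with the provider that backs the system accounts.
        AuthType Basic
        AuthName "Remote Desktop"
        AuthBasicProvider file
        AuthUserFile /etc/httpd/guac.htpasswd
        Require valid-user

        # "set" overwrites any REMOTE_USER the browser sent, so a forged
        # header can never reach Tomcat through this vhost. RequestHeader
        # runs after the auth phase, so %{REMOTE_USER} is already bound.
        RequestHeader set REMOTE_USER "expr=%{REMOTE_USER}"

        ProxyPass        http://127.0.0.1:8080/guacamole/ flushpackets=on
        ProxyPassReverse http://127.0.0.1:8080/guacamole/
    </Location>

    # This URL also matches the /guacamole/ section above, and matching
    # Location sections are merged in configuration order, so the auth
    # and header directives apply here too; only the proxy target changes.
    <Location /guacamole/websocket-tunnel>
        ProxyPass        ws://127.0.0.1:8080/guacamole/websocket-tunnel
        ProxyPassReverse ws://127.0.0.1:8080/guacamole/websocket-tunnel
    </Location>

    # Failed Basic auth attempts are recorded here together with the
    # client IP, which is what fail2ban's stock apache-auth filter reads.
    ErrorLog  /var/log/httpd/guac_error.log
    CustomLog /var/log/httpd/guac_access.log combined
</VirtualHost>
```

Two things make or break this arrangement. First, the scheme is only as strong as the guarantee that httpd is the sole path to Tomcat: a client that can reach port 8080 directly can send its own REMOTE_USER and be logged in as anyone, so bind Tomcat's HTTP connector to loopback (`address="127.0.0.1"` on the Connector element in server.xml) or firewall it. Second, for Guacamole's own logs to carry the real client address, Tomcat needs the RemoteIpValve described on the page Nick linked, with `internalProxies` limited to the httpd host and `remoteIpHeader` set to the X-Forwarded-For header that mod_proxy adds by default; without it Guacamole sees only 127.0.0.1, which is exactly the symptom Robert describes. The header name itself is configurable in guacamole.properties via the extension's `http-auth-header` property if REMOTE_USER is not wanted.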
