On Mon, Oct 14, 2024, 10:14 Nick Couchman <vn...@apache.org> wrote:

> On Sun, Oct 13, 2024 at 12:50 PM Cyrus <cyru...@gmail.com> wrote:
>
>> On Sun, Oct 13, 2024 at 9:52 AM, Nick Couchman (<vn...@apache.org>)
>> wrote:
>> >
>> > On Sun, Oct 13, 2024 at 3:56 AM Cyrus <cyru...@gmail.com> wrote:
>> >>
>> >> Hi!,
>> >>
>> >> I've set up an environment with 1.5.5 where I'm required to
>> >> authenticate via OpenID. Not having LDAP means I cannot reuse the user
>> >> credentials for SSH and RDP+SFTP.
>> >>
>> >> Reading around, I found that there should be some kind of "credentials
>> >> prompting" facility since 1.3.0, but if I leave credentials blank the
>> >> users are not prompted for them.
>> >>
>> >> Is that supposed to be a web pop-up for the user to input the
>> >> credentials, or should it just be the destination host's regular RDP
>> >> credentials form?
>> >>
>> >> Am I missing something?
>> >>
>> >
>> > Yes, credential prompting works in many situations, but how it is
>> triggered depends upon what protocol you're using and how your remote
>> server is configured:
>> > * For RDP, the prompt will be web-based, and will trigger if the remote
>> server requires credentials in order to complete the connection. This is
>> most common when connecting to Windows servers that have NLA enabled, since
>> the credentials themselves are part of the connection process. You might
>> want to try forcing the security mode to a certain type if you're having
>> issues getting this to work.
>> > * For SFTP connections with RDP, unfortunately I do not believe we have
>> that prompt enabled, so that likely will not work without pre-populating
>> the credentials, and the failure of the SFTP connection will also cause a
>> failure of the entire RDP connection.
>>
>
For the time being, I'll provide another SSH+SFTP session that the user
would need to start in parallel to RDP to pass files

>> > * For VNC, the prompt will also be web-based, but depends upon what
>> credentials the VNC server asks for (password, username + password).
>> > * For SSH, if the credentials are not pre-filled, Guacamole will start
>> the terminal and the prompt will be shown in the terminal. Please note that
>> SSH currently only supports a single factor (username + password), so if
>> you have a SSH server with a multi-factor prompt or something similar, it
>> will likely fail.
>> >
>> > If you have a server that you think should be working, feel free to
>> share more details about that configuration (platform, connection
>> configuration, guacd logs, etc.) and we can try to help you determine why
>> you're not seeing the prompt(s) you expect.
>> >
>> > -Nick
>>
>> Good afternoon,
>>
>> * Current situation regarding authentication protocols:
>>
>> Meatware --hands--> workstation-unrelated-to-my-domain --HTTP-->
>> Guacamole 1.5.5 --OIDC--> Keycloak --SAML2(or was it OIDC?)--> AzureAD
>> (user db1)
>> guacd  --RDP--> xrdp/Ubuntu 24.04 --LDAP/KRB--> FreeIPA --LDAP/KRB-->
>> Samba4 (user db2)
>>
>> The same person has user XXX in user db1, and user XXY in user db2.
>> Situation is not ideal, but that is what I have to deal with.
>> * OIDC authentication works, but I can't find a way to return custom
>> metadata to Guacamole defining the actual user for RDP/SSH. Nice to
>> have, since sometimes conventions are wacky and the end user only knows the
>> first user. Workaround: be clear on the actual two users they have to
>> use.
>> * I understood that setting it as NLA forced for the prompt, not that
>> it was negotiated between guacd & xrdp (or real RDP service from MS).
>> Will look into it (maybe xrdp config missing).
>>
>
> A couple of things, here:
> * In general, the server should negotiate the correct protocol without
> having to set a specific mode. I was simply suggesting it as a way of
> troubleshooting the issues to see if that would force the web prompt.
> * That said, since you're using xrdp, I do not believe that NLA is
> supported. There seems to be some conflicting information about this, so I
> could be wrong. I did find one set of instructions for enabling NLA with
> xrdp, but haven't tried it, yet, and the feature request for it is still
> open on the xrdp GitHub site. Unless NLA is supported you're not going to
> get the web-based prompt for username and password. In the RDP protocol,
> those prompts will only be displayed if the server requires them for
> establishing the connection, which is only true in the case of NLA. For
> other security protocols with RDP (RDP and TLS), the connection can be
> established without the credentials, so you should be able to successfully
> establish the connection and then get the xrdp login prompt.
>

Will work with TLS for the time being, and users with
password-manager-super-complex-passwords will have to deal with key
mapping mismatches.
Still pending: validate whether xrdp has any NLA support on the server side (my
search outcome was not conclusive). Will report back.


>
>> * If I reach the point of Guacamole prompting for credentials in a web
>> pop-up, does it generate tokens/variables I could reuse for the SFTP
>> part?
>>
>
> Currently, no. I had started working on a way of temporarily storing
> credentials in-memory, but haven't made it far enough into that.
>

It would be nice if, whenever the user has the opportunity to input the password,
we could reuse it for the parallel SFTP session.


>
>> * Regarding SSH I can work with the user typing the credentials. It's
>> tested and fully functional.
>> * Related question: I cannot find a way for a user to provide his/her
>> private SSH key. Is that supported? It could be useful to provide the
>> key and just ask for the key password once, with Guacamole running an
>> SSH authentication agent maybe?
>>
>>
> Not fully, no. There are a couple of ways to do this, but they don't
> really accomplish what you're getting at:
> * Save the private key as part of the connection, but then you have to set
> up a connection for each user, rather than being able to share among users.
> So this is not ideal.
>

I agree.

> * Use a credential vault (Keeper Security Manager is the only one currently
> supported) to store/retrieve user credentials. This obviously requires the
> purchase of a KSM subscription, so it isn't really an "out of the box"
> solution.
>
> -Nick
>

I feel that an SSH agent would be the correct way to deal with
public/private keys. The only missing part is the recipe to shoehorn it into
an HTTP world 😅

Conceptual options I can think of:

- An actual SSH agent per user running on the server side, with private keys
in the Guacamole domain. The user is asked for the key password after
connecting, and the key gets used for each new connection by that user (agent stop,
tear-down and clean-out required).

- SSH Agent on the client side with a JavaScript SSH Agent proxy running in
browser (not any standard I know about). Communication killed with the
browser tab.

ref:
https://smallstep.com/blog/ssh-agent-explained/

Regards,
CI.
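To make the behaviours discussed in this thread concrete, the following `user-mapping.xml` fragment is an added example; it is not from the thread, from Nick, or from the Guacamole project. It shows the three configurations that came up: an RDP connection with blank credentials and `security` forced to `nla`, which is the case where Guacamole's web-based prompt appears (only if the server actually supports NLA); an RDP connection to xrdp with `security` forced to `tls`, which completes without credentials and leaves the user at xrdp's own login screen; and the workaround of a separate SSH connection with SFTP enabled, where the terminal prompts for the password and the SFTP side rides on the same SSH session. The host names, the demo account and the file-based backend are assumptions; with OIDC and a database backend the same parameter names are entered in the connection editor instead of this file.

```xml
<!-- Added example (not from the thread): GUACAMOLE_HOME/user-mapping.xml -->
<user-mapping>
  <!-- Demo account for the file-based backend; with OIDC the user and
       connections would live in the JDBC backend instead. -->
  <authorize username="demo" password="demo-password-placeholder">

    <!-- Case 1: credentials left blank and security forced to NLA.
         When the server supports NLA, guacd cannot complete the handshake
         without credentials, so Guacamole shows its web-based prompt.
         Against a server without NLA (most xrdp builds) this fails instead. -->
    <connection name="rdp-nla-prompt">
      <protocol>rdp</protocol>
      <param name="hostname">rdp-host.example.internal</param> <!-- assumed host -->
      <param name="port">3389</param>
      <param name="security">nla</param>
      <param name="ignore-cert">true</param> <!-- lab only; keep certificate checking in production -->
      <!-- username and password intentionally omitted -->
    </connection>

    <!-- Case 2: xrdp without NLA. TLS security lets the connection be
         established before any credentials are needed, so the user sees
         xrdp's own login screen rather than a Guacamole prompt. -->
    <connection name="rdp-xrdp-tls">
      <protocol>rdp</protocol>
      <param name="hostname">xrdp-host.example.internal</param> <!-- assumed host -->
      <param name="port">3389</param>
      <param name="security">tls</param>
      <param name="ignore-cert">true</param>
    </connection>

    <!-- Case 3: separate SSH session with SFTP enabled for file transfer.
         Blank username/password means the terminal prompts for them; SFTP
         uses the same authenticated SSH session, so no second credential
         set is needed (unlike SFTP attached to an RDP connection). -->
    <connection name="ssh-with-sftp">
      <protocol>ssh</protocol>
      <param name="hostname">xrdp-host.example.internal</param> <!-- assumed host -->
      <param name="port">22</param>
      <param name="enable-sftp">true</param>
    </connection>

  </authorize>
</user-mapping>
```

Forcing `security` to `nla` is useful only as a troubleshooting step to confirm whether the web prompt can be triggered at all; once the server's capabilities are known, `any` lets guacd negotiate normally. The `ignore-cert` setting is there because lab xrdp hosts typically present self-signed certificates; it should not be carried into a production connection.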
