[
https://issues.apache.org/jira/browse/GUACAMOLE-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16570718#comment-16570718
]
David Hauk commented on GUACAMOLE-547:
--------------------------------------
Wow, I'm way late to the party on this one. For some reason I never got
notified that you replied!
I'll have to look into this. I know the "none" authentication method is valid,
and it's what Cisco is using. Looking at their open source disclosures it looks
like they are even using OpenSSH. I don't see an obvious way to configure sshd
to publish the 'none' method, and nopasswd doesn't seem to be the same as none.
This definitely seems to be an edge case, but a valid one for use cases where
the embedded device authenticates all users, and then runs an internal script
instead of /bin/bash or a login session. I'm thinking serial console servers,
Cisco WLC, etc...
I'll see what research I can do, and I'll post back results here. Sorry for
the ridiculous delay.
> Add support for the "none" SSH authentication method
> ----------------------------------------------------
>
> Key: GUACAMOLE-547
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-547
> Project: Guacamole
> Issue Type: New Feature
> Components: SSH
> Environment: Linux 4.13.0-1012-azure #15-Ubuntu SMP Thu Mar 8
> 10:47:27 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
> Reporter: David Hauk
> Priority: Minor
> Attachments: guacd_debug_fail.txt, openssh_verbose_successful
> connection.txt
>
>
> When connecting to embedded devices that implicitly allow SSH access, guacd
> fails when the authentication method is (none). The devices permit any SSH
> user with no password access to the console, and then provide authentication
> internally via their interactive shell.
> Test cases:
> # no username and no password configured: Guacamole requests both, then
> fails to connect.
> # username but no password: Guacamole requests password, and then fails to
> connect.
> # username and password: Guacamole asks for no input, and then fails to
> connect.
> I've attached guacd debug logs from the failed connection attempts, plus
> OpenSSH (-vv) logs from a successful connection. (Files have been suitably
> redacted). The bit they share in common is they both state "Authentication
> (none)" but OpenSSH proceeds with the connection, while guacd terminates the
> connection:
> Guacd:
> {code:java}
> guacd[100079]: DEBUG: Successfully connected to host 192.168.233.20, port 22
> guacd[100079]: DEBUG: Supported authentication methods: (null)
> guacd[100066]: INFO: Connection "$abc52848-a11c-4397-a657-7c2d4bfdb5e9"
> removed.{code}
> OpenSSH:
> {code:java}
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentication succeeded (none).
> Authenticated to 192.168.233.20 ([192.168.233.20]:22).
> debug1: channel 0: new [client-session]
> debug2: channel 0: send open
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
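
The two logs quoted in the issue differ in how the client treats the server's reply to the initial "none" request. The following is an added example, not guacd or libssh2 code and not part of the original message: it classifies that reply as defined in RFC 4252, working on the already-decrypted message payload. The names `after_none_probe` and `next_step` are hypothetical, and the sample payloads are constructed rather than taken from the attached logs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Message numbers from RFC 4252. */
#define SSH_MSG_USERAUTH_FAILURE 51
#define SSH_MSG_USERAUTH_SUCCESS 52

enum next_step { OPEN_SESSION, TRY_LISTED_METHODS, ABORT };

/* Decide what to do with the server's reply to a "none" auth request.
 * FAILURE carries a name-list of methods that can continue plus a
 * partial-success boolean; SUCCESS carries no list at all, so an empty
 * method list must not be read as "nothing to try, give up". */
enum next_step after_none_probe(const uint8_t *p, size_t len,
                                char *methods, size_t cap)
{
    if (cap == 0)
        return ABORT;
    methods[0] = '\0';
    if (len == 1 && p[0] == SSH_MSG_USERAUTH_SUCCESS)
        return OPEN_SESSION;            /* server accepted "none" */
    if (len < 6 || p[0] != SSH_MSG_USERAUTH_FAILURE)
        return ABORT;                   /* unexpected or truncated reply */
    uint32_t n = (uint32_t)p[1] << 24 | (uint32_t)p[2] << 16 |
                 (uint32_t)p[3] << 8 | (uint32_t)p[4];
    /* type(1) + length(4) + list(n) + boolean(1) must match exactly */
    if (n != len - 6 || n >= cap || n == 0)
        return ABORT;
    memcpy(methods, p + 5, n);
    methods[n] = '\0';
    return TRY_LISTED_METHODS;
}

/* Constructed sample payloads, not captured from the devices in the issue. */
static const uint8_t sample_success[] = { SSH_MSG_USERAUTH_SUCCESS };
static const uint8_t sample_failure[] = {
    SSH_MSG_USERAUTH_FAILURE, 0, 0, 0, 18,
    'p','u','b','l','i','c','k','e','y',',','p','a','s','s','w','o','r','d', 0 };

int main(void)
{
    char m[64];
    printf("%d\n", after_none_probe(sample_success, sizeof sample_success, m, sizeof m));
    printf("%d %s\n", after_none_probe(sample_failure, sizeof sample_failure, m, sizeof m), m);
    return 0;
}
```

When the result is `OPEN_SESSION`, the SSH layer has verified no credential at all, so any authentication is whatever the device's own shell enforces afterwards.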