necouchman commented on a change in pull request #576: URL: https://github.com/apache/guacamole-client/pull/576#discussion_r533849918
########## File path: extensions/guacamole-auth-json/README.md ########## @@ -0,0 +1,189 @@ +guacamole-auth-json +=================== + +guacamole-auth-json is an authentication extension for [Apache +Guacamole](http://guacamole.apache.org/) which authenticates users using JSON +which has been signed using **HMAC/SHA-256** and encrypted with **128-bit AES +in CBC mode**. This JSON contains all information describing the user being +authenticated, as well as any connections they have access to. + +Configuring Guacamole to accept encrypted JSON +---------------------------------------------- + +To verify and decrypt the received signed and encrypted JSON, a secret key must +be generated which will be shared by both the Guacamole server and systems that +will generate the JSON data. As guacamole-auth-json uses 128-bit AES, this key +must be 128 bits. + +An easy way of generating such a key is to echo a passphrase through the +"md5sum" utility. This is the technique OpenSSL itself uses to generate 128-bit +keys from passphrases. For example: + + $ echo -n "ThisIsATest" | md5sum + 4c0b569e4c96df157eee1b65dd0e4d41 - + +The generated key must then be saved within `guacamole.properties` as the full +32-digit hex value using the `json-secret-key` property: + + json-secret-key: 4c0b569e4c96df157eee1b65dd0e4d41 + +JSON format +----------- + +The general format of the JSON (prior to being encrypted, signed, and sent to +Guacamole), is as follows: + + { + + "username" : "arbitraryUsername", + "expires" : TIMESTAMP, + "connections" : { + + "Connection Name" : { + "protocol" : "PROTOCOL", + "parameters" : { + "name1" : "value1", + "name2" : "value2", + ... + } + }, + + ... + + } + + } + +where `TIMESTAMP` is a standard UNIX epoch timestamp with millisecond +resolution (the number of milliseconds since midnight of January 1, 1970 UTC) +and `PROTOCOL` is the internal name of any of Guacamole's supported protocols, +such as `vnc`, `rdp`, or `ssh`. + +The JSON will cease to be accepted as valid after the server time passes the +timestamp. If no timestamp is specified, the data will not expire. + +The top-level JSON object which must be submitted to Guacamole has the +following properties: + +Property name | Type | Description +--------------|----------|------------ +`username` | `string` | The unique username of the user authenticated by the JSON. If the user is anonymous, this should be the empty string (`""`). +`expires` | `number` | The absolute time after which the JSON should no longer be accepted, even if the signature is valid, as a standard UNIX epoch timestamp with millisecond resolution (the number of milliseconds since midnight of January 1, 1970 UTC). +`connections` | `object` | The set of connections which should be exposed to the user by their corresponding, unique names. If no connections will be exposed to the user, this can simply be an empty object (`{}`). + +Each normal connection defined within each submitted JSON object has the +following properties: + +Property name | Type | Description +--------------|----------|------------ +`id` | `string` | An optional opaque value which uniquely identifies this connection across all other connections which may be active at any given time. This property is only required if you wish to allow the connection to be shared or shadowed. +`protocol` | `string` | The internal name of a supported protocol, such as `vnc`, `rdp`, or `ssh`. +`parameters` | `object` | An object representing the connection parameter name/value pairs to apply to the connection, as documented in the [Guacamole manual](https://guacamole.apache.org/doc/gug/configuring-guacamole.html#connection-configuration). + +Connections which share or shadow other connections use a `join` property +instead of a `protocol` property, where `join` contains the value of the `id` +property of the connection being joined: + +Property name | Type | Description +--------------|----------|------------ +`id` | `string` | An optional opaque value which uniquely identifies this connection across all other connections which may be active at any given time. This property is only required if you wish to allow the connection to be shared or shadowed. (Yes, a connection which shadows another connection may itself be shadowed.) +`join` | `string` | The opaque ID given within the `id` property of the connection being joined (shared / shadowed). +`parameters` | `object` | An object representing the connection parameter name/value pairs to apply to the connection, as documented in the [Guacamole manual](https://guacamole.apache.org/doc/gug/configuring-guacamole.html#connection-configuration). Most of the connection configuration is inherited from the connection being joined. In general, the only property relevant to joining connections is `read-only`. + +If a connection is configured to join another connection, that connection will +only be usable if the connection being joined is currently active. If two +connections are established having the same `id` value, only the last +connection will be joinable using the given `id`. + +Generating encrypted JSON +------------------------- + +To authenticate a user with the above JSON format, the JSON must be both signed +and encrypted using the same 128-bit secret key specified with the +`json-secret-key` within `guacamole.properties`: + +1. Generate JSON in the format described above +2. Sign the JSON using the secret key (the same 128-bit key stored within + `guacamole.properties` with the `json-secret-key` property) with + **HMAC/SHA-256**. Prepend the binary result of the signing process to the + plaintext JSON that was signed. +3. Encrypt the result of (2) above using **AES in CBC mode**, with the initial + vector (IV) set to all zero bytes. +4. Encode the encrypted result using base64. +5. POST the encrypted result to the `/api/tokens` REST endpoint as the value of + an HTTP parameter named `data` (or include it in the URL of any Guacamole + page as a query parameter named `data`). Review comment: Nah, let's just keep the README for now and we can address it if someone stumbles across it, and/or in the documentation. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected]
