[jira] [Commented] (GUACAMOLE-547) Add support for the "none" SSH authentication method
[
https://issues.apache.org/jira/browse/GUACAMOLE-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16882546#comment-16882546
]
Nick Couchman commented on GUACAMOLE-547:
-
[~shishax]: My apologies, you are correct. The connection where I thought I
was using a saved username and password I was actually using a private key. I
removed the private key and tried the password, and it does prompt. So,
there's a regression, here, that needs to be addressed. I'll re-open your pull
request.
> Add support for the "none" SSH authentication method
>
>
> Key: GUACAMOLE-547
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-547
> Project: Guacamole
> Issue Type: New Feature
> Components: Documentation, SSH
> Environment: Linux 4.13.0-1012-azure #15-Ubuntu SMP Thu Mar 8
> 10:47:27 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
>Reporter: David Hauk
>Assignee: Michael Jumper
>Priority: Minor
> Fix For: 1.1.0
>
> Attachments: guacd-1.0.0.log, guacd-master.log, guacd_debug_fail.txt,
> openssh_verbose_successful connection.txt, sshd_config
>
>
> When connecting to embedded devices that implicitly allow SSH access guacd
> fails when the authentication method is (none). The devices permit any SSH
> user with no password access to the console, and then provide authentication
> internally via their interactive shell.
> Test cases:
> # no username and no password configured: Guacamole requests both, then
> fails to connect.
> # username but no password: Guacamole requests password, and then fails to
> connect.
> # username and password: Guacamole asks for no input, and then fails to
> connect.
> I've attached guacd debug logs from the failed connection attempts, plus
> OpenSSH (-vv) logs from a successful connection. (Files have been suitably
> redacted). The bit they share in common is they both state "Authentication
> (none)" but OpenSSH proceeds with the connection, while guacd terminates the
> connection:
> Guacd:
> {code:java}
> guacd[100079]: DEBUG: Successfully connected to host 192.168.233.20, port 22
> guacd[100079]: DEBUG: Supported authentication methods: (null)
> guacd[100066]: INFO: Connection "$abc52848-a11c-4397-a657-7c2d4bfdb5e9"
> removed.{code}
> OpenSSH:
> {code:java}
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentication succeeded (none).
> Authenticated to 192.168.233.20 ([192.168.233.20]:22).
> debug1: channel 0: new [client-session]
> debug2: channel 0: send open
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (GUACAMOLE-547) Add support for the "none" SSH authentication method
[
https://issues.apache.org/jira/browse/GUACAMOLE-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16881714#comment-16881714
]
Michael Jumper commented on GUACAMOLE-547:
--
{quote}
... loop with a _Handler not found for "nop"_ message.
{quote}
This is unrelated to SSH and isn't a loop nor a bug. The "nop" message is sent
by the client to the server as a sort of keep-alive ping. Since the "nop"
instruction doesn't do anything by definition, the server doesn't actually
implement a handler for it. Recent changes from GUACAMOLE-422 added a
debug-level message to let us know if an instruction is not handled because it
has no handler, as that may indicate an incompatibility between client and
server that's worth noting, but this in this case it's just benign noise.
> Add support for the "none" SSH authentication method
>
>
> Key: GUACAMOLE-547
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-547
> Project: Guacamole
> Issue Type: New Feature
> Components: Documentation, SSH
> Environment: Linux 4.13.0-1012-azure #15-Ubuntu SMP Thu Mar 8
> 10:47:27 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
>Reporter: David Hauk
>Assignee: Michael Jumper
>Priority: Minor
> Fix For: 1.1.0
>
> Attachments: guacd-1.0.0.log, guacd-master.log, guacd_debug_fail.txt,
> openssh_verbose_successful connection.txt, sshd_config
>
>
> When connecting to embedded devices that implicitly allow SSH access guacd
> fails when the authentication method is (none). The devices permit any SSH
> user with no password access to the console, and then provide authentication
> internally via their interactive shell.
> Test cases:
> # no username and no password configured: Guacamole requests both, then
> fails to connect.
> # username but no password: Guacamole requests password, and then fails to
> connect.
> # username and password: Guacamole asks for no input, and then fails to
> connect.
> I've attached guacd debug logs from the failed connection attempts, plus
> OpenSSH (-vv) logs from a successful connection. (Files have been suitably
> redacted). The bit they share in common is they both state "Authentication
> (none)" but OpenSSH proceeds with the connection, while guacd terminates the
> connection:
> Guacd:
> {code:java}
> guacd[100079]: DEBUG: Successfully connected to host 192.168.233.20, port 22
> guacd[100079]: DEBUG: Supported authentication methods: (null)
> guacd[100066]: INFO: Connection "$abc52848-a11c-4397-a657-7c2d4bfdb5e9"
> removed.{code}
> OpenSSH:
> {code:java}
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentication succeeded (none).
> Authenticated to 192.168.233.20 ([192.168.233.20]:22).
> debug1: channel 0: new [client-session]
> debug2: channel 0: send open
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (GUACAMOLE-547) Add support for the "none" SSH authentication method
[
https://issues.apache.org/jira/browse/GUACAMOLE-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16881187#comment-16881187
]
Federico Giuba commented on GUACAMOLE-547:
--
[~nick.couch...@yahoo.com], [~haukeness]: I perfectly understand that this
issue is about implementing the RPC4252 "None" authentication method. I'm
posting here just because the behavior I'm talking about has been introduced
with this feature. I give some more details about the scenario to reproduce the
issue.
I use guacd to connect to workstations running Ubuntu 18.04.02 with
OpenSSH_7.6p1 (OpenSSL 1.0.2n) with an almost default configuration file
(please see [^sshd_config]). I do not control these workstations so I cannot
change the sshd settings. As you can see from [^guacd-master.log], the device
does *not* support the "None" authentication method, but Guacamole, instead of
trying to connect with the specified username and password, just prompt for the
password and loop with a _Handler not found for "nop"_ message.
This are the log of the same connection handled with Guacamole Server 1.0.0:
[^guacd-1.0.0.log].
What's the expected behavior in this situation?
Thank you very much for your help.
> Add support for the "none" SSH authentication method
>
>
> Key: GUACAMOLE-547
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-547
> Project: Guacamole
> Issue Type: New Feature
> Components: Documentation, SSH
> Environment: Linux 4.13.0-1012-azure #15-Ubuntu SMP Thu Mar 8
> 10:47:27 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
>Reporter: David Hauk
>Assignee: Nick Couchman
>Priority: Minor
> Fix For: 1.1.0
>
> Attachments: guacd-1.0.0.log, guacd-master.log, guacd_debug_fail.txt,
> openssh_verbose_successful connection.txt, sshd_config
>
>
> When connecting to embedded devices that implicitly allow SSH access guacd
> fails when the authentication method is (none). The devices permit any SSH
> user with no password access to the console, and then provide authentication
> internally via their interactive shell.
> Test cases:
> # no username and no password configured: Guacamole requests both, then
> fails to connect.
> # username but no password: Guacamole requests password, and then fails to
> connect.
> # username and password: Guacamole asks for no input, and then fails to
> connect.
> I've attached guacd debug logs from the failed connection attempts, plus
> OpenSSH (-vv) logs from a successful connection. (Files have been suitably
> redacted). The bit they share in common is they both state "Authentication
> (none)" but OpenSSH proceeds with the connection, while guacd terminates the
> connection:
> Guacd:
> {code:java}
> guacd[100079]: DEBUG: Successfully connected to host 192.168.233.20, port 22
> guacd[100079]: DEBUG: Supported authentication methods: (null)
> guacd[100066]: INFO: Connection "$abc52848-a11c-4397-a657-7c2d4bfdb5e9"
> removed.{code}
> OpenSSH:
> {code:java}
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentication succeeded (none).
> Authenticated to 192.168.233.20 ([192.168.233.20]:22).
> debug1: channel 0: new [client-session]
> debug2: channel 0: send open
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (GUACAMOLE-547) Add support for the "none" SSH authentication method
[
https://issues.apache.org/jira/browse/GUACAMOLE-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16879422#comment-16879422
]
Nick Couchman commented on GUACAMOLE-547:
-
[~shishax]: I closed the PR that you opened after testing and confirming that
setting a password within a SSH connection works perfectly fine. As David
says, this particular issue was about supporting devices that implement the
NONE authentication method, which establishes the connection without the
password (and usually prompts for a password using its own mechanism).
It's worth noting that the issue you're seeing is definitely something that
could be happening, but isn't something that can really be resolved. That is:
- Device implements NONE authentication protocol
- You connect with Guacamole, specifying a username and password
- Device accepts your SSH connection with NONE, ignoring the password and then
prompting you
In this case, no matter what changes you make, you will *always* be prompted
for a password because the password prompt is happening during the terminal
session, outside of the SSH connection.
As far as I can tell, the Guacamole Server code works perfectly fine for
storing and using passwords when the remote server is using password
authentication.
> Add support for the "none" SSH authentication method
>
>
> Key: GUACAMOLE-547
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-547
> Project: Guacamole
> Issue Type: New Feature
> Components: Documentation, SSH
> Environment: Linux 4.13.0-1012-azure #15-Ubuntu SMP Thu Mar 8
> 10:47:27 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
>Reporter: David Hauk
>Assignee: Nick Couchman
>Priority: Minor
> Fix For: 1.1.0
>
> Attachments: guacd_debug_fail.txt, openssh_verbose_successful
> connection.txt
>
>
> When connecting to embedded devices that implicitly allow SSH access guacd
> fails when the authentication method is (none). The devices permit any SSH
> user with no password access to the console, and then provide authentication
> internally via their interactive shell.
> Test cases:
> # no username and no password configured: Guacamole requests both, then
> fails to connect.
> # username but no password: Guacamole requests password, and then fails to
> connect.
> # username and password: Guacamole asks for no input, and then fails to
> connect.
> I've attached guacd debug logs from the failed connection attempts, plus
> OpenSSH (-vv) logs from a successful connection. (Files have been suitably
> redacted). The bit they share in common is they both state "Authentication
> (none)" but OpenSSH proceeds with the connection, while guacd terminates the
> connection:
> Guacd:
> {code:java}
> guacd[100079]: DEBUG: Successfully connected to host 192.168.233.20, port 22
> guacd[100079]: DEBUG: Supported authentication methods: (null)
> guacd[100066]: INFO: Connection "$abc52848-a11c-4397-a657-7c2d4bfdb5e9"
> removed.{code}
> OpenSSH:
> {code:java}
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentication succeeded (none).
> Authenticated to 192.168.233.20 ([192.168.233.20]:22).
> debug1: channel 0: new [client-session]
> debug2: channel 0: send open
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (GUACAMOLE-547) Add support for the "none" SSH authentication method
[
https://issues.apache.org/jira/browse/GUACAMOLE-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16879408#comment-16879408
]
David Hauk commented on GUACAMOLE-547:
--
Federico, this issue isn't about not passing a password, its about using the
RPC4252 "None" authentication method, which embedded devices (like cisco
wireless lan controllers and other embedded linux hardware) use to indicate
that no authentication is taking place at all.
Commonly these devices just "accept" the SSH connection, map it to a low
privilege user, and capture it into a configuration script using inittab so
they don't get a login shell.
Simply not passing a password causes the connection from Guacamole to fail, as
the device is expecting "None", but it instead gets an empty username or
password.
> Add support for the "none" SSH authentication method
>
>
> Key: GUACAMOLE-547
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-547
> Project: Guacamole
> Issue Type: New Feature
> Components: Documentation, SSH
> Environment: Linux 4.13.0-1012-azure #15-Ubuntu SMP Thu Mar 8
> 10:47:27 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
>Reporter: David Hauk
>Assignee: Nick Couchman
>Priority: Minor
> Fix For: 1.1.0
>
> Attachments: guacd_debug_fail.txt, openssh_verbose_successful
> connection.txt
>
>
> When connecting to embedded devices that implicitly allow SSH access guacd
> fails when the authentication method is (none). The devices permit any SSH
> user with no password access to the console, and then provide authentication
> internally via their interactive shell.
> Test cases:
> # no username and no password configured: Guacamole requests both, then
> fails to connect.
> # username but no password: Guacamole requests password, and then fails to
> connect.
> # username and password: Guacamole asks for no input, and then fails to
> connect.
> I've attached guacd debug logs from the failed connection attempts, plus
> OpenSSH (-vv) logs from a successful connection. (Files have been suitably
> redacted). The bit they share in common is they both state "Authentication
> (none)" but OpenSSH proceeds with the connection, while guacd terminates the
> connection:
> Guacd:
> {code:java}
> guacd[100079]: DEBUG: Successfully connected to host 192.168.233.20, port 22
> guacd[100079]: DEBUG: Supported authentication methods: (null)
> guacd[100066]: INFO: Connection "$abc52848-a11c-4397-a657-7c2d4bfdb5e9"
> removed.{code}
> OpenSSH:
> {code:java}
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentication succeeded (none).
> Authenticated to 192.168.233.20 ([192.168.233.20]:22).
> debug1: channel 0: new [client-session]
> debug2: channel 0: send open
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (GUACAMOLE-547) Add support for the "none" SSH authentication method
[
https://issues.apache.org/jira/browse/GUACAMOLE-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16879406#comment-16879406
]
Federico Giuba commented on GUACAMOLE-547:
--
Maybe I'm missing something but, as it is, it's no more possible to specify a
password for a SSH connection as a connection parameter.
The 'password' parameter is always ignored and the terminal prompt for the
password request.
Am i wrong?
I sent a PR for fixing the issue:
[https://github.com/apache/guacamole-server/pull/226]
> Add support for the "none" SSH authentication method
>
>
> Key: GUACAMOLE-547
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-547
> Project: Guacamole
> Issue Type: New Feature
> Components: Documentation, SSH
> Environment: Linux 4.13.0-1012-azure #15-Ubuntu SMP Thu Mar 8
> 10:47:27 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
>Reporter: David Hauk
>Assignee: Nick Couchman
>Priority: Minor
> Fix For: 1.1.0
>
> Attachments: guacd_debug_fail.txt, openssh_verbose_successful
> connection.txt
>
>
> When connecting to embedded devices that implicitly allow SSH access guacd
> fails when the authentication method is (none). The devices permit any SSH
> user with no password access to the console, and then provide authentication
> internally via their interactive shell.
> Test cases:
> # no username and no password configured: Guacamole requests both, then
> fails to connect.
> # username but no password: Guacamole requests password, and then fails to
> connect.
> # username and password: Guacamole asks for no input, and then fails to
> connect.
> I've attached guacd debug logs from the failed connection attempts, plus
> OpenSSH (-vv) logs from a successful connection. (Files have been suitably
> redacted). The bit they share in common is they both state "Authentication
> (none)" but OpenSSH proceeds with the connection, while guacd terminates the
> connection:
> Guacd:
> {code:java}
> guacd[100079]: DEBUG: Successfully connected to host 192.168.233.20, port 22
> guacd[100079]: DEBUG: Supported authentication methods: (null)
> guacd[100066]: INFO: Connection "$abc52848-a11c-4397-a657-7c2d4bfdb5e9"
> removed.{code}
> OpenSSH:
> {code:java}
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentication succeeded (none).
> Authenticated to 192.168.233.20 ([192.168.233.20]:22).
> debug1: channel 0: new [client-session]
> debug2: channel 0: send open
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (GUACAMOLE-547) Add support for the "none" SSH authentication method
[
https://issues.apache.org/jira/browse/GUACAMOLE-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16879405#comment-16879405
]
Federico Giuba commented on GUACAMOLE-547:
--
Maybe I'm missing something but, as it is, it's no more possible to specify a
password for a SSH connection as a connection parameter.
The 'password' parameter is always ignored and the terminal prompt for the
password request.
Am i wrong?
I sent a PR for fixing the issue:
[https://github.com/apache/guacamole-server/pull/226]
> Add support for the "none" SSH authentication method
>
>
> Key: GUACAMOLE-547
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-547
> Project: Guacamole
> Issue Type: New Feature
> Components: Documentation, SSH
> Environment: Linux 4.13.0-1012-azure #15-Ubuntu SMP Thu Mar 8
> 10:47:27 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
>Reporter: David Hauk
>Assignee: Nick Couchman
>Priority: Minor
> Fix For: 1.1.0
>
> Attachments: guacd_debug_fail.txt, openssh_verbose_successful
> connection.txt
>
>
> When connecting to embedded devices that implicitly allow SSH access guacd
> fails when the authentication method is (none). The devices permit any SSH
> user with no password access to the console, and then provide authentication
> internally via their interactive shell.
> Test cases:
> # no username and no password configured: Guacamole requests both, then
> fails to connect.
> # username but no password: Guacamole requests password, and then fails to
> connect.
> # username and password: Guacamole asks for no input, and then fails to
> connect.
> I've attached guacd debug logs from the failed connection attempts, plus
> OpenSSH (-vv) logs from a successful connection. (Files have been suitably
> redacted). The bit they share in common is they both state "Authentication
> (none)" but OpenSSH proceeds with the connection, while guacd terminates the
> connection:
> Guacd:
> {code:java}
> guacd[100079]: DEBUG: Successfully connected to host 192.168.233.20, port 22
> guacd[100079]: DEBUG: Supported authentication methods: (null)
> guacd[100066]: INFO: Connection "$abc52848-a11c-4397-a657-7c2d4bfdb5e9"
> removed.{code}
> OpenSSH:
> {code:java}
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentication succeeded (none).
> Authenticated to 192.168.233.20 ([192.168.233.20]:22).
> debug1: channel 0: new [client-session]
> debug2: channel 0: send open
> {code}
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
