Re: LDAP AD - Group and Member Users
On Tue, Nov 30, 2021, 12:51 Milton Ferreira wrote:

> Hi,
>
> Is there a query that links the "member users" of an ldap group?
>
> By using the parameters "ldap-group-base-dn" and "ldap-group-search-filter" in "guacamole.properties" the group name is obtained but members are not.
>
> In the "Groups" tab, selecting a group, in the "User Members" section, appears the message "This group does not currently contain any users. Expand this section to add users.". The "ldap-user-search-filter" parameter returns users but does not link to groups.

There is such a query on login, yes - a user's LDAP group memberships are retrieved and take effect, inheriting any permissions granted to database groups having the same name. These memberships are just not exposed in the UI (the LDAP tab of the group states only that the group is read-only). The UI that you're seeing is the tab for the database side of that group and will show only database users/groups added as members.

- Mike
Re: Block certain commands for SSH
A properly set up environment would address that (files with proper permission, one user per person, no root password handover, correctly written sudoers rules, etc).

Regards,
CI.-

On Mon, Nov 29, 2021, 05:37 Yang Yang wrote:

> Thank you very much for the information, Mike!
>
> Thanks,
> Yang
>
> On Nov 26, 2021, at 18:05, Mike Jumper wrote:
>
> On Fri, Nov 26, 2021, 01:52 Yang Yang wrote:
>
>> Hello,
>>
>> Is it possible to set a list of commands that will be blocked when any user types in for SSH connection? This will be useful to protect the server from dangerous command such as “rm -rf /”.
>>
>> If the feature is not yet available, is it possible with guacamole? If I can get some time to have a try, should it be implemented with guacamole client or server (guacd)?
>
> No, this is not possible for any SSH client:
>
> Keep in mind that when you use SSH, you are not sending commands but keystrokes. There is no way to know that a user's keystrokes are due to the user running a command, typing documentation about that command, or messaging their friend who happens to be named "rm -rf /".
>
> The only way to reliably block anything like this would be on the SSH server, within the shell interpreting the command. Only the shell truly knows that what you are doing is typing a command.
>
> - Mike
LDAP AD - Group and Member Users
Hi,

Is there a query that links the "member users" of an ldap group?

By using the parameters "ldap-group-base-dn" and "ldap-group-search-filter" in "guacamole.properties" the group name is obtained but members are not.

In the "Groups" tab, selecting a group, in the "User Members" section, appears the message "This group does not currently contain any users. Expand this section to add users.". The "ldap-user-search-filter" parameter returns users but does not link to groups.

Apache Guacamole 1.3.0

Best regards
Miudon
Re: [EXT] Re: Resizing Onscreen Keyboard
Alt+Space for Spotlight on Mac, any of the button combinations that involve the Windows key, Ctrl+Alt+Delete and Alt+Tab are a few that come to mind.

From: Mike Jumper
Sent: Tuesday, November 30, 2021 1:48 PM
To: user@guacamole.apache.org
Subject: [EXT] Re: Resizing Onscreen Keyboard

On Tue, Nov 30, 2021 at 10:25 AM Cervi, Theo wrote:

> Hello, while using guac in a web browser I am unable to pass many keyboard shortcuts.

Which keyboard shortcuts specifically are giving you trouble?

- Mike
Re: Resizing Onscreen Keyboard
On Tue, Nov 30, 2021 at 10:25 AM Cervi, Theo wrote:

> Hello, while using guac in a web browser I am unable to pass many keyboard shortcuts.

Which keyboard shortcuts specifically are giving you trouble?

- Mike
Re: [External] Re: Passing a token as a query parameter (REST API)
On Tue, Nov 30, 2021 at 11:35 AM Barak, Tal wrote:

> Thank you for the fast answer!
>
> Regarding the other part of my question - if and when token are expired, do you know the answer by any chance?

Sorry about that, Tal. To answer your questions specifically and a bit more completely:

1. Is this the only way when calling REST APIs? Isn’t it possible to add it to the body of the message (instead of adding it to the URL)?

Today it's the only way, but that will be fixed in the next version (is already fixed in the Git repo, actually).

2. Isn’t it a security risk? Anyone which will sniff the communication will able to get the token this way, no?

Only from a "shoulder surfing" perspective - that is, if someone is viewing your screen, or you're sharing your screen with someone, they could potentially capture and use that token. It's one of the primary reasons we're moving it out of there. However, as long as your communication is properly secured (HTTPS), then there's no additional risk of it being intercepted. If the token itself is intercepted along the wire, then the entire session (images, keystrokes, mouse movements, and file transfers) could also be intercepted, which means your connection is fundamentally insecure. But this is true of any TCP-based communication - encryption is a must.

3. What is the life span of a token? It is expired at some point?

Yes, they are limited to 60 minutes by default. This can be controlled via the api-session-timeout setting in guacamole.properties:

http://guacamole.apache.org/doc/gug/configuring-guacamole.html#initial-setup

4. Does the product support one-use-only tokens?

This is a bit of a complicated question, because having a single-use token, in the sense that you're asking it, wouldn't really make sense. The Guacamole Client web application makes a lot of different calls to the API for various things - authentication, retrieving connection information, managing connections and users, etc., so to have a token that was literally only good for a single API call would be pretty useless - you'd get to log in, maybe see your home screen, and then you'd be kicked out.

However, what I think you're looking for is more of a token that expires as soon as the connection is established, and thus the user is logged out as soon as they finish that connection. I don't know of a way to do this in the "stock" Guacamole Client, but I'm sure an extension could be implemented that would accomplish this.

-Nick
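
Added example, not part of the original thread or of Guacamole's own code: a token carried in the query string is also written to web server access logs, as the log lines quoted in the "Can I make the web browser reload the home page?" message on this page show. This Python sketch redacts `token=` values from common/combined-format access log lines and counts the affected endpoints; the sample lines, addresses and token values are constructed.

```python
import re

# Request line of a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')
# A "token" query parameter: directly preceded by ? or &, value runs to the next & or #.
TOKEN_RE = re.compile(r'(?<=[?&])(token)=[^&#\s"]*', re.IGNORECASE)


def redact_line(line):
    """Return (redacted_line, leaked_path); leaked_path is None when the
    request target carried no token in its query string."""
    m = REQUEST_RE.search(line)
    if not m or not TOKEN_RE.search(m.group("target")):
        return line, None
    target = m.group("target")
    clean = TOKEN_RE.sub(r"\1=REDACTED", target)
    # Splice the cleaned target back so the rest of the line stays byte-for-byte.
    redacted = line[:m.start("target")] + clean + line[m.end("target"):]
    return redacted, target.split("?", 1)[0]


def scan(lines):
    """Redact every line and count token-bearing requests per endpoint path."""
    out, leaks = [], {}
    for line in lines:
        redacted, path = redact_line(line)
        out.append(redacted)
        if path is not None:
            leaks[path] = leaks.get(path, 0) + 1
    return out, leaks


# Constructed sample lines: addresses and token values are made up.
SAMPLE = [
    '10.0.0.5 - - [30/Nov/2021:10:22:46 -0500] "POST /guacamole/api/tokens HTTP/1.1" 200 496',
    '10.0.0.5 - - [30/Nov/2021:10:22:46 -0500] "GET /guacamole/api/session/data/'
    'create-vnc/activeConnections?token=3F9A0C11EXAMPLE HTTP/1.1" 200 333',
    '10.0.0.5 - - [30/Nov/2021:10:22:47 -0500] "GET /guacamole/api/session/data/'
    'create-vnc/activeConnections?x=1&token=3F9A0C11EXAMPLE HTTP/1.1" 200 333',
]

if __name__ == "__main__":
    redacted, leaks = scan(SAMPLE)
    print("\n".join(redacted))
    print(leaks)
```
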
RE: [External] Re: Passing a token as a query parameter (REST API)
Thank you for the fast answer!

Regarding the other part of my question - if and when token are expired, do you know the answer by any chance?

Best regards,
Tal Barak.

-Original Message-
From: Craig Sawyer
Sent: Tuesday, November 30, 2021 6:05 PM
To: user@guacamole.apache.org
Subject: [External] Re: Passing a token as a query parameter (REST API)

Yes, it's not ideal, see: https://issues.apache.org/jira/browse/GUACAMOLE-956

On Tue, Nov 30, 2021 at 8:02 AM Barak, Tal wrote:

> Hello all,
>
> I understand that when using the REST API, after generating a token, I must add it to any additional API call as query parameter.
>
> Is this the only way when calling REST APIs? Isn't it possible to add it to the body of the message (instead of adding it to the URL)?
> Isn't it a security risk? Anyone which will sniff the communication will able to get the token this way, no?
> What is the life span of a token? It is expired at some point?
> Does the product support one-use-only tokens?
>
> Best regards,
> Tal Barak.

To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org
Re: Passing a token as a query parameter (REST API)
On Tue, Nov 30, 2021 at 11:06 AM Craig Sawyer wrote:

> Yes, it's not ideal, see:
> https://issues.apache.org/jira/browse/GUACAMOLE-956

...which is slated to be fixed in the 1.4.0 release, expected around end of this year.

-Nick
Re: Passing a token as a query parameter (REST API)
Yes, it's not ideal, see: https://issues.apache.org/jira/browse/GUACAMOLE-956

On Tue, Nov 30, 2021 at 8:02 AM Barak, Tal wrote:

> Hello all,
>
> I understand that when using the REST API, after generating a token, I must add it to any additional API call as query parameter.
>
> Is this the only way when calling REST APIs? Isn’t it possible to add it to the body of the message (instead of adding it to the URL)?
> Isn’t it a security risk? Anyone which will sniff the communication will able to get the token this way, no?
> What is the life span of a token? It is expired at some point?
> Does the product support one-use-only tokens?
>
> Best regards,
> Tal Barak.
Can I make the web browser reload the home page?
Hi,

I'm creating a custom authenticator that searches for existing VNC sessions and populates the user's home page with connections for them. They can also launch a new VNC session (which I've implemented with a special SSH session). However, once that completes (and disconnects), I want to send them back to their home page, *and make it reload* so that their new VNC session appears.

Currently, I don't see anything in the apache or tomcat logs to suggest that the client web browser is requesting a page. All I see is

0.40.1.8 - - [30/Nov/2021:10:22:46 -0500] "POST /guacamole/api/tokens HTTP/1.1" 200 496
10.40.1.8 - - [30/Nov/2021:10:22:46 -0500] "GET /guacamole/api/session/data/create-vnc/activeConnections?token=XX HTTP/1.1" 200 333

so I guess my question is, can I, say, populate that menu with a button that will cause the browser to re-request the home page, or otherwise cause a home page update?

Thanks,
--dustin
Passing a token as a query parameter (REST API)
Hello all,

I understand that when using the REST API, after generating a token, I must add it to any additional API call as query parameter.

1. Is this the only way when calling REST APIs? Isn't it possible to add it to the body of the message (instead of adding it to the URL)?
2. Isn't it a security risk? Anyone which will sniff the communication will able to get the token this way, no?
3. What is the life span of a token? It is expired at some point?
4. Does the product support one-use-only tokens?

Best regards,
Tal Barak.
Re: Syn Azure Ad and Guacamole
On Tue, Nov 30, 2021 at 2:21 AM Bryan Ohana wrote:

> Ok i get it thanks Mike !
> Can I ask for an additional question. I would like to use guacamole to assign dynamic VDI to users ( 1 VM always ready so if user A log into guacamole and get the VM and user 2 comes in he should get the new VM created that has another IP and host name) do you know how that is working ?

Not at this point, no. I set out a year or so ago to try to create something like this - an extension that would manage VMs or compute instances, clone/create, start/stop, etc. But I haven't had time to work on it.

Guacamole does support load balancing groups that allow you to put a bunch of systems behind a single connection group and have Guacamole take care of assigning users based on the thresholds you set (max users per connection, etc.), but it doesn't have any built-in support for managing those systems. I think there are some folks out there that have cooked up their own extensions that at least handle the start/stop of back-end machines to help with load and cost management, but nothing has made it into mainline code, yet.

-Nick