Re: Can't get SSH key to work
On Fri, Mar 1, 2019 at 4:18 PM Julien Nicoulaud wrote:

> I did some more digging and I found that:
>
> - RSA keys are only supported in PEM format. But since OpenSSH 7.8
>   (2018), ssh-keygen changed its default format. I opened
>   https://issues.apache.org/jira/browse/GUACAMOLE-745
> - ED25519 keys are definitely not supported, the key loading code
>   explicitly looks for hardcoded RSA or DSA headers here:
>   https://github.com/apache/guacamole-server/blob/master/src/common-ssh/key.c#L40
>   I opened a feature request:
>   https://issues.apache.org/jira/browse/GUACAMOLE-746
>
> But both need to wait for a new libssh2 release including this commit:
> https://github.com/libssh2/libssh2/commit/03092292597ac601c3f9f0c267ecb145dda75e4e

Thanks for the research, Julien!

-Nick
Re: Can't get SSH key to work
I did some more digging and I found that:

- RSA keys are only supported in PEM format. But since OpenSSH 7.8
  (2018), ssh-keygen changed its default format. I opened
  https://issues.apache.org/jira/browse/GUACAMOLE-745
- ED25519 keys are definitely not supported, the key loading code
  explicitly looks for hardcoded RSA or DSA headers here:
  https://github.com/apache/guacamole-server/blob/master/src/common-ssh/key.c#L40
  I opened a feature request:
  https://issues.apache.org/jira/browse/GUACAMOLE-746

But both need to wait for a new libssh2 release including this commit:
https://github.com/libssh2/libssh2/commit/03092292597ac601c3f9f0c267ecb145dda75e4e

I guess error messages could be improved in the meanwhile though, as I will
probably not be the last one to hit these issues...

On Fri, Mar 1, 2019 at 17:17, Nick Couchman wrote:

> On Tue, Feb 26, 2019 at 2:57 PM Julien Nicoulaud <julien.nicoul...@gmail.com> wrote:
>
>> No useful info in debug mode (see my first message, it has a log with
>> guacd debug logging)
>
> Hmmm...not really sure what's going on, here. I'm able to successfully
> use it with the following steps:
> - Guacamole from git master, with JDBC module
> - On the destination system, under the account I want to log in under
>   (testuser), do "ssh-keygen -t rsa -b 1024" and don't set a passphrase
> - Add the public key to the authorized_keys file (actually, there were no
>   other authorized_keys entries, so just copied .ssh/id_rsa.pub to
>   .ssh/authorized_keys)
> - Configure Guacamole SSH connection to the host, with a fixed username,
>   and pasting in the private key with header and footer
> - Start the connection
>
> It connects fine - no issues, here.
>
> -Nick
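
A way to check which container a pasted private key uses before handing it to guacd, following the findings in the message above. This is an added example, not part of the original thread and not guacamole-server code; `classify_private_key`, `sample_openssh_key` and the tuple layout are names chosen for this illustration, the last tuple field reflects only what the thread reports, and the sample keys are constructed with zero bytes in place of key material.

```python
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
# Traditional PEM labels; the thread reports guacd's loader looks for these.
LEGACY_PEM = {"RSA PRIVATE KEY": "ssh-rsa", "DSA PRIVATE KEY": "ssh-dss"}

def _read_string(buf, off):
    """Read one SSH wire string (uint32 big-endian length, then bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off + 4:off + 4 + n], off + 4 + n

def classify_private_key(text):
    """Return (container, key_type, encrypted, accepted_per_thread)."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN "):
        return ("unknown", None, None, False)
    label = lines[0][len("-----BEGIN "):].rstrip("-")
    if lines[-1] != "-----END " + label + "-----":
        return ("unknown", None, None, False)
    body = lines[1:-1]
    if label in LEGACY_PEM:
        # Encrypted traditional PEM carries a "Proc-Type: 4,ENCRYPTED" header.
        enc = any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in body)
        return ("pem", LEGACY_PEM[label], enc, True)
    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(body))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("missing openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(OPENSSH_MAGIC))
        _kdf, off = _read_string(blob, off)
        _kdfopts, off = _read_string(blob, off)
        pub, _ = _read_string(blob, off + 4)  # skip uint32 key count
        ktype, _ = _read_string(pub, 0)       # public blob starts with its type
        return ("openssh", ktype.decode(), cipher != b"none", False)
    return ("other", None, None, False)

def sample_openssh_key(ktype, cipher=b"none"):
    """Constructed sample: real framing, zero bytes in place of key material."""
    s = lambda b: struct.pack(">I", len(b)) + b
    kdf = b"none" if cipher == b"none" else b"bcrypt"
    blob = (OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
            + s(s(ktype) + s(bytes(32))) + s(bytes(64)))
    b64 = base64.b64encode(blob).decode()
    rows = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join(["-----BEGIN OPENSSH PRIVATE KEY-----", *rows,
                      "-----END OPENSSH PRIVATE KEY-----"])
```

For an RSA key reported as `openssh`, `ssh-keygen -p -m PEM -f <keyfile>` rewrites it in the traditional PEM container.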
Re: Can't get SSH key to work
On Tue, Feb 26, 2019 at 2:57 PM Julien Nicoulaud wrote:

> No useful info in debug mode (see my first message, it has a log with
> guacd debug logging)

Hmmm...not really sure what's going on, here. I'm able to successfully
use it with the following steps:
- Guacamole from git master, with JDBC module
- On the destination system, under the account I want to log in under
  (testuser), do "ssh-keygen -t rsa -b 1024" and don't set a passphrase
- Add the public key to the authorized_keys file (actually, there were no
  other authorized_keys entries, so just copied .ssh/id_rsa.pub to
  .ssh/authorized_keys)
- Configure Guacamole SSH connection to the host, with a fixed username,
  and pasting in the private key with header and footer
- Start the connection

It connects fine - no issues, here.

-Nick
Re: Can't get SSH key to work
No useful info in debug mode (see my first message, it has a log with guacd
debug logging)

On Tue, Feb 26, 2019 at 18:48, Nick Couchman wrote:

> On Tue, Feb 26, 2019 at 12:37 PM Julien Nicoulaud <julien.nicoul...@gmail.com> wrote:
>
>> Actually this is not due to ED25519, I can't get any SSH key to work,
>> guacd always fails with "Auth key import failed: (null)".
>>
>> Tried ED25519 keys, RSA 1024b, and RSA 4096b keys.
>> Tried keys with and without passphrase.
>> Tried setting the passphrase in the web UI or at the connection prompt.
>> Tried changing db from postgres to mysql.
>> Tried removing new lines from key / adding blank line before header or
>> after footer / converting between unix and windows new lines.
>>
>> Running out of ideas...
>
> Can you put guacd into debug logging (GUACD_LOG_LEVEL=debug) and get the
> logs and see if anything more useful is returned?
>
> -Nick
Re: Can't get SSH key to work
On Tue, Feb 26, 2019 at 12:37 PM Julien Nicoulaud <julien.nicoul...@gmail.com> wrote:

> Actually this is not due to ED25519, I can't get any SSH key to work,
> guacd always fails with "Auth key import failed: (null)".
>
> Tried ED25519 keys, RSA 1024b, and RSA 4096b keys.
> Tried keys with and without passphrase.
> Tried setting the passphrase in the web UI or at the connection prompt.
> Tried changing db from postgres to mysql.
> Tried removing new lines from key / adding blank line before header or
> after footer / converting between unix and windows new lines.
>
> Running out of ideas...

Can you put guacd into debug logging (GUACD_LOG_LEVEL=debug) and get the
logs and see if anything more useful is returned?

-Nick
Re: Can't get SSH key to work
Actually this is not due to ED25519, I can't get any SSH key to work, guacd
always fails with "Auth key import failed: (null)".

Tried ED25519 keys, RSA 1024b, and RSA 4096b keys.
Tried keys with and without passphrase.
Tried setting the passphrase in the web UI or at the connection prompt.
Tried changing db from postgres to mysql.
Tried removing new lines from key / adding blank line before header or
after footer / converting between unix and windows new lines.

Running out of ideas...

Here is the docker-compose file I use, in case that rings a bell:

version: '2.2'

networks:
  traefik:
    external: true
  guacamole:
    external: true

services:

  guacamole:
    container_name: guacamole
    image: guacamole/guacamole
    restart: always
    cpu_percent: 80
    mem_limit: 1G
    depends_on:
      - guacd
      - database
    labels:
      - traefik.enable=true
      - traefik.docker.network=traefik
      - traefik.frontend.rule=Host:guacamole.XXX;AddPrefix:/guacamole
      - traefik.frontend.auth.forward.address=https://XX
      - traefik.port=8080
    environment:
      - GUACD_HOSTNAME=guacd
      - GUACAMOLE_HOME=/etc/guacamole-home
      - MYSQL_HOSTNAME=database
      - MYSQL_DATABASE=guacamole
      - MYSQL_USER=guacamole
      - MYSQL_PASSWORD=XXX
    volumes:
      - ./home:/etc/guacamole-home:ro
      - /etc/localtime:/etc/localtime:ro
    networks:
      - guacamole
      - traefik

  guacd:
    container_name: guacamole_guacd
    image: guacamole/guacd
    restart: always
    environment:
      - GUACD_LOG_LEVEL=warning
    volumes:
      - /var/lib/guacamole/drive:/drive:rw
      - /var/lib/guacamole/record:/record:rw
      - /etc/localtime:/etc/localtime:ro
    networks:
      - guacamole

  database:
    container_name: guacamole_database
    image: mariadb
    restart: always
    cpu_percent: 80
    mem_limit: 128M
    environment:
      - MYSQL_DATABASE=guacamole
      - MYSQL_USER=guacamole
      - MYSQL_PASSWORD=XXX
      - MYSQL_ROOT_PASSWORD=XXX
    volumes:
      - ./init:/docker-entrypoint-initdb.d:ro
      - /var/lib/guacamole/database:/var/lib/mysql
      - /etc/localtime:/etc/localtime:ro
    networks:
      - guacamole

On Tue, Jan 29, 2019 at 16:13, Nick Couchman wrote:

> On Tue, Jan 29, 2019 at 9:58 AM Julien Nicoulaud <julien.nicoul...@gmail.com> wrote:
>
>> Hi,
>>
>> Does Guacamole support Ed25519 SSH keys ?
>
> This would more depend on whether or not libssh2 supports it, and in what
> version of libssh2 it exists. guacd leverages libssh2 for the underlying
> SSH functionality, so most of the issues that occur like this are due to
> (lack of) support in the underlying library.
>
> According to https://libssh2.org/ ssh-rsa and ssh-dss are supported.
>
> -Nick
Re: Can't get SSH key to work
On Tue, Jan 29, 2019 at 9:58 AM Julien Nicoulaud wrote:

> Hi,
>
> Does Guacamole support Ed25519 SSH keys ?

This would more depend on whether or not libssh2 supports it, and in what
version of libssh2 it exists. guacd leverages libssh2 for the underlying
SSH functionality, so most of the issues that occur like this are due to
(lack of) support in the underlying library.

According to https://libssh2.org/ ssh-rsa and ssh-dss are supported.

-Nick
Can't get SSH key to work
Hi,

Does Guacamole support Ed25519 SSH keys ?

I can't get it to work, I always get a key import failure message:

guacd_1 | guacd[6]: INFO:Creating new client for protocol "ssh"
guacd_1 | guacd[6]: INFO:Connection ID is "$bb601e6d-3328-4fbb-9b1b-46f37d229015"
guacamole| 14:39:01.033 [http-nio-8080-exec-14] INFO o.a.g.tunnel.TunnelRequestService - User "nicoulaj" connected to connection "3".
guacd_1 | guacd[296]: DEBUG:Parameter "font-name" omitted. Using default value of "monospace".
guacd_1 | guacd[296]: DEBUG:Parameter "font-size" omitted. Using default value of 12.
guacd_1 | guacd[296]: DEBUG:Parameter "color-scheme" omitted. Using default value of "".
guacd_1 | guacd[296]: DEBUG:Parameter "enable-sftp" omitted. Using default value of 0.
guacd_1 | guacd[296]: DEBUG:Parameter "sftp-root-directory" omitted. Using default value of "/".
guacd_1 | guacd[296]: DEBUG:Parameter "read-only" omitted. Using default value of 0.
guacd_1 | guacd[296]: DEBUG:Parameter "typescript-name" omitted. Using default value of "typescript".
guacd_1 | guacd[296]: DEBUG:Parameter "create-typescript-path" omitted. Using default value of 0.
guacd_1 | guacd[296]: DEBUG:Parameter "recording-name" omitted. Using default value of "recording".
guacd_1 | guacd[296]: DEBUG:Parameter "recording-exclude-output" omitted. Using default value of 0.
guacd_1 | guacd[296]: DEBUG:Parameter "recording-exclude-mouse" omitted. Using default value of 0.
guacd_1 | guacd[296]: DEBUG:Parameter "recording-include-keys" omitted. Using default value of 0.
guacd_1 | guacd[296]: DEBUG:Parameter "create-recording-path" omitted. Using default value of 0.
guacd_1 | guacd[296]: DEBUG:Parameter "server-alive-interval" omitted. Using default value of 0.
guacd_1 | guacd[296]: DEBUG:Parameter "backspace" omitted. Using default value of 127.
guacd_1 | guacd[296]: DEBUG:Parameter "terminal-type" omitted. Using default value of "linux".
guacd_1 | guacd[296]: INFO:User "@2ebfa878-493f-4411-bda6-a0ce307bf0af" joined connection "$bb601e6d-3328-4fbb-9b1b-46f37d229015" (1 users now present)
guacd_1 | guacd[296]: DEBUG:Attempting private key import (WITHOUT passphrase)
guacd_1 | guacd[296]: DEBUG:Initial import failed: (null)
guacd_1 | guacd[296]: DEBUG:Re-attempting private key import (WITH passphrase)
guacd_1 | guacd[296]: ERROR:Auth key import failed: (null)
guacd_1 | guacd[296]: INFO:User "@2ebfa878-493f-4411-bda6-a0ce307bf0af" disconnected (0 users remain)
guacd_1 | guacd[296]: INFO:Last user of connection "$bb601e6d-3328-4fbb-9b1b-46f37d229015" disconnected

I am using guacamole official Docker images (latest 1.0.0), the key was
created using OpenSSH's "ssh-keygen -t ed25519" with a passphrase. I pasted
it with the header and footer and tried several variants (lines merged,
blank line after, etc)...

Any idea how to further debug this ?

Thanks,
Julien