Re: header authentication with BASE64 encoding
On Fri, Feb 23, 2024 at 7:48 AM wrote:

> Thanks for the quick reply, Nick.
>
> Can you point out a justified reason for the LDAP module behavior you were
> mentioning? As far as I can think of, there shouldn’t be any practical
> reason for not being able to use the search user’s binding in order to
> query the logon user’s memberships in guacConfigGroup objects.

It's actually quite practical and quite intentionally designed to behave that way. It allows the LDAP extension to make use of the security built in to the LDAP directory, so that you can restrict access to connections by simply using LDAP ACLs to restrict what the user can see. I would imagine that, at some point, we may provide alternatives within the implementation to this - a configuration option that makes it behave differently - but I would also expect we would retain this as the default behavior.

> In any case, if this is how it is implemented I reckon that I could simply
> revert back to using the plain user-mapping.xml file, hoping that header
> authentication works fine with it. So getting back to my original question,
> is there a known way I get access to the guacamole-auth-header source code,
> or alternatively get assistance from its authors in order to add support
> for base64 encoding?

The user-mapping.xml file will not work because it does not "layer" with any of the other modules, for a couple of reasons. One is that it sort of behaves like the LDAP module does, in one respect, where the ability to get access to the connections defined in the file is based on you authenticating with a valid username *and* password as defined in the file - and if you're not entering a password, or entering a password that doesn't match the one in the file, you're not going to get the connections as defined in the file.

The extension for storing connections that will allow you to use Header, SSO, etc., is really the JDBC module - it's very much designed to be a flexible back-end that works well with most of the other modules.

The source code for guacamole-client can be found here:

https://github.com/apache/guacamole-client

with the header module, specifically, here:

https://github.com/apache/guacamole-client/tree/master/extensions/guacamole-auth-header

I was the original author of the header module, so I'm fairly familiar with the code.

Also, a quick Google search for "how to detect base64 encoding in Java" turns up some options that should be pretty straight-forward:

    import org.apache.commons.codec.binary.Base64; // Apache Commons Codec

    String stringToBeChecked = "...";
    // isArrayByteBase64 is deprecated in current commons-codec releases in favor of Base64.isBase64(byte[])
    boolean isBase64 = Base64.isArrayByteBase64(stringToBeChecked.getBytes());

(from https://stackoverflow.com/questions/8571501/how-to-check-whether-a-string-is-base64-encoded-or-not ).

Should be easy enough to add that check into the Header module where it gets the username, and then decode if it believes it is Base64 encoded.

-Nick
RE: header authentication with BASE64 encoding
Thanks for the quick reply, Nick.

Can you point out a justified reason for the LDAP module behavior you were mentioning? As far as I can think of, there shouldn’t be any practical reason for not being able to use the search user’s binding in order to query the logon user’s memberships in guacConfigGroup objects.

In any case, if this is how it is implemented I reckon that I could simply revert back to using the plain user-mapping.xml file, hoping that header authentication works fine with it. So getting back to my original question, is there a known way I get access to the guacamole-auth-header source code, or alternatively get assistance from its authors in order to add support for base64 encoding?

Best wishes,
Uri

From: Nick Couchman
Sent: Friday, February 23, 2024 2:05 PM
To: user@guacamole.apache.org
Subject: Re: header authentication with BASE64 encoding

> On Fri, Feb 23, 2024 at 6:53 AM u...@alyn.org wrote:
>
>> Hi there!
>>
>> I’m new to Guacamole, and have successfully installed it (v1.5.4) in order
>> to implement clientless VPN RDP access to our network. The Guacamole server
>> is placed behind a corporate firewall which strongly authenticates users
>> and then serves them the Guacamole web-app through its own native
>> reverse-proxy engine.
>>
>> I installed the LDAP authentication extension, expanded our Active
>> Directory Schema (adding the guacConfigProtocol and guacConfigParameter
>> attributes along with the guacConfigGroup class), and everything is working
>> fine in this aspect, i.e., connections and connection parameters are all
>> managed within Active Directory.
>>
>> The last missing piece is header authentication – our firewall is able to
>> pass on the authenticated username as a custom HTTP header, but after
>> installing and testing out guacamole-auth-header-1.5.4.jar I stumbled into
>> the following problem: Our firewall encodes the username header in BASE64,
>> but the Guacamole header extension doesn't seem to support it and seems to
>> be expecting clear-text usernames. After investigating the issue, there is
>> no way we can tweak our firewall to avoid encoding the username, it
>> strictly enforces this behavior.
>>
>> Has anyone stumbled into this problem before? Is there some known way the
>> header extension can support BASE64 encoding? If not, where can I find the
>> header extension source code in order to try and add support for BASE64
>> myself?
>
> I've not hit this problem before, although I don't find it terribly surprising - given the types of usernames (UPNs, for example - u...@domain.com - or NT-style Windows domain - DOMAIN\USER), I can see why a firewall would do this. There's not currently any way for the extension to handle this directly - it would take some code modifications to do it.
>
> It probably wouldn't be terribly difficult to do and either have a configuration property to tell it what to do, or maybe even auto-detect when something is Base64 encoded.
>
> That said, I think you're going to run into an issue when you put this into place if you're trying to couple the header authentication module with the LDAP module, particularly if you're storing connection information inside of LDAP (which you indicated above). The LDAP module relies on the username *AND* password of the user logging in for the process of querying the LDAP tree for accessible connections. So, the flow of the LDAP module is:
>
> * User enters credentials.
> * Guacamole connects with the search bind credentials and locates the user.
> * Guacamole re-connects with the located user DN and the password the user entered.
> * Guacamole searches for available users, groups, and connections.
>
> The key is that Guacamole *always* un-binds from the search user and re-binds as the user who is logging in. This means, if you use Header (or any of the SSO modules), Guacamole will not be able to query LDAP, so you won't get any of that information.
>
> -Nick

The contents of this email were sent to you by ALYN Hospital. This email might contain confidential medical information, which is legally protected by the 1981 privacy law. This information is intended only for the use of the original addressee/s of the email from the original sender only. If you are not an intended recipient of the original sender, you are hereby notified that any disclosure, copying, and distribution of this information is strictly prohibited. If you have received this email in error, please immediately notify the sender and delete any copies of this email in your possession.
Re: header authentication with BASE64 encoding
On Fri, Feb 23, 2024 at 6:53 AM wrote:

> Hi there!
>
> I’m new to Guacamole, and have successfully installed it (v1.5.4) in order
> to implement clientless VPN RDP access to our network. The Guacamole server
> is placed behind a corporate firewall which strongly authenticates users
> and then serves them the Guacamole web-app through its own native
> reverse-proxy engine.
>
> I installed the LDAP authentication extension, expanded our Active
> Directory Schema (adding the guacConfigProtocol and guacConfigParameter
> attributes along with the guacConfigGroup class), and everything is working
> fine in this aspect, i.e., connections and connection parameters are all
> managed within Active Directory.
>
> The last missing piece is header authentication – our firewall is able to
> pass on the authenticated username as a custom HTTP header, but after
> installing and testing out guacamole-auth-header-1.5.4.jar I stumbled into
> the following problem: Our firewall encodes the username header in BASE64,
> but the Guacamole header extension doesn't seem to support it and seems to
> be expecting clear-text usernames. After investigating the issue, there is
> no way we can tweak our firewall to avoid encoding the username, it
> strictly enforces this behavior.
>
> Has anyone stumbled into this problem before? Is there some known way the
> header extension can support BASE64 encoding? If not, where can I find the
> header extension source code in order to try and add support for BASE64
> myself?

I've not hit this problem before, although I don't find it terribly surprising - given the types of usernames (UPNs, for example - u...@domain.com - or NT-style Windows domain - DOMAIN\USER), I can see why a firewall would do this. There's not currently any way for the extension to handle this directly - it would take some code modifications to do it.

It probably wouldn't be terribly difficult to do and either have a configuration property to tell it what to do, or maybe even auto-detect when something is Base64 encoded.

That said, I think you're going to run into an issue when you put this into place if you're trying to couple the header authentication module with the LDAP module, particularly if you're storing connection information inside of LDAP (which you indicated above). The LDAP module relies on the username *AND* password of the user logging in for the process of querying the LDAP tree for accessible connections. So, the flow of the LDAP module is:

* User enters credentials.
* Guacamole connects with the search bind credentials and locates the user.
* Guacamole re-connects with the located user DN and the password the user entered.
* Guacamole searches for available users, groups, and connections.

The key is that Guacamole *always* un-binds from the search user and re-binds as the user who is logging in. This means, if you use Header (or any of the SSO modules), Guacamole will not be able to query LDAP, so you won't get any of that information.

-Nick
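Nick's two replies describe the same change from two sides: this one names the design choice (a configuration property telling the header module how the value arrives, or auto-detection of Base64), and his later reply points at a commons-codec check to bolt on where the username is read. The Java below is an added example, not code from guacamole-auth-header or any other part of the Guacamole project, that implements both options side by side and shows why auto-detection is the weaker one. The names HeaderUsernameDecoder, HeaderMode, decodeHeaderUsername, decodeStrict and looksLikeBase64, and the header values fed to main, are invented for this example; it uses only java.util.Base64 from the JDK, so it compiles and runs without commons-codec.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Pattern;

/**
 * Decodes a username delivered in a trusted HTTP header either as plain text
 * or as Base64, as discussed in the thread. Example code only: the names
 * HeaderUsernameDecoder, HeaderMode, decodeHeaderUsername and looksLikeBase64
 * are hypothetical and do not exist in guacamole-auth-header.
 */
public final class HeaderUsernameDecoder {

    /** How the proxy delivers the header: known plain, known Base64, or guessed per value. */
    public enum HeaderMode { PLAIN, BASE64, AUTO }

    /** Standard Base64 alphabet with padding (RFC 4648 section 4), length a multiple of 4. */
    private static final Pattern BASE64_SHAPE = Pattern.compile(
            "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$");

    /** Strict decode: null when the value is not valid Base64 or does not decode to printable text. */
    private static String decodeStrict(String value) {
        if (!BASE64_SHAPE.matcher(value).matches())
            return null;
        byte[] bytes;
        try {
            bytes = Base64.getDecoder().decode(value);
        } catch (IllegalArgumentException e) {
            return null;
        }
        String decoded = new String(bytes, StandardCharsets.UTF_8);
        // Malformed UTF-8 becomes U+FFFD; control characters are never part of a username.
        boolean printable = !decoded.isEmpty()
                && decoded.chars().allMatch(c -> c >= 0x20 && c != 0x7F && c != 0xFFFD);
        return printable ? decoded : null;
    }

    /** True when the raw header value has the shape and content of an encoded username. */
    public static boolean looksLikeBase64(String value) {
        return value != null && decodeStrict(value) != null;
    }

    /**
     * Returns the username to hand to the rest of the authentication chain,
     * or null when the header is absent or cannot be decoded in the given mode.
     */
    public static String decodeHeaderUsername(String raw, HeaderMode mode) {
        if (raw == null)
            return null;
        String value = raw.trim();
        if (value.isEmpty())
            return null;
        switch (mode) {
            case PLAIN:
                return value;
            case BASE64:
                // Fail closed: a value that does not decode is rejected, never used as-is.
                return decodeStrict(value);
            case AUTO:
            default:
                // Ambiguous by construction: a plain name with Base64 shape is decoded too.
                String decoded = decodeStrict(value);
                return decoded != null ? decoded : value;
        }
    }

    public static void main(String[] args) {
        // Constructed header values standing in for what the firewall would send.
        String encoded = Base64.getEncoder()
                .encodeToString("DOMAIN\\USER".getBytes(StandardCharsets.UTF_8)); // RE9NQUlOXFVTRVI=
        System.out.println(decodeHeaderUsername(encoded, HeaderMode.BASE64));       // DOMAIN\USER
        System.out.println(decodeHeaderUsername(encoded, HeaderMode.AUTO));         // DOMAIN\USER

        // A plain name that is not Base64 is rejected in strict mode rather than passed through.
        System.out.println(decodeHeaderUsername("DOMAIN\\USER", HeaderMode.BASE64)); // null

        // The collision AUTO cannot see: an eight-character account name that is itself valid Base64.
        String ambiguous = "YWRtaW4x";
        System.out.println(decodeHeaderUsername(ambiguous, HeaderMode.PLAIN));      // YWRtaW4x
        System.out.println(decodeHeaderUsername(ambiguous, HeaderMode.AUTO));       // admin1
    }
}
```

Any string drawn from the Base64 alphabet whose length is a multiple of 4 is also valid Base64, so AUTO cannot tell a plain username that happens to have that shape from an encoded one, and the printable-text check only narrows the collisions, it does not remove them. Since the firewall here always encodes, a fixed BASE64 mode that rejects undecodable values is the safer wiring: a misconfiguration then fails closed instead of silently accepting plaintext. Whatever the mode, the decoded name is only as trustworthy as the header itself; Guacamole must be reachable only through the firewall, and the firewall must overwrite, not pass through, any copy of the header a client supplies.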
header authentication with BASE64 encoding
Hi there!

I’m new to Guacamole, and have successfully installed it (v1.5.4) in order to implement clientless VPN RDP access to our network. The Guacamole server is placed behind a corporate firewall which strongly authenticates users and then serves them the Guacamole web-app through its own native reverse-proxy engine.

I installed the LDAP authentication extension, expanded our Active Directory Schema (adding the guacConfigProtocol and guacConfigParameter attributes along with the guacConfigGroup class), and everything is working fine in this aspect, i.e., connections and connection parameters are all managed within Active Directory.

The last missing piece is header authentication – our firewall is able to pass on the authenticated username as a custom HTTP header, but after installing and testing out guacamole-auth-header-1.5.4.jar I stumbled into the following problem: Our firewall encodes the username header in BASE64, but the Guacamole header extension doesn't seem to support it and seems to be expecting clear-text usernames. After investigating the issue, there is no way we can tweak our firewall to avoid encoding the username, it strictly enforces this behavior.

Has anyone stumbled into this problem before? Is there some known way the header extension can support BASE64 encoding? If not, where can I find the header extension source code in order to try and add support for BASE64 myself?

Thanks in advance and best regards,
Uri Inbar