Re: header authentication with BASE64 encoding

2024-02-23 Thread Nick Couchman
On Fri, Feb 23, 2024 at 7:48 AM  wrote:

> Thanks for the quick reply, Nick.
>
> Can you point out a justified reason for the LDAP module behavior you were
> mentioning? As far as I can think of, there shouldn’t be any practical
> reason for not being able to use the search user’s binding in order to
> query the logon user’s memberships in guacConfigGroup objects.

It's actually quite practical and quite intentionally designed to behave
that way. It allows for the LDAP extension to make use of the security
built in to the LDAP directory, so that you can restrict access to
connections by simply using LDAP ACLs to restrict what the user can see. I
would imagine that, at some point, we may provide alternatives within the
implementation to this - a configuration option that makes it behave
differently - but I would also expect we would retain this as the default
behavior.


> In any case, if this is how it is implemented I reckon that I could simply
> revert back to using the plain user-mapping.xml file, hoping that header
> authentication works fine with it. So getting back to my original question,
> is there a known way I get access to the guacamole-auth-header source code,
> or alternatively get assistance from its authors in order to add support
> for base64 encoding?

The user-mapping.xml file will not work because it does not "layer" with
any of the other modules, for a couple of reasons. One is that it sort of
behaves like the LDAP module does, in one respect, where the ability to get
access to the connections defined in the file is based on you
authenticating with a valid username *and* password as defined in the file
- and if you're not entering a password, or entering a password that
doesn't match the one in the file, you're not going to get the connections
as defined in the file. The extension for storing connections that will
allow you to use Header, SSO, etc., is really the JDBC module - it's very
much designed to be a flexible back-end that works well with most of the
other modules.

The source code for guacamole-client can be found here:

https://github.com/apache/guacamole-client

with the header module, specifically, here:

https://github.com/apache/guacamole-client/tree/master/extensions/guacamole-auth-header

I was the original author of the header module, so I'm fairly familiar with
the code. Also, a quick Google search for "how to detect base64 encoding in
Java" turns up some options that should be pretty straight-forward:

import org.apache.commons.codec.binary.Base64; // Apache Commons Codec; isArrayByteBase64 is deprecated since 1.5 in favor of isBase64(byte[])

String stringToBeChecked = "...";
boolean isBase64 = Base64.isArrayByteBase64(stringToBeChecked.getBytes());

(from
https://stackoverflow.com/questions/8571501/how-to-check-whether-a-string-is-base64-encoded-or-not
).

Should be easy enough to add that check into the Header module where it
gets the username, and then decode if it believes it is Base64 encoded.

-Nick


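The check quoted above only tests that every character belongs to the Base64 alphabet, which any short alphanumeric username also passes, so "auto-detect" needs more than that before it can safely replace what the proxy sent. The following is an added example, written for this thread and not code from guacamole-auth-header or from Nick, of what the decode step could look like at the point where the header module reads the username. It uses the JDK's java.util.Base64 instead of Commons Codec, decodes only values that are canonical Base64 and yield well-formed UTF-8 without control characters, and takes its behaviour from a mode value standing in for the configuration property Nick mentions. The class name, the Mode enum, the method names and the sample header values are all hypothetical.

```java
import java.nio.ByteBuffer;
import java.nio.charset.CharacterCodingException;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;
import java.util.regex.Pattern;

/**
 * Hypothetical helper (not part of guacamole-auth-header) that turns the raw
 * value of the username header into the username handed to Guacamole.
 */
public final class HeaderUsernameDecoder {

    /** How the proxy is known to deliver the header; would be a config property. */
    public enum Mode { PLAIN, BASE64, AUTO }

    // Canonical Base64: standard alphabet, correct padding, length a multiple of 4.
    private static final Pattern CANONICAL_BASE64 = Pattern.compile(
        "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$");

    private HeaderUsernameDecoder() {}

    /**
     * Returns the username to use, or empty if the header is absent or, in
     * BASE64 mode, not decodable. In AUTO mode a value that does not decode
     * cleanly is passed through unchanged so plain usernames keep working.
     */
    public static Optional<String> usernameFromHeader(String headerValue, Mode mode) {
        if (headerValue == null) return Optional.empty();
        String raw = headerValue.trim();
        if (raw.isEmpty()) return Optional.empty();

        switch (mode) {
            case PLAIN:
                return Optional.of(raw);
            case BASE64:
                return decodeIfCanonical(raw);
            case AUTO:
            default:
                Optional<String> decoded = decodeIfCanonical(raw);
                return decoded.isPresent() ? decoded : Optional.of(raw);
        }
    }

    /**
     * Decodes only if the value is canonical Base64 AND the decoded bytes are
     * well-formed UTF-8 containing no control characters; otherwise empty.
     */
    static Optional<String> decodeIfCanonical(String value) {
        if (value.length() % 4 != 0 || !CANONICAL_BASE64.matcher(value).matches()) {
            return Optional.empty();
        }
        byte[] bytes;
        try {
            bytes = Base64.getDecoder().decode(value); // strict RFC 4648 decoder
        } catch (IllegalArgumentException e) {
            return Optional.empty();
        }
        String text;
        try {
            text = StandardCharsets.UTF_8.newDecoder()
                .onMalformedInput(CodingErrorAction.REPORT)
                .onUnmappableCharacter(CodingErrorAction.REPORT)
                .decode(ByteBuffer.wrap(bytes))
                .toString();
        } catch (CharacterCodingException e) {
            return Optional.empty(); // arbitrary bytes, not a username
        }
        if (text.isEmpty()) return Optional.empty();
        for (int i = 0; i < text.length(); i++) {
            if (Character.isISOControl(text.charAt(i))) return Optional.empty();
        }
        return Optional.of(text);
    }

    public static void main(String[] args) {
        // Constructed sample header values, not captured from any real proxy.
        String upn   = "dXNlckBkb21haW4uY29t"; // Base64 of a UPN-style name
        String nt    = "RE9NQUlOXHVzZXI=";     // Base64 of an NT-style DOMAIN\user name
        String plain = "user";                 // looks canonical but decodes to invalid UTF-8
        String trap  = "MTIz";                 // plain username that also decodes cleanly

        System.out.println(usernameFromHeader(upn, Mode.AUTO));
        System.out.println(usernameFromHeader(nt, Mode.AUTO));
        System.out.println(usernameFromHeader(plain, Mode.AUTO));   // falls through unchanged
        System.out.println(usernameFromHeader(trap, Mode.AUTO));    // AUTO guesses wrong here
        System.out.println(usernameFromHeader(trap, Mode.PLAIN));
        System.out.println(usernameFromHeader(plain, Mode.BASE64)); // rejected, not logged in
    }
}
```

Even the stricter check cannot settle every case: a plain username such as MTIz is canonical Base64 and decodes cleanly to 123, so AUTO would map that person to a different account name, whereas user decodes to bytes that are not valid UTF-8 and falls through unchanged. That is why the mode belongs in configuration, with BASE64 set explicitly when, as in this thread, the proxy is known to always encode the header, and AUTO reserved for deployments where the proxy's behaviour genuinely varies.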

RE: header authentication with BASE64 encoding

2024-02-23 Thread uri
Thanks for the quick reply, Nick.

Can you point out a justified reason for the LDAP module behavior you were 
mentioning? As far as I can think of, there shouldn’t be any practical reason 
for not being able to use the search user’s binding in order to query the logon 
user’s memberships in guacConfigGroup objects.

In any case, if this is how it is implemented I reckon that I could simply 
revert back to using the plain user-mapping.xml file, hoping that header 
authentication works fine with it. So getting back to my original question, is 
there a known way I get access to the guacamole-auth-header source code, or 
alternatively get assistance from its authors in order to add support for 
base64 encoding?

Best wishes,
Uri


From: Nick Couchman 
Sent: Friday, February 23, 2024 2:05 PM
To: user@guacamole.apache.org
Subject: Re: header authentication with BASE64 encoding

On Fri, Feb 23, 2024 at 6:53 AM u...@alyn.org wrote:
Hi there!

I’m new to Guacamole, and have successfully installed it (v1.5.4) in order to 
implement clientless VPN RDP access to our network. The Guacamole server is 
placed behind a corporate firewall which strongly authenticates users and then 
serves them the Guacamole web-app through its own native reverse-proxy engine.

I installed the LDAP authentication extension, expanded our Active Directory 
Schema (adding the guacConfigProtocol and guacConfigParameter attributes along 
with the guacConfigGroup class), and everything is working fine in this aspect, 
i.e., connections and connection parameters are all managed within Active 
Directory.

The last missing piece is header authentication – our firewall is able to pass 
on the authenticated username as a custom HTTP header, but after installing and 
testing out guacamole-auth-header-1.5.4.jar I stumbled into the following 
problem: Our firewall encodes the username header in BASE64, but the Guacamole 
header extension does seem to support it and seems to be expecting clear-text 
usernames. After investigating the issue, there is no way we can tweak our 
firewall to avoid encoding the username, it strictly enforces this behavior.

Has anyone stumbled into this problem before? Is there some known way the 
header extension can support BASE64 encoding? If not, where can I find the 
header extension source code in order to try and add support for BASE64 myself?


I've not hit this problem before, although I don't find it terribly surprising 
- given the types of usernames (UPNs, for example - u...@domain.com - or 
NT-style Windows domain - DOMAIN\USER), I can see why a firewall would do this.

There's not currently any way for the extension to handle this directly - it 
would take some code modifications to do it. It probably wouldn't be terribly 
difficult to do and either have a configuration property to tell it what to do, 
or maybe even auto-detect when something is Base64 encoded.

That said, I think you're going to run into an issue when you put this into 
place if you're trying to couple the header authentication module with the LDAP 
module, particularly if you're storing connection information inside of LDAP 
(which you indicated above). The LDAP module relies on the username *AND* 
password of the user logging in for the process of querying the LDAP tree for 
accessible connections. So, the flow of the LDAP module is:
* User enters credentials.
* Guacamole connects with the search bind credentials and locates the user.
* Guacamole re-connects with the located user DN and the password the user 
entered.
* Guacamole searches for available users, groups, and connections.

The key is that Guacamole *always* un-binds from the search user and re-binds 
as the user who is logging in. This means, if you use Header (or any of the SSO 
modules), Guacamole will not be able to query LDAP, so you won't get any of 
that information.

-Nick


The contents of this email was sent to you by ALYN Hospital. This email might 
contain confidential medical information, which is legally protected by the 
1981 privacy law. This information is intended only for the use of the original 
addressee/s of the email from the original sender only. If you are not an 
intended recipient of the original sender, you are hereby notified that any 
disclosure, copying, and distribution of this information, is strictly 
prohibited. If you have received this email in error, please immediately notify 
the sender and delete any copies of this email in your possession.


Re: header authentication with BASE64 encoding

2024-02-23 Thread Nick Couchman
On Fri, Feb 23, 2024 at 6:53 AM  wrote:

> Hi there!
>
> I’m new to Guacamole, and have successfully installed it (v1.5.4) in order
> to implement clientless VPN RDP access to our network. The Guacamole server
> is placed behind a corporate firewall which strongly authenticates users
> and then serves them the Guacamole web-app through its own native
> reverse-proxy engine.
>
> I installed the LDAP authentication extension, expanded our Active
> Directory Schema (adding the guacConfigProtocol and guacConfigParameter
> attributes along with the guacConfigGroup class), and everything is working
> fine in this aspect, i.e., connections and connection parameters are all
> managed within Active Directory.
>
> The last missing piece is header authentication – our firewall is able to
> pass on the authenticated username as a custom HTTP header, but after
> installing and testing out guacamole-auth-header-1.5.4.jar I stumbled into
> the following problem: Our firewall encodes the username header in BASE64,
> but the Guacamole header extension does seem to support it and seems to be
> expecting clear-text usernames. After investigating the issue, there is no
> way we can tweak our firewall to avoid encoding the username, it strictly
> enforces this behavior.
>
> Has anyone stumbled into this problem before? Is there some known way the
> header extension can support BASE64 encoding? If not, where can I find the
> header extension source code in order to try and add support for BASE64
> myself?

I've not hit this problem before, although I don't find it terribly
surprising - given the types of usernames (UPNs, for example -
u...@domain.com - or NT-style Windows domain - DOMAIN\USER), I can see why
a firewall would do this.

There's not currently any way for the extension to handle this directly -
it would take some code modifications to do it. It probably wouldn't be
terribly difficult to do and either have a configuration property to tell
it what to do, or maybe even auto-detect when something is Base64 encoded.

That said, I think you're going to run into an issue when you put this into
place if you're trying to couple the header authentication module with the
LDAP module, particularly if you're storing connection information inside
of LDAP (which you indicated above). The LDAP module relies on the username
*AND* password of the user logging in for the process of querying the LDAP
tree for accessible connections. So, the flow of the LDAP module is:
* User enters credentials.
* Guacamole connects with the search bind credentials and locates the user.
* Guacamole re-connects with the located user DN and the password the user
entered.
* Guacamole searches for available users, groups, and connections.

The key is that Guacamole *always* un-binds from the search user and
re-binds as the user who is logging in. This means, if you use Header (or
any of the SSO modules), Guacamole will not be able to query LDAP, so you
won't get any of that information.

-Nick



header authentication with BASE64 encoding

2024-02-23 Thread uri
Hi there!

I’m new to Guacamole, and have successfully installed it (v1.5.4) in order to 
implement clientless VPN RDP access to our network. The Guacamole server is 
placed behind a corporate firewall which strongly authenticates users and then 
serves them the Guacamole web-app through its own native reverse-proxy engine.

I installed the LDAP authentication extension, expanded our Active Directory 
Schema (adding the guacConfigProtocol and guacConfigParameter attributes along 
with the guacConfigGroup class), and everything is working fine in this aspect, 
i.e., connections and connection parameters are all managed within Active 
Directory.

The last missing piece is header authentication – our firewall is able to pass 
on the authenticated username as a custom HTTP header, but after installing and 
testing out guacamole-auth-header-1.5.4.jar I stumbled into the following 
problem: Our firewall encodes the username header in BASE64, but the Guacamole 
header extension does seem to support it and seems to be expecting clear-text 
usernames. After investigating the issue, there is no way we can tweak our 
firewall to avoid encoding the username, it strictly enforces this behavior.

Has anyone stumbled into this problem before? Is there some known way the 
header extension can support BASE64 encoding? If not, where can I find the 
header extension source code in order to try and add support for BASE64 myself?

Thanks in advance and best regards,
Uri Inbar
