[jira] [Commented] (GUACAMOLE-547) Add support for the "none" SSH authentication method

2019-07-05 Thread Nick Couchman (JIRA)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16879422#comment-16879422
 ] 

Nick Couchman commented on GUACAMOLE-547:
-

[~shishax]: I closed the PR that you opened after testing and confirming that 
setting a password within an SSH connection works perfectly fine.  As David 
says, this particular issue was about supporting devices that implement the 
NONE authentication method, which establishes the connection without the 
password (and usually prompts for a password using its own mechanism).

It's worth noting that the issue you're seeing is definitely something that 
could be happening, but isn't something that can really be resolved.  That is:
- Device implements NONE authentication protocol
- You connect with Guacamole, specifying a username and password
- Device accepts your SSH connection with NONE, ignoring the password and then 
prompting you

In this case, no matter what changes you make, you will *always* be prompted 
for a password because the password prompt is happening during the terminal 
session, outside of the SSH connection.

As far as I can tell, the Guacamole Server code works perfectly fine for 
storing and using passwords when the remote server is using password 
authentication.

> Add support for the "none" SSH authentication method
> 
>
> Key: GUACAMOLE-547
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-547
> Project: Guacamole
>  Issue Type: New Feature
>  Components: Documentation, SSH
> Environment: Linux 4.13.0-1012-azure #15-Ubuntu SMP Thu Mar 8 
> 10:47:27 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
>Reporter: David Hauk
>Assignee: Nick Couchman
>Priority: Minor
> Fix For: 1.1.0
>
> Attachments: guacd_debug_fail.txt, openssh_verbose_successful 
> connection.txt
>
>
> When connecting to embedded devices that implicitly allow SSH access guacd 
> fails when the authentication method is (none).  The devices permit any SSH 
> user with no password access to the console, and then provide authentication 
> internally via their interactive shell.
> Test cases:
>  # no username and no password configured:  Guacamole requests both, then 
> fails to connect.
>  # username but no password:  Guacamole requests password, and then fails to 
> connect.
>  # username and password:  Guacamole asks for no input, and then fails to 
> connect.
> I've attached guacd debug logs from the failed connection attempts, plus 
> OpenSSH  (-vv) logs from a successful connection.  (Files have been suitably 
> redacted).  The bit they share in common is they both state "Authentication 
> (none)" but OpenSSH proceeds with the connection, while guacd terminates the 
> connection:
> Guacd:
> {code:java}
> guacd[100079]: DEBUG: Successfully connected to host 192.168.233.20, port 22
> guacd[100079]: DEBUG: Supported authentication methods: (null)
> guacd[100066]: INFO: Connection "$abc52848-a11c-4397-a657-7c2d4bfdb5e9" removed.
> {code}
> OpenSSH:
> {code:java}
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentication succeeded (none).
> Authenticated to 192.168.233.20 ([192.168.233.20]:22).
> debug1: channel 0: new [client-session]
> debug2: channel 0: send open
> {code}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
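
The flow described in the comment above, as an added example (not Guacamole's or libssh2's code): under RFC 4252 a client may probe with a "none" request, and the server's reply decides whether a stored password is ever sent. The function names and the sample payloads are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Message numbers defined by RFC 4252. */
#define SSH_MSG_USERAUTH_FAILURE 51
#define SSH_MSG_USERAUTH_SUCCESS 52

typedef enum {
    NONE_AUTH_ACCEPTED,  /* server let the client in; no credential was checked */
    NONE_AUTH_CONTINUE,  /* server listed the methods the client may try next */
    NONE_AUTH_MALFORMED  /* truncated or unexpected payload */
} none_auth_result;

/* Constructed sample payloads (not captured from a real device). */
static const uint8_t SAMPLE_ACCEPT[] = { SSH_MSG_USERAUTH_SUCCESS };
static const uint8_t SAMPLE_CONTINUE[] = {
    SSH_MSG_USERAUTH_FAILURE, 0, 0, 0, 18,
    'p','u','b','l','i','c','k','e','y',',','p','a','s','s','w','o','r','d',
    0 /* partial success = false */
};

/* Classify the reply to a "none" SSH_MSG_USERAUTH_REQUEST. On CONTINUE the
 * comma-separated method list is copied, NUL-terminated, into methods. */
none_auth_result classify_none_reply(const uint8_t *p, size_t len,
                                     char *methods, size_t methods_len) {
    if (methods_len == 0) return NONE_AUTH_MALFORMED;
    methods[0] = '\0';
    if (len == 1 && p[0] == SSH_MSG_USERAUTH_SUCCESS) return NONE_AUTH_ACCEPTED;
    /* FAILURE = byte 51, name-list (uint32 length + bytes), boolean. */
    if (len < 6 || p[0] != SSH_MSG_USERAUTH_FAILURE) return NONE_AUTH_MALFORMED;
    uint32_t list_len = ((uint32_t)p[1] << 24) | ((uint32_t)p[2] << 16) |
                        ((uint32_t)p[3] << 8) | p[4];
    /* The declared length must match the packet and fit the caller's buffer. */
    if (list_len != len - 6 || list_len >= methods_len) return NONE_AUTH_MALFORMED;
    memcpy(methods, p + 5, list_len);
    methods[list_len] = '\0';
    return NONE_AUTH_CONTINUE;
}

/* Return 1 if name is a whole entry of the comma-separated list. */
int method_listed(const char *list, const char *name) {
    size_t n = strlen(name);
    for (;;) {
        const char *end = strchr(list, ',');
        size_t tok = end ? (size_t)(end - list) : strlen(list);
        if (tok == n && memcmp(list, name, n) == 0) return 1;
        if (!end) return 0;
        list = end + 1;
    }
}

/* A stored password is only ever sent when the server asks for that method. */
int should_send_password(none_auth_result r, const char *methods) {
    return r == NONE_AUTH_CONTINUE && method_listed(methods, "password");
}

int main(void) {
    char methods[64];
    none_auth_result r = classify_none_reply(SAMPLE_ACCEPT, sizeof SAMPLE_ACCEPT,
                                             methods, sizeof methods);
    printf("none accepted: send password? %d\n", should_send_password(r, methods));
    r = classify_none_reply(SAMPLE_CONTINUE, sizeof SAMPLE_CONTINUE,
                            methods, sizeof methods);
    printf("methods \"%s\": send password? %d\n", methods,
           should_send_password(r, methods));
    return 0;
}
```

When the reply is SSH_MSG_USERAUTH_SUCCESS the SSH layer has verified no credential at all, so any password prompt that follows is drawn by the device inside the terminal session.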


[jira] [Commented] (GUACAMOLE-547) Add support for the "none" SSH authentication method

2019-07-05 Thread David Hauk (JIRA)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16879408#comment-16879408
 ] 

David Hauk commented on GUACAMOLE-547:
--

Federico, this issue isn't about not passing a password, it's about using the 
RFC4252 "None" authentication method, which embedded devices (like Cisco 
wireless LAN controllers and other embedded Linux hardware) use to indicate 
that no authentication is taking place at all.

Commonly these devices just "accept" the SSH connection, map it to a low 
privilege user, and capture it into a configuration script using inittab so 
they don't get a login shell.

Simply not passing a password causes the connection from Guacamole to fail, as 
the device is expecting "None", but it instead gets an empty username or 
password. 



[jira] [Commented] (GUACAMOLE-547) Add support for the "none" SSH authentication method

2019-07-05 Thread Federico Giuba (JIRA)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16879406#comment-16879406
 ] 

Federico Giuba commented on GUACAMOLE-547:
--

Maybe I'm missing something but, as it is, it's no longer possible to specify a 
password for an SSH connection as a connection parameter.

The 'password' parameter is always ignored and the terminal prompts for the 
password.

Am I wrong?

I sent a PR for fixing the issue: 
[https://github.com/apache/guacamole-server/pull/226]



[jira] [Issue Comment Deleted] (GUACAMOLE-547) Add support for the "none" SSH authentication method

2019-07-05 Thread Federico Giuba (JIRA)


 [ 
https://issues.apache.org/jira/browse/GUACAMOLE-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Federico Giuba updated GUACAMOLE-547:
-
Comment: was deleted

(was: Maybe I'm missing something but, as it is, it's no longer possible to 
specify a password for an SSH connection as a connection parameter.

The 'password' parameter is always ignored and the terminal prompts for the 
password.

Am I wrong?

I sent a PR for fixing the issue: 
[https://github.com/apache/guacamole-server/pull/226])



[jira] [Commented] (GUACAMOLE-547) Add support for the "none" SSH authentication method

2019-07-05 Thread Federico Giuba (JIRA)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16879405#comment-16879405
 ] 

Federico Giuba commented on GUACAMOLE-547:
--

Maybe I'm missing something but, as it is, it's no longer possible to specify a 
password for an SSH connection as a connection parameter.

The 'password' parameter is always ignored and the terminal prompts for the 
password.

Am I wrong?

I sent a PR for fixing the issue: 
[https://github.com/apache/guacamole-server/pull/226]



[jira] [Updated] (GUACAMOLE-839) Add support for U2F Authentication

2019-07-05 Thread Nick Couchman (JIRA)


 [ 
https://issues.apache.org/jira/browse/GUACAMOLE-839?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Nick Couchman updated GUACAMOLE-839:

Description: Implement Universal 2nd Factor authentication support, which 
appears to be a hardware key mechanism.  (was: Is U2F support planned?)

> Add support for U2F Authentication
> --
>
> Key: GUACAMOLE-839
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-839
> Project: Guacamole
>  Issue Type: New Feature
>  Components: guacamole-client
>Reporter: Bastian Machek
>Priority: Minor
>
> Implement Universal 2nd Factor authentication support, which appears to be a 
> hardware key mechanism.





[jira] [Commented] (GUACAMOLE-221) Parameter prompting within client interface

2019-07-05 Thread Nick Couchman (JIRA)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-221?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16879185#comment-16879185
 ] 

Nick Couchman commented on GUACAMOLE-221:
-

[~mimugmail]: There is no such thing as a "paid feature" in Guacamole.  It is 
an open source project.  You could possibly pay someone to work on this 
feature, but the code would be contributed to Guacamole and would be available 
to all.

{quote}
When a new user joins the team we'd have to add a new connection profile for 
each system.
{quote}

Maybe so, but maybe not.  You should look at Parameter Tokens 
(http://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens)
 and see if those would help out your use-case.

> Parameter prompting within client interface
> ---
>
> Key: GUACAMOLE-221
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-221
> Project: Guacamole
>  Issue Type: New Feature
>  Components: guacamole
>Reporter: Michael Jumper
>Assignee: Nick Couchman
>Priority: Major
>
> {panel:bgColor=#EE}
> *The description of this issue was copied from 
> [GUAC-335|https://glyptodon.org/jira/browse/GUAC-335], an issue in the JIRA 
> instance used by the Guacamole project prior to its acceptance into the 
> Apache Incubator.*
> Comments, attachments, related issues, and history from prior to acceptance 
> *have not been copied* and can be found instead at the original issue.
> {panel}
> Some parameters, such as the username/password for VNC or RDP, are better 
> entered manually within the client when connecting rather than stored on the 
> server in MySQL or {{user-mapping.xml}}.
> Storing secure data within parameters on the server side has security 
> implications that don't fit well with all use cases.
> Further, some connections would benefit if their settings can be modified 
> locally before connecting. A user could change the color depth or screen size 
> of their RDP session, for example, for the sake of a slower connection.





[jira] [Updated] (GUACAMOLE-839) U2F support

2019-07-05 Thread Nick Couchman (JIRA)


 [ 
https://issues.apache.org/jira/browse/GUACAMOLE-839?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Nick Couchman updated GUACAMOLE-839:

Component/s: guacamole-client  (was: guacamole)

> U2F support
> ---
>
> Key: GUACAMOLE-839
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-839
> Project: Guacamole
>  Issue Type: Wish
>  Components: guacamole-client
>Reporter: Bastian Machek
>Priority: Minor
>  Labels: u2f
>
> Is U2F support planned?





[jira] [Updated] (GUACAMOLE-839) Add support for U2F Authentication

2019-07-05 Thread Nick Couchman (JIRA)


 [ 
https://issues.apache.org/jira/browse/GUACAMOLE-839?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Nick Couchman updated GUACAMOLE-839:

Summary: Add support for U2F Authentication  (was: U2F support)

> Add support for U2F Authentication
> --
>
> Key: GUACAMOLE-839
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-839
> Project: Guacamole
>  Issue Type: Wish
>  Components: guacamole-client
>Reporter: Bastian Machek
>Priority: Minor
>
> Is U2F support planned?





[jira] [Updated] (GUACAMOLE-839) Add support for U2F Authentication

2019-07-05 Thread Nick Couchman (JIRA)


 [ 
https://issues.apache.org/jira/browse/GUACAMOLE-839?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Nick Couchman updated GUACAMOLE-839:

Issue Type: New Feature  (was: Wish)

> Add support for U2F Authentication
> --
>
> Key: GUACAMOLE-839
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-839
> Project: Guacamole
>  Issue Type: New Feature
>  Components: guacamole-client
>Reporter: Bastian Machek
>Priority: Minor
>
> Is U2F support planned?





[jira] [Updated] (GUACAMOLE-839) U2F support

2019-07-05 Thread Nick Couchman (JIRA)


 [ 
https://issues.apache.org/jira/browse/GUACAMOLE-839?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Nick Couchman updated GUACAMOLE-839:

Labels:   (was: u2f)

> U2F support
> ---
>
> Key: GUACAMOLE-839
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-839
> Project: Guacamole
>  Issue Type: Wish
>  Components: guacamole-client
>Reporter: Bastian Machek
>Priority: Minor
>
> Is U2F support planned?





[jira] [Commented] (GUACAMOLE-839) U2F support

2019-07-05 Thread Nick Couchman (JIRA)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16879183#comment-16879183
 ] 

Nick Couchman commented on GUACAMOLE-839:
-

I have not seen any requests for or conversations about implementing support 
for it at this point.

> U2F support
> ---
>
> Key: GUACAMOLE-839
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-839
> Project: Guacamole
>  Issue Type: Wish
>  Components: guacamole
>Reporter: Bastian Machek
>Priority: Minor
>  Labels: u2f
>
> Is U2F support planned?





[jira] [Updated] (GUACAMOLE-839) U2F support

2019-07-05 Thread Nick Couchman (JIRA)


 [ 
https://issues.apache.org/jira/browse/GUACAMOLE-839?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Nick Couchman updated GUACAMOLE-839:

Priority: Minor  (was: Major)

> U2F support
> ---
>
> Key: GUACAMOLE-839
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-839
> Project: Guacamole
>  Issue Type: Wish
>  Components: guacamole
>Reporter: Bastian Machek
>Priority: Minor
>  Labels: u2f
>
> Is U2F support planned?





[jira] [Commented] (GUACAMOLE-221) Parameter prompting within client interface

2019-07-05 Thread Michael Muenz (JIRA)


[ 
https://issues.apache.org/jira/browse/GUACAMOLE-221?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16879178#comment-16879178
 ] 

Michael Muenz commented on GUACAMOLE-221:
-

Is there a chance to make this a paid feature to speed up development?

Main problem is we want to use GUAC as a team, and everyone has different 
credentials. When a new user joins the team we'd have to add a new connection 
profile for each system.
