[jira] [Commented] (GUACAMOLE-547) Add support for the "none" SSH authentication method
[ https://issues.apache.org/jira/browse/GUACAMOLE-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16879422#comment-16879422 ]

Nick Couchman commented on GUACAMOLE-547:

[~shishax]: I closed the PR that you opened after testing and confirming that setting a password within a SSH connection works perfectly fine. As David says, this particular issue was about supporting devices that implement the NONE authentication method, which establishes the connection without the password (and usually prompts for a password using its own mechanism).

It's worth noting that the issue you're seeing is definitely something that could be happening, but isn't something that can really be resolved. That is:
- Device implements NONE authentication protocol
- You connect with Guacamole, specifying a username and password
- Device accepts your SSH connection with NONE, ignoring the password and then prompting you

In this case, no matter what changes you make, you will *always* be prompted for a password because the password prompt is happening during the terminal session, outside of the SSH connection.

As far as I can tell, the Guacamole Server code works perfectly fine for storing and using passwords when the remote server is using password authentication.

> Add support for the "none" SSH authentication method
>
> Key: GUACAMOLE-547
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-547
> Project: Guacamole
> Issue Type: New Feature
> Components: Documentation, SSH
> Environment: Linux 4.13.0-1012-azure #15-Ubuntu SMP Thu Mar 8 10:47:27 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
> Reporter: David Hauk
> Assignee: Nick Couchman
> Priority: Minor
> Fix For: 1.1.0
>
> Attachments: guacd_debug_fail.txt, openssh_verbose_successful connection.txt
>
> When connecting to embedded devices that implicitly allow SSH access guacd fails when the authentication method is (none). The devices permit any SSH user with no password access to the console, and then provide authentication internally via their interactive shell.
> Test cases:
> # no username and no password configured: Guacamole requests both, then fails to connect.
> # username but no password: Guacamole requests password, and then fails to connect.
> # username and password: Guacamole asks for no input, and then fails to connect.
> I've attached guacd debug logs from the failed connection attempts, plus OpenSSH (-vv) logs from a successful connection. (Files have been suitably redacted). The bit they share in common is they both state "Authentication (none)" but OpenSSH proceeds with the connection, while guacd terminates the connection:
> Guacd:
> {code:java}
> guacd[100079]: DEBUG: Successfully connected to host 192.168.233.20, port 22
> guacd[100079]: DEBUG: Supported authentication methods: (null)
> guacd[100066]: INFO: Connection "$abc52848-a11c-4397-a657-7c2d4bfdb5e9" removed.{code}
> OpenSSH:
> {code:java}
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentication succeeded (none).
> Authenticated to 192.168.233.20 ([192.168.233.20]:22).
> debug1: channel 0: new [client-session]
> debug2: channel 0: send open
> {code}

-- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (GUACAMOLE-547) Add support for the "none" SSH authentication method
[ https://issues.apache.org/jira/browse/GUACAMOLE-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16879408#comment-16879408 ]

David Hauk commented on GUACAMOLE-547:

Federico, this issue isn't about not passing a password, it's about using the RFC 4252 "None" authentication method, which embedded devices (like Cisco wireless LAN controllers and other embedded Linux hardware) use to indicate that no authentication is taking place at all. Commonly these devices just "accept" the SSH connection, map it to a low privilege user, and capture it into a configuration script using inittab so they don't get a login shell.

Simply not passing a password causes the connection from Guacamole to fail, as the device is expecting "None", but it instead gets an empty username or password.
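The RFC 4252 exchange discussed in the two comments above, as an added example that is not part of the original thread and is not Guacamole's code: it builds a "none" authentication request, parses the two possible replies, and shows why a stored password goes unused when the device answers with success. The user name `admin` and both reply payloads are constructed for illustration.

```python
import struct
from dataclasses import dataclass

# Message numbers defined by RFC 4252.
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Decode one SSH 'string' at off; return (bytes, offset after it)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("string runs past end of payload")
    return buf[off + 4:end], end


def build_none_request(user: str, service: str = "ssh-connection") -> bytes:
    """SSH_MSG_USERAUTH_REQUEST payload for method 'none' (no extra fields)."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user.encode())
            + ssh_string(service.encode()) + ssh_string(b"none"))


@dataclass
class AuthReply:
    success: bool
    methods: tuple = ()      # "authentications that can continue"
    partial: bool = False


def parse_reply(payload: bytes) -> AuthReply:
    """Parse the server's answer to a userauth request."""
    if not payload:
        raise ValueError("empty payload")
    if payload[0] == SSH_MSG_USERAUTH_SUCCESS:
        return AuthReply(success=True)   # SUCCESS carries no method list
    if payload[0] == SSH_MSG_USERAUTH_FAILURE:
        names, off = read_string(payload, 1)
        if off >= len(payload):
            raise ValueError("missing partial-success flag")
        methods = tuple(m for m in names.decode("ascii").split(",") if m)
        return AuthReply(False, methods, payload[off] != 0)
    raise ValueError(f"unexpected message type {payload[0]}")


def next_step(reply: AuthReply, have_password: bool) -> str:
    """Decide what the client does after the 'none' probe."""
    if reply.success:
        # Already authenticated: any stored password is never sent, and a
        # prompt from the device arrives later as ordinary terminal data.
        return "open-session"
    if "password" in reply.methods:
        return "send-password" if have_password else "prompt-password"
    return "abort"


# Constructed replies (not captured traffic).
DEVICE_ACCEPTS_NONE = bytes([SSH_MSG_USERAUTH_SUCCESS])
SERVER_WANTS_PASSWORD = (bytes([SSH_MSG_USERAUTH_FAILURE])
                         + ssh_string(b"publickey,password") + b"\x00")

if __name__ == "__main__":
    print(build_none_request("admin").hex())
    for name, raw in [("device", DEVICE_ACCEPTS_NONE),
                      ("server", SERVER_WANTS_PASSWORD)]:
        print(name, next_step(parse_reply(raw), have_password=True))
```

A success reply to "none" has no method list to inspect, so a client that only looks at the list of supported methods has nothing to act on; the decision has to key on the reply type first.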
[jira] [Commented] (GUACAMOLE-547) Add support for the "none" SSH authentication method
[ https://issues.apache.org/jira/browse/GUACAMOLE-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16879406#comment-16879406 ]

Federico Giuba commented on GUACAMOLE-547:

Maybe I'm missing something but, as it is, it's no longer possible to specify a password for an SSH connection as a connection parameter. The 'password' parameter is always ignored and the terminal prompts for the password. Am I wrong?

I sent a PR for fixing the issue: [https://github.com/apache/guacamole-server/pull/226]
[jira] [Issue Comment Deleted] (GUACAMOLE-547) Add support for the "none" SSH authentication method
[ https://issues.apache.org/jira/browse/GUACAMOLE-547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Federico Giuba updated GUACAMOLE-547:
    Comment: was deleted

(was: Maybe I'm missing something but, as it is, it's no longer possible to specify a password for an SSH connection as a connection parameter. The 'password' parameter is always ignored and the terminal prompts for the password. Am I wrong?

I sent a PR for fixing the issue: [https://github.com/apache/guacamole-server/pull/226])
[jira] [Commented] (GUACAMOLE-547) Add support for the "none" SSH authentication method
[ https://issues.apache.org/jira/browse/GUACAMOLE-547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16879405#comment-16879405 ]

Federico Giuba commented on GUACAMOLE-547:

Maybe I'm missing something but, as it is, it's no longer possible to specify a password for an SSH connection as a connection parameter. The 'password' parameter is always ignored and the terminal prompts for the password. Am I wrong?

I sent a PR for fixing the issue: [https://github.com/apache/guacamole-server/pull/226]
[jira] [Commented] (GUACAMOLE-839) Add support for U2F Authentication
[ https://issues.apache.org/jira/browse/GUACAMOLE-839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16879360#comment-16879360 ]

Nick Couchman commented on GUACAMOLE-839:

From what I see online, it looks like this is probably some form of certificate-based authentication, similar to a Smart Card or the like, so my guess would be that adding x509 authentication support to Guacamole would also cover this, and from that point would be a matter of O/S and Browser support for talking to the U2F device.

It is worth noting that this can probably be done, already, in Guacamole, through other mechanisms - SSO, in particular. It's quite possible CAS supports this, already (not certain on that), and any other SSO systems also supported by Guacamole would likely be able to give this support.

> Add support for U2F Authentication
>
> Key: GUACAMOLE-839
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-839
> Project: Guacamole
> Issue Type: New Feature
> Components: guacamole-client
> Reporter: Bastian Machek
> Priority: Minor
>
> Implement Universal 2nd Factor authentication support, which appears to be a hardware key mechanism.
[jira] [Updated] (GUACAMOLE-839) Add support for U2F Authentication
[ https://issues.apache.org/jira/browse/GUACAMOLE-839?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nick Couchman updated GUACAMOLE-839:
    Description: Implement Universal 2nd Factor authentication support, which appears to be a hardware key mechanism. (was: Is U2F support planned?)
[jira] [Commented] (GUACAMOLE-221) Parameter prompting within client interface
[ https://issues.apache.org/jira/browse/GUACAMOLE-221?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16879186#comment-16879186 ]

Michael Muenz commented on GUACAMOLE-221:

Thanks for your fast response, Nick. Perhaps I wasn't clear enough, I'd like to pay someone - best someone with commit bit - to build this feature as open source, useable for everyone. We also sponsored features for projects like OPNsense in the past, no big deal.

> Parameter prompting within client interface
>
> Key: GUACAMOLE-221
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-221
> Project: Guacamole
> Issue Type: New Feature
> Components: guacamole
> Reporter: Michael Jumper
> Assignee: Nick Couchman
> Priority: Major
>
> {panel:bgColor=#EE}
> *The description of this issue was copied from [GUAC-335|https://glyptodon.org/jira/browse/GUAC-335], an issue in the JIRA instance used by the Guacamole project prior to its acceptance into the Apache Incubator.*
> Comments, attachments, related issues, and history from prior to acceptance *have not been copied* and can be found instead at the original issue.
> {panel}
> Some parameters, such as the username/password for VNC or RDP, are better entered manually within the client when connecting rather than stored on the server in MySQL or {{user-mapping.xml}}.
> Storing secure data within parameters on the server side has security implications that don't fit well with all use cases.
> Further, some connections would benefit if their settings can be modified locally before connecting. A user could change the color depth or screen size of their RDP session, for example, for the sake of a slower connection.
[jira] [Commented] (GUACAMOLE-221) Parameter prompting within client interface
[ https://issues.apache.org/jira/browse/GUACAMOLE-221?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16879185#comment-16879185 ]

Nick Couchman commented on GUACAMOLE-221:

[~mimugmail]: There is no such thing as a "paid feature" in Guacamole. It is an open source project. You could possibly pay someone to work on this feature, but the code would be contributed to Guacamole and would be available to all.

{quote}
When a new user joins the team we'd have to add a new connection profile for each system.
{quote}

Maybe so, but maybe not. You should look at Parameter Tokens (http://guacamole.apache.org/doc/gug/configuring-guacamole.html#parameter-tokens) and see if those would help out your use-case.
[jira] [Updated] (GUACAMOLE-839) U2F support
[ https://issues.apache.org/jira/browse/GUACAMOLE-839?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nick Couchman updated GUACAMOLE-839:
    Component/s: (was: guacamole) guacamole-client

> U2F support
>
> Key: GUACAMOLE-839
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-839
> Project: Guacamole
> Issue Type: Wish
> Components: guacamole-client
> Reporter: Bastian Machek
> Priority: Minor
> Labels: u2f
>
> Is U2F support planned?
[jira] [Updated] (GUACAMOLE-839) Add support for U2F Authentication
[ https://issues.apache.org/jira/browse/GUACAMOLE-839?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nick Couchman updated GUACAMOLE-839:
    Summary: Add support for U2F Authentication (was: U2F support)

> Add support for U2F Authentication
>
> Key: GUACAMOLE-839
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-839
> Project: Guacamole
> Issue Type: Wish
> Components: guacamole-client
> Reporter: Bastian Machek
> Priority: Minor
>
> Is U2F support planned?
[jira] [Updated] (GUACAMOLE-839) U2F support
[ https://issues.apache.org/jira/browse/GUACAMOLE-839?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nick Couchman updated GUACAMOLE-839:
    Labels: (was: u2f)

> U2F support
>
> Key: GUACAMOLE-839
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-839
> Project: Guacamole
> Issue Type: Wish
> Components: guacamole-client
> Reporter: Bastian Machek
> Priority: Minor
>
> Is U2F support planned?
[jira] [Updated] (GUACAMOLE-839) Add support for U2F Authentication
[ https://issues.apache.org/jira/browse/GUACAMOLE-839?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nick Couchman updated GUACAMOLE-839:
    Issue Type: New Feature (was: Wish)

> Add support for U2F Authentication
>
> Key: GUACAMOLE-839
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-839
> Project: Guacamole
> Issue Type: New Feature
> Components: guacamole-client
> Reporter: Bastian Machek
> Priority: Minor
>
> Is U2F support planned?
[jira] [Commented] (GUACAMOLE-839) U2F support
[ https://issues.apache.org/jira/browse/GUACAMOLE-839?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16879183#comment-16879183 ]

Nick Couchman commented on GUACAMOLE-839:

I have not seen any requests for or conversations about implementing support for it at this point.

> U2F support
>
> Key: GUACAMOLE-839
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-839
> Project: Guacamole
> Issue Type: Wish
> Components: guacamole
> Reporter: Bastian Machek
> Priority: Minor
> Labels: u2f
>
> Is U2F support planned?
[jira] [Updated] (GUACAMOLE-839) U2F support
[ https://issues.apache.org/jira/browse/GUACAMOLE-839?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nick Couchman updated GUACAMOLE-839:
    Priority: Minor (was: Major)
[jira] [Commented] (GUACAMOLE-221) Parameter prompting within client interface
[ https://issues.apache.org/jira/browse/GUACAMOLE-221?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16879178#comment-16879178 ]

Michael Muenz commented on GUACAMOLE-221:

Is there a chance to make this a paid feature to speed up development? Main problem is we want to use GUAC as a team, and everyone has different credentials. When a new user joins the team we'd have to add a new connection profile for each system.