Re: 2FA: using TOTP authenticators (examples)
On Wednesday, February 9, 2022, 06:11:59 PM GMT+1, Mike Jumper wrote: >> Any ideas why one can't customize totp-digits and totp-mode whlle using >> these apps (eg. Google Authenticator or MS Authenticator)? > > THESE values (totp-digits and totp-mode) are the only change that you needed > to make, and the only reason that specific authenticator apps would not work. > Some TOTP apps like Google Authenticator will silently > ignore the TOTP digits and mode, instead assuming that the defaults will > always be used. The authenticator app then begins generating invalid TOTP > codes. OK, got it. That was the real issue then. Everything else was coincidental. So I guess there are still no authenticator apps out there that honor the totp-digits and totp-mode settings. Thanks, Vieri - To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org For additional commands, e-mail: user-h...@guacamole.apache.org
Re: 2FA: using TOTP authenticators (examples)
On Wednesday, February 9, 2022, 06:14:29 PM GMT+1, Hankins, Jonathan wrote: > If you are on 1.4.0 and still have access to another admin account, you can > clear it in the Settings / Users page for guacadmin. > > Otherwise it's in the database, in the guacamole_user_attribute table. Thanks, Jonathan. So, it's expected that if I log in as guacadmin I cannot "Clear TOTP secret" and Save? I get a permission denied error. I can see that it's the case for any "admin" user. I can only clear the secret of another account, not my own. So I made the following change in the DB: update guacamole_user_attribute set attribute_value = 'false' where attribute_name = 'guac-totp-key-confirmed' and user_id = 1; That was enough to re-enroll. Thanks, Vieri - To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org For additional commands, e-mail: user-h...@guacamole.apache.org
guacd.service dont work on el8
Hello folks, I have problem after install on el8 (rocky8.5), but I don't know if isn't bug.Default service file guacd.service is configured for user daemon and one parameter -f and if I start service, It don't work and no error in log. Selinux is disabled all the time.So then I start instead in cli mode as daemon and It don't work too.I tried start as daemon with paramaeters "-b 0.0.0.0 -f" it dont work too.Finally this works when I start It as user root and with "-b 0.0.0.0 -f", but without this parameters It don't works too.I don't found any hint or warning in standard/error output.Know any what is correct solution? PM. - To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org For additional commands, e-mail: user-h...@guacamole.apache.org
guacamole-ext authentication provider, when failed, redirect to third part web
hello, I'm wording to build my authentication provider ext. then, I extends SimpleAuthenticationProvider class to make it. while all auth params config is ok, it work well. now, what I want is, when my AuthenticationProvier work error, can I redirect wrong web page to third pard web url, like company homepage. what can should i do thanks.
Re: [External] Re: Guacamole not passing credentials to RDP when using Hyper-V/VMConnect mode
Thanks Eli ! If I do that then I would connect to the host instead of the client... and yes, that way works as expected, it goes straight to the desktop, but I need to connect to the client... El 2022-02-09 01:21, Abramson, Eli escribió: Alejandro, I believe you need to change the Security Mode to NLA in the Guacamole connection template. From: Alejandro Hernandez Sent: Tuesday, February 8, 2022 6:48 PM To: user@guacamole.apache.org Cc: sam g Subject: [External] Re: Guacamole not passing credentials to RDP when using Hyper-V/VMConnect mode CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. Thanks Sam! But the key combination does work, what I wanted is to go straight to windows desktop... but thats not happening, that do works if I make a direct connection via RDP, but when using Hyper-V/VMConnect it doesn't, it goes to the welcome screen and asks to unlock :( El 2022-02-03 13:15, sam g escribió: Hello, I have a similar setup and it works. Did you tried Control-Alt-END instead? Sam Le jeudi 3 février 2022, 19:57:02 UTC+1, Alejandro Hernandez a écrit : Hello everyone! I have guacamole 1.3 in ubuntu, using mysql extension. I have a Windows Server 2012 R2 running HyperV In Hyper-V, I cloned a server from production and changed its network adapter to a private virtual switch (to preserve IP settings and avoid conflicts in my production network), so this test server doesn't have access to the internet nor any other network. I successfully setted up in Guacamole an RDP connection using port 2179, security mode Hyper-V/VMConnect and specifying Preconnection BLOB. I also configured username, password and domain, but each time Guacamole connects I get to the Windows welcome screen where you have to press Ctr-Alt-Del to get the login screen, as if I had left blank those fields. ¿is this the expected behavior? ¿or am I missing something? I would prefer to correctly set it up so I dont have to neither change the admin password nor share it with someone else in order to let them login... Thanks!!! Have a great day!!!
Re: 2FA: using TOTP authenticators (examples)
Vieri, If you are on 1.4.0 and still have access to another admin account, you can clear it in the Settings / Users page for guacadmin. Otherwise it's in the database, in the guacamole_user_attribute table. On Wed, Feb 9, 2022 at 8:28 AM Vieri wrote: > How does one clear the TOTP data for the guacadmin user? > > Regards, > > Vieri > > - > To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org > For additional commands, e-mail: user-h...@guacamole.apache.org > > -- Jonathan Hankins Homewood City Schools W: 205-877-4548 -- This e-mail is intended only for the recipient and may contain confidential or proprietary information. If you are not the intended recipient, the review, distribution, duplication or retention of this message and its attachments are prohibited. Please notify the sender of this error immediately by reply e-mail, and permanently delete this message and its attachments in any form in which they may have been preserved.
Re: 2FA: using TOTP authenticators (examples)
On Wed, Feb 9, 2022 at 5:53 AM Vieri wrote: > Here's what I did to make it work. > > I edited APP.NAME in > /guacamole/src/main/frontend/src/translations/en.json > This has absolutely no impact on TOTP, and I do not recommend patching the source like this. If you want to override translation strings, the way to do this in a stable manner is with an extension: https://guacamole.apache.org/doc/gug/guacamole-ext Again, however, this has no impact on TOTP whatsoever. It's a coincidence that the timing of this change correlated with TOTP working as expected. and set the exact same string to totp-issuer. > Changing "totp-issuer" will also have no impact whatsoever. It's purely cosmetic. It just tells the authenticator app what name to use for the convenience of the user. Rebuilt guacamole-client. > > Works now with authenticator apps. > > Any ideas why one can't customize totp-digits and totp-mode whlle using > these apps (eg. Google Authenticator or MS Authenticator)? THESE values (totp-digits and totp-mode) are the only change that you needed to make, and the only reason that specific authenticator apps would not work. Some TOTP apps like Google Authenticator will silently ignore the TOTP digits and mode, instead assuming that the defaults will always be used. The authenticator app then begins generating invalid TOTP codes. You do not need to change "totp-issuer" or edit the source. - Mike
Re: GUAC_ID is required
On Wed, Feb 9, 2022 at 8:12 AM chomik MChamster wrote: > Hi Experts, > > I have three instances of guacamole, deployed using the steps from the > official guacamole manual with mysql and saml authentication. > From one of those instances I am getting the "GUAC_ID is required" error: > > tomcat9[505209]: 15:53:04.502 [http-nio-8080-exec-3] DEBUG > o.a.g.w.GuacamoleWebSocketTunnelEndpoint - Error connecting WebSocket > tunnel. > tomcat9[505209]: org.apache.guacamole.GuacamoleClientException: Parameter > "GUAC_ID" is required. > > I did read through this thread - > https://www.mail-archive.com/user@guacamole.apache.org/msg07521.html but > I'm not a developer, nor am I building a custom app or anything like that > (as far as I can tell). The strangest thing to me is that I deployed all > three instances following the same process. I have checked the > guacamole.properties as well as SAML authentication settings on Azure side > but am unable to find the apparent issue. > Wondering if you could point me to what could be the reason for this error > and/or maybe help me understand where is this GUAC_ID taken or generated > from. > That parameter, as well as several others, dictate the details of the request to connect. They are always automatically submitted by the web application. Are your three instances behind a balancer? Any chance they may be different versions, and requests from one are being misrouted by the balancer to another? Are you sure that this error is coming from legitimate connection attempts, and not bogus WebSocket connection attempts from someone probing your server? - Mike
GUAC_ID is required
Hi Experts, I have three instances of guacamole, deployed using the steps from the official guacamole manual with mysql and saml authentication. >From one of those instances I am getting the "GUAC_ID is required" error: tomcat9[505209]: 15:53:04.502 [http-nio-8080-exec-3] DEBUG o.a.g.w.GuacamoleWebSocketTunnelEndpoint - Error connecting WebSocket tunnel. tomcat9[505209]: org.apache.guacamole.GuacamoleClientException: Parameter "GUAC_ID" is required. I did read through this thread - https://www.mail-archive.com/user@guacamole.apache.org/msg07521.html but I'm not a developer, nor am I building a custom app or anything like that (as far as I can tell). The strangest thing to me is that I deployed all three instances following the same process. I have checked the guacamole.properties as well as SAML authentication settings on Azure side but am unable to find the apparent issue. Wondering if you could point me to what could be the reason for this error and/or maybe help me understand where is this GUAC_ID taken or generated from. Thanks, T
Re: 2FA: using TOTP authenticators (examples)
How does one clear the TOTP data for the guacadmin user? Regards, Vieri - To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org For additional commands, e-mail: user-h...@guacamole.apache.org
Re: 2FA: using TOTP authenticators (examples)
Here's what I did to make it work. I edited APP.NAME in /guacamole/src/main/frontend/src/translations/en.json and set the exact same string to totp-issuer. Rebuilt guacamole-client. Works now with authenticator apps. Any ideas why one can't customize totp-digits and totp-mode whlle using these apps (eg. Google Authenticator or MS Authenticator)? - To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org For additional commands, e-mail: user-h...@guacamole.apache.org
Re: 2FA and sharing profile
Hi Nick, Thanks. This is really good news if it is considered. On Wednesday, 9 February 2022, 03:32:53 am SGT, Nick Couchman wrote: On Tue, Feb 8, 2022 at 12:50 PM Hankins, Jonathan wrote: On Tue, Feb 8, 2022 at 11:16 AM Alejandro Hernandez wrote: I understand that the 1) was addressed on version 1.4, now you are able to turn on TOTP just for some users, not all of them I don't think this is correct -- the TOTP changes listed for 1.4.0 are: 1.4.0 did not include any changes that would allow you to either include or exclude certain users by group from 2FA authentication. In 1.4.0, as in previous versions, TOTP is either on for everyone or off for everyone. There is a Jira issue out there to address this, and I suspect it'll end up in the next release. -Nick
Re: 2FA: using TOTP authenticators (examples)
On Wednesday, February 9, 2022, 01:53:27 PM GMT+1, Vieri wrote: > Answering myself, totp-issuer has to be Apache Guacamole in order to work > out-of-the-box with Google Authenticator, MS Authenticator and the likes. > > If I wanted to change that string, where else should it be done for 2FA to > work with these external apps? Could this be related? https://www.mail-archive.com/issues@guacamole.apache.org/msg05696.html Regards, Vieri - To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org For additional commands, e-mail: user-h...@guacamole.apache.org
Re: 2FA: using TOTP authenticators (examples)
Answering myself, totp-issuer has to be Apache Guacamole in order to work out-of-the-box with Google Authenticator, MS Authenticator and the likes. If I wanted to change that string, where else should it be done for 2FA to work with these external apps? Regards, Vieri - To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org For additional commands, e-mail: user-h...@guacamole.apache.org
2FA: using TOTP authenticators (examples)
Hi, I'm following the TOTP guide at https://guacamole.apache.org/doc/gug/totp-auth.html (I'm new to 2FA). I've come to the point where database+LDAP authentication works, but if I enable TOTP I'm unable to pass the verification code. Sorry for the rookie question, but it's the first time I get to grips with two-factor auth in Guacamole. The totp-* variables are default except for totp-issuer. I access the guacamole portal with a desktop computer, enter a user (eg. guacadmin), and I'm shown a QR code. I scan that code with Google Authenticator or MS Authenticator on my cell phone, and I see a 6-digit code with a 30-second countdown. By the way, if I change the guacamole.properties so that totp-digits are 8 and totp-period is 60 seconds, the apps on my smartphone still show me just 6 digits with a 30-second countdown. I suppose this is expected? In any case, each time I try to enter the 6 digits, I get a verification error. What can I try? Can I check the backend? Is the totp data stored in the db? Which table? Regards, Vieri - To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org For additional commands, e-mail: user-h...@guacamole.apache.org
Re: guacamole-client: Temporary directory for libraries bundled with extension
BTW, is there a drawback if I use the mysql java connector instead of mariadb's even though my backend is mariadb? Vieri - To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org For additional commands, e-mail: user-h...@guacamole.apache.org
Re: guacamole-client: Temporary directory for libraries bundled with extension
On Wednesday, February 9, 2022, 09:59:45 AM GMT+1, Vieri wrote: > If I set mysql-driver: mariadb I get an error (no suitable driver) if I ONLY > have mariadb-java-client-3.0.3.jar in /etc/guacamole/lib/ (I also tried an > earlier version). > If I add mysql-connector-java-8.0.28.jar to that same directory or even leave > JUST that file then Guacamole uses that driver (no errors). Let me rephrase the second sentence: "If I add mysql-connector-java-8.0.28.jar to that same directory or even leave JUST that file AND comment out 'mysql-driver: mariadb' then Guacamole uses the MySQL driver (no errors)." So the mariadb driver is not working or is not detected. I tried all these, and none work: mariadb-java-client-2.5.0.jar mariadb-java-client-2.7.4.jar mariadb-java-client-3.0.3.jar mariadb-java-client-2.7.0.jar mariadb-java-client-2.7.5.jar Vieri - To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org For additional commands, e-mail: user-h...@guacamole.apache.org
Re: guacamole-client: Temporary directory for libraries bundled with extension
On Tuesday, February 8, 2022, 10:08:28 PM GMT+1, Nick Couchman wrote: >> # ls /etc/guacamole/lib/ >> mariadb-java-client-3.0.3.jar mysql-connector-java-8.0.28.jar >> >> and then add >> /etc/guacamole/lib/mariadb-java-client-3.0.3.jar:/etc/guacamole/lib/mysql-connector-java-8.0.28.jar >> to my Tomat classpath. >> > > Neither having both of the drivers, nor manually adding the locations to the > classpath should be required to get this to work. However, there may be some > issues with > auto-detection of the correct driver, so if you want to use the MariaDB > driver, you might want to try setting this option in guacamole.properties: > > mysql-driver: mariadb > > and see if that helps. It will force the MySQL extension to look for the > MariaDB driver instead of trying to auto-detect or fall back to the MySQL > driver. Thanks, but it did not work,. I still get the "did not find suitable driver" message. Changing the classpath was a red herring. It doesn't seem to make a difference. However, I think the problem is with mariadb. If I set mysql-driver: mariadb I get an error (no suitable driver) if I ONLY have mariadb-java-client-3.0.3.jar in /etc/guacamole/lib/ (I also tried an earlier version). If I add mysql-connector-java-8.0.28.jar to that same directory or even leave JUST that file then Guacamole uses that driver (no errors). Is anyone else successfully using this driver? /etc/guacamole/lib # jar tvvf mariadb-java-client-3.0.3.jar 102 Fri Jan 21 10:40:50 CET 2022 META-INF/MANIFEST.MF 0 Fri Jan 21 10:40:50 CET 2022 META-INF/ 0 Fri Jan 21 10:40:46 CET 2022 org/ 0 Fri Jan 21 10:40:46 CET 2022 org/mariadb/ 0 Fri Jan 21 10:40:48 CET 2022 org/mariadb/jdbc/ 0 Fri Jan 21 10:40:48 CET 2022 org/mariadb/jdbc/util/ 0 Fri Jan 21 10:40:48 CET 2022 org/mariadb/jdbc/util/log/ 0 Fri Jan 21 10:40:48 CET 2022 org/mariadb/jdbc/util/constants/ 0 Fri Jan 21 10:40:46 CET 2022 org/mariadb/jdbc/util/options/ 0 Fri Jan 21 10:40:48 CET 2022 org/mariadb/jdbc/codec/ 0 Fri Jan 21 10:40:48 CET 2022 org/mariadb/jdbc/client/ 0 Fri Jan 21 10:40:46 CET 2022 org/mariadb/jdbc/client/util/ 0 Fri Jan 21 10:40:46 CET 2022 org/mariadb/jdbc/client/socket/ 0 Fri Jan 21 10:40:48 CET 2022 org/mariadb/jdbc/client/socket/impl/ 0 Fri Jan 21 10:40:48 CET 2022 org/mariadb/jdbc/client/context/ 0 Fri Jan 21 10:40:48 CET 2022 org/mariadb/jdbc/client/impl/ 0 Fri Jan 21 10:40:48 CET 2022 org/mariadb/jdbc/client/tls/ 0 Fri Jan 21 10:40:48 CET 2022 org/mariadb/jdbc/client/result/ 0 Fri Jan 21 10:40:46 CET 2022 org/mariadb/jdbc/message/ 0 Fri Jan 21 10:40:48 CET 2022 org/mariadb/jdbc/message/client/ 0 Fri Jan 21 10:40:48 CET 2022 org/mariadb/jdbc/message/server/ 0 Fri Jan 21 10:40:48 CET 2022 org/mariadb/jdbc/message/server/util/ 0 Fri Jan 21 10:40:48 CET 2022 org/mariadb/jdbc/plugin/ 0 Fri Jan 21 10:40:48 CET 2022 org/mariadb/jdbc/plugin/tls/ 0 Fri Jan 21 10:40:48 CET 2022 org/mariadb/jdbc/plugin/tls/main/ 0 Fri Jan 21 10:40:48 CET 2022 org/mariadb/jdbc/plugin/codec/ 0 Fri Jan 21 10:40:48 CET 2022 org/mariadb/jdbc/plugin/authentication/ 0 Fri Jan 21 10:40:48 CET 2022 org/mariadb/jdbc/plugin/authentication/standard/ 0 Fri Jan 21 10:40:46 CET 2022 org/mariadb/jdbc/plugin/authentication/standard/ed25519/ 0 Fri Jan 21 10:40:46 CET 2022 org/mariadb/jdbc/plugin/authentication/standard/ed25519/spec/ 0 Fri Jan 21 10:40:48 CET 2022 org/mariadb/jdbc/plugin/authentication/standard/ed25519/math/ 0 Fri Jan 21 10:40:48 CET 2022 org/mariadb/jdbc/plugin/authentication/standard/ed25519/math/ed25519/ 0 Fri Jan 21 10:40:46 CET 2022 org/mariadb/jdbc/plugin/authentication/addon/ 0 Fri Jan 21 10:40:48 CET 2022 org/mariadb/jdbc/plugin/authentication/addon/gssapi/ 0 Fri Jan 21 10:40:48 CET 2022 org/mariadb/jdbc/plugin/credential/ 0 Fri Jan 21 10:40:48 CET 2022 org/mariadb/jdbc/plugin/credential/env/ 0 Fri Jan 21 10:40:48 CET 2022 org/mariadb/jdbc/plugin/credential/system/ 0 Fri Jan 21 10:40:48 CET 2022 org/mariadb/jdbc/plugin/credential/aws/ 0 Fri Jan 21 10:40:48 CET 2022 org/mariadb/jdbc/pool/ 0 Fri Jan 21 10:40:48 CET 2022 org/mariadb/jdbc/export/ 0 Fri Jan 21 10:40:48 CET 2022 org/mariadb/jdbc/type/ 0 Fri Jan 21 10:40:44 CET 2022 META-INF/services/ 0 Fri Jan 21 10:40:50 CET 2022 META-INF/versions/ 0 Fri Jan 21 10:40:50 CET 2022 META-INF/versions/9/ 0 Fri Jan 21 10:40:50 CET 2022 META-INF/versions/11/ 0 Fri Jan 21 10:40:50 CET 2022 META-INF/versions/11/org/ 0 Fri Jan 21 10:40:50 CET 2022 META-INF/versions/11/org/mariadb/ 0 Fri Jan 21 10:40:50 CET 2022 META-INF/versions/11/org/mariadb/jdbc/ 0 Fri Jan 21 10:40:50 CET 2022 META-INF/versions/11/org/mariadb/jdbc/client/ 0 Fri Jan 21 10:40:50 CET 2022 META-INF/maven/ 0 Fri Jan 21 10:40:50 CET 2022 META-INF/maven/org.mariadb.jdbc/ 0 Fri Jan 21 10:40:50
RE: [External] Re: Guacamole not passing credentials to RDP when using Hyper-V/VMConnect mode
Alejandro, I believe you need to change the Security Mode to NLA in the Guacamole connection template. From: Alejandro Hernandez Sent: Tuesday, February 8, 2022 6:48 PM To: user@guacamole.apache.org Cc: sam g Subject: [External] Re: Guacamole not passing credentials to RDP when using Hyper-V/VMConnect mode CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. Thanks Sam! But the key combination does work, what I wanted is to go straight to windows desktop... but thats not happening, that do works if I make a direct connection via RDP, but when using Hyper-V/VMConnect it doesn't, it goes to the welcome screen and asks to unlock :( El 2022-02-03 13:15, sam g escribió: Hello, I have a similar setup and it works. Did you tried Control-Alt-END instead? Sam Le jeudi 3 février 2022, 19:57:02 UTC+1, Alejandro Hernandez mailto:a...@safedataserver.com>> a écrit : Hello everyone! I have guacamole 1.3 in ubuntu, using mysql extension. I have a Windows Server 2012 R2 running HyperV In Hyper-V, I cloned a server from production and changed its network adapter to a private virtual switch (to preserve IP settings and avoid conflicts in my production network), so this test server doesn't have access to the internet nor any other network. I successfully setted up in Guacamole an RDP connection using port 2179, security mode Hyper-V/VMConnect and specifying Preconnection BLOB. I also configured username, password and domain, but each time Guacamole connects I get to the Windows welcome screen where you have to press Ctr-Alt-Del to get the login screen, as if I had left blank those fields. ¿is this the expected behavior? ¿or am I missing something? I would prefer to correctly set it up so I dont have to neither change the admin password nor share it with someone else in order to let them login... Thanks!!! Have a great day!!!
