Re: How does cas-group-attribute work?

2022-03-09 Thread Nick Couchman
On Mon, Mar 7, 2022 at 4:18 PM Aaron Cayard-Roberts wrote:

> Hello all,
>
> We've been using guacamole for a couple of years with CAS for
> authentication and it's been great.  We recently upgraded our system to 1.4
> and everything has been working great.
>
> Currently, we're handling our groups (and connections) through the
> database extension but I was interested in trying out the cas-group-attribute.
> Is this option compatible with the database extension?   I was expecting
> either new groups to be created and/or the membership of the groups to be
> updated based on the cas-group-attribute values of the user's
> session but that doesn't seem to be happening.
>
>
Yes, the extension is "compatible" - really, stackable is the proper term -
with the database extension. That said, it probably won't work in exactly
the way you're expecting it to work. Users who log in via CAS can be
automatically created in the database extension, and you can also create
matching groups in the database extension and apply permissions to those
groups. However, the database extension won't automatically update its
version of group membership with the members that come through in the CAS
extension - rather, this will be evaluated dynamically and transparently
when the user logs in. In this way, there's no way for an admin in
Guacamole to see all of the members of a group that is populated via CAS
membership.

-Nick


Re: Pre-Fill Username using data sent by nginx

2022-03-09 Thread Nick Couchman
On Wed, Mar 9, 2022 at 1:34 PM Mauricio Silveira wrote:

> Hi.
>
>
> I was wondering if there is any way possible to pass a username to
> pre-fill the username field at login page.
>
>
> My usage idea is: I'm using nginx with client certificates as
> pre-authentication, and I'd like to use the UserPrincipalName from the
> client certificate to present the user, guacamole's login page with its
> name already filled and move focus to the password field, so that the
> user with a certificate will only need to type the password to enter a
> session.
>
>
> Optionally, I'd like to make it possible to "lock" the username field
> (Mandatory from username passed from nginx ).
>
>
I would think the better way to go would be to have Guacamole accept the
certificate-based (x509) authentication, either by implementing an
extension that supports it, or by using a SSO-type system that facilitates
it. So, a few options come to mind:
* If Nginx is currently doing the certificate-based authentication, you
could use the Header authentication extension in Guacamole to accept
successful authentication, including the Username, from Nginx. You have to
be a bit careful with this, because you want to make sure that there's no
way for users to bypass the authentication mechanism by spoofing a header
or something like that, but it can be done in a relatively secure fashion.
* You could also use a SSO system to do the certificate-based
authentication, and then one of the Guacamole SSO modules to accept that
authentication. For example, I believe CAS supports x509 authentication, so
you could have CAS do the authentication, and then it can pass through the
relevant information about the user to Guacamole via the CAS authentication
extension.

-Nick
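
The first option in the reply above (Nginx verifies the client certificate, Guacamole's Header authentication extension trusts a header set by Nginx), as an added configuration example that is not part of the original thread and is not the Guacamole project's own configuration. The header name `X-Cert-User`, the file paths, the backend address and the use of `$ssl_client_s_dn` as the username are assumptions; the poster's njs-derived UPN variable would take its place.

```nginx
# Added example. Header name, paths and backend address are assumptions.
#
# Guacamole side (guacamole.properties, Header authentication extension):
#     http-auth-header: X-Cert-User
#
# The servlet container must listen on 127.0.0.1 only, so this proxy is the
# single network path to Guacamole. If the backend port is reachable directly,
# anyone can send the header themselves and no setting below helps.

server {
    listen      443 ssl;
    server_name guacserver.example;

    ssl_certificate         /etc/nginx/tls/server.crt;      # placeholder path
    ssl_certificate_key     /etc/nginx/tls/server.key;      # placeholder path
    ssl_client_certificate  /etc/nginx/tls/client-ca.crt;   # CA that issues user certs

    # "on" rejects any request that lacks a certificate chaining to the CA above.
    # With "optional" or "optional_no_ca" the request is proxied either way, so
    # the header below would have to be guarded by $ssl_client_verify.
    ssl_verify_client       on;
    ssl_verify_depth        2;

    location /guacamole/ {
        proxy_pass          http://127.0.0.1:8080/guacamole/;
        proxy_buffering     off;
        proxy_http_version  1.1;
        proxy_set_header    Upgrade    $http_upgrade;
        proxy_set_header    Connection $http_connection;
        proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;

        # Always overwrite the trusted header with a value taken from the
        # verified certificate. A header of the same name sent by the client
        # is replaced, never forwarded. Leaving this line out, or setting it
        # from an $http_* variable, forwards whatever the client supplied.
        proxy_set_header    X-Cert-User $ssl_client_s_dn;
    }

    # proxy_set_header is inherited from the enclosing level only when a
    # location defines none of its own. Any further location that proxies to
    # Guacamole and sets its own headers must repeat the X-Cert-User line.
}
```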


Re: Single connection and the control panel

2022-03-09 Thread Mike Jumper
On Wed, Mar 9, 2022 at 7:12 AM Brad Saxton  wrote:
>
> Unless I'm missing something, there seems to be an issue for users who only 
> have one connection defined.
>
> For users with only one connection, Guacamole automatically makes that 
> connection upon login without displaying the Guacamole home page.

Yes, this is by design. If a user has access to only one connection,
they are taken to that connection immediately instead of forcing the
user to select their single connection from a list of one choice.

> If though, only one active connection per user is permitted, this causes an 
> issue. If the user was already logged in from another computer and only 1 
> connection per user is allowed, this causes an issue. The user gets an error 
> about exceeding the number of allowed connections and only "Reconnect" or 
> "Logout" are displayed. The user cannot get to the control panel in order to 
> kill the other connection.

If necessary, you can go to the settings screen by pressing
Ctrl+Alt+Shift to open the Guacamole menu. The usual dropdown menu
with "Settings", "Logout", etc. is there.

- Mike

-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org



Pre-Fill Username using data sent by nginx

2022-03-09 Thread Mauricio Silveira

Hi.


I was wondering if there is any way possible to pass a username to 
pre-fill the username field at login page.



My usage idea is: I'm using nginx with client certificates as 
pre-authentication, and I'd like to use the UserPrincipalName from the 
client certificate to present the user, guacamole's login page with its 
name already filled and move focus to the password field, so that the 
user with a certificate will only need to type the password to enter a 
session.



Optionally, I'd like to make it possible to "lock" the username field 
(Mandatory from username passed from nginx ).



I tried using 
"https://guacserver.example/#/Whatever245qrgq3yeqreg?username=johndoe=wrong; 
style using a wrong password to see if the username gets filled, but it 
doesn't.


As for the nginx part, if anyone is interested, here's my reference: 
https://clouddocs.f5.com/training/community/nginx/html/class3/module1/module17.html. 
It uses njs module.



Then, I modified njs' subject_alternative.js to return only the UPN from 
the client certificate.



I was thinking something like 
"https://guacserver.example/#/Whatever245qrgq3yeqreg?PREFILL_USERNAME=name_from_njs_san_LOCK=yes; 
to get the desired behavior ( I still have to play around with nginx 
rewrite url to make sure the end user won't be able to modify the 
PREFILL_USERNAME and PREFILL_LOCK arguments ).



I don't know java and angular, but I have some experience with 
C/perl/php/python/js and general scripting ( I usually write code when I 
really need to, I'm not a programmer/developer ).



I'm willing to accept the challenge to create an extension for this 
feature, but I have no idea where to start. I wonder if I should look at 
something like guacamole-auth-quickconnect or guacamole-auth-header as 
reference. Any hints?



Thanks!

- Mauricio Silveira





Re: guacamole 1.4.0 + nginx X-Frame-Options DENY Browser refresh ( F5 ) issue

2022-03-09 Thread Antoine G.

On 08/03/2022 23:55, Mike Jumper - mjum...@apache.org wrote:
> Can you see in browser dev tools the specific request that is blocked 
> unless "SAMEORIGIN" is set?


Yes, of course.

Firefox states:
The loading of 
“https://guacamole.example.org/app/element/templates/blank.html” in a 
frame is denied by “X-Frame-Options“ directive set to “DENY“.







RE: [External] Connect to an AWS instance

2022-03-09 Thread Daniel McCarty
> I had this working a few weeks ago, it is very inexpensive. Guac Bastion 
> looks like costs could run up.

Sorry, didn’t realize that “Guac Bastion” was an actual thing.  I just meant 
that our own guac server is outward-facing.

For us the costs are quite minimal.  Just checked and our t3a.small (upgraded 
from a t3a.micro because it seemed to crash with low memory every 2 weeks) cost 
us a whopping $3.74 last month.  (Might be a partially reserved instance, don’t 
remember.)  Windows instances of course are extra.  Our setup services about a 
dozen users.




Daniel McCarty
Director of Engineering
W. H. Leary Co.
P. +1 708.444.4900
E. dani...@whleary.com | W. whleary.com

From: jim.sulli...@theblockchainacademy.com 

Sent: Wednesday, March 9, 2022 9:21 AM
To: user@guacamole.apache.org
Subject: RE: [External] Connect to an AWS instance

Daniel:

Thanks. I have native guacamole running on an AWS Linux instance and a Windows 
AWS instance. They should be able to communicate.

I had this working a few weeks ago, it is very inexpensive. Guac Bastion looks 
like costs could run up.

Jim Sullivan
Certified Scrum Master
Certified SAFe 5 Program Consultant
Certified Jira Administrator
Hyperledger Professional
Hyperledger Blockchain Certified
R3 Corda Certified Professional
NEAR Certified Professional
Healthcare Blockchain Certified
Kubernetes DevOps Professional
Direct: 917-837-5210
Chief Technology Officer
www.theblockchainacademy.com/
AWS Partner

RE: [External] Connect to an AWS instance

2022-03-09 Thread Daniel McCarty
That’s a start, but it only shows that ICMP is allowed.  You also need to check 
TCP/UDP 3389.  I’m probably at the limit of what I can suggest without more 
knowledge of your cloud setup.  If you have an AWS support package I bet they 
could diagnose things pretty quickly (and see your setup internally).  There’s 
also the “rent an AWS expert” option buried somewhere in the support menus if 
that helps.

(BTW your ping times seem quite high.  For ec2 instances in the same region my 
experience is <1ms.  Is your guac server outside your AWS infra?)

Best regards,
Dan




Daniel McCarty
Director of Engineering
W. H. Leary Co.
P. +1 708.444.4900
E. dani...@whleary.com | W. whleary.com

From: jim.sulli...@theblockchainacademy.com 

Sent: Wednesday, March 9, 2022 9:44 AM
To: user@guacamole.apache.org
Subject: RE: [External] Connect to an AWS instance

The Windows instance can ping the Linux instance running guac.


The Linux instance running guac can ping the target Windows instance.



Jim Sullivan
Certified Scrum Master
Certified SAFe 5 Program Consultant
Certified Jira Administrator
Hyperledger Professional
Hyperledger Blockchain Certified
R3 Corda Certified Professional
NEAR Certified Professional
Healthcare Blockchain Certified
Kubernetes DevOps Professional
Direct: 917-837-5210
Chief Technology Officer
www.theblockchainacademy.com/
AWS Partner

RE: [External] Connect to an AWS instance

2022-03-09 Thread jim.sullivan
Daniel:

Thanks. I have native guacamole running on an AWS Linux instance and a Windows 
AWS instance. They should be able to communicate.

I had this working a few weeks ago, it is very inexpensive. Guac Bastion looks 
like costs could run up.

Jim Sullivan
Certified Scrum Master
Certified SAFe 5 Program Consultant
Certified Jira Administrator
Hyperledger Professional
Hyperledger Blockchain Certified
R3 Corda Certified Professional
NEAR Certified Professional
Healthcare Blockchain Certified
Kubernetes DevOps Professional
Direct: 917-837-5210
Chief Technology Officer
www.theblockchainacademy.com/
AWS Partner

From: Daniel McCarty
Sent: Wednesday, March 9, 2022 10:14 AM
To: user@guacamole.apache.org
Subject: RE: [External] Connect to an AWS instance

We have a similar setup where a bastion guac server facilitates RDP logins to a 
farm of windows instances.  In our case both are in AWS so only the guac server 
is visible to the outside world.  I believe I remember having a similar issue.  
First thing I would check would be to run some sanity tests on the VPC settings 
between your guac and windows instances.

Daniel McCarty
Director of Engineering
W. H. Leary Co.
P. +1 708.444.4900
E. dani...@whleary.com | W. whleary.com

From: Jim Sullivan <jim.sulli...@theblockchainacademy.com>
Sent: Wednesday, March 9, 2022 7:59 AM
To: user@guacamole.apache.org
Subject: Re: [External] Connect to an AWS instance

Dan:

I am using putty SSH client to reach my Guac server instance and Windows Remote 
Desktop to connect to the Windows instance.

Jim Sullivan
917-837-5210

Sent from my iPhone
Please excuse any typos

On Mar 9, 2022, at 08:28, Daniel McCarty <dani...@whleary.com> wrote:

Hard to say without knowing more about your AWS setup.  Most likely this is 
your firewall and/or VPC settings within AWS.  Can you reach the instance via 
other means?  Public IP, ssh, etc.

Daniel McCarty
Director of Engineering
W. H. Leary Co.
P. +1 708.444.4900
E. dani...@whleary.com | W. whleary.com

From: jim.sulli...@theblockchainacademy.com
Sent: Tuesday, March 8, 2022 7:22 PM
To: user@guacamole.apache.org
Subject: [External] Connect to an AWS instance

I am trying to use Guacamole to connect to an AWS instance using RDP. However, 
the connection does not happen, and I get the connection is taking too long. I 
believe I have the configurations correct. Any help would be great.

Jim Sullivan
Certified Scrum Master
Certified SAFe 5 Program Consultant
Certified Jira Administrator
Hyperledger Professional

RE: [External] Connect to an AWS instance

2022-03-09 Thread Daniel McCarty
We have a similar setup where a bastion guac server facilitates RDP logins to a 
farm of windows instances.  In our case both are in AWS so only the guac server 
is visible to the outside world.  I believe I remember having a similar issue.  
First thing I would check would be to run some sanity tests on the VPC settings 
between your guac and windows instances.




Daniel McCarty
Director of Engineering
W. H. Leary Co.
P. +1 708.444.4900
E. dani...@whleary.com | W. whleary.com

From: Jim Sullivan 
Sent: Wednesday, March 9, 2022 7:59 AM
To: user@guacamole.apache.org
Subject: Re: [External] Connect to an AWS instance


Dan:

I am using putty SSH client to reach my Guac server instance and Windows Remote 
Desktop to connect to the Windows instance.

Jim Sullivan
917-837-5210

Sent from my iPhone
Please excuse any typos


On Mar 9, 2022, at 08:28, Daniel McCarty <dani...@whleary.com> wrote:

Hard to say without knowing more about your AWS setup.  Most likely this is 
your firewall and/or VPC settings within AWS.  Can you reach the instance via 
other means?  Public IP, ssh, etc.




Daniel McCarty
Director of Engineering

W. H. Leary Co.
P. +1 708.444.4900
E. dani...@whleary.com | W. whleary.com

From: jim.sulli...@theblockchainacademy.com
Sent: Tuesday, March 8, 2022 7:22 PM
To: user@guacamole.apache.org
Subject: [External] Connect to an AWS instance

I am trying to use Guacamole to connect to an AWS instance using RDP. However, 
the connection does not happen, and I get the connection is taking too long. I 
believe I have the configurations correct. Any help would be great.



Jim Sullivan
Certified Scrum Master
Certified SAFe 5 Program Consultant
Certified Jira Administrator
Hyperledger Professional
Hyperledger Blockchain Certified
R3 Corda Certified Professional
Healthcare Blockchain Certified
Kubernetes DevOps Professional
Direct: 917-837-5210
Chief Technology Officer
www.theblockchainacademy.com
AWS

Single connection and the control panel

2022-03-09 Thread Brad Saxton

Unless I'm missing something, there seems to be an issue for users who only 
have one connection defined.

For users with only one connection, Guacamole automatically makes that 
connection upon login without displaying the Guacamole home page. If though, 
only one active connection per user is permitted, this causes an issue. If the 
user was already logged in from another computer and only 1 connection per user 
is allowed, this causes an issue. The user gets an error about exceeding the 
number of allowed connections and only "Reconnect" or "Logout" are displayed. 
The user cannot get to the control panel in order to kill the other connection.

A simple solution would be to simply give every user a "dummy" connection that 
doesn't actually do anything as this will then have everyone get the Guacamole 
home page listing the "dummy" and the "real" connection.

Is there a better solution that I am missing which would give users with only 
one connection access to the "Settings" menu in order to kill the other 
sessions?

Thanks

--

Brad Saxton
Senior System Administrator
Infrastructure Team
Brock University | Information Technology Services
Niagara Region | 1812 Sir Isaac Brock Way | St. Catharines, ON, Canada L2S 3A1
brocku.ca | T 905-688-5550 x4761 | F 905-688-4191


Re: [External] Connect to an AWS instance

2022-03-09 Thread Jim Sullivan

Dan:

I am using putty SSH client to reach my Guac server instance and Windows Remote 
Desktop to connect to the Windows instance.

Jim Sullivan
917-837-5210

Sent from my iPhone
Please excuse any typos

> On Mar 9, 2022, at 08:28, Daniel McCarty  wrote:
> 
> 
> Hard to say without knowing more about your AWS setup.  Most likely this is 
> your firewall and/or VPC settings within AWS.  Can you reach the instance via 
> other means?  Public IP, ssh, etc.
>  
>  
>  
> 
> Daniel McCarty
> Director of Engineering
> W. H. Leary Co.
> P. +1 708.444.4900
> E. dani...@whleary.com | W. whleary.com
> 
> 
> 
> From: jim.sulli...@theblockchainacademy.com 
>  
> Sent: Tuesday, March 8, 2022 7:22 PM
> To: user@guacamole.apache.org
> Subject: [External] Connect to an AWS instance
>  
> I am trying to use Guacamole to connect to an AWS instance using RDP. 
> However, the connection does not happen, and I get the connection is taking 
> too long. I believe I have the configurations correct. Any help would be 
> great.
>  
>  
>  
> Jim Sullivan
> Certified Scrum Master
> Certified SAFe 5 Program Consultant
> Certified Jira Administrator
> Hyperledger Professional
> Hyperledger Blockchain Certified
> R3 Corda Certified Professional
> Healthcare Blockchain Certified
> Kubernetes DevOps Professional
> Direct: 917-837-5210
> Chief Technology Officer
> www.theblockchainacademy.com
> AWS Partner
> 
>  
> 
>  


RE: [External] Connect to an AWS instance

2022-03-09 Thread Daniel McCarty
Hard to say without knowing more about your AWS setup.  Most likely this is 
your firewall and/or VPC settings within AWS.  Can you reach the instance via 
other means?  Public IP, ssh, etc.





Daniel McCarty
Director of Engineering
W. H. Leary Co.
P. +1 708.444.4900
E. dani...@whleary.com | W. whleary.com

From: jim.sulli...@theblockchainacademy.com 

Sent: Tuesday, March 8, 2022 7:22 PM
To: user@guacamole.apache.org
Subject: [External] Connect to an AWS instance

I am trying to use Guacamole to connect to an AWS instance using RDP. However, 
the connection does not happen, and I get the connection is taking too long. I 
believe I have the configurations correct. Any help would be great.



Jim Sullivan
Certified Scrum Master
Certified SAFe 5 Program Consultant
Certified Jira Administrator
Hyperledger Professional
Hyperledger Blockchain Certified
R3 Corda Certified Professional
Healthcare Blockchain Certified
Kubernetes DevOps Professional
Direct: 917-837-5210
Chief Technology Officer
www.theblockchainacademy.com
AWS Partner