On Fri, Feb 24, 2023 at 12:41 PM Brad Turnbough < [email protected]> wrote:
> I have recently compiled and installed Guacamole 1.5.0 on Ubuntu 20.04.
> Looks pretty impressive from using it just a couple of days. A couple of
> questions:
>
> 1) I understand that it is possible to utilize MySQL Authentication
> and also RADIUS authentication – separately. Is it possible to use them
> BOTH (mysql for the groups / rights and permissions… aka.. the
> authorization) and the RADIUS for the authentication? We have MFA set up
> and it is consumable via RADIUS. Additionally, I’d like to set up groups
> and permissions for various RDP/SSH targets (mysql auth)
>

Yes, this is definitely possible - Guacamole matches user and group names between authentication modules, so as long as your user is named the same in both the RADIUS and JDBC modules, you should be able to create the connections in the JDBC module and assign them to the user, but still log in via the RADIUS module. There are a couple of things to note, here:

* Currently, Guacamole's evaluation of user accounts is case-sensitive, while many authentication systems (LDAP/AD, RADIUS, etc.) tend to be case-insensitive. This means if you have a user in your JDBC module named john_smith, but your user logs in as John_Smith, Guacamole will not consider the users the same, and you may see situations where those permissions don't apply as you would expect because of that.
* If you're going to do this, I highly recommend that you make sure the user accounts in the JDBC module have random passwords that absolutely will not be the same as the ones from your RADIUS authentication module. When you create the users in the GUI, if you leave the password blank, a random one will be generated. Similarly, if you enable user auto-creation in the JDBC module, the accounts created will have random passwords.
* Finally, the RADIUS module currently has no way to pass group names on to Guacamole. I've thought about implementing it, but the current RADIUS system that I'm stuck with (Windows NPS) doesn't support dynamically sending group information back, so I've never pursued it much.
* The RADIUS module relies on some really old Java libraries, with no sign of them being updated anytime soon. I'm not keen on writing my own RADIUS client, and I think SSO is going to largely supplant RADIUS in the AAA space, anyway, so there's not likely to be much effort put into improving that module going forward.

> 2) I don’t have “share” available … I’m assuming a compile flag was
> missed to enable this feature?
>

I'm not entirely sure what you mean by this - can you elaborate? There's no specific compilation flag required for session sharing - it's built into the client, and mainly the JDBC module.

> 3) I don’t have “File transfer” feature available… Again, I’m
> assuming a compile flag was missed in order to enable this feature?
>

Same, here - there's really nothing you need to do to enable this - it depends on what connection protocol you're using, but RDP has its own mechanism built-in, and RDP, SSH, and VNC also include SFTP support, assuming you have SSH support enabled. You'll need to be more specific about what you're "missing" when you're looking for this.

>
> Here is the process I used to compile:
>
> apt-get install build-essential libcairo2-dev libjpeg-turbo8-dev
> libpng-dev libtool-bin libossp-uuid-dev libvncserver-dev freerdp2-dev
> libssh2-1-dev libtelnet-dev libwebsockets-dev libpulse-dev libvorbis-dev
> libwebp-dev libssl-dev libpango1.0-dev libswscale-dev libavcodec-dev
> libavutil-dev libavformat-dev
>
> cd /opt
>
> mkdir guacamole-1.5.0
>
> cd guacamole-1.5.0/
>
> wget
> https://downloads.apache.org/guacamole/1.5.0/source/guacamole-server-1.5.0.tar.gz
>
> tar -xvzf guacamole-server-1.5.0.tar.gz
>
> cd guacamole-server-1.5.0
>
> ./configure --with-init-dir=/etc/init.d --enable-allow-freerdp-snapshots
>

This is a really bad idea, and I'm pretty sure there are banners that warn about this. Likely to cause you more headaches than not.

-Nick
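The case-sensitivity caveat in the reply above can be checked before rollout. The following is an added example, not part of the original thread or of Guacamole itself: `audit_usernames` is a hypothetical helper, and the account lists are constructed samples standing in for an export of JDBC user names and the names users type at the RADIUS login.

```python
from collections import defaultdict

# Constructed sample data (assumption): names stored in the JDBC module and
# names as users actually type them when authenticating through RADIUS.
JDBC_USERS = ["john_smith", "alice", "Bob", "bob"]
RADIUS_LOGINS = ["John_Smith", "alice", "bob", "carol"]


def audit_usernames(jdbc_users, radius_logins):
    """Compare names exactly (case-sensitive), as the reply says Guacamole does,
    and report logins whose JDBC permissions would not apply."""
    jdbc_exact = set(jdbc_users)

    # Index JDBC names by their case-folded form to spot case-only differences.
    by_folded = defaultdict(set)
    for name in jdbc_users:
        by_folded[name.casefold()].add(name)

    report = {
        "matched": [],            # exact match: JDBC permissions apply
        "case_mismatch": {},      # differs only by case: treated as different users
        "no_jdbc_account": [],    # no JDBC user at all under any casing
        "jdbc_case_duplicates": [],  # JDBC names that collide when case is ignored
    }

    for login in sorted(set(radius_logins)):
        folded = login.casefold()
        if login in jdbc_exact:
            report["matched"].append(login)
        elif folded in by_folded:
            report["case_mismatch"][login] = sorted(by_folded[folded])
        else:
            report["no_jdbc_account"].append(login)

    # Case-variant duplicates make it ambiguous which account holds the rights.
    report["jdbc_case_duplicates"] = sorted(
        sorted(names) for names in by_folded.values() if len(names) > 1
    )
    return report


if __name__ == "__main__":
    for key, value in audit_usernames(JDBC_USERS, RADIUS_LOGINS).items():
        print(f"{key}: {value}")
```

Entries under `case_mismatch` are the accounts to rename (or the login convention to enforce) so that the JDBC connections and permissions attach to the user who authenticates via RADIUS.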
