Thank you,

Brad Turnbough
Senior Technology Analyst


P: 309.272.2739 F: 309.272.2839

www.betterbanks.com
www.statestreetbank.com

NOTICE: The information contained in this email and any document attached 
hereto is intended only for the named recipient(s). If you are not the intended 
recipient, nor the employee or agent responsible for delivering this message in 
confidence to the intended recipient(s), you are hereby notified that you have 
received this transmittal in error, and any review, dissemination, distribution 
or copying of this transmittal or its attachments is strictly prohibited. If 
you have received this transmittal and/or attachments in error, please notify 
me immediately by reply e-mail and then delete this message, including any 
attachments.


From: Nick Couchman <[email protected]>
Sent: Friday, February 24, 2023 12:00 PM
To: [email protected]
Subject: Re: Guacamole / Ubuntu 20.04 x64 Questions


On Fri, Feb 24, 2023 at 12:41 PM Brad Turnbough 
<[email protected]> 
wrote:
I have recently compiled and installed Guacamole 1.5.0 on Ubuntu 20.04.  Looks 
pretty impressive from using it just a couple of days.  A couple of questions:


1) I understand that it is possible to utilize MySQL authentication and 
also RADIUS authentication, separately. Is it possible to use them BOTH (MySQL 
for the groups / rights and permissions, a.k.a. the authorization) and 
RADIUS for the authentication? We have MFA set up and it is consumable via 
RADIUS. Additionally, I’d like to set up groups and permissions for various 
RDP/SSH targets (MySQL auth).

Yes, this is definitely possible - Guacamole matches user and group names 
between authentication modules, so as long as your user is named the same in 
both the RADIUS and JDBC modules, you should be able to create the connections 
in the JDBC module and assign them to the user, but still log in via the RADIUS 
module. There are a couple of things to note, here:
* Currently, Guacamole's evaluation of user accounts is case-sensitive, while 
many authentication systems (LDAP/AD, RADIUS, etc.) tend to be 
case-insensitive. This means if you have a user in your JDBC module named 
john_smith, but your user logs in as John_Smith, Guacamole will not consider 
the users the same, and you may see situations where those permissions don't 
apply as you would expect because of that.
* If you're going to do this, I highly recommend that you make sure the user 
accounts in the JDBC module have random passwords that absolutely will not be 
the same as the ones from your RADIUS authentication module. When you create 
the users in the GUI, if you leave the password blank, a random one will be 
generated. Similarly, if you enable user auto-creation in the JDBC module, the 
accounts created will have random passwords.
* Finally, the RADIUS module currently has no way to pass group names on to 
Guacamole. I've thought about implementing it, but the current RADIUS system 
that I'm stuck with (Windows NPS) doesn't support dynamically sending group 
information back, so I've never pursued it much.
* The RADIUS module relies on some really old Java libraries, with no sign of 
them being updated anytime soon. I'm not keen on writing my own RADIUS client, 
and I think SSO is going to largely supplant RADIUS in the AAA space, anyway, 
so there's not likely to be much effort put into improving that module going 
forward.

Thank you for this information. Exactly what I was looking for. I might give 
it a try after I snapshot the machine in order to give me a way to roll back in 
case the configuration goes belly up.


2) I don’t have “share” available … I’m assuming a compile flag was missed 
to enable this feature?

I'm not entirely sure what you mean by this - can you elaborate? There's no 
specific compilation flag required for session sharing - it's built into the 
client, and mainly the JDBC module.

If I connect to a windows machine via RDP and then press ‘ctrl-alt-shift’ I am 
presented with the menu for that host.  In that menu, I am supposed to have the 
option to ‘share’ the session with another user.  There isn’t an option to 
‘share’ the session for the RDP connection as several online resources point 
out.  Does it maybe have to do with something related to my instance of 
Guacamole not having MySQL auth enabled?  Seems rather odd I don’t have all of 
the features.


3) I don’t have the “File transfer” feature available … Again, I’m assuming a 
compile flag was missed in order to enable this feature?

Same, here - there's really nothing you need to do to enable this - it depends 
on what connection protocol you're using, but RDP has its own mechanism 
built-in, and RDP, SSH, and VNC also include SFTP support, assuming you have 
SSH support enabled. You'll need to be more specific about what you're 
"missing" when you're looking for this.
The same as above, but instead of the ‘share’ feature, I expect to see ‘file 
transfer’ in the menu presented when I press ‘ctrl-alt-shift’


Here is the process I used to compile:

apt-get install build-essential libcairo2-dev libjpeg-turbo8-dev libpng-dev 
libtool-bin libossp-uuid-dev libvncserver-dev freerdp2-dev libssh2-1-dev 
libtelnet-dev libwebsockets-dev libpulse-dev libvorbis-dev libwebp-dev 
libssl-dev libpango1.0-dev libswscale-dev libavcodec-dev libavutil-dev 
libavformat-dev
cd /opt
mkdir guacamole-1.5.0
cd guacamole-1.5.0/
wget https://downloads.apache.org/guacamole/1.5.0/source/guacamole-server-1.5.0.tar.gz
tar -xvzf guacamole-server-1.5.0.tar.gz
cd guacamole-server-1.5.0
./configure --with-init-dir=/etc/init.d --enable-allow-freerdp-snapshots

This is a really bad idea, and I'm pretty sure there are banners that warn 
about this. Likely to cause you more headaches than not.

I apologize, but what do you mean it is a bad idea?  I don’t know what is 
wrong, or why it is wrong.  Can you elaborate a bit?  Make a suggestion as to 
what to do instead?  Thank you!!!


-Nick
