On Fri, Jan 27, 2023 at 8:32 PM Timur Bazhirov <[email protected]> wrote:
> Greetings,
>
> We have a question regarding establishing a direct connection (instead of
> a login screen) for a user to SSH or VNC sessions.
>
> We've been using Guacamole for some time and recently started work
> on updating it to the latest version. In version 0.9.12, we used to form a
> URL and then use the HMAC and secret-key-based authentication to directly
> proxy a user to a session. Here a URL would look something like this:
>
> <HOSTNAME>/guacamole/#/client?timestamp=1674863599405&signature=31BNen1LuL1ukF7NjW8ocbor4ME&username=john&protocol=ssh.
>
> When reading the version 1.4.0 documentation, we understand that HMAC is
> no longer an option, although there is JSON-based authentication and also
> quick-connect as extensions. However, we could not understand how to adjust
> the above URL to land a user in an SSH and VNC session directly without
> them having to use the Guacamole login screen with username/password.
>
> Can anyone help us with this? If there's a JavaScript implementation, in
> particular, it would be great to know.
>

Many things have changed between version 0.9.12 and 1.4.0. Things that would, in particular, impact you in this regard:

* The way URLs for connections are generated was updated right around 0.9.12. The connection identifier, data source, and type are encoded in a base64 parameter in the URL. So, a connection URL will look something like this:

  https://guacamole.example.local/#/client/NQBjAHBvc3RncmVzcWw

  The characters after /client/ are the encoding of the components that make up the connection. This is quite a bit different from what you have above - the connection parameters (hostname, protocol, username, etc.) are not part of the URI.

* It's possible that you were or are using the noauth extension, which allowed the Guacamole interface to be used without any authentication. We first deprecated and then removed that extension entirely, so it is no longer available - you must use some form of authentication.

You can either use one of the existing modules or write your own, but you should not allow access to the interface without requiring authentication. There are many ways to do this - for example, if you have a CAS, SAML or OpenID SSO provider, you can integrate Guacamole with those and users will be seamlessly logged in. You can also use something like CredSSP or SPNEGO authentication pass-through with Tomcat, combined with the Header authentication module.

-Nick
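
Added example (not part of the original message and not code from the Guacamole project): a JavaScript decoder and encoder for the segment after /client/ in the sample URL above. The layout used here (three NUL-separated fields, base64 with padding stripped) is what that sample decodes to; the function names, and reading the fields as id, type and data source, are assumptions of this example. Decoding shows the segment carries only identifiers, with no signature or credential, so access still depends on the authenticated session.

```javascript
// Added example: decode/encode the segment after /client/ in a connection URL.
// Layout observed by decoding the sample URL from the message above:
//   base64( id NUL type NUL dataSource ), trailing "=" padding stripped.
// Field names are this example's assumption, following the reply's description.
const SEP = '\0';

function decodeClientSegment(segment) {
  // Accept padded or unpadded input, standard or URL-safe alphabet.
  if (!/^[A-Za-z0-9+/_-]+={0,2}$/.test(segment)) {
    throw new Error('not a base64 segment');
  }
  const raw = Buffer.from(segment, 'base64').toString('utf8');
  const parts = raw.split(SEP);
  if (parts.length !== 3 || parts.some((p) => p.length === 0)) {
    throw new Error('expected three non-empty NUL-separated fields');
  }
  const [id, type, dataSource] = parts;
  return { id, type, dataSource };
}

function encodeClientSegment({ id, type, dataSource }) {
  const fields = [id, type, dataSource].map(String);
  // Reject values that would break the field layout on decode.
  if (fields.some((f) => f.length === 0 || f.includes(SEP))) {
    throw new Error('fields must be non-empty and contain no NUL');
  }
  return Buffer.from(fields.join(SEP), 'utf8')
    .toString('base64')
    .replace(/=+$/, '');
}

function segmentFromUrl(url) {
  // The client path lives in the fragment: https://host/#/client/<segment>
  const m = /^#\/client\/([^/?]+)/.exec(new URL(url).hash);
  if (!m) throw new Error('no /client/ segment in URL fragment');
  return decodeURIComponent(m[1]);
}

// Sample URL taken from the message above.
const SAMPLE_URL = 'https://guacamole.example.local/#/client/NQBjAHBvc3RncmVzcWw';

function demo() {
  const decoded = decodeClientSegment(segmentFromUrl(SAMPLE_URL));
  return { decoded, reencoded: encodeClientSegment(decoded) };
}

console.log(JSON.stringify(demo()));
```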
