I did what the log told me to do: “set "skip-if-unavailable: tacacs" within your 
guacamole.properties”

And now when I enter my credentials, it works. But what can I do to 
eliminate the “The "tacacs" authentication provider has been skipped due to an 
internal error. If this is unexpected or you are the developer of this 
authentication provider, you may wish to enable debug-level logging: null” 
message?

[2023-04-01 01:13:56] [info] 01:13:56.357 [http-nio-8080-exec-4] WARN  
o.a.g.e.AuthenticationProviderFacade - The "tacacs" authentication provider has 
been skipped due to an internal error. If this is unexpected or you are the 
developer of this authentication provider, you may wish to enable debug-level 
logging: null
[2023-04-01 01:14:20] [info] 01:14:20.392 [http-nio-8080-exec-3] INFO  
o.a.g.a.t.AuthenticationProviderService - User "gabriel" successfully 
authenticated with Tacacs from XX.XXX.XX.XX.
[2023-04-01 01:14:20] [info] 01:14:20.395 [http-nio-8080-exec-3] INFO  
o.a.g.r.auth.AuthenticationService - User "gabriel" successfully authenticated 
from XX.XXX.XX.XX.

-Gabriel

From: Gabriel Huerta Araujo
Sent: Saturday, April 1, 2023 01:13 a.m.
To: [email protected]
Subject: RE: Change to the way of authenticating provided by Guacamole


Hi Nick, sorry for not being around here... I was busy with other 
projects.

I have included the jar to validate Tacacs authentication:

[2023-04-01 01:05:59] [info] 01:05:59.560 [main] INFO  
o.a.g.extension.ExtensionModule - Extension "MySQL Authentication" (mysql) 
loaded.
[2023-04-01 01:05:59] [info] 01:05:59.730 [main] INFO  
o.a.g.extension.ExtensionModule - Extension "Tacacs Authentication Extension" 
(guac-tacacs) loaded.

But when I restarted Tomcat and this new authentication provider was loaded, an 
error appeared.

This is the error:

[2023-04-01 01:09:33] [info] 01:09:33.810 [http-nio-8080-exec-6] WARN  
o.a.g.e.AuthenticationProviderFacade - The "tacacs" authentication provider has 
encountered an internal error which will halt the authentication process. If 
this is unexpected or you are the developer of this authentication provider, 
you may wish to enable debug-level logging. If this is expected and you wish to 
ignore such failures in the future, please set "skip-if-unavailable: tacacs" 
within your guacamole.properties.
[2023-04-01 01:09:33] [info] 01:09:33.821 [http-nio-8080-exec-6] ERROR 
o.a.g.rest.RESTExceptionMapper - An internal error occurred, but did not 
contain an error message. Enable debug-level logging for details.

In the extensions directory there are two jars: one required for Tacacs 
authentication and the other for retrieving connection group information (MySQL).

ls -ltr /etc/guacamole/extensions
total 6704
-rw-rw-r-- 1 1001 1001 6102374 dic 29  2021 guacamole-auth-jdbc-mysql-1.4.0.jar
-rw-r--r-- 1 root root  758237 abr  1 00:43 guacamole-auth-tacacs-1.4.0.jar

What seems to be the trouble?

-Gabriel



-----Original Message-----
From: Nick Couchman <[email protected]>
Sent: Wednesday, March 15, 2023 08:49 a.m.
To: [email protected]
Subject: Re: Change to the way of authenticating provided by Guacamole

On Tue, Mar 14, 2023 at 7:36 PM Gabriel Huerta Araujo <[email protected]> wrote:

>
> I found the class SharedAuthenticationProviderService, which has the method
> below (authenticateUser). It receives credentials of type Credentials. Below
> is its definition:
>
>     @Override
>     public AuthenticatedUser authenticateUser(AuthenticationProvider authenticationProvider,
>             Credentials credentials) throws GuacamoleException {
>
>         // Check whether user is authenticating with a valid sharing key
>         AuthenticatedUser user =
>             sharingService.retrieveSharedConnectionUser(authenticationProvider, credentials);
>         if (user != null)
>             return user;
>
>         // Otherwise, unauthorized
>         throw new GuacamoleInvalidCredentialsException("Invalid login",
>             CredentialsInfo.USERNAME_PASSWORD);
>
>     }
>
> Given the code above, I think I have to make the call to the Perl invocation
> before retrieving the authenticated user, and then compare with it. If their
> credentials are different, update the credentials with the Tacacs value using
> the updateUserContext function.
>
> How do you see my implementation proposal?



A couple of things:

* I would not look at the SharedAuthenticationProviderService as an example of 
this - it is fairly complex in creating temporary tokens and authenticating 
users temporarily. The simplest module out there is probably the 
guacamole-auth-header module, and it might be a better starting point for you 
to create a simple authentication extension that will call the Perl script.

* It would be better to avoid trying to change an existing authentication 
module; you should take the time to fully implement a new one. You can use the 
header extension as a starting point, but you should take the time to name the 
classes properly, set up any logging you feel is necessary, etc. Even if you 
copy the existing header extension and make changes, make sure you rename the 
classes, remove items that aren't required, etc. It'll help you out in the long 
run.



-Nick
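
An added example, not part of the original thread: a Python log check for the records quoted in the messages above, which rejoins the mail-wrapped lines and lists each provider skip/halt warning with its trailing detail next to the provider-level logins, so that with "skip-if-unavailable" set you can see whether logins after a skip still went through the skipped provider. The function names are hypothetical and the sample is the three records from the first message.

```python
import re

# Log records quoted in the thread above, wrapped as in the mail.
SAMPLE = """\
[2023-04-01 01:13:56] [info] 01:13:56.357 [http-nio-8080-exec-4] WARN
o.a.g.e.AuthenticationProviderFacade - The "tacacs" authentication provider has
been skipped due to an internal error. If this is unexpected or you are the
developer of this authentication provider, you may wish to enable debug-level
logging: null
[2023-04-01 01:14:20] [info] 01:14:20.392 [http-nio-8080-exec-3] INFO
o.a.g.a.t.AuthenticationProviderService - User "gabriel" successfully
authenticated with Tacacs from XX.XXX.XX.XX.
[2023-04-01 01:14:20] [info] 01:14:20.395 [http-nio-8080-exec-3] INFO
o.a.g.r.auth.AuthenticationService - User "gabriel" successfully authenticated
from XX.XXX.XX.XX.
"""

START = re.compile(r"\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] ")
PROVIDER = re.compile(r'The "([^"]+)" authentication provider has '
                      r"(been skipped|encountered an internal error)")
DETAIL = re.compile(r"debug-level logging: (.*)$")
LOGIN = re.compile(r'User "([^"]+)" successfully authenticated with (\S+) from')


def unwrap(text):
    """Rejoin records that were wrapped across several lines."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def triage(text):
    """Return (provider_events, logins) as lists of tuples."""
    events, logins = [], []
    for rec in unwrap(text):
        ts = START.match(rec)
        ts = ts.group(1) if ts else "?"
        if m := PROVIDER.search(rec):
            state = "skipped" if m.group(2) == "been skipped" else "halted"
            d = DETAIL.search(rec)
            events.append((ts, m.group(1), state, d.group(1) if d else ""))
        elif m := LOGIN.search(rec):
            logins.append((ts, m.group(1), m.group(2)))
    return events, logins


if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```
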


