Hi,

I tried deploying this today, the configuration from the readme for Traefik is quite wrong. Here's a working config, for reference:

version: '3'

services:
  server:
    container_name: guac_server
    image: guacozy/guacozy-server
    restart: always
    depends_on:
      - db
    environment:
      - DJANGO_SECRET_KEY=abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz
      - FIELD_ENCRYPTION_KEY=qjq4ObsXMqiqQyfKgD-jjEGm4ep8RaHKGRg4ohGCi1A=
      - DJANGO_DB_URL=postgres://postgres@db:5432/postgres
      - DJANGO_ALLOWED_HOSTS=*
    ports:
      - 10080:80
      - 10443:443
    labels:
      - traefik.web.port=80
      - traefik.enable=true
      - traefik.web.frontend.rule=Host:guacozy.example.com
      - traefik.docker.network=traefik
  guacd:
    image: linuxserver/guacd
    restart: always
    container_name: guacd
  db:
    container_name: guacdb
    image: postgres:10.4-alpine
    restart: always
    volumes:
    - postgres-data:/var/lib/postgresql/data

volumes:
  postgres-data:

networks:
  default:
    external:
      name: webproxy

Is LDAP auth built in similar to guacamole? If not, can it be easily added be leveraging guacamole's LDAP auth module?

When there are many connections, it would be beneficial to have a "location" column with breadcrumb path to folder in which connection is located.

Django doesn't execute management commands after CACHE_URL was added.

Error:

Note that only Django core commands are listed as settings are not properly configured (error: Set the CACHE_URL environment variable).

Workaround:

set CACHE_URL to local memcache when executing management command

docker-compose exec server sh -c 'export CACHE_URL=locmemcache:// && python ./manage.py generate_encryption_key'

Getting an issue connecting over SSH. The error is CLIENT_UNAUTHORIZED. However the same credentials work on my regular guacamole VM.

Need a field for connection description and maybe additional info.

In frontend it could be implemented by additional component, which displays Description, Log history , Summary of who has access to connection and other useful info.

Could be activated using context menu on Connection element in tree, context menu in Tab name.

Maybe make an option and activate as a info strip on upper side of connection tab automatically.

Description can be multiline and longer, so it makes sense to exclude it from /api/connections/, /api/connectionstree/, but make an additional parameter (e.g. /api/connections//fullinfo/ or /api/connections/?fullinfo=true)

When using AUTH_LDAP_FIND_GROUP_PERMS=True, groups are not mirrored, but "virtually" assigned to user. This works in standart Django but check's in custom django-rules do not work, because logic of checking by groups uses "user.groups" and it is not populated.

Need to add additional check for LDAP groups in django-rules

It would imporve usability to make names it connection tree not selectable and either add a cursor or add a popup indicating that you have to double click.

When I open the administration panel and choose ticket logs shows this error
Reverse for 'backend_folder_change' not found. 'backend_folder_change' is not a valid view function or pattern name.

I noticed some behaviors I have questions on:

CTRL and ALT don't seem to pass through at all, is that possible? CTRL+C and CTRL+V on Windows doesn't seem to work (it just passes the C character, etc).

The Shift key appears to have an odd behavior. If you hold it down for a couple seconds it invokes the Sticky Keys dialog on the remote host (but not on the local host if Windows). Maybe I'm just too slow. ;)

URL connection type would have

1. URL
2. Indication of default target (App tab, New browser window, New browser tab)

explore possibility to tunnel connection via browser, e.g.
/tunnelhttp/?target=https://www.google.com

this would make it possible:

• to give access via web to resources only accessible from guacozy, server (or internal proxy server)
• to hide address info (e.g. /tunnelhttp// could make a connection to URL specified in Connection with UUID, but prohibit specifying arbitraty URLs and hide real URL from end user

Having 280 connections and 30 tree nodes querying /api/connections/tree takes about 1000 ms.
Default connection limit is 1000 ms, so often query to refresh tree end with timeout.

Raise to higher value (e.g. 30s) and investigate performance

In folder admin view (/admin/backend/folder//change/) you can add Groups/Users permissions.

It would be nice to have a report there which would show permissions inherited from ancestors, because permission model propagates permissions to subfolders.

Clipboard is synced on SSH connections, but fails to sync on RDP.

This is not only about Ctrl+C/Ctrl+V (which don't work for some other reasons), but also for Copy/Paste using context menu.

Guacamole supports telnet. Need to add it to connections types.

Hello i have a UPSTREAM_ERROR and "SSH handshake failed" when i try to connect to Kali linux inside WSL on Windows

-my guacozy is installd on a synology ds918+ nas inside docker
-i try to connect to Linux Kali wich is running inside WSL2 in Windows

I routed my windows like this :
netsh interface portproxy add v4tov4 listenport=2022 listenaddress=0.0.0.0 connectport=2022 connectaddress=172.24.176.217
where 172.24.176.217 is the WSL KALI ip
Inside sshd_config in KALI i modified the like this :
Port 2022
SyslogFacility AUTH
LogLevel INFO
PubkeyAuthentication yes
PasswordAuthentication yes
AllowUsers doge

TESTS
Connexion from Powershell : OK
OK : ssh -vvv [email protected] -p2022
OK : ssh -vvv [email protected] -p2022
OK : ssh [email protected] -p2022
OK : ssh [email protected] -p2022
sometimes it does not work, then i "sudo service ssh stop" on the WSL KALI then it works again

Connexion from Powershell example : OK
PS C:\Users\alexe> ssh [email protected] -p2022
[email protected]'s password:
Linux ant 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 x86_64
hello wsl kali :)
You have no mail.
Last login: Sat Mar 5 22:51:43 2022 from 172.24.176.1
┏━(Message from Kali developers)
┗━(Run: “touch /.hushlogin” to hide this message)
┌──(doge㉿ant)-[]
└─$ exit
logout
Connection to 172.24.176.217 closed.
PS C:\Users\alexe> ssh [email protected] -p2022
[email protected]'s password:
Linux ant 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 x86_64
hello wsl kali :)
You have no mail.
Last login: Sat Mar 5 22:53:50 2022 from 172.24.176.1
┏━(Message from Kali developers)
┗━(Run: “touch /.hushlogin” to hide this message)
┌──(doge㉿ant)-[]
└─$ exit
logout
Connection to 192.168.1.54 closed.
PS C:\Users\alexe>

Connexion from vs-code hosted on the nas : OK
abc@code:~/workspace$ ssh [email protected] -p2022
[email protected]'s password:
Linux ant 5.10.60.1-microsoft-standard-WSL2 #1 SMP Wed Aug 25 23:20:18 UTC 2021 x86_64
hello wsl kali :)
You have no mail.
Last login: Sat Mar 5 22:51:54 2022 from 172.24.176.1
┏━(Message from Kali developers)
┃
┃ This is a minimal installation of Kali Linux, you likely
┃ want to install supplementary tools. Learn how:
┃ ⇒ https://www.kali.org/docs/troubleshooting/common-minimum-setup/
┃
┗━(Run: “touch /.hushlogin” to hide this message)
┌──(doge㉿ant)-[]
└─$

BUG :
When i try to connect from guacozy (nas, docker) :

GUACD information (from DOZZLE) :
today at 22:56:31guacd[7]: DEBUG: Error reading "select": Timeout while waiting for data on socket
today at 22:56:33guacd[7]: INFO: Creating new client for protocol "ssh"
today at 22:56:33guacd[7]: INFO: Connection ID is "$a76f3f71-cc7a-435d-8715-ef9942fa28b2"
today at 22:56:33guacd[20325]: DEBUG: Processing instruction: size
today at 22:56:33guacd[20325]: DEBUG: Processing instruction: audio
today at 22:56:33guacd[20325]: DEBUG: Processing instruction: video
today at 22:56:33guacd[20325]: DEBUG: Processing instruction: image
today at 22:56:33guacd[20325]: DEBUG: Parameter "scrollback" omitted. Using default value of 1000.
today at 22:56:33guacd[20325]: DEBUG: Parameter "font-name" omitted. Using default value of "monospace".
today at 22:56:33guacd[20325]: DEBUG: Parameter "enable-sftp" omitted. Using default value of 0.
today at 22:56:33guacd[20325]: DEBUG: Parameter "sftp-disable-download" omitted. Using default value of 0.
today at 22:56:33guacd[20325]: DEBUG: Parameter "sftp-disable-upload" omitted. Using default value of 0.
today at 22:56:33guacd[20325]: DEBUG: Parameter "read-only" omitted. Using default value of 0.
today at 22:56:33guacd[20325]: DEBUG: Parameter "typescript-name" omitted. Using default value of "typescript".
today at 22:56:33guacd[20325]: DEBUG: Parameter "create-typescript-path" omitted. Using default value of 0.
today at 22:56:33guacd[20325]: DEBUG: Parameter "recording-name" omitted. Using default value of "recording".
today at 22:56:33guacd[20325]: DEBUG: Parameter "recording-exclude-output" omitted. Using default value of 0.
today at 22:56:33guacd[20325]: DEBUG: Parameter "recording-exclude-mouse" omitted. Using default value of 0.
today at 22:56:33guacd[20325]: DEBUG: Parameter "recording-include-keys" omitted. Using default value of 0.
today at 22:56:33guacd[20325]: DEBUG: Parameter "server-alive-interval" omitted. Using default value of 0.
today at 22:56:33guacd[20325]: DEBUG: Parameter "backspace" omitted. Using default value of 127.
today at 22:56:33guacd[20325]: DEBUG: Parameter "disable-copy" omitted. Using default value of 0.
today at 22:56:33guacd[20325]: DEBUG: Client has not defined its protocol version.
today at 22:56:33guacd[20325]: DEBUG: Successfully connected to host 192.168.1.54, port 2022
today at 22:56:33guacd[20325]: ERROR: SSH handshake failed.
today at 22:56:34guacd[20325]: INFO: User "@dd606589-51b5-498b-bc45-7fcc05700c3f" disconnected (0 users remain)
today at 22:56:34guacd[20325]: INFO: Last user of connection "$a76f3f71-cc7a-435d-8715-ef9942fa28b2" disconnected
today at 22:56:34guacd[20325]: DEBUG: Requesting termination of client...
today at 22:56:34guacd[20325]: DEBUG: Client terminated successfully.
today at 22:56:34guacd[7]: INFO: Connection "$a76f3f71-cc7a-435d-8715-ef9942fa28b2" removed.
today at 22:56:34guacd[7]: ERROR: Guacamole protocol violation. Perhaps the version of guacamole-client is incompatible with this version of guacd?
today at 22:56:34guacd[7]: DEBUG: Error reading "select": Instruction read did not have expected opcode
today at 22:56:34guacd[7]: WARNING: Guacamole handshake failed: Timed out
today at 22:56:34guacd[7]: DEBUG: Error reading "select": Timeout while waiting for data on socket
today at 22:56:34guacd[7]: WARNING: Guacamole handshake failed: Timed out
today at 22:56:34guacd[7]: DEBUG: Error reading "select": Timeout while waiting for data on socket

WSL KALI information :
┌──(root㉿ant)-[/mnt/c/Users/alexe]
└─# sudo service ssh stop
Stopping OpenBSD Secure Shell server: sshd.

┌──(root㉿ant)-[/mnt/c/Users/alexe]
└─# sudo service ssh start -d
Starting OpenBSD Secure Shell server: sshddebug1: sshd version OpenSSH_8.8, OpenSSL 1.1.1m 14 Dec 2021
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 2022 on 0.0.0.0.
Server listening on 0.0.0.0 port 2022.
debug1: Bind to port 2022 on ::.
Server listening on :: port 2022.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: sshd version OpenSSH_8.8, OpenSSL 1.1.1m 14 Dec 2021
debug1: inetd sockets after dupping: 3, 3
Connection from 172.24.176.1 port 64316 on 172.24.176.217 port 2022 rdomain ""
debug1: Local version string SSH-2.0-OpenSSH_8.8p1 Debian-1
debug1: Remote protocol version 2.0, remote software version libssh2_1.8.0
debug1: compat_banner: no match: libssh2_1.8.0
debug1: permanently_set_uid: 118/65534 [preauth]
debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: algorithm: diffie-hellman-group-exchange-sha256 [preauth]
debug1: kex: host key algorithm: (no match) [preauth]
Unable to negotiate with 172.24.176.1 port 64316: no matching host key type found. Their offer: ssh-rsa,ssh-dss [preauth]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug1: do_cleanup
debug1: Killing privsep child 18163
debug1: audit_event: unhandled event 12
failed!
┌──(root㉿ant)-[/mnt/c/Users/alexe]
└─#

Help please :)

Currently terminal-type is hardcoded to "xterm". When connecting to linus and starting midnight commander, F1-F5 keys do not work. They also do not work in Guacamole, so it must be a guacd problem. No possibility to fix in Guacozy.

Proposed solution - implement terminal-type selection and make "linux" the default type.

Would it be possible to create connection defaults (per connection type, maybe per connection type per user)?

For example, my Windows Server 2019 VM's really don't like reconnecting on resize, so I would like to set the RDP resize method default to "Display update".

Docker logs -f "docker continaer name" to guacd and guacozy to view the logs.
When I type curl 'guacd:4822' on guacozy container, guacd container throws an error: "Guacamole protocol violation. Perhaps the version of guacamole-client is incompatible with this version of guacd?"

However, even if a connection is executed in guacozy web, no logs in guacd.
maybe not trying to reach to guacd from guacozy.

In addition, if I run connection in guacozy, I can see these logs in guacozy docker.
"WARNING Not Found: /tunnelws/ticket/c30fa7d1-b334-4259-ad71-35804a3d9911"
or
"WARNING Not Found: /tunnelws/ticket/e37b6e69-9e7a-4fa0-b083-2eda8c86809a/"
like these.

How can I test that guacozy can connect to gaucd.
what can I do?
thank you.

In API browser user is presented with a form to create folder.
Although folder is not created (permission check), user can see a dropdown of available folders in "Parent" field.

"Parent" field should be filter to show only folders accessible to user

I stumbled upon guacozy and I am currently trying it using docker-compose. I have problems with RDP connections. The problem occurs with server 2008 and also with server 2019.

when connecting the first time (via double-click) in guacozy

The server gives an error message saying:

The task you are trying to do can't be completed because Remote Desktop Services is currently busy.
Please try again in a few minutes. Other users should still be able to log on.

when reconnecting after above failed connect

After the above try to connect guacozy shows the options to Reconnect/Close tab.
When now clicking on Reconnect an initial connection will be established but when the remote desktop seems to build up it states:

The system cannot find the file specified.
The inital program cannot be started: None
Please consult help for more information

When I click on OK the session automatically is logging of.

I also have a complete guacamole setup which works fine and I also tried with different and the latest version of guacd - no changes.

Could it be, that guacozy is just so outdated that it will no longer works.

I personally think it has something to do how guacozy initiates the session vi guacd since I also get volume licensing errors when trying to connect with guacozy. I think that the client-name of the initiator (guacozy) is not transmitted correctly but that is just an idea.

Any help would be appreciated. If you need further infos just follow up her.

/api/connections/ leaks valueable info which should not be shared (hostname, username, credentials reference id).

Need to limit connection info in /api/connections/ to ['id','name','parent','protocol']
Make only 'parent' changeable by "patch" request.

Embeded nginx config should automatically redirect to https

It would be nice to have per connection resolutions setting, with default option "Auto", which would work as it works now - scaling to tab size.

Hello,

I have been trying to add some of our linux hosts to the guacozy instance i rolled out, however I get "CLIENT_UNAUTHORIZED" when I try to connect. Here is the screenshot of the error from the first server I have tried adding:

This is a freshly deployed linux host and I am able to connect just fine with putty (via pagent) using the same private key/passphrase

User who is not staff can see all users in /api/users/. This is necessary for share functionality to work. But also this creates a issue that any user without staff status knows who of users is staff ant who is superuser, which could make attack easier

{ "id": 3, "username": "john.smith", "email": "[email protected]", "groups": [], "first_name": "John", "last_name": "Smith", "full_name": "John Smith", "is_staff": false, "is_superuser": false },

Log example

guacd_1   | guacd[6]: INFO:     Creating new client for protocol "ssh"
guacd_1   | guacd[6]: INFO:     Connection ID is "$cbfb626d-547a-4fa6-bf46-7a1817b4b608"
guacd_1   | guacd[988]: INFO:   User "@22714c51-d1b1-4c81-81d5-ef09b40c923b" joined connection "$cbfb626d-547a-4fa6-bf46-7a1817b4b608" (1 users now present)
guacd_1   | guacd[988]: WARNING:        No known host keys provided, host identity will not be verified.
guacd_1   | guacd[6]: INFO:     Connection "$cbfb626d-547a-4fa6-bf46-7a1817b4b608" removed.
guacd_1   | guacd[6]: ERROR:    Guacamole protocol violation. Perhaps the version of guacamole-client is incompatible with this version of guacd?
guacd_1   | guacd[6]: ERROR:    Guacamole protocol violation. Perhaps the version of guacamole-client is incompatible with this version of guacd?

Example of two switches where one takes username and other gives prompt (Same Cisco SG300-52 model)

H:\>ssh [email protected]
[email protected]'s password:
sw-hq-5a-dist-1#exit
Connection to x.x.x.5 closed.

H:\>ssh [email protected]
User Name:admin
Password:*****************
sw-hq-5a-dist-2#exit
Connection to x.x.x.6 closed.

1. Login with user who has "is_staff" but does not have any folders allows
2. In API browse try to create a ticket. "Connection" field dropdown is empty
3. Try to POST anyway. Error 400 returned, but now "Connection" dropdown is populated with a list of all connections in system.

While it is not possible to actually create a ticket for a connection you are now allowed to, this exposed the list of all connections in system, which is a sensitive data.

Add Edit shortcut to drop in administration in Folder edit mode. Should work same way as with Connection->Edit.

Make sure Edit is not showed to users without "is_staff" permission

I run the project with the command:

docker run -it --rm -p 8080:80 -p 8443:443 guacozy/guacozy-server

then I add a connection, but when I connect to it, I get the error:

2019-10-28 09:13:19,494 ERROR Exception inside application: [Errno -2] Name does not resolve
File "/usr/local/lib/python3.7/site-packages/channels/sessions.py", line 183, in call
return await self.inner(receive, self.send)
File "/usr/local/lib/python3.7/site-packages/channels/middleware.py", line 41, in coroutine_call
await inner_instance(receive, send)
File "/usr/local/lib/python3.7/site-packages/channels/consumer.py", line 62, in call
await await_many_dispatch([receive], self.dispatch)
File "/usr/local/lib/python3.7/site-packages/channels/utils.py", line 52, in await_many_dispatch
await dispatch(result)
File "/usr/local/lib/python3.7/site-packages/channels/consumer.py", line 73, in dispatch
await handler(message)
File "/usr/local/lib/python3.7/site-packages/channels/generic/websocket.py", line 175, in websocket_connect
await self.connect()
File "./guacozy_server/guacdproxy/consumers.py", line 119, in connect
await sync_to_async(self.gclient.handshake)(**parameters, **params)
File "/usr/local/lib/python3.7/site-packages/asgiref/sync.py", line 244, in call
return await asyncio.wait_for(future, timeout=None)
File "/usr/local/lib/python3.7/asyncio/tasks.py", line 414, in wait_for
return await futlt = self.fn(*self.args, **self.kwargs)
File "/usr/local/lib/python3.7/site-packages/asgiref/sync.py", line 277, in thread_handler
return func(*args, **kwargs)
File "/usr/local/lib/python3.7/site-packages/guacamole/client.py", line 167, in handshake
self.send_instruction(Instruction('select', protocol))
File "/usr/local/lib/python3.7/site-packages/guacamole/client.py", line 136, in send_instruction
return self.send(instruction.encode())
File "/usr/local/lib/python3.7/site-packages/guacamole/client.py", line 122, in send
self.client.sendall(data.encode())
File "/usr/local/lib/python3.7/site-packages/guacamole/client.py", line 71, in client
(self.host, self.port), self.timeout)
File "/usr/local/lib/python3.7/socket.py", line 707, in create_connection
for res in getaddrinfo(host, port, 0, SOCK_STREAM):
File "/usr/local/lib/python3.7/socket.py", line 748, in getaddrinfo
for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
[Errno -2] Name does not resolve

What can I do to fix this problem？
Thank you！

When you open dropdown for credentials when editing a connection, they are listed sorted by ID. They should be sorted alphabetically.

is this project active anymore ?
did not see any codechange for a while

just curious if this would work with a current version of guacamole too (1.5.0)?

Logout button doesn't logout properly, only redirects to login page.

Feature Request:
Is possible to create packages for installation without docker? In enterprise distributions will be easier installation and validation rpm or deb package. Or on second way, is possible to install by clone git into django folder? It can be variantly in installation documentation?

When you have one or more active sessions it should prevent closing the tab by activatng "Changes you made may not be saved." browser popup. It was working before.

When using Static Credentials with SSH key, SSH key is not used/considered.

1. Create a user who has "is_staff" status but has no access to any folder
2. Create a connection via API

Problems:

User without access to folder should not be able to create connection via API
API connection creation is broken, becaus it creates a generic "Connection" (not RDP/SSH/VNC)

for now the best option would be to disable connection creating via API

Hello,

Beforehand, I would like to thank you for creating such a nice tool. It is a shame it is not under development anymore as per my opinion this is the way the default apache guacamole solution should be conceived....In terms of info organization and workflow (again, in my opinion) it is wide better than its forked father.

I am having problems connecting to hosts running Windows Server 2019 and up with RDP protocol. Windows Server 2012 connections work just fine.

I am aware of the security settings and the ignore certificate option enabled for the connections.

It seems like the problem here is that the client is sending a parameter in the "initiate file" section that cannot be interpreted by the host. Indeed the parameter being sent as per the error shown when initiating the connection is "None"

I have neither configured a program to start with the connection nor touched that configuration field at all....here, the capture showing up the error on the connection...

Any help on this regard would be appreciated. I am truly looking forward in using guacozy in a regular basis for my support activities.

Regards,

LB