guacamole-auth-pam's People

Contributors

voegelas

guacamole-auth-pam's Issues

Extension not compatible with Guacamole 1.0.0

The following error is thrown when trying to load the extension in Guacamole 1.0.0.

ERROR o.a.g.extension.ExtensionModule - Extension "guacamole-auth-pam-0.9.14.jar" could not be loaded: Extension "PAM Authentication Extension" is not compatible with this version of Guacamole.

Are there any plans to upgrade it?

guacamole-auth-pam

I thought I'd try guacamole-auth-pam with Guacamole v0.9.14, Tomcat 8, freerdp-x11 and Ubuntu 18.04.
I think I have the extension built OK and it is in /etc/guacamole/extensions.
I am using xrdp on the Ubuntu host so I can connect using RDP from Guacamole.

I can log into the host using xfreerdp from a different machine and I see the xfce4 desktop.

If I attempt to access via Guacamole:

http://x.x.x.x:8080/guacamole

I see the tab icon in the browser show the Guacamole emblem, but then I don't see anything further?

I guess I expected to see a login prompt where I'd enter a user ID and password from the Ubuntu 18.04 system I am trying to access. Of course I am assuming that the guacamole-auth-pam extension is what presents that, yes/no?

Feedback from Guacamole dev on suggestion regarding additional integration with guacamole-auth-pam

Andreas

I wanted to thank you for your work on the PAM authorization extension for Guacamole.
I'd sent an email to the Guacamole developers/users alias about your extension and an idea I had to perhaps enable it to do more if there were additional Guacamole parameter tokens available than the six currently defined.

Nick Couchman (one of the Guacamole developers) had some good feedback regarding not only what some tweaks to Guacamole could do but also what he thought might also be done with your Guacamole-Auth-Pam extension.

I just wanted to make sure you had seen that thread and whether what Nick suggested might be possible for your Guacamole extension.

Here is the thread:

http://apache-guacamole-incubating-users.2363388.n4.nabble.com/Are-there-or-could-there-be-more-Parameter-Tokens-than-are-in-the-Documentation-tp4647.html

Brian Mullan

PAM local user works but SSSD AD user does not

I get the following in my syslog for each ID
Aug 5 18:35:39 ub-guactest tomcat9[479476]: 18:35:39.142 [http-nio-8080-exec-2] INFO o.a.g.r.auth.AuthenticationService - User "fooadmin" successfully authenticated from 172.xxx.xxx.xxx.
Aug 5 18:32:57 ub-guactest tomcat9[479476]: 18:32:57.219 [http-nio-8080-exec-5] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.xxx.xxx.xxx for user "foo" failed.

I've got the system set up with SSSD Active Directory integration. I can log in with AD users. I didn't even expect the local PAM user to work, because I was not able to install libpam4j, as it is not packaged for Ubuntu 18.04 or 20.04 as far as I could find.

Is there anything else that would be useful for me to troubleshoot?

Allow wildcard (*) for user name?

Andreas,

First and foremost: thank you for guacamole-auth-pam!

I made a slight mod to the code to allow anyone who can log in to the machine to log in to Guacamole.

<user name="*">
<config-ref name="ECE -- slow network RDP" />
<config-ref name="ECE -- slow network SFTP" />
<config-ref name="ECE -- fast network" />
</user>

The code is in UserMapping.java:

    if (userNameToConfigNames.containsKey(userName)) {
        configNames.addAll(userNameToConfigNames.get(userName));
    }

    /* Code Added: connections mapped to the wildcard user "*" are granted
       to every authenticated user, on top of that user's own entry */
    if (userNameToConfigNames.containsKey("*")) {
        configNames.addAll(userNameToConfigNames.get("*"));
    }

This keeps me from having to maintain a list of users. I just make accounts on the machine and they can use Guacamole.

Thoughts?
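One way to implement the same wildcard lookup outside the Java code, together with the restriction a reviewer would ask for before merging it. This is an added example for this page, not code from guacamole-auth-pam: it keeps the extension's <config>/<user>/<config-ref> elements, but the <user-mapping> root name, the require-group attribute and the user_groups argument are this example's own assumptions.

```python
"""Resolve which <config> entries a PAM-authenticated user may open from
a unix-user-mapping.xml that uses the wildcard user from the post above.

Added example for this page, not code from guacamole-auth-pam.  The
<user-mapping> root element, the require-group attribute and the
user_groups argument are this example's assumptions; the rest of the
vocabulary is the extension's."""
import xml.etree.ElementTree as ET

WILDCARD = "*"

# Constructed sample in the extension's format.  require-group is the
# hypothetical attribute described above, not an extension feature.
SAMPLE_MAPPING = """<user-mapping>
  <config name="ECE -- slow network RDP" protocol="rdp">
    <param name="hostname" value="10.0.0.61"/>
  </config>
  <config name="ECE -- fast network" protocol="rdp">
    <param name="hostname" value="10.0.0.62"/>
  </config>
  <config name="Admin console" protocol="ssh">
    <param name="hostname" value="10.0.0.1"/>
  </config>

  <user name="alice">
    <config-ref name="ECE -- fast network"/>
    <config-ref name="Admin console"/>
  </user>

  <!-- anyone PAM accepts, provided (this example's rule) they are in guac-users -->
  <user name="*" require-group="guac-users">
    <config-ref name="ECE -- slow network RDP"/>
    <config-ref name="ECE -- fast network"/>
  </user>
</user-mapping>
"""


def parse_mapping(xml_text):
    """Return {user name: (config names in file order, required group or None)}.
    A <config-ref> that names no <config> raises, so a typo fails closed."""
    root = ET.fromstring(xml_text)
    defined = {c.get("name") for c in root.findall("config")}
    users = {}
    for u in root.findall("user"):
        refs = [r.get("name") for r in u.findall("config-ref")]
        missing = [r for r in refs if r not in defined]
        if missing:
            raise ValueError(f"user {u.get('name')!r} references undefined config(s): {missing}")
        users[u.get("name")] = (refs, u.get("require-group"))
    return users


def resolve_configs(xml_text, user_name, user_groups=frozenset()):
    """Config names an authenticated user gets: the exact entry first, then
    the wildcard entry (the lookup order of the patched UserMapping.java),
    duplicates dropped.  user_groups stands in for a grp/getent lookup of
    the account's groups so the function runs offline."""
    users = parse_mapping(xml_text)
    names = []
    for key in (user_name, WILDCARD):
        if key not in users:
            continue
        refs, required_group = users[key]
        if required_group and required_group not in user_groups:
            continue
        for ref in refs:
            if ref not in names:
                names.append(ref)
    return names


if __name__ == "__main__":
    for user, groups in (("alice", {"users", "guac-users"}),
                         ("bob", {"users", "guac-users"}),
                         ("svc-backup", {"backup"})):
        print(user, "->", resolve_configs(SAMPLE_MAPPING, user, groups))
```

Without a group (or equivalent) restriction, "*" grants the listed connections to every account PAM accepts, including accounts created on the same host for other services; the dangling-reference check turns a mistyped config name into an error rather than a silently shorter connection list.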

pam_sss(sshd:auth): received for user [email protected]: 6 (Permission denied)

The RHEL 7 VM is configured to use AD authentication without joining the domain, but using sssd.

sssd.conf looks like this:

[sssd]
config_file_version = 2
domains = default
services = nss, pam
full_name_format = %1$s

[nss]

[pam]

[domain/default]
id_provider = ldap
cache_credentials = True
ldap_uri = ldap://windows2016.example.com
ldap_search_base = CN=Users,DC=example,DC=com
ldap_schema = AD
ldap_default_bind_dn = CN=ReadOnlyUser,CN=Users,DC=example,DC=com
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = <generated_password>

ldap_tls_reqcert = never

ldap_id_mapping = True

enumerate = True

fallback_homedir = /home/%u
default_shell = /bin/bash
access_provider = permit
sudo_provider = ldap
auth_provider = ldap
autofs_provider = ldap

ldapsearch works with ldap and ldaps
getent passwd -s sssd displays AD user information
su - ADuser works
pam files have been updated with sssd.

[root@xxx ~]# grep -i sss /etc/pam.d/*
/etc/pam.d/fingerprint-auth:account [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/fingerprint-auth:session optional pam_sss.so
/etc/pam.d/fingerprint-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/fingerprint-auth-ac:session optional pam_sss.so
/etc/pam.d/password-auth:auth sufficient pam_sss.so forward_pass
/etc/pam.d/password-auth:account [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/password-auth:password sufficient pam_sss.so use_authtok
/etc/pam.d/password-auth:session optional pam_sss.so
/etc/pam.d/password-auth-ac:auth sufficient pam_sss.so forward_pass
/etc/pam.d/password-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/password-auth-ac:password sufficient pam_sss.so use_authtok
/etc/pam.d/password-auth-ac:session optional pam_sss.so
/etc/pam.d/smartcard-auth:account [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/smartcard-auth:session optional pam_sss.so
/etc/pam.d/smartcard-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/smartcard-auth-ac:session optional pam_sss.so
/etc/pam.d/system-auth:auth sufficient pam_sss.so forward_pass
/etc/pam.d/system-auth:account [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/system-auth:password sufficient pam_sss.so use_authtok
/etc/pam.d/system-auth:session optional pam_sss.so
/etc/pam.d/system-auth-ac:auth sufficient pam_sss.so forward_pass
/etc/pam.d/system-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/system-auth-ac:password sufficient pam_sss.so use_authtok
/etc/pam.d/system-auth-ac:session optional pam_sss.so

nsswitch.conf is updated

sshd_config has "PasswordAuthentication yes"

SELinux disabled and firewall disabled

Machine is patched with latest updates
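The sssd.conf above, run through a small checker for the settings a reviewer would question before the permission-denied hunt even starts. This is an added example for this page, neither sssd's nor guacamole-auth-pam's code: the sample is the posted domain section with its placeholders kept and unrelated keys trimmed, the hardened counterpart (CA path, group name) is constructed, and the values assumed for absent keys are sssd's documented defaults.

```python
"""Check an sssd.conf domain section for the settings a reviewer would
flag.  Added example for this page (neither sssd's nor the extension's
code); absent keys are taken at sssd's documented defaults:
ldap_tls_reqcert=hard, ldap_id_use_start_tls=false,
access_provider=permit, enumerate=false."""
import configparser

# The domain section posted above, placeholders kept, other sections trimmed.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = default
services = nss, pam
full_name_format = %1$s

[domain/default]
id_provider = ldap
auth_provider = ldap
cache_credentials = True
ldap_uri = ldap://windows2016.example.com
ldap_search_base = CN=Users,DC=example,DC=com
ldap_schema = AD
ldap_default_bind_dn = CN=ReadOnlyUser,CN=Users,DC=example,DC=com
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = <generated_password>
ldap_tls_reqcert = never
ldap_id_mapping = True
enumerate = True
fallback_homedir = /home/%u
access_provider = permit
"""

# Constructed hardened counterpart (CA path and group name are made up):
# LDAPS with a pinned CA, certificate verification on, one allowed group,
# no enumeration.
HARDENED_SSSD_CONF = """\
[sssd]
domains = default
services = nss, pam

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://windows2016.example.com
ldap_tls_cacert = /etc/pki/tls/certs/example-ad-ca.pem
ldap_tls_reqcert = demand
ldap_schema = AD
ldap_id_mapping = True
ldap_search_base = CN=Users,DC=example,DC=com
ldap_default_bind_dn = CN=ReadOnlyUser,CN=Users,DC=example,DC=com
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = <generated_password>
access_provider = simple
simple_allow_groups = guacamole-users
"""


def load_sssd_conf(text):
    # interpolation=None: sssd values such as %1$s and /home/%u are not
    # configparser interpolation syntax
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit_domain(cp, domain="default"):
    """Return (severity, key, explanation) tuples for one domain section."""
    sec = cp[f"domain/{domain}"]
    findings = []
    reqcert = sec.get("ldap_tls_reqcert", "hard").lower()
    if reqcert in ("never", "allow"):
        findings.append(("high", "ldap_tls_reqcert",
            f"{reqcert}: the server certificate is not verified, so whoever can redirect "
            "LDAP traffic can impersonate the directory and collect the bind password and "
            "every user password sent for authentication; use demand/hard with "
            "ldap_tls_cacert pointing at the AD CA"))
    uri = sec.get("ldap_uri", "")
    if uri.startswith("ldap://") and not sec.getboolean("ldap_id_use_start_tls", fallback=False):
        findings.append(("high", "ldap_uri",
            "plain ldap:// without ldap_id_use_start_tls: the identity connection and its "
            "simple bind as ldap_default_bind_dn go over the wire in clear; use ldaps:// "
            "or set ldap_id_use_start_tls = true"))
    access = sec.get("access_provider", "permit")
    if access == "permit":
        findings.append(("medium", "access_provider",
            "permit: every account the directory returns may log in on this host; restrict "
            "with access_provider = simple plus simple_allow_groups, or = ldap with an "
            "ldap_access_filter"))
    elif access == "simple" and not (sec.get("simple_allow_groups") or sec.get("simple_allow_users")):
        findings.append(("medium", "access_provider",
            "simple without simple_allow_groups/simple_allow_users allows everyone"))
    if sec.getboolean("enumerate", fallback=False):
        findings.append(("low", "enumerate",
            "True: the whole directory is pulled into the local cache, exposing every "
            "account name on this host and loading the DC; leave it at the default"))
    return findings


if __name__ == "__main__":
    for sev, key, why in audit_domain(load_sssd_conf(SAMPLE_SSSD_CONF)):
        print(f"[{sev}] {key}: {why}")
```

None of these findings explains the "Permission denied" by itself, but the first two mean that whatever credentials are used while debugging are exposed to anyone on the path to the domain controller, and the third means that once authentication does work, every directory account can log in.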

Debugging the auth process

Hello Andreas,

Thank you for your work on this extension. I have an existing PHP application which successfully uses PAM authentication. I am trying to integrate Guacamole into the server, and would like to use PAM for this as well. I have looked at your source code for clues on logging, and see a thorough logging mechanism, but am unable to isolate the problem. I have guacamole 0.9.13 and guacamole-auth-pam-0.9.13 running on Tomcat 8.5.20 on Ubuntu Server 16.04.

Unfortunately the Catalina logs only provide:
22:29:33.646 [http-nio-8080-exec-10] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 10.0.0.86 for user "craig" failed.

And the kernel logs only provide:
java[27499]: pam_unix(guacamole:auth): authentication failure; logname= uid=1002 euid=1002 tty= ruser= rhost= user=craig

Here is my unix-user-mapping.xml:

<config name="VNC Connection" protocol="vnc">
    <param name="hostname" value="10.0.0.61" />
    <param name="port" value="5900" />
    <param name="password" value="" />
</config>

<user name="USERNAME">
    <config-ref name="VNC Connection" />
</user>

I was able to connect and use the VNC viewer with Guacamole's default configuration.

Appreciate your help!
Craig Jackson
[email protected]
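Reading the two quoted lines side by side, as an added example for this page (not the extension's code): it correlates Guacamole's AuthenticationService lines with the PAM events syslog records for the same user name and turns the PAM fields into troubleshooting hints. The sample lines are constructed after the ones quoted in this issue and in the SSSD/AD issue above (date, host, second user and pid are made up); the hint texts are this example's reading of the fields, not something the page states.

```python
"""Correlate Guacamole's AuthenticationService lines with the PAM events
syslog records for the same attempt, and turn the PAM fields into hints.

Added example written for this page; not part of guacamole-auth-pam.
Sample lines are constructed after the quoted ones; hint rules are this
example's own reading of the fields."""
import re

# Constructed sample input (date, host, second user and pid are made up).
CATALINA_LOG = """\
22:29:33.646 [http-nio-8080-exec-10] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 10.0.0.86 for user "craig" failed.
22:31:02.118 [http-nio-8080-exec-4] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 10.0.0.86 for user "foo" failed.
22:32:57.219 [http-nio-8080-exec-5] INFO o.a.g.r.auth.AuthenticationService - User "fooadmin" successfully authenticated from 10.0.0.86.
"""
SYSLOG = """\
Sep 14 22:29:33 guac java[27499]: pam_unix(guacamole:auth): authentication failure; logname= uid=1002 euid=1002 tty= ruser= rhost= user=craig
"""

AUTH_RE = re.compile(r'^(?P<time>\d\d:\d\d:\d\d\.\d{3}) \[[^\]]+\] (?P<level>\w+) '
                     r'o\.a\.g\.r\.auth\.AuthenticationService - (?P<msg>.*)$')
FAIL_RE = re.compile(r'Authentication attempt from (?P<client>.+?) for user "(?P<user>[^"]+)" failed\.')
OK_RE = re.compile(r'User "(?P<user>[^"]+)" successfully authenticated from (?P<client>.+?)\.$')
PAM_RE = re.compile(r'pam_(?P<module>\w+)\((?P<service>[^:]+):(?P<type>\w+)\): '
                    r'(?P<msg>[^;]+);\s*(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=(\S*)')


def parse_pam_event(line):
    """Split 'pam_unix(guacamole:auth): authentication failure; k=v ...' into
    module, service, type, message and a dict of the k=v fields."""
    m = PAM_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["fields"] = dict(KV_RE.findall(ev["fields"]))
    return ev


def pam_hints(ev):
    hints = []
    euid = ev["fields"].get("euid")
    if ev["module"] == "unix" and euid not in (None, "0"):
        hints.append(
            f"pam_unix ran with euid={euid}, not root: it cannot read /etc/shadow, and "
            "unix_chkpwd will not verify another account's password for a non-root "
            "caller, so every local user fails; give the Tomcat account read access to "
            "the shadow database (the shadow group on Debian/Ubuntu) or authenticate "
            "through a daemon-backed module such as pam_sss")
    if ev["fields"].get("rhost") == "":
        hints.append("rhost is empty: lockout rules keyed on PAM_RHOST cannot see the "
                     "client; key them on the address in the Guacamole log instead")
    return hints


def correlate(catalina_text, syslog_text):
    """One record per Guacamole authentication line, joined to the PAM auth
    events for the same user name (timestamps are not compared, so keep the
    two inputs to the same time window)."""
    pam_by_user = {}
    for line in syslog_text.splitlines():
        ev = parse_pam_event(line)
        if ev and ev["type"] == "auth":
            pam_by_user.setdefault(ev["fields"].get("user"), []).append(ev)
    records = []
    for line in catalina_text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        fail, ok = FAIL_RE.search(m["msg"]), OK_RE.search(m["msg"])
        hit = fail or ok
        if not hit:
            continue
        rec = {"time": m["time"], "user": hit["user"], "client": hit["client"],
               "result": "failed" if fail else "ok", "hints": []}
        events = pam_by_user.get(rec["user"], [])
        rec["pam"] = [f"pam_{e['module']}({e['service']}:{e['type']}): {e['msg']}" for e in events]
        for e in events:
            rec["hints"].extend(pam_hints(e))
        if fail and not events:
            rec["hints"].append(
                "no PAM auth event for this user: check that the PAM service file the "
                "extension uses (/etc/pam.d/guacamole in the quoted event) exists and "
                "lists the module that knows this account (pam_sss.so for SSSD/AD users)")
        records.append(rec)
    return records


if __name__ == "__main__":
    for r in correlate(CATALINA_LOG, SYSLOG):
        print(r["time"], r["user"], r["client"], r["result"])
        for h in r["hints"]:
            print("   -", h)
```

On a real host, feed it the Catalina log and the auth log (syslog, /var/log/auth.log or journalctl output) for the same minutes; the euid in the pam_unix line is the quickest way to tell whether the servlet container is even allowed to verify local passwords.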

Empty connection list when logging in with ipaclient sssd pam with password+otp; connections show with password-only account

I am using Guacamole 1.3.0 with auth-pam-1.0.0.jar and the unix-user-mapping.xml file. This is working mostly brilliantly with FreeIPA and the Guacamole server as ipaclient with sssd. Thank you!

In FreeIPA you can authenticate with OTP by filling in password+otp in the password field. When I log in with a user that does not have OTP enabled in FreeIPA, Guacamole shows the connection list perfectly and works as expected. When I log in with a user that has OTP enabled and log in with the password+otp system, then I get a login without any connections shown.
[Screenshot 2021-04-23: Apache Guacamole, logged in with an empty connection list]

[2021-04-23 22:53:34] [info] 22:53:34.828 [http-nio-8080-exec-1] INFO o.a.g.r.auth.AuthenticationService - User "l.gaga" successfully authenticated from [80.127.158.83, 192.168.40.29].
[2021-04-23 22:53:36] [info] 22:53:36.637 [http-nio-8080-exec-1] DEBUG o.a.g.r.auth.AuthenticationService - Login was successful for user "l.gaga".
[2021-04-23 22:53:36] [info] 22:53:36.718 [http-nio-8080-exec-4] DEBUG o.a.g.rest.RESTExceptionMapper - Client request rejected: Session not associated with authentication provider "pam".

Would it be possible to update the pam module to support a password+otp login?
