voegelas / guacamole-auth-pam
Authenticate Apache Guacamole users with PAM
License: Apache License 2.0
The following error is thrown when trying to load the extension in Guacamole 1.0.0.
ERROR o.a.g.extension.ExtensionModule - Extension "guacamole-auth-pam-0.9.14.jar" could not be loaded: Extension "PAM Authentication Extension" is not compatible with this version of Guacamole.
Are there any plans to upgrade it?
I thought I'd try guacamole-auth-pam with guacamole v0.9.14, tomcat8, freerdp-x11 and ubuntu 18.04
I think I have the extension built ok and it is in /etc/guacamole/extensions
I am using xrdp on the ubuntu host so I can connect using RDP from guacamole.
I can log into the host using xfreerdp from a different machine and I see the xfce4 desktop.
If I attempt to access via guacamole:
I see the tab icon on the browser show the Guacamole emblem, but then I don't see anything further?
I guess I expected to see a login prompt where I'd enter a UserID and UserPswd from the ubuntu 18.04 system I am trying to access. Of course I am assuming that the guacamole-auth-pam extension is what presents that, yes/no?
Andreas
I wanted to thank you for your work on the PAM authorization extension for Guacamole.
I'd sent an email to the Guacamole developers/User alias about your extension and an idea I had to perhaps enable it to do more if there were additional Guacamole Parameter Tokens available than the currently six defined.
Nick Couchman (one of the Guacamole developers) had some good feedback regarding not only what some tweaks to Guacamole could do but also what he thought might also be done with your Guacamole-Auth-Pam extension.
I just wanted to make sure you had seen that thread and whether what Nick suggested might be possible for your Guacamole extension.
Here is the thread:
Brian Mullan
I get the following in my syslog for each ID
Aug 5 18:35:39 ub-guactest tomcat9[479476]: 18:35:39.142 [http-nio-8080-exec-2] INFO o.a.g.r.auth.AuthenticationService - User "fooadmin" successfully authenticated from 172.xxx.xxx.xxx.
Aug 5 18:32:57 ub-guactest tomcat9[479476]: 18:32:57.219 [http-nio-8080-exec-5] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.xxx.xxx.xxx for user "foo" failed.
I've got the system setup with SSSD active directory integration. I can login with AD users. I didn't even expect the local pam user to work because I was not able to install libpam4j as it is not packaged for Ubuntu 18.04 or 20.04 that I could find.
Is there anything else that would be useful for me to troubleshoot?
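The AuthenticationService lines quoted in this thread are the only per-login audit record Guacamole itself writes, so they are what a monitoring rule has to work from. The script below is an added example, not part of guacamole-auth-pam or Guacamole: it parses the three line shapes seen on this page (syslog-wrapped tomcat9 lines, a bare catalina line, and a line whose source is a bracketed address list as produced behind a proxy), counts failures per source address, flags sources that reach a threshold, and records a success that follows failures from the same source. The sample lines and addresses are constructed; treating the first address in a bracketed list as the client is an assumption about proxy header order.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input modelled on the three line formats quoted in this
# thread: syslog-wrapped tomcat9 lines, a bare catalina line and a line with a
# bracketed address list. Addresses and the last DEBUG line are made up.
SAMPLE_LOG = """\
Aug 5 18:32:57 ub-guactest tomcat9[479476]: 18:32:57.219 [http-nio-8080-exec-5] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.16.0.10 for user "foo" failed.
Aug 5 18:33:01 ub-guactest tomcat9[479476]: 18:33:01.004 [http-nio-8080-exec-6] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.16.0.10 for user "foo" failed.
Aug 5 18:33:05 ub-guactest tomcat9[479476]: 18:33:05.310 [http-nio-8080-exec-7] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 172.16.0.10 for user "fooadmin" failed.
Aug 5 18:35:39 ub-guactest tomcat9[479476]: 18:35:39.142 [http-nio-8080-exec-2] INFO o.a.g.r.auth.AuthenticationService - User "fooadmin" successfully authenticated from 172.16.0.10.
22:29:33.646 [http-nio-8080-exec-10] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 10.0.0.86 for user "craig" failed.
[2021-04-23 22:53:34] [info] 22:53:34.828 [http-nio-8080-exec-1] INFO o.a.g.r.auth.AuthenticationService - User "l.gaga" successfully authenticated from [80.127.158.83, 192.168.40.29].
Aug 5 18:36:00 ub-guactest tomcat9[479476]: 18:36:00.000 [http-nio-8080-exec-2] DEBUG o.a.g.r.auth.AuthenticationService - Login was successful for user "fooadmin".
"""

# The source is either a single address or a bracketed, comma-separated list.
SUCCESS_RE = re.compile(
    r'AuthenticationService - User "([^"]+)" successfully authenticated from '
    r'(\[[^\]]*\]|\S+?)\.?$')
FAILURE_RE = re.compile(
    r'AuthenticationService - Authentication attempt from (\[[^\]]*\]|\S+) '
    r'for user "([^"]+)" failed\.')


def split_sources(text):
    """Turn '10.0.0.86' or '[80.127.158.83, 192.168.40.29]' into a tuple.
    Guacamole lists several addresses when it sits behind a proxy; the first
    one is treated as the client here (an assumption about header order)."""
    return tuple(a.strip() for a in text.strip("[]").split(",") if a.strip())


def parse_event(line):
    """Return {'user', 'sources', 'ok'} for a success/failure line, else None."""
    m = SUCCESS_RE.search(line)
    if m:
        return {"user": m.group(1), "sources": split_sources(m.group(2)), "ok": True}
    m = FAILURE_RE.search(line)
    if m:
        return {"user": m.group(2), "sources": split_sources(m.group(1)), "ok": False}
    return None


def summarize(log_text, threshold=3):
    """Count failures per source, flag sources at or above `threshold`, and
    record any success that follows earlier failures from the same source."""
    failures = Counter()
    users_tried = defaultdict(set)
    success_after_failures = []
    parsed = 0
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        parsed += 1
        src = ev["sources"][0]
        if ev["ok"]:
            if failures[src]:
                success_after_failures.append((src, ev["user"], failures[src]))
        else:
            failures[src] += 1
            users_tried[src].add(ev["user"])
    return {
        "parsed": parsed,
        "failures": dict(failures),
        "users_tried": {s: sorted(u) for s, u in users_tried.items()},
        "alerts": sorted(s for s, n in failures.items() if n >= threshold),
        "success_after_failures": success_after_failures,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feeding the real syslog through `summarize` (for example `summarize(open("/var/log/syslog").read())`) gives a per-source failure count without depending on any PAM-side logging, which is useful because, as the thread shows, the PAM side may log nothing at all for an SSSD-backed login.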
Andreas,
First and foremost: Thank you for guacamole-auth-pam!
I made a slight mod to the code to allow anyone who can log in to the machine to log in to guacamole.
<user name="*">
<config-ref name="ECE -- slow network RDP" />
<config-ref name="ECE -- slow network SFTP" />
<config-ref name="ECE -- fast network" />
</user>
The code is in UserMapping.java:
if (userNameToConfigNames.containsKey(userName)) {
    configNames.addAll(userNameToConfigNames.get(userName));
}
/* Code Added: every authenticated user also receives the connections listed under "*" */
if (userNameToConfigNames.containsKey("*")) {
    configNames.addAll(userNameToConfigNames.get("*"));
}
This keeps me from having to maintain a list of users. I just make accounts on the machine and they can use guacamole.
Thoughts?
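The wildcard entry above changes the access model of the extension: once it is present, every account that can pass PAM authentication on the host receives the wildcard connections, so the mapping file no longer acts as an allow list. The script below is an added example written for this thread, not code from guacamole-auth-pam: it parses a unix-user-mapping.xml, resolves a user's connections the way the modified UserMapping.java snippet does (own entry first, then the "*" entry, de-duplicated), rejects dangling config-ref names, and reports which connections the wildcard exposes to every local account. The `<unix-user-mapping>` root element, the extra "Admin console" config and the hostnames are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

WILDCARD = "*"

# Constructed unix-user-mapping.xml built from the snippets in this thread.
# The <unix-user-mapping> root element, the "Admin console" config, the user
# "alice" and the hostnames are assumptions for the example.
MAPPING_XML = """\
<unix-user-mapping>
  <config name="ECE -- slow network RDP" protocol="rdp">
    <param name="hostname" value="rdp.example.test" />
  </config>
  <config name="ECE -- fast network" protocol="rdp">
    <param name="hostname" value="fast.example.test" />
  </config>
  <config name="Admin console" protocol="ssh">
    <param name="hostname" value="admin.example.test" />
  </config>
  <user name="*">
    <config-ref name="ECE -- slow network RDP" />
    <config-ref name="ECE -- fast network" />
  </user>
  <user name="alice">
    <config-ref name="Admin console" />
    <config-ref name="ECE -- fast network" />
  </user>
</unix-user-mapping>
"""


def load_mapping(xml_text):
    """Return (configs, user_refs): configs maps a name to its <config>
    element, user_refs maps a user name (or "*") to the config names it
    references. A dangling <config-ref> is rejected so that a typo cannot
    silently drop a connection."""
    root = ET.fromstring(xml_text)
    configs = {c.get("name"): c for c in root.findall("config")}
    user_refs = {}
    for user in root.findall("user"):
        refs = [ref.get("name") for ref in user.findall("config-ref")]
        for name in refs:
            if name not in configs:
                raise ValueError(
                    f'user "{user.get("name")}" references unknown config "{name}"')
        user_refs[user.get("name")] = refs
    return configs, user_refs


def configs_for_user(user_refs, user_name):
    """Same resolution as the modified UserMapping.java: the user's own entry
    first, then everything granted to "*". Ordered and de-duplicated, so a
    config listed in both places appears once."""
    names = []
    for key in (user_name, WILDCARD):
        for name in user_refs.get(key, []):
            if name not in names:
                names.append(name)
    return names


def wildcard_exposure(configs, user_refs):
    """Audit helper: (name, protocol) pairs that every account able to pass
    PAM authentication on this host will be able to open."""
    return [(name, configs[name].get("protocol"))
            for name in user_refs.get(WILDCARD, [])]


if __name__ == "__main__":
    configs, user_refs = load_mapping(MAPPING_XML)
    for who in ("alice", "bob"):
        print(who, "->", configs_for_user(user_refs, who))
    print("granted to every PAM user:", wildcard_exposure(configs, user_refs))
```

Running `wildcard_exposure` against the production file is a quick way to confirm that nothing sensitive (an admin SSH connection, for instance) has ended up under the "*" entry, since with the wildcard in place the only remaining gate is whether PAM accepts the account at all.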
RHEL 7 VM is configured to use AD authentication without joining to domain. But using sssd.
sssd.conf looks like this,
[sssd]
config_file_version = 2
domains = default
services = nss, pam
full_name_format = %1$s
[nss]
[pam]
[domain/default]
id_provider = ldap
cache_credentials = True
ldap_uri = ldap://windows2016.example.com
ldap_search_base = CN=Users,DC=example,DC=com
ldap_schema = AD
ldap_default_bind_dn = CN=ReadOnlyUser,CN=Users,DC=example,DC=com
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = <generated_password>
ldap_tls_reqcert = never
ldap_id_mapping = True
enumerate = True
fallback_homedir = /home/%u
default_shell = /bin/bash
access_provider = permit
sudo_provider = ldap
auth_provider = ldap
autofs_provider = ldap
ldapsearch works with ldap and ldaps
getent passwd -s sssd displays AD user information
su - ADuser works
pam files have been updated with sssd.
[root@xxx ~]# grep -i sss /etc/pam.d/*
/etc/pam.d/fingerprint-auth:account [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/fingerprint-auth:session optional pam_sss.so
/etc/pam.d/fingerprint-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/fingerprint-auth-ac:session optional pam_sss.so
/etc/pam.d/password-auth:auth sufficient pam_sss.so forward_pass
/etc/pam.d/password-auth:account [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/password-auth:password sufficient pam_sss.so use_authtok
/etc/pam.d/password-auth:session optional pam_sss.so
/etc/pam.d/password-auth-ac:auth sufficient pam_sss.so forward_pass
/etc/pam.d/password-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/password-auth-ac:password sufficient pam_sss.so use_authtok
/etc/pam.d/password-auth-ac:session optional pam_sss.so
/etc/pam.d/smartcard-auth:account [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/smartcard-auth:session optional pam_sss.so
/etc/pam.d/smartcard-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/smartcard-auth-ac:session optional pam_sss.so
/etc/pam.d/system-auth:auth sufficient pam_sss.so forward_pass
/etc/pam.d/system-auth:account [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/system-auth:password sufficient pam_sss.so use_authtok
/etc/pam.d/system-auth:session optional pam_sss.so
/etc/pam.d/system-auth-ac:auth sufficient pam_sss.so forward_pass
/etc/pam.d/system-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_sss.so
/etc/pam.d/system-auth-ac:password sufficient pam_sss.so use_authtok
/etc/pam.d/system-auth-ac:session optional pam_sss.so
nsswitch.conf is updated
sshd_config has "PasswordAuthentication yes"
Selinux disabled and firewall disabled
Machine is patched with latest updates
When I add this to the /etc/guacamole/extensions directory, it creates a 500 error in the tomcat logs
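Independently of the 500 error, the sssd.conf posted above contains several settings that are worth reviewing before a PAM-based login path is exposed through Guacamole: a plain ldap:// URI, `ldap_tls_reqcert = never`, `enumerate = True` and `access_provider = permit`. The script below is an added example and not part of guacamole-auth-pam or SSSD: it reads an sssd.conf with configparser and flags those settings, and it is run against two constructed fragments, one mirroring the posted configuration and an assumed hardened variant (ldaps:// with certificate validation against an assumed CA file path, enumeration off, and the `simple` access provider restricting logins to an assumed `guacamole-users` group).

```python
import configparser
from urllib.parse import urlsplit

# Constructed sssd.conf fragments. The first mirrors the settings posted in
# this thread (hostname kept as posted); the second is an assumed hardened
# variant. The CA file path and group name are placeholders.
WEAK_SSSD_CONF = """\
[sssd]
config_file_version = 2
domains = default
services = nss, pam

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://windows2016.example.com
ldap_schema = AD
ldap_tls_reqcert = never
ldap_id_mapping = True
enumerate = True
access_provider = permit
"""

HARDENED_SSSD_CONF = """\
[sssd]
config_file_version = 2
domains = default
services = nss, pam

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://windows2016.example.com
ldap_schema = AD
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ad-ca.pem
ldap_id_mapping = True
enumerate = False
access_provider = simple
simple_allow_groups = guacamole-users
"""


def audit_sssd(conf_text):
    """Return (domain, option, message) findings for settings that weaken
    trust in the directory connection or widen who may log in."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")
               if d.strip()]
    for dom in domains:
        sect = f"domain/{dom}"
        if not cp.has_section(sect):
            findings.append((dom, "domains", f"[{sect}] section is missing"))
            continue

        def opt(key, default=""):
            return cp.get(sect, key, fallback=default).strip().lower()

        # Lookups over ldap:// are clear text unless STARTTLS is turned on
        # (ldap_id_use_start_tls defaults to false in SSSD).
        for uri in opt("ldap_uri").replace(",", " ").split():
            if urlsplit(uri).scheme == "ldap" and opt("ldap_id_use_start_tls") != "true":
                findings.append((dom, "ldap_uri",
                                 f"{uri}: directory lookups travel in clear text"))
        if opt("ldap_tls_reqcert") == "never":
            findings.append((dom, "ldap_tls_reqcert",
                             "server certificate is not validated"))
        if opt("enumerate") == "true":
            findings.append((dom, "enumerate",
                             "entire directory is pulled into the local cache"))
        # SSSD's default access_provider is permit: every directory account may log in.
        if opt("access_provider", "permit") == "permit":
            findings.append((dom, "access_provider",
                             "every directory account may log in; restrict with an allow list"))
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", WEAK_SSSD_CONF), ("hardened", HARDENED_SSSD_CONF)):
        print(label, audit_sssd(conf) or "no findings")
```

The `access_provider` check matters most in combination with this extension: with `permit`, every account the directory knows becomes a valid Guacamole login, and the unix-user-mapping.xml is then the only place that limits what those accounts can reach.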
Hello Andreas,
Thank you for your work on this extension. I have an existing PHP application which successfully uses PAM authentication. I am trying to integrate Guacamole into the server, and would like to use PAM for this as well. I have looked at your source code for clues on logging, and see a thorough logging mechanism, but am unable to isolate the problem. I have guacamole 0.9.13 and guacamole-auth-pam-0.9.13 running on Tomcat 8.5.20 on Ubuntu Server 16.04.
Unfortunately the catalina logs only provide:
22:29:33.646 [http-nio-8080-exec-10] WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from 10.0.0.86 for user "craig" failed.
And the kernel logs only provide:
java[27499]: pam_unix(guacamole:auth): authentication failure; logname= uid=1002 euid=1002 tty= ruser= rhost= user=craig
Here is my unix-user-mapping.xml:
<config name="VNC Connection" protocol="vnc">
<param name="hostname" value="10.0.0.61" />
<param name="port" value="5900" />
<param name="password" value="" />
</config>
<user name="USERNAME">
<config-ref name="VNC Connection" />
</user>
I was able to connect and use the VNC viewer with Guacamole's default configuration.
Appreciate your help!
Craig Jackson
I am using Guacamole 1.3.0 with auth-pam-1.0.0.jar and the unix-user-mapping.xml file. This is working mostly brilliantly with FreeIPA and the guacamole server as ipaclient with sssd. Thank you!
In FreeIPA you can authenticate with OTP by filling in password+otp in the password field. When I log in with a user that does not have OTP enabled in FreeIPA, Guacamole shows the connection list perfectly and works as expected. When I log in with a user that has OTP enabled, using the password+otp system, then I get a login without any connections shown.
[2021-04-23 22:53:34] [info] 22:53:34.828 [http-nio-8080-exec-1] INFO o.a.g.r.auth.AuthenticationService - User "l.gaga" successfully authenticated from [80.127.158.83, 192.168.40.29].
[2021-04-23 22:53:36] [info] 22:53:36.637 [http-nio-8080-exec-1] DEBUG o.a.g.r.auth.AuthenticationService - Login was successful for user "l.gaga".
[2021-04-23 22:53:36] [info] 22:53:36.718 [http-nio-8080-exec-4] DEBUG o.a.g.rest.RESTExceptionMapper - Client request rejected: Session not associated with authentication provider "pam".
Would it be possible to update the pam module to support a password+otp login?