guacamole-user mailing list archives

From jean louis Abegg <jean.louis.abegg...@gmail.com>
Subject Re: security concerns
Date Thu, 03 Nov 2016 16:08:49 GMT
Hi Nikola, and thank you for taking the time to share your information,

1°) We both agree this would be a plus. Maybe this will be heard by
developers?

2°) Yes, the certificate would be an obligation only for access from the WAN
(and no certs if accessed from the LAN. port 8143?). This would permit fully
encrypting communications from the start, and, if an alert does arise, blocking
access by revoking the concerned certs (in case the laptop gets robbed...).
I agree a VPN could produce the same results, except... VPN ports are
sometimes blocked and https is not, and the VPN process can sometimes be
complicated (open VPN, auth, get the tap and then launch the RD
connection... too heavy for basic users). The process has to be
straightforward, secure and child's play :-S. I think it's possible to do
that from Apache. If Apache can do it, surely nginx can do it too. But
managing that directly from Guacamole would be a great simplification.

3°) 2 auth processes could help both the overall security and the
information of who connects and when. I do appreciate the notifications
Google sends when new computers connect to an account. The true aim, I
guess, is to finally have a monolithic program, with 1 extension for each
specific need, and, maybe, as many included extensions "direct from the
shelf". Each development made is a step ahead, but sooner or later, the
'official one' should be done. That one may be inspired by all those that
were made, but will have to be supported nearly as closely as the core
program itself... I suppose that finally, the functionality will be made
available within Guacamole? That said, I'll look for your extension ;-)

I think that it would be a good idea to encrypt the connection passwords
within the database too.

Do you think an issue in glyptodon would be appropriate?

Regards,
Jean-louis




2016-11-03 15:10 GMT+01:00 Nikola Malešević <nikola.malesevic@gmail.com>:

> Hi Jean Louis,
>
> If you are using database authentication, Guacamole user accounts'
> passwords are stored encrypted with the SHA256 algorithm and with a different
> salt every time, which makes it very secure (no rainbow table attacks, for
> instance). Remote connection data, however, including usernames and
> passwords, is stored unencrypted in the database.
>
> If the attacker managed to get access to your database, he could read that
> data BUT you should not worry about it if you read the answer to your
> second question below.
>
> Regarding your questions, I'll give you my advice. You should know that I
> started using Guacamole a couple of months ago and I am by no means an expert.
>
> > 1°) how about offering programmable access auth on different machines?
> > or users? (by calendar/hours)
> This functionality I am looking for myself. You will notice my question
> from a couple of days ago on this message board regarding developing an
> extension to implement similar functionality.
>
> > 2°) how about a personal child certificate each user would have to
> > import in his browser to establish encrypted communication with Guacamole?
> > This certificate generated directly under Guacamole of course ;-)
> You seem to be asking to generate a certificate to access the Guacamole
> interface from said Guacamole interface. That does not make too much sense,
> really, because you would need to access it somehow in the first place, and
> if you are able to do that, you are compromising the whole system. Or
> perhaps I did not understand your intention.
> If you are looking for the solution where an administrator would give away
> certificates for clients, why not use a VPN solution where your server would
> have a private network with clients and access would be allowed only with
> SSH certificates? That would also solve your security concern from above,
> because the IP addresses of clients would be inside the private network,
> inaccessible from the outside world. That way, even if the attacker gets hold
> of the RDP username/password, he has no means to access the client by that IP.
>
> > 3°) how about a 2 auth process to access Guacamole, with notification mail
> > sent both to user and admin?
> I have recently developed an extension for custom user authentication. Did
> you consider developing an extension for that purpose? You could develop
> something similar to match your needs perhaps.
>
> Hope that helps.
>
> Regards,
> Nikola
>
> On 3 November 2016 at 12:04, jean louis Abegg <
> jean.louis.abegg.39@gmail.com> wrote:
>
>> Hello and many thanks to the Guacamole development team, this tool is a
>> great idea!
>>
>> I've some questions about the security of the tool.
>>
>> I've used the script of HERNAN, on CentOS 7. Fast, easy and
>> straightforward!
>>
>> I've dumped the MariaDB database. What if a hacker could access the DB,
>> could he grasp any machine declared in the DB?
>>
>> I've seen that the users (guacadmin and others) have their pw
>> encrypted. A good point I think.
>>
>> However, I've also seen that the passwords used for the connections on
>> the machines (RDP, VNC...) are unencrypted...
>>
>> I know, to get this information, I've had to dump the
>> database... hackers probably won't have this attack surface...?
>>
>> If I plan to use Guacamole for "webalising" some apps or RD on the
>> web... am I nutsy? Has anyone tried to hack Guacamole? (of course, leaving
>> only https access)
>>
>> And that makes me ask 3 other questions...
>>
>> 1°) how about offering programmable access auth on different machines? or
>> users? (by calendar/hours)
>> 2°) how about a personal child certificate each user would have to
>> import in his browser to establish encrypted communication with Guacamole?
>> This certificate generated directly under Guacamole of course ;-)
>> 3°) how about a 2 auth process to access Guacamole, with notification
>> mail sent both to user and admin?
>>
>> Well whatever, many thanks again to all the Guacamole community.
>>
>
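An added example, not code from this thread or from the Guacamole project: a stdlib-only Python model of the salted SHA256 user-password storage Nikola describes, with a constant-time verify and a check that two accounts sharing a password get unrelated rows. It assumes the stored form is SHA-256 over the UTF-8 password followed by the uppercase hex salt, and a 32-byte salt; both are assumptions here, not the verified guacamole-auth-jdbc layout.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumed stored form, modelled on the salted-SHA256 scheme described in the
# thread: hash = SHA-256(utf8(password) || uppercase_hex(salt)).
# The exact concatenation and salt size are assumptions, not the verified
# guacamole-auth-jdbc layout.
SALT_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (password_hash, password_salt) for a new or changed password."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per account
    material = password.encode("utf-8") + salt.hex().upper().encode("ascii")
    return hashlib.sha256(material).digest(), salt


def verify_password(password: str, stored_hash: bytes, stored_salt: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    candidate, _ = hash_password(password, stored_salt)
    return hmac.compare_digest(candidate, stored_hash)


def same_password_different_rows() -> bool:
    """Two accounts with the same password get different salts and hashes,
    so one precomputed (rainbow) table cannot crack both rows at once."""
    h1, s1 = hash_password("guacadmin")
    h2, s2 = hash_password("guacadmin")
    return s1 != s2 and h1 != h2


def dump_row(username: str, password: str) -> dict:
    """Constructed sample of what a database dump exposes for a user account:
    hex hash and hex salt only, never the password itself."""
    h, s = hash_password(password)
    return {"username": username, "password_hash": h.hex(), "password_salt": s.hex()}
```

This only protects user passwords: the RDP/VNC connection passwords the thread discusses must be recoverable by the server, so a hash cannot be used for them and the thread's request is for reversible encryption of those columns.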
