As a test, I made a new Guacamole connection to a server that we did NOT make FIPS 140-2 compliant yet, and was able to get right in. So the FIPS 140-2 is definitely the issue. So I need to know if there’s something in guacamole 0.9.13 that I need to tweak, or libssh2. I’m not sure if I can update libssh2 to a newer version, as 1.4.3 is the latest available in the RHEL 7.4 patch trail.
OK, I see that. Looks like it has support for it, however, I have libssh2 version 1.4.3 installed. I couldn’t find anything that says what 1.4.3 had support for. Assuming that it DOES support the FIPS algorithms, what settings for an SSH connection will I need to set to allow this? The only setting that looks close is the Encryption setting under “Guacamole Proxy Parameters (GUACD)”, but I’m not using it.
On Mon, Jan 22, 2018 at 9:15 AM, <firstname.lastname@example.org> wrote:
Guacd is running. I looked at /var/log/messages and encountered the following:
Jan 22 09:09:21 access guacd: Creating new client for protocol "ssh"
Jan 22 09:09:21 access guacd: Connection ID is "$e25765a1-e06d-4bd7-959c-2e7878839efe"
Jan 22 09:09:21 access guacd: User "@8e09fdad-3f86-4e2c-a85a-2c342e200921" joined connection "$e25765a1-e06d-4bd7-959c-2e7878839efe" (1 users now present)
Jan 22 09:09:21 access server: 09:09:21.596 [http-bio-8080-exec-8] INFO o.a.g.tunnel.TunnelRequestService - User "guacadmin" connected to connection "3".
Jan 22 09:09:30 access guacd: SSH handshake failed.
Jan 22 09:09:30 access guacd: User "@8e09fdad-3f86-4e2c-a85a-2c342e200921" disconnected (0 users remain)
Jan 22 09:09:30 access guacd: Last user of connection "$e25765a1-e06d-4bd7-959c-2e7878839efe" disconnected
Jan 22 09:09:30 access server: 09:09:30.808 [http-bio-8080-exec-8] INFO o.a.g.tunnel.TunnelRequestService - User "guacadmin" disconnected from connection "3". Duration: 9210 milliseconds
Jan 22 09:09:30 access server: Exception in thread "Thread-30" java.lang.IllegalStateException: Message will not be sent because the WebSocket session has been closed
Jan 22 09:09:30 access server: at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.writeMessagePart(WsRemoteEndpointImplBase.java:387)
Jan 22 09:09:30 access server: at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.startMessage(WsRemoteEndpointImplBase.java:344)
Jan 22 09:09:30 access server: at org.apache.tomcat.websocket.WsRemoteEndpointImplBase$TextMessageSendHandler.write(WsRemoteEndpointImplBase.java:788)
Jan 22 09:09:30 access server: at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.sendPartialString(WsRemoteEndpointImplBase.java:252)
Jan 22 09:09:30 access server: at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.sendString(WsRemoteEndpointImplBase.java:195)
Jan 22 09:09:30 access server: at org.apache.tomcat.websocket.WsRemoteEndpointBasic.sendText(WsRemoteEndpointBasic.java:37)
Jan 22 09:09:30 access server: at org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint$2.run(GuacamoleWebSocketTunnelEndpoint.java:167)
Jan 22 09:09:31 access guacd: Connection "$e25765a1-e06d-4bd7-959c-2e7878839efe" removed.
I will say this: late last week, we made all of our servers FIPS-2 compliant due to an IT requirement in our organization. I’m suspecting that, since the server I’m trying to connect to is now FIPS-2 compliant, that’s why the “SSH handshake failed” error is happening. But I don’t see anything in the connection setup to specify what encryption to use for SSH.
For SSH connections, the algorithms for Cipher and Key Exchange are determined by upstream support in the libssh2 library. You can see the current list of supported ciphers, hashes, key exchanges, etc., on the web site: