guacamole-user mailing list archives

From: "Bime, Kerman K. (GSFC-606.2)[InuTeq, LLC]" <kerman.k.b...@nasa.gov>
Subject: MySQL
Date: Wed, 22 Aug 2018 17:05:42 GMT

Hi Nick, and ALL

Thanks for your previous help. I have a question about a few steps in my build/configuration.

In the process of creating the guacamole_user/admin for the guacamole_db, how does one go
about doing so with a hash and perhaps salted password?


 mysql> CREATE DATABASE guacamole_db;
Query OK, 1 row affected (0.00 sec)

>>mysql> CREATE USER 'guacamole_user'@'localhost' IDENTIFIED BY 'some_password';
Query OK, 0 rows affected (0.00 sec)

I would then need to print the hash and replace the plain text password in the guacamole.properties
file


 # MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
>>mysql-password: some_password

So far I have tried a number of things, including using SELECT MD5('somepassword'); to
print a sum I replaced some_password with but that didn’t seem to work. I also added “mysql-encoding:
md5” to guacamole.properties which didn’t break it, but that didn’t help either.

I did see in the Guacamole Documentation on the MySQL chapter some SET and INSERT syntax,
but I don’t believe that would work either (this might be user error, but I did try that
and kept getting an error stating I had not selected a database).

I am reading through some MySQL documentation, and have tried using CREATE USER 'myuser'@'localhost'
IDENTIFIED WITH (a number of variations including  mysql_native_pasword, sha256_password…)
BY 'some_password';

All to no avail. However, in the process of writing this email I did just see this section
on the MySQL doc.


  *   To avoid specifying the cleartext password if you know its hash value (the value that
PASSWORD()<https://dev.mysql.com/doc/refman/5.5/en/encryption-functions.html#function_password>
would return for the password), specify the hash value preceded by the keyword PASSWORD:
CREATE USER 'jeffrey'@'localhost'
IDENTIFIED BY PASSWORD '*90E462C37378CED12064BB3388827D2BA3A9B689';
The server assigns the given password to the account but no authentication plugin. Clients
must provide the password when they connect.

While that might work, if you have any helpful thoughts on the subject, I would be grateful
for your assistance.

Cheers,

-Kerman


From: Nick Couchman <vnick@apache.org>
Sent: Monday, July 30, 2018 4:13 PM
To: user@guacamole.apache.org
Subject: Re: Http Header Auth

On Mon, Jul 30, 2018 at 3:19 PM Bime, Kerman K. (GSFC-606.2)[InuTeq, LLC] <kerman.k.bime@nasa.gov>
wrote:
To whom it may concern,

Could you provide more information on configuring guacamole.properties for HTTP Header Authentication.
The manual/documentation essentially just says to drop the jar file in GUAC_Home/extensions.

Yes, and reload Tomcat or re-deploy the Guacamole WAR file.  The only thing to configure
within Guacamole is if you want to change the header that's used to something other than REMOTE_USER,
you can set that, as well.

Other than that, you also have to set up your web server to provide that authentication -
you can do this in Tomcat (or your Java Application Server - Jetty, JBOSS, etc.), or you can
do it on an upstream reverse proxy server, like Nginx or Apache httpd.  You can find examples
of how to configure this for Nginx at the following page:

https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/


I understand that this needs to be layered on top of a db like MySQL (which I have set up),
however it doesn't provide more info than that. For the lay person, I would like some sort of
direction of how to configure that portion. Also, any info besides how to configure and more
on what information I need to give guacamole.properties to make HTTP auth work would be
great.


You'll basically want to take a look at the chapter on JDBC configuration and configure that.
 Layering the modules does not require anything special, per se - you install and configure
each of the modules, and the "layering" happens automatically.  It is done via username, so
if the username of your user logged in via the HTTP header module matches one present in the
JDBC module, the permissions in the JDBC module will be assigned to that user.  You might
find the following section helpful - it deals with LDAP + JDBC, but really applies to anything,
including Header auth, plus JDBC:

http://guacamole.apache.org/doc/gug/ldap-auth.html#ldap-and-database

Feel free to post back if you have additional questions!

-Nick
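
Added example for the MySQL question at the top of this message (not part of the original e-mail, and not Guacamole or MySQL code): it computes the value that `PASSWORD()` returns for use in the quoted `CREATE USER ... IDENTIFIED BY PASSWORD` form, then models the login check to show that a client configured with the hash instead of the cleartext password is rejected. It assumes the account uses the `mysql_native_password` plugin; all function names are hypothetical.

```python
import hashlib
import os
import re


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def native_password_hash(password: str) -> str:
    """Value PASSWORD() returns: '*' + HEX(SHA1(SHA1(password)))."""
    return "*" + sha1(sha1(password.encode())).hex().upper()


def create_user_sql(user: str, host: str, pw_hash: str) -> str:
    """CREATE USER in the hash form quoted from the MySQL 5.5 manual."""
    if not re.fullmatch(r"\*[0-9A-F]{40}", pw_hash):
        raise ValueError("not a mysql_native_password hash")
    if not all(re.fullmatch(r"[A-Za-z0-9_.%-]+", p) for p in (user, host)):
        raise ValueError("unexpected character in user or host")
    return f"CREATE USER '{user}'@'{host}' IDENTIFIED BY PASSWORD '{pw_hash}';"


def client_token(configured_password: str, nonce: bytes) -> bytes:
    """Token a client derives from its configured password and the server nonce."""
    stage1 = sha1(configured_password.encode())
    mask = sha1(nonce + sha1(stage1))
    return bytes(a ^ b for a, b in zip(stage1, mask))


def server_accepts(stored_hash: str, nonce: bytes, token: bytes) -> bool:
    """Server side: it holds only SHA1(SHA1(password)), never the cleartext."""
    stage2 = bytes.fromhex(stored_hash[1:])
    stage1 = bytes(a ^ b for a, b in zip(token, sha1(nonce + stage2)))
    return sha1(stage1) == stage2


def login_ok(stored_hash: str, configured_password: str) -> bool:
    nonce = os.urandom(20)  # fresh per connection
    return server_accepts(stored_hash, nonce, client_token(configured_password, nonce))


if __name__ == "__main__":
    stored = native_password_hash("some_password")  # constructed sample password
    print(create_user_sql("guacamole_user", "localhost", stored))
    print("cleartext in mysql-password:", login_ok(stored, "some_password"))
    print("hash in mysql-password:     ", login_ok(stored, stored))
```

The hash keeps the cleartext out of the `CREATE USER` statement and shell history, but the connecting side still has to be configured with the real password, so restricting read access to guacamole.properties remains the control for that file.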