guacamole-user mailing list archives
From "Bime, Kerman K. (GSFC-606.2)[InuTeq, LLC]" <kerman.k.b...@nasa.gov>
Subject RE: MySQL
Date Wed, 22 Aug 2018 19:57:44 GMT
Thanks Nick,

That answers all of my questions!

Cheers

-Kerman

From: Nick Couchman <vnick@apache.org>
Sent: Wednesday, August 22, 2018 1:29 PM
To: user@guacamole.apache.org
Subject: Re: MySQL

On Wed, Aug 22, 2018 at 1:05 PM Bime, Kerman K. (GSFC-606.2)[InuTeq, LLC] <kerman.k.bime@nasa.gov<mailto:kerman.k.bime@nasa.gov>>
wrote:
Hi Nick, and ALL

Thanks for your previous help. I have a question about a few steps in my build/configuration.

In the process of creating the guacamole_user/admin for the guacamole_db, how does one go
about doing so with a hash and perhaps salted password?

You can't - this isn't implemented in the current version of the Guacamole JDBC extension.
It has been requested a few times in the past, and there's been some discussion on it.  I
believe the general consensus is that this type of feature would offer very little in the
way of real security.  If you're putting something into the /etc/guacamole.properties file
as a way for Guacamole to connect to the database, then *whatever* you put in there, whether
it is human-readable text, salted, hashed, etc., is going to allow anyone who can see that
file to access your database under that account.  So, while you may not have the actual password
listed, you still have a credential listed that could still be used by someone to compromise
your system.  Why does it matter if it is hashed, salted, encrypted, summed, etc.?

There are some things that you can do to secure your installation, particularly with regard
to the database:
- Don't use the root account in MySQL (you're not, this is good :-).
- Use a firewall to make sure only the hosts necessary have access to the database.
- As with your CREATE USER command below, make sure the user only has access from the host
where the JDBC extension is running (@'localhost' - exactly what you've done).
- Make sure permissions on guacamole.properties are as tight as possible - only the user running
guacd (if it's running on the same server) and the user running Tomcat will need read access.
If that's the same user, chown it to that user and set 0400 permissions on it; if they are
different users create a group with those users in it, chown it to one of those users and
the group, and chmod to 0440.
- Make sure the password is different from other accounts on the system - for example, do
not set the root password, MySQL root password, and guacamole_user password to the same thing.



mysql> CREATE DATABASE guacamole_db;
Query OK, 1 row affected (0.00 sec)

mysql> CREATE USER 'guacamole_user'@'localhost' IDENTIFIED BY 'some_password';
Query OK, 0 rows affected (0.00 sec)

I would then need to print the hash and replace the plain text password in the guacamole.properties
file


# MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: some_password

So far I have tried a number of things, including using SELECT MD5('somepassword'); to
print a sum I replaced some_password with, but that didn't seem to work. I also added "mysql-encoding:
md5" to guacamole.properties which didn't break it, but that didn't help either.

This isn't a valid option for the JDBC extension - valid options are listed in the manual
page:

http://guacamole.apache.org/doc/gug/jdbc-auth.html#jdbc-auth-mysql


I did see in the Guacamole Documentation on the MySQL chapter some SET and INSERT syntax,
but I don’t believe that would work either (this might be user error, but I did try that
and kept getting an error stating I had not selected a database).

I am reading through some MySQL documentation, and have tried using CREATE USER 'myuser'@'localhost'
IDENTIFIED WITH (a number of variations including mysql_native_password, sha256_password...)
BY 'some_password';

This controls how MySQL stores the password, not how the password is communicated between
the client and the MySQL server, nor how applications might support transmitting credentials.


All to no avail. However, in the process of writing this email I did just see this section
in the MySQL doc.


  * To avoid specifying the cleartext password if you know its hash value (the value that
PASSWORD() <https://dev.mysql.com/doc/refman/5.5/en/encryption-functions.html#function_password>
would return for the password), specify the hash value preceded by the keyword PASSWORD:

CREATE USER 'jeffrey'@'localhost'
IDENTIFIED BY PASSWORD '*90E462C37378CED12064BB3388827D2BA3A9B689';

The server assigns the given password to the account but no authentication plugin. Clients
must provide the password when they connect.

While avoiding a clear-text password here may make it *harder* for someone to determine the
credentials, it doesn't make it impossible.  I was able to determine, via about 2 minutes
of Google search, that the hash value you pasted in there is "biscuit" (right?).

In the end, though, it doesn't really matter - at some point, you have to feed some credentials
to the Guacamole JDBC extension that can be used to authenticate against MySQL.  No matter
how you specify these credentials - plaintext, encrypted, hashed, salted - if someone gets
ahold of them, they will be able to access the database under that account.  This makes the
process of supporting other-than-plaintext credentials in Guacamole configurations of rather
limited value.

-Nick
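The hardening points Nick lists (a dedicated non-root MySQL account, a database reachable only from the host running the JDBC extension, guacamole.properties readable only by the Tomcat/guacd user with mode 0400 or 0440, a password not shared with other accounts, and only property keys the extension actually understands) can be checked mechanically. The script below is an added example, not code from the Guacamole project or from either poster. It assumes the `key: value` layout of guacamole.properties shown above; the set of known `mysql-*` keys is deliberately limited to the five that appear in the thread and is an assumption (a real audit should take the full list from the manual page Nick links), and the sample properties file is constructed from the one quoted in the thread, with the invalid `mysql-encoding` line included to show it being flagged.

```python
import os
import stat
import tempfile

# Property names taken from the guacamole.properties quoted in the thread.
REQUIRED_KEYS = ("mysql-hostname", "mysql-database", "mysql-username", "mysql-password")
# Assumption: only the keys seen in the thread; the real list lives in the manual.
KNOWN_MYSQL_KEYS = set(REQUIRED_KEYS) | {"mysql-port"}

# Constructed sample: the file from the thread plus the invalid mysql-encoding key.
SAMPLE_PROPERTIES = """\
# MySQL properties
mysql-hostname: localhost
mysql-port: 3306
mysql-database: guacamole_db
mysql-username: guacamole_user
mysql-password: some_password
mysql-encoding: md5
"""


def parse_properties(text):
    """Parse the 'key: value' format; blank lines and '#' comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        props[key.strip()] = value.strip()
    return props


def audit_mode(st_mode):
    """Report permission bits looser than the 0400 / 0440 Nick recommends."""
    perm = stat.S_IMODE(st_mode)
    findings = []
    if perm & stat.S_IRWXO:
        findings.append(f"mode {perm:04o}: other users can access the file")
    if perm & (stat.S_IWGRP | stat.S_IXGRP):
        findings.append(f"mode {perm:04o}: group has write or execute")
    if perm & (stat.S_IWUSR | stat.S_IXUSR):
        findings.append(f"mode {perm:04o}: owner has write or execute; 0400/0440 is enough")
    return findings


def audit_properties(props, other_passwords=()):
    """Check the database settings against the advice given in the thread."""
    findings = []
    for key in REQUIRED_KEYS:
        if key not in props:
            findings.append(f"{key} is missing")
    if props.get("mysql-username") == "root":
        findings.append("mysql-username is root; use a dedicated account")
    host = props.get("mysql-hostname")
    if host is not None and host not in ("localhost", "127.0.0.1"):
        findings.append("mysql-hostname is not localhost; confirm the grant and firewall restrict it")
    for key in sorted(props):
        if key.startswith("mysql-") and key not in KNOWN_MYSQL_KEYS:
            findings.append(f"{key} is not a property this script knows; check the manual")
    password = props.get("mysql-password", "")
    if password and password in other_passwords:
        findings.append("mysql-password is reused by another account")
    return findings


def audit_file(path, other_passwords=()):
    """Audit both the permissions and the contents of a properties file."""
    with open(path, encoding="utf-8") as fh:
        props = parse_properties(fh.read())
    return audit_mode(os.stat(path).st_mode) + audit_properties(props, other_passwords)


def demo():
    """Write the constructed sample to a temp file; audit it loose, then tightened."""
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as fh:
        fh.write(SAMPLE_PROPERTIES)
        path = fh.name
    try:
        os.chmod(path, 0o644)
        loose = audit_file(path, other_passwords=("some_password",))
        os.chmod(path, 0o400)
        tight = audit_file(path)
        return loose, tight
    finally:
        os.chmod(path, 0o600)
        os.unlink(path)


if __name__ == "__main__":
    for label, findings in zip(("0644", "0400"), demo()):
        print(f"{label}: {findings or 'no findings'}")
```

Run against a real file with `audit_file("/etc/guacamole/guacamole.properties", other_passwords=(...))`; the `other_passwords` tuple is only there to catch the reuse Nick warns about and should never be persisted anywhere.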