guacamole-user mailing list archives

From Mike Jumper <mike.jum...@glyptodon.org>
Subject Re: MySQL
Date Wed, 22 Aug 2018 17:44:19 GMT
On Wed, Aug 22, 2018, 10:29 Nick Couchman <vnick@apache.org> wrote:

> On Wed, Aug 22, 2018 at 1:05 PM Bime, Kerman K. (GSFC-606.2)[InuTeq, LLC] <
> kerman.k.bime@nasa.gov> wrote:
>
>> Hi Nick, and ALL
>>
>> Thanks for your previous help. I have a question about a few steps in my
>> build/configuration.
>>
>> In the process of creating the guacamole_user/admin for the guacamole_db,
>> how does one go about doing so with a hash and perhaps salted password?
>>
>
> You can't - this isn't implemented in the current version of the Guacamole
> JDBC extension.  It has been requested a few times in the past, and there's
> been some discussion on it.  I believe the general consensus is that this
> type of feature would offer very little in the way of real security.
>

This isn't entirely correct. The reason hashing isn't used for the MySQL
password in guacamole.properties is not because it offers no security; it's
because it's impossible.

The point of hashing a password is that the hash is one way. With the hash
in hand, you can use the hash only to validate that a password given to you
is correct. You cannot derive the password from the hash.

To connect to MySQL as the user with permissions to read the tables in the
guacamole database, Guacamole must authenticate with MySQL using a
password. It cannot authenticate with a password hash because (1) it cannot
produce the password from a password hash and (2) if the MySQL server
accepted the hash as if it were the password, then that would mean the hash
is equivalent to the password and the hashed aspect is useless (this would
be a vulnerability in MySQL).

The same goes for authenticating on your behalf with RDP and other systems.
If those systems need a password, then Guacamole will need to pass that
password through. Having a hash of that password will not work for the very
reason that passwords are hashed in the first place.

- Mike
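The one-way property Mike describes, shown as an added Python example that is not part of this thread and not Guacamole's or MySQL's code: a salted hash is good only for checking a candidate password, a server that behaves like MySQL cannot be satisfied with the stored hash, and a hypothetical server that did accept the hash would have turned the hash into the password. The class names, the work factor and the sample password are constructed for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor; an assumed value for this demo


def hash_password(password, salt=None):
    """Store a password as a salted, iterated one-way hash (PBKDF2-HMAC-SHA256).

    Returns (salt, digest). The digest cannot be reversed to recover the password.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate, salt, digest):
    """The only thing a stored hash is good for: checking a candidate password."""
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(recomputed, digest)


class PasswordServer:
    """Models a server such as MySQL: it keeps only a salted hash and is satisfied
    only by the real password. A constructed model, not MySQL's real protocol."""

    def __init__(self, password):
        self.salt, self.digest = hash_password(password)

    def authenticate(self, credential):
        return verify_password(credential, self.salt, self.digest)


class HashAcceptingServer(PasswordServer):
    """The flawed design the reply warns about: the server also accepts its own
    stored digest as a credential. Whoever holds the hash no longer needs the
    password, so hashing has bought nothing."""

    def authenticate(self, credential):
        presented = credential.encode("utf-8")
        stored_hex = self.digest.hex().encode("utf-8")
        if hmac.compare_digest(presented, stored_hex):
            return True
        return super().authenticate(credential)


def client_with_hash_only(server, digest):
    """What a client configured with only the stored hash could present: the hash
    itself, since the password cannot be derived from it."""
    return server.authenticate(digest.hex())


def client_with_password(server, password):
    """What Guacamole actually needs in guacamole.properties: the password."""
    return server.authenticate(password)


if __name__ == "__main__":
    secret = "constructed-example-password"  # constructed sample value
    good = PasswordServer(secret)
    print("password against correct server:", client_with_password(good, secret))
    print("hash alone against correct server:", client_with_hash_only(good, good.digest))
    weak = HashAcceptingServer(secret)
    print("hash alone against flawed server:", client_with_hash_only(weak, weak.digest))
```

Run stand-alone, the script reports True, False, True: the real password authenticates to the correct server, the stored hash alone does not, and only the flawed server that treats its own digest as a credential lets the hash in, which is exactly the hash-equals-password situation the reply calls a vulnerability.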
