alexbelgium / hassio-addons

My homeassistant addons
MIT License

🐛 [guacamole] only PEM ssh keys supported (fixed in abesnier/guacamole) #652

Closed fischer-felix closed 1 year ago

fischer-felix commented 1 year ago

Which addon?

Describe the bug

When creating an SSH connection using a non-PEM format SSH key, connecting will fail. This is problematic, since the use of these older encryption formats is discouraged nowadays, and some servers won't let you use them at all.

This is not an issue in abesnier/docker-guacamole, which is also a fork of oznu/guacamole just like maxwaldorf's version. In my experience running them standalone, they are mostly identical in how they are set up, so I suggest switching to abesnier's fork, as it is also a bit more maintained at the moment.

To Reproduce

  1. Go to Settings > Connections > New Connection
  2. Add a new connection of type SSH
  3. Add an Ed25519 private key (that is already working for this host)
  4. Save the connection
  5. Try connecting to the server

Full addon log

LOG

```
[21/Jan/2023:14:53:19 +0100] 200 192.168.151.57, 172.30.33.5, 172.30.32.1(172.30.32.2) POST /api/tokens HTTP/1.1 (Mozilla/5.0 (X11; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0)
[21/Jan/2023:14:53:19 +0100] 200 192.168.151.57, 172.30.33.5, 172.30.32.1(172.30.32.2) GET /api/session/data/postgresql/connections/2 HTTP/1.1 (Mozilla/5.0 (X11; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0)
guacd[476]: INFO: Creating new client for protocol "ssh"
guacd[476]: INFO: Connection ID is "$1d7c99df-5857-423f-b974-79765c0928f8"
guacd[715]: INFO: User "@592911f7-5fff-4722-899b-997c89423295" joined connection "$1d7c99df-5857-423f-b974-79765c0928f8" (1 users now present)
14:53:19.858 [http-nio-8080-exec-5] INFO o.a.g.tunnel.TunnelRequestService - User "felix" connected to connection "2".
[21/Jan/2023:14:53:19 +0100] 200 192.168.151.57, 172.30.33.5, 172.30.32.1(172.30.32.2) GET /api/session/tunnels/70663a4e-8929-4d0c-b01a-6d5b22013b0c/protocol?token=658859A2301F751DCE0D73F7A434280C1C5B9A66A0C80BE951F702FCF0B4707E HTTP/1.1 (Mozilla/5.0 (X11; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0)
[21/Jan/2023:14:53:19 +0100] 200 192.168.151.57, 172.30.33.5, 172.30.32.1(172.30.32.2) GET /api/session/tunnels/70663a4e-8929-4d0c-b01a-6d5b22013b0c/activeConnection/connection/sharingProfiles HTTP/1.1 (Mozilla/5.0 (X11; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0)
guacd[715]: ERROR: Auth key import failed: (null)
guacd[715]: INFO: User "@592911f7-5fff-4722-899b-997c89423295" disconnected (0 users remain)
guacd[715]: INFO: Last user of connection "$1d7c99df-5857-423f-b974-79765c0928f8" disconnected
[21/Jan/2023:14:53:22 +0100] 101 192.168.151.57, 172.30.33.5, 172.30.32.1(172.30.32.2) GET /websocket-tunnel?token=658859A2301F751DCE0D73F7A434280C1C5B9A66A0C80BE951F702FCF0B4707E&GUAC_DATA_SOURCE=postgresql&GUAC_ID=2&GUAC_TYPE=c&GUAC_WIDTH=1664&GUAC_HEIGHT=965&GUAC_DPI=96&GUAC_TIMEZONE=Europe/Berlin&GUAC_AUDIO=audio/L8&GUAC_AUDIO=audio/L16&GUAC_IMAGE=image/jpeg&GUAC_IMAGE=image/png&GUAC_IMAGE=image/webp HTTP/1.1 (Mozilla/5.0 (X11; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0)
guacd[476]: INFO: Connection "$1d7c99df-5857-423f-b974-79765c0928f8" removed.
14:53:22.309 [Thread-9] INFO o.a.g.tunnel.TunnelRequestService - User "felix" disconnected from connection "2". Duration: 2450 milliseconds
[21/Jan/2023:14:53:22 +0100] 200 192.168.151.57, 172.30.33.5, 172.30.32.1(172.30.32.2) POST /api/tokens HTTP/1.1 (Mozilla/5.0 (X11; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0)
[21/Jan/2023:14:53:24 +0100] 200 192.168.151.57, 172.30.33.5, 172.30.32.1(172.30.32.2) POST /api/tokens HTTP/1.1 (Mozilla/5.0 (X11; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0)
[21/Jan/2023:14:53:24 +0100] 200 192.168.151.57, 172.30.33.5, 172.30.32.1(172.30.32.2) GET /api/session/data/postgresql-shared/activeConnections HTTP/1.1 (Mozilla/5.0 (X11; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0)
[21/Jan/2023:14:53:24 +0100] 200 192.168.151.57, 172.30.33.5, 172.30.32.1(172.30.32.2) GET /api/session/data/postgresql/activeConnections HTTP/1.1 (Mozilla/5.0 (X11; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0)
```

Full addon config

```
EXTENSIONS: auth-totp
TZ: Europe/Berlin
```

System
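The report above says the connection fails for any key that is not in the legacy PEM format, and the guacd log only shows `Auth key import failed: (null)`, which does not say why. The following is an added example (not code from this addon, from Guacamole or from the reporter) that classifies a private key file by its on-disk format before it is pasted into a connection, so a mismatch can be caught up front. It relies on the standard PEM armor labels and on the `openssh-key-v1` container layout from OpenSSH's PROTOCOL.key; `build_sample_openssh_key` produces a constructed file with random placeholder bytes in place of key material, only so the self-check runs offline.

```python
"""Classify an SSH private key file: legacy PEM (RSA/DSA/EC), PKCS#8, or the
OpenSSH container format that Ed25519 keys always use. Added example; the
sample key is constructed and cannot authenticate anywhere."""
import base64
import os
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"

# Armor labels of the legacy PEM formats (what `ssh-keygen -m PEM` writes).
PEM_LABELS = {
    "RSA PRIVATE KEY": "rsa",
    "DSA PRIVATE KEY": "dsa",
    "EC PRIVATE KEY": "ecdsa",
}


def _read_string(buf, off):
    """Read one SSH 'string' (uint32 big-endian length + bytes) at offset off."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def parse_openssh_header(blob):
    """Return cipher, kdf and the first public key's type from an openssh-key-v1 blob."""
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(OPENSSH_MAGIC)
    cipher, off = _read_string(blob, off)
    kdf, off = _read_string(blob, off)
    _kdfopts, off = _read_string(blob, off)
    (nkeys,) = struct.unpack_from(">I", blob, off)
    off += 4
    if nkeys < 1:
        raise ValueError("no keys in blob")
    pubkey, off = _read_string(blob, off)
    key_type, _ = _read_string(pubkey, 0)   # e.g. b"ssh-ed25519"
    return {"cipher": cipher.decode(), "kdf": kdf.decode(), "key_type": key_type.decode()}


def classify_private_key(text):
    """Return {'format': 'openssh'|'pem'|'pkcs8'|'unknown', 'key_type', 'encrypted'}."""
    lines = [line.strip() for line in text.strip().splitlines() if line.strip()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return {"format": "unknown", "key_type": None, "encrypted": None}
    label = lines[0][len("-----BEGIN "):].rstrip("-").strip()
    body = [line for line in lines[1:] if not line.startswith("-----END")]
    if label == "OPENSSH PRIVATE KEY":
        # No header lines are allowed here; the whole body is base64.
        hdr = parse_openssh_header(base64.b64decode("".join(body)))
        return {"format": "openssh", "key_type": hdr["key_type"],
                "encrypted": hdr["cipher"] != "none"}
    if label in PEM_LABELS:
        # Legacy PEM signals passphrase protection with an RFC 1421 header line.
        encrypted = any(line.startswith("Proc-Type:") and "ENCRYPTED" in line for line in body)
        return {"format": "pem", "key_type": PEM_LABELS[label], "encrypted": encrypted}
    if label == "PRIVATE KEY":
        return {"format": "pkcs8", "key_type": None, "encrypted": False}
    if label == "ENCRYPTED PRIVATE KEY":
        return {"format": "pkcs8", "key_type": None, "encrypted": True}
    return {"format": "unknown", "key_type": None, "encrypted": None}


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def build_sample_openssh_key(key_type="ssh-ed25519"):
    """Constructed, unencrypted openssh-key-v1 file. Random bytes stand in for the
    public and private key material, so it parses like a real header but is useless
    as a credential."""
    pub = _ssh_string(key_type.encode()) + _ssh_string(os.urandom(32))
    private = os.urandom(64)  # placeholder for the (checkint, keys, comment) section
    blob = (OPENSSH_MAGIC + _ssh_string(b"none") + _ssh_string(b"none") + _ssh_string(b"")
            + struct.pack(">I", 1) + _ssh_string(pub) + _ssh_string(private))
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + wrapped + "\n-----END OPENSSH PRIVATE KEY-----\n"


if __name__ == "__main__":
    import sys
    # Usage: python3 keyformat.py [path-to-private-key]; no path = constructed sample
    sample = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_sample_openssh_key()
    print(classify_private_key(sample))
```

A result of `format: openssh` on a key destined for the old image is exactly the case the report describes; for Ed25519 there is no PEM form to convert to, which is why switching images rather than re-encoding keys was the fix.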

alexbelgium commented 1 year ago

Hi, I've made the switch. Can you please test if everything works? Thanks

fischer-felix commented 1 year ago

Thanks for the quick reply! Tried updating and reinstalling, however, starting failed in both cases with `s6-overlay-suexec: fatal: can only run as pid 1`. Most results on Google for this suggest you have to set `init: false` in the Dockerfile / command used to run.

alexbelgium commented 1 year ago

Thanks, building!

fischer-felix commented 1 year ago

Definitely worked, now it gets to the point where syslogd is started, however it gets stuck on `s6-socklog: fatal: unable to bind socket to /dev/log: Read-only file system`. I checked, and /dev/log is not actually read-only, but rather a symlink to /run/systemd/journal/dev-log, which does not exist.

alexbelgium commented 1 year ago

Oh no... I remember that issue in the past but don't remember me being able to solve it. I had simply dropped the addon...

alexbelgium commented 1 year ago

That was the exact reason why I dropped this image: https://github.com/abesnier/docker-guacamole/issues/5

alexbelgium commented 1 year ago

Any help there is welcome :-)

fischer-felix commented 1 year ago

Could you use a volume mounted to /dev/log to work around this? I'm not sure how s6 does the logging, but if it cleans up after itself, that could work. If it does not, we would have to find a way to limit the size of this volume, otherwise the logs would eventually take up too much space.

fischer-felix commented 1 year ago

Another option would be logging to stdout.

s6-socklog has an option to change the UNIX socket it logs to (`-x`): https://skarnet.org/software/s6/s6-socklog.html

Then socat could output this to stdout, so it would appear in the docker logs and the system would deal with the size (https://stackoverflow.com/questions/26390126/is-it-possible-to-attach-unix-socket-as-stdin-to-process-in-bash)

fischer-felix commented 1 year ago

Managed to get it running! I created a socket in /tmp/somesocket using the python command from here and pointed s6-socklog to it:

`/etc/s6-overlay/s6-rc.d/syslogd/run`:

```
#!/command/execlineb -P

s6-envuidgid -D 32760:32760: -- syslog
s6-socklog -d3 -U -t3000 -x /tmp/somesocket
```

Guacamole started without a problem, and using Ed25519 keys worked.

I don't know what is being logged here, but if it is in any way relevant, using socat to redirect it to stdout should take care of that.
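The two ideas in the comments above (detect that /dev/log is a dangling symlink into a non-existent /run/systemd/journal, bind the syslog socket somewhere writable such as /tmp/somesocket, and push the lines to stdout so Docker owns retention) fit in one small relay. The following is an added example, not the addon's entrypoint, not s6-socklog and not the reporter's python command: a single process that binds a UNIX datagram socket, decodes the syslog `<PRI>` prefix (facility*8 + severity) and writes each line to stdout. The fallback path /tmp/somesocket is taken from the thread; the sample datagram in `run_demo` is constructed, modelled on the guacd error from the issue log.

```python
"""Syslog-to-stdout relay for a container whose /dev/log is a dangling symlink.
Added example; assumes syslog datagrams of the form "<PRI>message"."""
import io
import os
import shutil
import socket
import sys
import tempfile

DEFAULT_SOCKET = "/dev/log"
FALLBACK_SOCKET = "/tmp/somesocket"   # path used in the thread
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def is_dangling_symlink(path):
    """True when path is a symlink whose target does not exist (the
    /dev/log -> /run/systemd/journal/dev-log situation from the thread)."""
    return os.path.islink(path) and not os.path.exists(path)


def choose_socket_path(preferred=DEFAULT_SOCKET, fallback=FALLBACK_SOCKET):
    """Use preferred unless it is a dangling symlink or its directory is not
    writable; in both cases bind() there would fail, so use the fallback."""
    parent = os.path.dirname(preferred) or "."
    if is_dangling_symlink(preferred) or not os.access(parent, os.W_OK):
        return fallback
    return preferred


def bind_log_socket(path):
    """Bind a SOCK_DGRAM UNIX socket at path, replacing a stale socket file, and
    make it world-writable so syslog clients running as other users can log."""
    if os.path.lexists(path):
        os.unlink(path)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    sock.bind(path)
    os.chmod(path, 0o666)
    return sock


def decode_datagram(data):
    """Split one syslog datagram into facility, severity and message text."""
    text = data.decode("utf-8", errors="replace").rstrip("\n\x00")
    if text.startswith("<"):
        end = text.find(">")
        if 0 < end <= 4 and text[1:end].isdigit():
            pri = int(text[1:end])
            return {"facility": pri >> 3, "severity": pri & 7, "message": text[end + 1:]}
    return {"facility": None, "severity": None, "message": text}


def format_record(rec):
    """One output line per datagram; facility stays numeric, severity is named."""
    if rec["severity"] is None:
        return f"[-] {rec['message']}\n"
    return f"[{rec['facility']}.{SEVERITY_NAMES[rec['severity']]}] {rec['message']}\n"


def relay(sock, out=sys.stdout, max_messages=None):
    """Forward datagrams from sock to out until max_messages have been seen
    (None = run forever, which is what a container entrypoint would do)."""
    seen = 0
    while max_messages is None or seen < max_messages:
        out.write(format_record(decode_datagram(sock.recv(65536))))
        out.flush()
        seen += 1
    return seen


def run_demo():
    """Constructed self-check: a dangling symlink in a temp dir stands in for
    /dev/log, the fallback socket is bound, one datagram is sent and relayed."""
    tmp = tempfile.mkdtemp()
    dangling = os.path.join(tmp, "log")
    os.symlink(os.path.join(tmp, "missing-journal-socket"), dangling)
    fallback = os.path.join(tmp, "somesocket")
    path = choose_socket_path(dangling, fallback)
    sock = bind_log_socket(path)
    out = io.StringIO()
    try:
        client = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
        # constructed sample: PRI 11 = facility 1 (user), severity 3 (err)
        client.sendto(b"<11>Jan 21 14:53:19 guacd[715]: Auth key import failed: (null)\n", path)
        client.close()
        relay(sock, out, max_messages=1)
    finally:
        sock.close()
        shutil.rmtree(tmp, ignore_errors=True)
    return {"chosen_path_is_fallback": path == fallback, "output": out.getvalue()}


if __name__ == "__main__":
    # Usage: relay.py --demo | relay.py <preferred-socket-path>
    if len(sys.argv) == 2 and sys.argv[1] != "--demo":
        relay(bind_log_socket(choose_socket_path(sys.argv[1])))
    else:
        print(run_demo())
```

In a container this replaces the socat hop: the relay is the socket owner, so nothing is written to a volume and `docker logs` (and the add-on log) receives every line. Note that `bind_log_socket` deliberately removes an existing file at the path, so only point it at a socket the relay is meant to own.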

alexbelgium commented 1 year ago

you're the best!!! I'll implement that

alexbelgium commented 1 year ago

Mmh, this requires python. I'll try another way to create a socket to avoid making the image bigger.

fischer-felix commented 1 year ago

Was python not installed already? I can't recall installing it while testing.

fischer-felix commented 1 year ago

In my container it shows Nov 14 as the date of the python3.10 binary and it is not in /var/log/dpkg.log (i.e. I did not manually install it)

alexbelgium commented 1 year ago

You're right, `python` is not found but `python3` is.

fischer-felix commented 1 year ago

Nice, that one also got me 😅

alexbelgium commented 1 year ago

Ok, new version being pushed!

fischer-felix commented 1 year ago

Works a treat!

alexbelgium commented 1 year ago

This was really an enjoyable experience, thanks very much for the co-implementation of the feature!

E-NINA commented 1 year ago

Hello, I'm not sure if this is the right place to post, but the last change doesn't work for me:

```
Failed to start add-on
Can't start addon_db21ed7f_guacamole: 500 Server Error for http+docker://localhost/v1.41/containers/49343eac2d534a454d2f2159509a044b8c6fd713375183731b663700a03b658d/start: Internal Server Error ("failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error mounting "tmpfs" to rootfs at "/dev/shm": SecureJoin /var/lib/docker/overlay2/922908d015ccf14d6719da9957c49576953e82a47c8293fc39ada25189cebbcd/merged//dev/shm/: too many levels of symbolic links: unknown")
```


Also with the last 1.4.2-7_11


alexbelgium commented 1 year ago

Mmh I can't replicate, @fischer-felix can you? Thanks

fischer-felix commented 1 year ago

Only thing that I could think of would be that maybe it does not like upgrading directly to the new version. I had definitely uninstalled and reinstalled it once, so maybe that could help.

E-NINA commented 1 year ago

Hello, I removed it completely and installed the latest version again, same issue:
