Closed wschlotter closed 2 years ago
Never had the issue
Make sure you leave space after private key
From: Billy Schlotter
Sent: Wednesday, October 13, 2021 4:40:36 AM
To: MaxWaldorf/guacamole
Cc: Subscribed
Subject: [MaxWaldorf/guacamole] Keeps asking for Keyphrase (#8)
I believe I have all the settings right, but when I try to access the server via SSH I keep getting asked for keyphrase. I do not have any keyphrase on my key.
When you say an extra space, do you mean an extra return? When I do that and I save, it strips it out.
Yes an extra return space.
When I do that it strips it out and I still have the same issue.
Don't enter a password in your config just the private key and user name...
Is your private key protected by a passphrase?
Make sure you copy the key from a cat command if needed
Same issue here, I get asked for the passphrase even if the key does not have any.
Using latest image from DockerHub on Raspberry Pi 4 arm64
This is how the key has been generated:
[edoardo@edoardo-fedora Temporary]$ ssh-keygen -C user@guac.com
Generating public/private rsa key pair.
Enter file in which to save the key (/home/edoardo/.ssh/id_rsa): /home/edoardo/Temporary/guac_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/edoardo/Temporary/guac_rsa
Your public key has been saved in /home/edoardo/Temporary/guac_rsa.pub
The key fingerprint is:
SHA256:UQDYuNqAvDOL0MMrRmjdOWFtcdmxPLZmrp9ubREFhqA user@guac.com
The key's randomart image is:
+---[RSA 3072]----+
| +...o=.oo. |
| o ...+.oo . |
|.. ..E+ = . |
|... .o o .. o. |
|.oo+o + S + . |
|o*=..+ + . |
|= +o . .. . |
|oo. ...o |
|.. .++. |
+----[SHA256]-----+
[edoardo@edoardo-fedora Temporary]$ cat guac_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
[key body omitted]
-----END OPENSSH PRIVATE KEY-----
This is how it is imported:
Logs:
09:08:17.516 [http-nio-8080-exec-10] INFO o.a.g.tunnel.TunnelRequestService - User "edoardo" disconnected from connection "14". Duration: 4176 milliseconds
guacd[262]: INFO: Connection "$dbd78f60-4c64-4bc6-bed3-91f0b1bc2589" removed.
guacd[262]: INFO: Creating new client for protocol "ssh"
guacd[262]: INFO: Connection ID is "$cd5f62af-dfad-4462-87de-1cca434ff832"
guacd[3184]: INFO: User "@6f2715ee-e0ed-4e90-b40a-68f590721d79" joined connection "$cd5f62af-dfad-4462-87de-1cca434ff832" (1 users now present)
09:08:25.892 [http-nio-8080-exec-2] INFO o.a.g.tunnel.TunnelRequestService - User "edoardo" connected to connection "14".
guacd[3184]: ERROR: Auth key import failed: (null)
guacd[3184]: INFO: User "@6f2715ee-e0ed-4e90-b40a-68f590721d79" disconnected (0 users remain)
guacd[3184]: INFO: Last user of connection "$cd5f62af-dfad-4462-87de-1cca434ff832" disconnected
09:08:29.041 [http-nio-8080-exec-5] INFO o.a.g.tunnel.TunnelRequestService - User "edoardo" disconnected from connection "14". Duration: 3148 milliseconds
Exception in thread "Thread-177" java.lang.IllegalStateException: Message will not be sent because the WebSocket session has been closed
at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.writeMessagePart(WsRemoteEndpointImplBase.java:439)
at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.sendMessageBlock(WsRemoteEndpointImplBase.java:311)
at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.sendMessageBlock(WsRemoteEndpointImplBase.java:251)
at org.apache.tomcat.websocket.WsRemoteEndpointImplBase.sendString(WsRemoteEndpointImplBase.java:192)
at org.apache.tomcat.websocket.WsRemoteEndpointBasic.sendText(WsRemoteEndpointBasic.java:37)
at org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint.sendInstruction(GuacamoleWebSocketTunnelEndpoint.java:152)
at org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint.access$200(GuacamoleWebSocketTunnelEndpoint.java:53)
at org.apache.guacamole.websocket.GuacamoleWebSocketTunnelEndpoint$2.run(GuacamoleWebSocketTunnelEndpoint.java:253)
guacd[262]: INFO: Connection "$cd5f62af-dfad-4462-87de-1cca434ff832" removed.
guacd[262]: INFO: Creating new client for protocol "ssh"
guacd[262]: INFO: Connection ID is "$b3f1afc8-07eb-4a95-b687-f1e4baf9533e"
guacd[3201]: INFO: User "@bbbfaca5-758c-49d6-84c2-90c5ac0e4b17" joined connection "$b3f1afc8-07eb-4a95-b687-f1e4baf9533e" (1 users now present)
09:11:01.873 [http-nio-8080-exec-8] INFO o.a.g.tunnel.TunnelRequestService - User "edoardo" connected to connection "14".
Still having the same issue.
Any more help on this?
I just checked and there is no space or return char after: -----END RSA PRIVATE KEY-----
Other than that, this seems to be more of a Guacamole issue than a problem I can fix on my end...
Tried again and no luck, unfortunately.
I'll check if the same is present on the official x86 image in the next days.
Thanks for your help
I've been tearing my hair over this. Pub/Priv key authentication does not seem to work with this version of Guacamole.
Strange that I am able to use it on my side but it is on raspberry (arm64)...
Thanks anyway @MaxWaldorf!
I don't suppose you could share the steps you used to create the priv/key? I've found various reddit threads and Guacamole mailing lists that suggest it doesn't support the newer format, and all sorts of commands to convert them to various formats.
Or did you literally just use the standard ssh-keygen -t rsa, and then copy-paste the text from the id_rsa file into the Guacamole private key field?
Cheers!
So I noticed that the way the Guacamole webui sends the private key to be stored is by doing an HTTP PUT...but it seems like it strips the final new line off the key! AFAIK this is a requirement for it to work, right?
I'm not sure what to do with this information yet...
Edit: tried using curl to send the key with a \n at the end. It saves it properly and retrieves it with a newline now in the GUI but still no luck. Damn, thought I'd cracked this.
Did you try with a new container and new connection? it seems odd
Try creating your SSH key using the following. Guacamole has a certain way the key needs to be written for it to work.
ssh-keygen -t rsa -b 4096 -m PEM -C "Comment"
Can confirm that works, I really expected guacamole to support RFC4716 and not only PEM (which, according to man page, is legacy)
I'm sorry for bothering the author, this should probably be reported upstream (although I did not try on "official" guacamole) and thanks @seantdavidson for help!
Just catching up. Thanks for all the help. Will try and create a key with PEM later today.
Sorry to revive this issue. But did this work? Also with the ed25519 type? Is there an issue to support the modern format of keys instead of using pem?
My understanding is Guacamole does not work with ed25519 keys. I did tons of research and can’t verify it works with anyone on the Guacamole team.
A sad story with the keys. I was so happy to have found a seamless solution for remote access through a web interface... and then this.
Looks like 1.5.0 will add support, but no release date as of yet. https://issues.apache.org/jira/browse/GUACAMOLE-745 https://www.mail-archive.com/dev@guacamole.apache.org/msg08512.html
Solution found: ssh-keygen -f ~/.ssh/id_rsa -p -m pem. Now everything works fine and it accepts the password. So instead of DEK-Info: DES-EDE3-CBC it accepts DEK-Info: AES-128-CBC and works with it.
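As an added example (not part of any comment in this thread and not Guacamole's own code): a shell function that reports which container a private key file uses, the OpenSSH one shown in the ssh-keygen session above or the PEM one produced by -m PEM, whether it carries encryption markers such as DEK-Info, and whether the file ends in a newline. The function name and the labels it prints are this example's own.

```shell
#!/bin/sh
# Added example: classify a private key file by its armor lines only.
# It never prints key material. Output: "<format> <encryption> <newline>".

classify_key() {
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 2; }

    # First armor line, with any Windows CR removed.
    begin=$(grep -m1 '^-----BEGIN ' "$f" | tr -d '\r')
    enc=unencrypted
    case $begin in
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            fmt=openssh
            # An unencrypted key body starts with the base64 of
            # "openssh-key-v1\0" followed by the cipher name "none".
            body=$(grep -v '^-----' "$f" | head -n 1)
            case $body in
                b3BlbnNzaC1rZXktdjEAAAAABG5vbmU*) ;;
                *) enc=encrypted ;;
            esac ;;
        "-----BEGIN RSA PRIVATE KEY-----")
            fmt=pem-rsa
            # Traditional PEM marks encryption with RFC 1421 headers.
            if grep -q -e '^Proc-Type: 4,ENCRYPTED' -e '^DEK-Info:' "$f"; then
                enc=encrypted
            fi ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----")
            fmt=pkcs8; enc=encrypted ;;
        "-----BEGIN PRIVATE KEY-----")
            fmt=pkcs8 ;;
        *)
            echo "unknown"; return 1 ;;
    esac

    # The thread also suspects a stripped final newline, so report it.
    if [ $(tail -c 1 "$f" | wc -l) -eq 1 ]; then nl=newline; else nl=no-newline; fi
    echo "$fmt $enc $nl"
}

# Stand-alone use: sh classify_key.sh /path/to/keyfile
if [ $# -gt 0 ]; then classify_key "$1"; fi
```

Run it against the file before pasting its contents into the connection's private key field; "openssh" is the format the reporters above could not import, and "pem-rsa unencrypted" is what the -m PEM command produces when no passphrase is set.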
Using current docker image, I still have same issue with a private RSA key that has no passphrase using PEM format (and native ssh-keygen format as well). WebUI keeps asking for a passphrase and ends up failing with "Auth key import failed" error.
2022-10-15T21:42:32.070358766Z guacd[7]: INFO: Creating new client for protocol "ssh"
2022-10-15T21:42:32.071161905Z guacd[7]: INFO: Connection ID is "$f1f03a83-562e-4180-bcef-75c0f41c4088"
2022-10-15T21:42:32.076648240Z guacd[786]: INFO: User "@8c3ebbec-c1ea-4252-97bd-20157cf37805" joined connection "$f1f03a83-562e-4180-bcef-75c0f41c4088" (1 users now present)
2022-10-15T21:42:33.663942382Z guacd[786]: ERROR: Auth key import failed: (null)
2022-10-15T21:42:33.665684126Z guacd[786]: INFO: User "@8c3ebbec-c1ea-4252-97bd-20157cf37805" disconnected (0 users remain)
2022-10-15T21:42:33.665741609Z guacd[786]: INFO: Last user of connection "$f1f03a83-562e-4180-bcef-75c0f41c4088" disconnected
2022-10-15T21:42:33.678514680Z guacd[7]: INFO: Connection "$f1f03a83-562e-4180-bcef-75c0f41c4088" removed.