search

vadimpronin / guacamole-lite

Node.js library for creating Guacamole-compatible servers. Guacamole is a RDP/VNC/SSH/Telnet client for HTML5 browsers.
Apache License 2.0
250 stars 78 forks source link

crypto token #22

Closed dnapier closed 6 years ago

dnapier commented 6 years ago

I'm a bit confused regarding the use of the token.

I'm passing a json token to the guacamole-lite server listening at port 8080 from the client side javascript using guacamole-common-js.

It needs to be encrypted with the crypto package but the crypto package is only available on node (server side). The crypto example you gave is for encrypting the token to send to the guacamole-lite server, correct?

What am I missing here?

vadimpronin commented 6 years ago

Ok, the token is basically one of the ways to tell guacamole-lite to which server it should connect and with what parameters. Because the token is just an encrypted json with all these parameters. Now there are multiple ways to send these parameters to guacamole-lite:

  1. Encrypted token
  2. Unencrypted GET parameters (query string)
  3. Hardcoded config in guacamole-lite

I don't really understand what is your use case, but from your question I assume that you want to configure connection parameters (IP, login, password, etc) on the frontend (in browser). If that is true, I must warn you that though it is possible (by overriding some guacamole-lite defaults) it is very unsecure because first of all anyone would be able to use you guacamole-lite instance to connect to any server server they want (not only the ones you want them to) and also anyone would be able to see all credentials needed to connect to your servers (IP, login, password, etc). So generally it is a very bad idea to generate connection parameters (either in token on unencrypted) on the frontend.

The idea behind the token is that your backend app takes connection parameters, encrypts them into the token and then passes this token to the frontend. In this case a user will not be able to decrypt it and see you connection parameters. And also as long as the token is generated using a key that is only known to your backend app and guacamole-lite we ensure that a user can not generate the token with their own connection parameters and try to connect to some random server.

And that is the reason why both examples of generating the token are for the backend (nodejs and PHP) and you probably can't (or at least you should not) generate tokens in browser.

dnapier commented 6 years ago

Use case: I'm building a lab environment for users to access remote machines through a custom web app.

It's being built using the Meteor framework with a React UI.

I think my confusion is from the guacamole-lite documentation:

Then you need to open guacamole connection to ws://your-guacamole-server:8080/?token=token

I was under the impression this meant from guacamole-common-js loaded on the front end with (from Chapter 18 of Guac docs):

var tunnel = new Guacamole.WebSocketTunnel("ws://<server>:8080/?token=${encryptedToken}");
var client = new Guacamole.Client(tunnel);
client.connect();

The idea behind the token is that your backend app takes connection parameters, encrypts them into the token and then passes this token to the frontend.

The token is being passed to the front end? I'm struggling with wording this, so please understand, but the front end doesn't require any of the token data, does it?

Security From my App's perspective, it's not critical that the token comes from the front end, but in reference to your security concerns, guacamole will only render if the user has completed our authentication process.

dnapier commented 6 years ago

Update on this, after reading through the implementation for WebSocketTunnel, we found that everything following the domain:port needed to be passed to client.connect(token), rather than the above code. I plan to update your documentation with a front end example, to clarify for others running into these issues. This issue can be closed. :+1:

BartNetJS commented 5 years ago

Hi @dnapier, where can I find your front end example? I'm struggling with the same issue on encrypting a token client side

dnapier commented 5 years ago

Hey @BartNetJS! Sorry, I never got around to putting in a pull request for this. I'll try to get it in later today, but just as a heads up, our implementation uses React, and while this issue got resolved, we still have an issue of user input. Currently it loads the remote connection but we haven't been able to interact with it.

dnapier commented 5 years ago

@BartNetJS: Fresh off the press, just created this pull request. Let me know if you have any questions regarding it!

https://github.com/vadimpronin/guacamole-lite/pull/25

BartNetJS commented 5 years ago

great @dnapier, i will test it tomorrow and let you know

vadimpronin commented 5 years ago

@dnapier Thanks for the example! @BartNetJS please let me know the results of your test so I could merge the pull request

BartNetJS commented 5 years ago

@dnapier it is working great. thanks! @vadimpronin I didn't test the react implementation. I've just copied parts of the code. So I can only confirm that the connection to guacamole-lite works.