GUACAMOLE-312: Add guacd support for tunneling connections over SSH

[necouchman]

This adds the guacd-side settings and functions to support tunneling most of the available protocols over SSH, including SSH, RDP, Telnet, and VNC. When I looked at Websockets and its supporting library, I did not see an obvious way to implement it, there, so I've skipped that one for the moment.

[jseifeddine]

I cloned your PR, docker build fails

468.9 Added: sv-se-qwerty
468.9 Added: da-dk-qwerty
468.9 Added: tr-tr-qwerty
468.9 make  all-recursive
468.9 make[3]: Entering directory '/tmp/guacamole-server/src/protocols/rdp'
468.9 Making all in .
468.9 make[4]: Entering directory '/tmp/guacamole-server/src/protocols/rdp'
468.9   CC       plugins/guac-common-svc/libguac_common_svc_client_la-guac-common-svc.lo
469.2 In file included from /opt/guacamole/lib/pkgconfig/../../include/freerdp3/freerdp/client/rdpgfx.h:28,
469.2                  from /opt/guacamole/lib/pkgconfig/../../include/freerdp3/freerdp/gdi/gdi.h:34,
469.2                  from /opt/guacamole/lib/pkgconfig/../../include/freerdp3/freerdp/freerdp.h:35,
469.2                  from ./channels/common-svc.h:23,
469.2                  from plugins/guac-common-svc/guac-common-svc.c:21:
469.2 /opt/guacamole/lib/pkgconfig/../../include/freerdp3/freerdp/codecs.h:93:9: error: 'codecs_free' is deprecated: [since 3.6.0] Use freerdp_client_codecs_free [-Werror=deprecated-declarations]
469.2    93 |         WINPR_DEPRECATED_VAR("[since 3.6.0] Use freerdp_client_codecs_new",
469.2       |         ^~~~~~~~~~~~~~~~~~~~
469.2 In file included from /opt/guacamole/lib/pkgconfig/../../include/winpr3/winpr/winpr.h:22,
469.2                  from /opt/guacamole/lib/pkgconfig/../../include/winpr3/winpr/stream.h:26,
469.2                  from /opt/guacamole/lib/pkgconfig/../../include/freerdp3/freerdp/freerdp.h:25:
469.2 /opt/guacamole/lib/pkgconfig/../../include/freerdp3/freerdp/codecs.h:91:47: note: declared here
469.2    91 |                              FREERDP_API void codecs_free(rdpCodecs* codecs));
469.2       |                                               ^~~~~~~~~~~
469.2 /opt/guacamole/lib/pkgconfig/../../include/winpr3/winpr/platform.h:497:41: note: in definition of macro 'WINPR_DEPRECATED_VAR'
469.2   497 | #define WINPR_DEPRECATED_VAR(text, obj) obj __attribute__((deprecated(text)))
469.2       |                                         ^~~
469.2 cc1: all warnings being treated as errors
469.2 make[4]: Leaving directory '/tmp/guacamole-server/src/protocols/rdp'
469.2 make[4]: *** [Makefile:1432: plugins/guac-common-svc/libguac_common_svc_client_la-guac-common-svc.lo] Error 1
469.2 make[3]: *** [Makefile:1486: all-recursive] Error 1
469.2 make[3]: Leaving directory '/tmp/guacamole-server/src/protocols/rdp'
469.2 make[2]: *** [Makefile:768: all] Error 2
469.2 make[2]: Leaving directory '/tmp/guacamole-server/src/protocols/rdp'
469.2 make[1]: *** [Makefile:545: all-recursive] Error 1
469.2 make[1]: Leaving directory '/tmp/guacamole-server'
469.2 make: *** [Makefile:465: all] Error 2
------

 1 warning found (use docker --debug to expand):
 - JSONArgsRecommended: JSON arguments recommended for CMD to prevent unintended behavior related to OS signals (line 219)
Dockerfile:154
--------------------
 152 |     
 153 |     # Build guacamole-server and its core protocol library dependencies
 154 | >>> RUN ${BUILD_DIR}/src/guacd-docker/bin/build-all.sh
 155 |     
 156 |     # Determine location of the FREERDP library based on the version.
--------------------
ERROR: failed to solve: process "/bin/sh -c ${BUILD_DIR}/src/guacd-docker/bin/build-all.sh" did not complete successfully: exit code: 2

[jseifeddine]

I cloned your PR, docker build fails

468.9 Added: sv-se-qwerty
468.9 Added: da-dk-qwerty
468.9 Added: tr-tr-qwerty
468.9 make  all-recursive
468.9 make[3]: Entering directory '/tmp/guacamole-server/src/protocols/rdp'
468.9 Making all in .
468.9 make[4]: Entering directory '/tmp/guacamole-server/src/protocols/rdp'
468.9   CC       plugins/guac-common-svc/libguac_common_svc_client_la-guac-common-svc.lo
469.2 In file included from /opt/guacamole/lib/pkgconfig/../../include/freerdp3/freerdp/client/rdpgfx.h:28,
469.2                  from /opt/guacamole/lib/pkgconfig/../../include/freerdp3/freerdp/gdi/gdi.h:34,
469.2                  from /opt/guacamole/lib/pkgconfig/../../include/freerdp3/freerdp/freerdp.h:35,
469.2                  from ./channels/common-svc.h:23,
469.2                  from plugins/guac-common-svc/guac-common-svc.c:21:
469.2 /opt/guacamole/lib/pkgconfig/../../include/freerdp3/freerdp/codecs.h:93:9: error: 'codecs_free' is deprecated: [since 3.6.0] Use freerdp_client_codecs_free [-Werror=deprecated-declarations]
469.2    93 |         WINPR_DEPRECATED_VAR("[since 3.6.0] Use freerdp_client_codecs_new",
469.2       |         ^~~~~~~~~~~~~~~~~~~~
469.2 In file included from /opt/guacamole/lib/pkgconfig/../../include/winpr3/winpr/winpr.h:22,
469.2                  from /opt/guacamole/lib/pkgconfig/../../include/winpr3/winpr/stream.h:26,
469.2                  from /opt/guacamole/lib/pkgconfig/../../include/freerdp3/freerdp/freerdp.h:25:
469.2 /opt/guacamole/lib/pkgconfig/../../include/freerdp3/freerdp/codecs.h:91:47: note: declared here
469.2    91 |                              FREERDP_API void codecs_free(rdpCodecs* codecs));
469.2       |                                               ^~~~~~~~~~~
469.2 /opt/guacamole/lib/pkgconfig/../../include/winpr3/winpr/platform.h:497:41: note: in definition of macro 'WINPR_DEPRECATED_VAR'
469.2   497 | #define WINPR_DEPRECATED_VAR(text, obj) obj __attribute__((deprecated(text)))
469.2       |                                         ^~~
469.2 cc1: all warnings being treated as errors
469.2 make[4]: Leaving directory '/tmp/guacamole-server/src/protocols/rdp'
469.2 make[4]: *** [Makefile:1432: plugins/guac-common-svc/libguac_common_svc_client_la-guac-common-svc.lo] Error 1
469.2 make[3]: *** [Makefile:1486: all-recursive] Error 1
469.2 make[3]: Leaving directory '/tmp/guacamole-server/src/protocols/rdp'
469.2 make[2]: *** [Makefile:768: all] Error 2
469.2 make[2]: Leaving directory '/tmp/guacamole-server/src/protocols/rdp'
469.2 make[1]: *** [Makefile:545: all-recursive] Error 1
469.2 make[1]: Leaving directory '/tmp/guacamole-server'
469.2 make: *** [Makefile:465: all] Error 2
------

 1 warning found (use docker --debug to expand):
 - JSONArgsRecommended: JSON arguments recommended for CMD to prevent unintended behavior related to OS signals (line 219)
Dockerfile:154
--------------------
 152 |     
 153 |     # Build guacamole-server and its core protocol library dependencies
 154 | >>> RUN ${BUILD_DIR}/src/guacd-docker/bin/build-all.sh
 155 |     
 156 |     # Determine location of the FREERDP library based on the version.
--------------------
ERROR: failed to solve: process "/bin/sh -c ${BUILD_DIR}/src/guacd-docker/bin/build-all.sh" did not complete successfully: exit code: 2

A dirty working fix for now,

src/guacd-docker/bin/build-all.sh Line 30

export CFLAGS="-I${PREFIX_DIR}/include -Wno-error=deprecated-declarations"

Dockerfile Line 128-129:

    -DWITH_ZLIB=ON \
    -DDISABLE_WERROR=ON"

[jseifeddine]

Works well, I built both your client and server ssh-tunnel PRs

What would be nice is to save the "Jump Host" config and to reuse it, rather than having to enter all the details per connection.

[jseifeddine]

ok not working in docker

first problem was that it was using a non-existent directory

guacd  | guacd[113]: ERROR:       Failed to make socket directory "/opt/guacamole/var/run/guacd/$4d869762-04d5-4e32-bdc5-90a91fedc043": No such file or directory

as a quick fix, i mounted a volume there

    volumes:
      - ./guacd-var-run:/opt/guacamole/var/run/guacd

But still no cigar, times out

guacd      | guacd[1]: INFO:      Creating new client for protocol "ssh"
guacd      | guacd[1]: INFO:      Connection ID is "$510d4fd2-9bc5-4fb2-bbfc-0825f54b5b78"
guacd      | guacd[206]: INFO:    User "@09816826-2d16-4da4-a80d-c371d94a178f" joined connection "$510d4fd2-9bc5-4fb2-bbfc-0825f54b5b78" (1 users now present)
guacamole  | 00:28:10.749 [http-nio-8080-exec-7] INFO  o.a.g.tunnel.TunnelRequestService - User "john-doe" connected to connection "2".
guacd      | guacd[206]: WARNING: No known host keys provided, host identity will not be verified.
guacd      | guacd[1]: INFO:      Connection "$510d4fd2-9bc5-4fb2-bbfc-0825f54b5b78" removed.
guacamole  | 00:28:26.210 [Thread-22] ERROR o.a.g.w.GuacamoleWebSocketTunnelEndpoint - Connection to guacd terminated abnormally: Connection to guacd timed out.
guacamole  | 00:28:26.211 [Thread-22] INFO  o.a.g.tunnel.TunnelRequestService - User "john-doe" disconnected from connection "2". Duration: 15462 milliseconds

This happens with SSH Tunnel enabled and correct auth details

[necouchman]

@jseifeddine These issues should be resolved, now - I've re-based this against the current main branch and resolved the issues with it, so it should build correctly, now. I'll likely need to fix up the guacamole-client PR, as well.

[jseifeddine]

@jseifeddine These issues should be resolved, now - I've re-based this against the current main branch and resolved the issues with it, so it should build correctly, now. I'll likely need to fix up the guacamole-client PR, as well.

building and testing now, I'll let you know how it goes

thanks so much for your efforts

[jseifeddine]

still same behavior with the tunnel connection

the build succeeds now without warning or error

however the socket dir doesn't exist where you assume it to

guacd  | guacd[17]: DEBUG:        SSH tunneling is enabled, connecting via SSH.
guacd  | guacd[17]: INFO: User "@7383745e-ae04-45eb-be42-e22d8e395188" joined connection "$ab261a50-41b5-419c-9df1-7eafc790bb7b" (1 users now present)
guacd  | guacd[17]: DEBUG:        Client is using protocol version "VERSION_1_5_0"
guacd  | guacd[17]: DEBUG:        Authenticating SSH tunnel with private key.
guacd  | guacd[17]: WARNING:      No known host keys provided, host identity will not be verified.
guacd | guacd[17]: DEBUG:        Supported authentication methods: publickey,password
guacd  | guacd[17]: DEBUG:        SSH session created for tunneling, initializing the tunnel.
guacd  | guacd[17]: DEBUG:        Socket: /opt/guacamole/var/run/guacd/$ab261a50-41b5-419c-9df1-7eafc790bb7b/tunnel
guacd | guacd[17]: ERROR:        Failed to make socket directory "/opt/guacamole/var/run/guacd/$ab261a50-41b5-419c-9df1-7eafc790bb7b": No such file or directory

so I modify the Dockerfile adding this towards the end

# Create necessary directory structure
USER root
RUN mkdir -p /opt/guacamole/var/run/guacd && \
    chown -R guacd:guacd /opt/guacamole/var/run && \
    chmod -R 775 /opt/guacamole/var/run
USER guacd

# Expose the default listener port
EXPOSE 4822

COPY ./src/guacd-docker/bin/entrypoint.sh /opt/guacamole/
ENTRYPOINT [ "/opt/guacamole/entrypoint.sh" ]

this appears to fix the socket dir not existing error and the ssh tunnel seems to be initialized correctly
but you can see connection XXX removed immediately after Waiting for data on socket.

Maybe its something to do with the socket dir?

guacd      | guacd[48]: DEBUG:    Authenticating SSH tunnel with private key.
guacd      | guacd[48]: WARNING:  No known host keys provided, host identity will not be verified.
guacd      | guacd[48]: DEBUG:    Supported authentication methods: publickey,password
guacd      | guacd[48]: DEBUG:    SSH session created for tunneling, initializing the tunnel.
guacd      | guacd[48]: DEBUG:    Socket: /opt/guacamole/var/run/guacd/$0760c98d-7d3f-49fb-b2df-c8ad51d9d650/tunnel
guacd      | guacd[48]: DEBUG:    Socket created, binding.
guacd      | guacd[48]: DEBUG:    Listening on socket, creating worker thread.
guacd      | guacd[48]: DEBUG:    Starting tunnel worker - waiting for connection.
guacd      | guacd[48]: DEBUG:    Worker created, return socket path to client.
guacd      | guacd[48]: DEBUG:    SSH tunnel connection succeeded.
guacd      | guacd[48]: DEBUG:    Connection received, starting libssh2 channel.
guacd      | guacd[48]: DEBUG:    Channel started, starting output thread.
guacd      | guacd[48]: DEBUG:    Processing tunnel data.
guacd      | guacd[48]: DEBUG:    Waiting for data on socket.
guacd      | guacd[1]: INFO:      Connection "$0760c98d-7d3f-49fb-b2df-c8ad51d9d650" removed.
guacd      | guacd[1]: DEBUG:     Unable to request termination of client process: No such process 
guacd      | guacd[1]: DEBUG:     All child processes for connection "$0760c98d-7d3f-49fb-b2df-c8ad51d9d650" have been terminated.
guacamole  | 12:20:08.328 [Thread-6] INFO  o.a.g.tunnel.TunnelRequestService - User "john-doe" disconnected from connection "3". Duration: 4887 milliseconds

[jseifeddine]

@necouchman

Also, these messages may serve as a clue to whats happening

They continue even after i've closed the session in guacamole app and disconnected

guacd      | guacd[1]: DEBUG:     Guacamole connection closed during handshake
guacd      | guacd[1]: DEBUG:     Error reading "select": End of stream reached while reading instruction
guacd      | guacd[1]: DEBUG:     Guacamole connection closed during handshake
guacd     | guacd[1]: DEBUG:     Error reading "select": End of stream reached while reading instruction

also, the sockets dont get cleaned up, they remain - until i restart the container

docker compose exec -it guacd ls /opt/guacamole/var/run/guacd
$0760c98d-7d3f-49fb-b2df-c8ad51d9d650  $e41d1cd4-ad09-4099-b5ab-df1f730e68df