Embedding GateOne guideline #119
Comments
To back up my problem, the console shows the following error: ReferenceError: u is not defined |
Also, I didn't completely understand what --new_api_key really does. How is it going to help embedding GateOne in our sample webapp? |
After a little bit of thinking about the API key, I am guessing that I should add the API key which gateone.py creates to the user's table in my DB. Then every time a user wants to access the terminal it calls GateOne with the respective auth parameters. Am I right? |
The ReferenceError is a bug... I just fixed it (just a typo). That'll be in a commit tonight. The API key is there to allow your application to pass through its authenticated user to Gate One. This way Gate One won't have to re-authenticate the user if your application has already taken care of it. The 'chat' app in the tests directory demonstrates how to use the API functionality. Think of API authentication as a secure form of this:
Of course, you can't do that because the user could manipulate the JavaScript on the page to become whatever user they want (hijacking their session, terminals, etc). So you generate a shared secret (API key) between your application and Gate One so that you can securely communicate the username to the Gate One server via a little bit of JavaScript (a JSON object, specifically). By generating a signed message every time the user loads your web page it is nearly impossible for an attacker to be able to steal your user's Gate One session. There's a lot of nuance to secure authentication... If you want to know more about it I recommend you take a look at the code here: https://github.com/liftoff/GateOne/blob/master/gateone/gateone.py#L1085 It has a lot of comments demonstrating how to use it and the protections it affords. |
Thanks. Now it's working without error. But, now it redirects me to the following address: I have copied 'accept_certificate.html' to the related folder. It seems that it's working fine but every 5 seconds it redirects the user to the above address and returns back to my page. I think it fails on the certificate. Also, I tested the chat sample program. It doesn't work though. Chat program runs on port 8080 but the url it tries to redirect is on 443. So it breaks on redirecting. I changed the default port to 443. But, it didn't work. |
Yeah, there's something strange going on with the code that detects whether or not the client has accepted the server's certificate. I'm working on it. |
I just pushed a commit that should "fix" the redirect issue. I put "fix" in quotes because it is likely that the problem is that your Gate One server is configured for PAM, Google, or Kerberos authentication which won't work with the tutorial (as it exists right now anyway). So now if you're trying out the tutorial in this situation it will pop up a message telling you precisely what the problem is. Also, the commit I just pushed will enable users to resume their sessions when Gate One is embedded into another app with anonymous authentication enabled. Resuming sessions always worked fine when using API authentication but it never worked for anonymous auth (when embedding anyway). So that's that. Let me know if the aforementioned changes have resolved this problem for you. Thanks |
I just pushed another commit that now features a fully-working "DIY" section in the tutorial covering "embedded mode". It isn't complete but at least it works as designed now. Please let me know what you think when you get around to checking it out =D |
Great! With the latest commit the problems have gone away. I have an opinion about the API key: Isn't it better to print out the API key only? |
You're misunderstanding how to use the API key... You only need one API key per application. So you run --new_api_key once and you're done. From then on when you want to preauthenticate a user and pass that to Gate One you sign the user's information using that API key. It doesn't matter what user you're signing with your API key. All that matters is that your API key is registered in your server.conf and that the signature is valid. So you could pass-through hundreds of different users with the same API key. |
Aha! I got it. |
FYI: Here's an example of using the API key to create the 'auth' object in PHP (what language are you using?):
In the above example I'm constructing what will end up as the 'auth' object that will be passed to GateOne.init() via the 'authobj' variable. The first line creates the object and the second line creates the signature using the existing object's values. Here's how it could be used to pass through that user's information:
The 'auth' object is just JSON containing the username (aka 'upn') and some other information that's necessary to verify the message. |
Users will be able to see your API key via the developer tools but they will not be able to see your API secret. The secret is known to your application (on the back-end) and to the Gate One server. The client never gets that information. All they get is a signed JSON message that is only valid within the time frame specified by the api_time_window (so that answers that question too =). |
Ooh! You're right. I didn't notice the secret key. Thanks for clarifying. :) |
However, I am still thinking that the API key is redundant. We can neglect it and the code will work fine. :) |
BTW: The reason for the api authentication time window is to prevent authentication replay attacks... Say your application just generated a valid 'auth' object which was used by a client. An attacker could intercept that information and use it to hijack the user's session. Gate One keeps track of all authentication signatures so that once it has been used it cannot be used again... So that's not a problem unless you restart your Gate One server right after the 'auth' object is generated. In that case when the server comes back up it won't be aware that it has already been used. To prevent this (unlikely event) from happening I added the api_time_window option which essentially amounts to a maximum time window in which an authentication signature is valid. In other words, as long as you wait longer than api_time_window before restarting your Gate One server you will never have to worry about authentication replay attacks :). It works in a similar fashion to Kerberos, actually. |
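As an added example (not the PHP snippet from the thread, and not Gate One's own code), here is the same flow in Python: the back-end builds the signed 'auth' object, and the verifying side checks the signature, the api_time_window and the "already used" list described above. Assumed: the auth object layout and the HMAC-SHA1 over api_key + upn + timestamp; the API key, secret and window value are constructed sample values.

```python
import hashlib
import hmac
import time

# Constructed sample values; a real deployment uses the api_key/secret pair that
# `gateone.py --new_api_key` registers in server.conf.
API_KEY = "example-api-key"
SECRET = "example-secret-known-only-to-backend-and-gateone"
API_TIME_WINDOW = 300  # seconds; stands in for the api_time_window option

def make_auth_object(upn, api_key=API_KEY, secret=SECRET, now=None):
    """Build the signed 'auth' object the back-end hands to the page.

    Assumption: signature = HMAC-SHA1 over api_key + upn + timestamp (ms),
    keyed with the secret. The secret itself never leaves the back-end.
    """
    timestamp = str(int((now if now is not None else time.time()) * 1000))
    msg = (api_key + upn + timestamp).encode()
    signature = hmac.new(secret.encode(), msg, hashlib.sha1).hexdigest()
    return {
        "api_key": api_key,
        "upn": upn,
        "timestamp": timestamp,
        "signature": signature,
        "signature_method": "HMAC-SHA1",
        "api_version": "1.0",
    }

class AuthVerifier:
    """Server-side checks: known key, valid signature, inside window, not replayed."""
    def __init__(self, secrets, window=API_TIME_WINDOW):
        self.secrets = secrets   # {api_key: secret}, as registered in server.conf
        self.window = window
        self.seen = set()        # signatures already used; lost on restart

    def verify(self, auth, now=None):
        secret = self.secrets.get(auth.get("api_key"))
        if secret is None:
            return False, "unknown api_key"
        msg = (auth["api_key"] + auth["upn"] + auth["timestamp"]).encode()
        expected = hmac.new(secret.encode(), msg, hashlib.sha1).hexdigest()
        if not hmac.compare_digest(expected, auth["signature"]):
            return False, "bad signature"
        now = now if now is not None else time.time()
        if abs(now - int(auth["timestamp"]) / 1000) > self.window:
            return False, "outside api_time_window"
        if auth["signature"] in self.seen:
            return False, "replayed signature"
        self.seen.add(auth["signature"])
        return True, auth["upn"]
```

The window check is what still rejects an old signature after a restart empties `seen`, which is the case the comment above describes.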
You're right: API-based authentication isn't essential. With "auth = None" users will still be able to do everything they could without API-based authentication except some things will be inconvenient or just won't work:
If you're not using ssh_connect.py only the first two bullets will matter. You can remove the SSH, Bookmarks, and Logging plugins too if you don't care about those things. The first bullet will always apply though. |
So, you're saying that using the API key will resolve all of the above issues? |
Yep! It will ensure that all of your user sessions are associated with their specific identity in your application. |
Interesting! Thanks a million for such a thorough answer. |
I'm going to close this issue out since everything mentioned has been fixed. Please open a new one if you encounter anything else! Thanks |
Hi, |
No problem! Just tell me the following:
For reference, here's usually what causes "not working (at all)" problems when embedding Gate One...
Most other issues are usually bugs or CSS-related :) |
Sorry, for now the ssl_error is not popping up but instead there is some CSS glitch like you said |
Can you paste your server.conf? I think your problem might have to do with a bad url_prefix setting. |
locale = "en_IN" |
OK, I believe your problem is due to a mixture of an old version of gateone.js and a current version of Gate One (server). Are you serving up a copy of gateone.js from your web server that's different from the one that comes with Gate One? I ask because that "/style?theme=black&container=gateone&prefix=go_" URL is something Gate One doesn't use anymore. The Github code loads CSS over the WebSocket and has been doing so for quite some time now (a few months?). |
I did switch between the 1.0.2 release and the latest repo because I was facing problems with both. I will try to reinstall completely again. Also I wanted to ask whether it is possible to somehow use GateOne.init() in the backend so that I can hide the password in autoConnectURL? |
The autoConnectURL is really meant for things where revealing the password doesn't matter or situations where you've setup pre-shared SSH keys. The alternative is to write your own wrapper around the SSH command that doesn't take any input at all but instead just connects automatically to the host that you want. Something as simple as a shell script would do the trick. |
Thanks for your suggestion. Is there any example of such a wrapper in the documentation? |
Well, yes... ssh_connect.py itself is just a wrapper around the SSH command :) It creates a tiny shell script and executes that... If you take a look at the top of the script you'll see the template it uses. It should be pretty easy to copy the template to have it execute a hard-coded 'ssh whatever' command. |
I recently switched to archlinux and python3.2.3. |
You should've opened a new issue for the Python 3 thing... Having said that I'll be pushing a commit shortly that fixes some Python 3-specific bugs. For reference, if you were running Gate One on Python 2.X and now you're running it on Python 3.X you need to run Gate One's setup.py using python 3... It will overwrite all the .py files and update them to work with Python 3. ...but before you do that give me a few minutes to write some proper commit messages and push out the update :) |
Hi @liftoff, |
I tried to embed the GateOne terminal in a simple HTML page to see how it is gonna work. It seems that you're currently working on writing documentation about embedding GateOne in a web app. I read the first part although it's incomplete. I included gateone.js in my page and created a div with the 'gateone' id. But it doesn't show anything. After a while an alert box comes up saying that:
You will now be directed to a page where you can accept the Gate One server's SSL certificate.
However, nothing happens.
Is there anything else which I should do in addition to above?