Encrypted JSON Configuration Properties

Advanced configuration properties for Encrypted JSON Auth

The properties listed here are only applicable if encrypted JSON authentication is being used. Support for encrypted JSON authentication is installed using the kcm-guacamole-auth-json package. If using the keeper/guacamole Docker image, support for encrypted JSON authentication is instead configured using environment variables.

Shared JSON secret key

A shared secret key is used by systems generating JSON data to encrypt and sign the JSON, and by the Guacamole server to verify and decrypt received data. This key must be 128 bits, specified with 32 hexadecimal digits.

Property name
Description

json-secret-key

The 128-bit secret key that will be used to encrypt and sign JSON sent to Guacamole for authentication, formatted as 32 hexadecimal digits. Received JSON will not be accepted unless it has been encrypted and signed using this key.

This key can be essentially anything as long as it is unpredictable. An easy way of generating such a key is to echo a passphrase through the "md5sum" utility. This is the technique OpenSSL itself uses to generate 128-bit keys from passphrases. For example:

$ echo -n "ThisIsATest" | md5sum
4c0b569e4c96df157eee1b65dd0e4d41 -
$

Source network restrictions

By default, received encrypted JSON will be accepted as long as it is valid and properly signed with the secret key. This can be further restricted to accept encrypted JSON only from machines which match a comma-separated list of trusted IP addresses and/or CIDR subnets.

Property name
Description

json-trusted-networks

A comma-separated list of IP addresses and/or CIDR subnets which should be allowed to authenticate using encrypted JSON. By default, encrypted JSON is accepted without restriction from any address or subnet.

Last updated