KCM Version 2.10.0

Features

• Support for Running KCM on ARM

• Per-user KSM Vaults

• KSM Support for Cloud Connector (EC2)

Support for Running KCM on ARM

PRIV-130: The RPMs and Docker images (including kcm-setup.run) now support ARM in addition to x86_64. This doesn't change how anything behaves except that we now support installation on ARM.

Per-user KSM Vaults

PRIV-170: If enabled, users are able to register their own KSM vault within KCM using the “Preferences” tab in the “Settings” screen. That vault will then be used for any connections that the administrator configures to accept user-provided secrets.

This capability is disabled by default. Enabling this capability requires both of the following:

• Setting the ksm-allow-user-config property in guacamole.properties (or the KSM_ALLOW_USER_CONFIG environment variable for the keeper/guacamole Docker image).

• Enabling use of user vaults on any connections that shouldn’t use only the administrator-configured vaults (check the “Allow user-provided KSM configuration“ box for the connections in question).

NOTE: By “administrator-configured vaults”, we mean only those vaults that are purely controlled by administrators: the system-wide vault configured in guacamole.properties and any vaults configured via connection groups.

This was implemented this way because doing otherwise would have security implications. Unless the administrator can also dictate which exact connections should receive credentials from user vaults, allowing users to provide their own vaults would allow those same users to control any connection parameters that use values from KSM. Depending on which connection parameters use KSM tokens, inadvertently allowing a user to control the values of parameters could have profound security implications. For example:

• If the user can control part of the path used for the RDP drive, they will be able to read arbitrary files on the server.

• If the user can control authentication parameters, they can control which credentials are used to connect, perhaps bypassing the intent of the admin.

• If the user can control the hostname or port, they can connect wherever they like with the credentials associated with the connection, again bypassing the intent of the admin.

KSM Support for Cloud Connector (EC2)

PRIV-163: SSH keys and Windows passwords from KSM for machines can now be retrieved for AWS EC2 by the KCM Cloud Connector. This is in addition to the existing support for retrieving SSH keys from the filesystem (beneath /etc/guacamole/cloud-connector-secrets).

Similar to the overall KSM integration, the KSM configuration relevant to AWS must be configured with the aws-discovery-ksm-config property (or the AWS_DISCOVERY_KSM_CONFIG environment variable for Docker).

Relevant records are identified by:

• An "Instance" field that exactly matches the instance ID (if there is only one such record).

  • Some variation in the field naming is tolerated: the field may optionally start with “AWS”, “EC2”, or “Amazon”, may optionally end with “ID”, and is case-insensitive.

• An attachment that exactly matches the key name of the instance plus ".pem" (if there is only one such record).

• A hostname/address field (such as that provided by the “SSH Key” record type) that exactly matches the private IP address of the EC2 instance.

If the SSH key exists on the filesystem, it will always be used in favor of querying KSM.