On Tue, Oct 24, 2017 at 11:36 AM, <[email protected]> wrote:

> Hello Guys
>
> Currently Guacamole does not allow each user to have his/her own private
> SSH key and username defined.
>

Well, yes on the private key - kind of on the username.  If the user's
Guacamole username differs from the one on the connection, then, yes, you
are correct, you cannot define a separate username.  If the Guacamole
username is the same as the connection, then you can use the
${GUAC_USERNAME} token, which will fill it in.


> I was thinking about a possible solution. Briefly, it goes like this:
> There would be an additional entry in the user settings, where each user
> can define his/her private ssh-key.
> There should also be an override option for the current user mapped to a
> specific server.
> This is required by our security policy: all users must log in
> interactively with their personal credentials.
>

I understand the desire to have per-user SSH keys, and, at least initially,
I like the idea; however, keep in mind that these credentials would still
be stored in the central Guacamole database, which has some risk associated
with it, particularly if users do not encrypt their SSH keys.  Furthermore,
having per-user, encrypted SSH keys in Guacamole probably doesn't make
sense (or, at least, doesn't provide any additional security) until we
support parameter prompting in the Guacamole client, as you'd have to store
the password for the SSH key in the database, as well (or it would have to
match the user's Guacamole password so that you could use the
${GUAC_PASSWORD} token).


>
> I attached a possible graphical implementation.
>

I think the mailing list strips out attachments, and I didn't see anything.


>
> Technically, my idea is to check the following upon each new session
> opening:
> If the override option is set and the user-specific username and SSH key
> are valid, then I would replace the default username and the SSH key
> string with the values specified in the user settings.
>
> What do you think? Would it be possible to implement such a solution?
>

Yes, I'm sure it would be possible to implement the solution - the other
developers will have to weigh in on their interest in adding it.  You are
welcome to open a JIRA issue for this feature request:

https://issues.apache.org/jira/browse/GUACAMOLE/

Regards,
Nick

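The two mechanisms discussed in the thread, the ${GUAC_USERNAME}/${GUAC_PASSWORD} token substitution that Nick describes and the per-user override of SSH username and private key that the original poster proposes, as an added example in Python that is not Guacamole code (Guacamole's own client and guacd are Java and C). The GuacUser and Connection structures, the allow_user_override flag and the ssh_username/ssh_private_key fields are assumptions modelling the proposal; the parameter names hostname, username, password, private-key and passphrase are the ones Guacamole's SSH connections use. The example also carries the caveat from the reply: an encrypted private key is only usable if a passphrase is available, which without parameter prompting means storing it alongside the key or taking it from ${GUAC_PASSWORD}. All keys used are constructed fixtures, not real key material.

```python
import base64
import re
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# Tokens Guacamole fills in from the credentials the user logged in with.
TOKEN_RE = re.compile(r"\$\{(GUAC_USERNAME|GUAC_PASSWORD)\}")

# PEM envelope of the private-key formats ssh-keygen emits.
PEM_RE = re.compile(
    r"-----BEGIN (OPENSSH |RSA |EC |DSA |ENCRYPTED |)PRIVATE KEY-----\r?\n"
    r"(.*?)-----END \1PRIVATE KEY-----", re.S)


@dataclass
class GuacUser:
    username: str
    password: str                           # login password, known only at session start
    ssh_username: Optional[str] = None      # proposed per-user override (assumed field)
    ssh_private_key: Optional[str] = None   # proposed per-user key, PEM text (assumed field)


@dataclass
class Connection:
    name: str
    params: Dict[str, str]                  # hostname, username, password, private-key, passphrase
    allow_user_override: bool = False       # proposed per-connection flag (assumed)


def fill_tokens(params: Dict[str, str], user: GuacUser) -> Dict[str, str]:
    """Replace ${GUAC_USERNAME}/${GUAC_PASSWORD} in every parameter value."""
    values = {"GUAC_USERNAME": user.username, "GUAC_PASSWORD": user.password}
    return {k: TOKEN_RE.sub(lambda m: values[m.group(1)], v) for k, v in params.items()}


def key_is_encrypted(pem: str) -> bool:
    """True if the key cannot be used without a passphrase.

    PKCS#8 marks encryption in the label, traditional OpenSSL PEM with a
    'Proc-Type: 4,ENCRYPTED' header, and the native OpenSSH format stores the
    cipher name ('none' when unencrypted) right after its magic string."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("not a PEM private key")
    label, body = m.group(1).strip(), m.group(2)
    if label == "ENCRYPTED":
        return True
    if label == "OPENSSH":
        raw = base64.b64decode("".join(body.split()))
        magic = b"openssh-key-v1\x00"
        if not raw.startswith(magic):
            raise ValueError("malformed OpenSSH private key")
        (n,) = struct.unpack(">I", raw[len(magic):len(magic) + 4])
        cipher = raw[len(magic) + 4:len(magic) + 4 + n]
        return cipher != b"none"
    return "Proc-Type: 4,ENCRYPTED" in body


def resolve_session_params(conn: Connection, user: GuacUser) -> Dict[str, str]:
    """Build the parameters guacd would receive for this user's session."""
    params = fill_tokens(conn.params, user)
    if conn.allow_user_override and user.ssh_username and user.ssh_private_key:
        if not PEM_RE.search(user.ssh_private_key):
            raise ValueError("per-user key is not a PEM private key")
        params["username"] = user.ssh_username
        params["private-key"] = user.ssh_private_key
        params.pop("password", None)        # key auth replaces the shared password
    key = params.get("private-key")
    if key and key_is_encrypted(key) and not params.get("passphrase"):
        raise ValueError("encrypted private key but no passphrase: without parameter "
                         "prompting it must be stored or come from ${GUAC_PASSWORD}")
    return params


def fake_openssh_key(cipher: bytes) -> str:
    """Constructed fixture: only the header fields inspected above are
    meaningful; the rest is filler, not key material."""
    blob = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher + b"\x00" * 16
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed traditional-PEM fixture with a passphrase header; body is filler.
TRAD_ENCRYPTED_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n"
    "\n"
    "AAAA\n"
    "-----END RSA PRIVATE KEY-----\n"
)

SHARED = Connection("shell", {"hostname": "shell.example.com",
                              "username": "${GUAC_USERNAME}",
                              "password": "${GUAC_PASSWORD}"}, allow_user_override=True)

if __name__ == "__main__":
    alice = GuacUser("alice", "s3cret")
    print(resolve_session_params(SHARED, alice))
    bob = GuacUser("bob", "pw", "bob-admin", fake_openssh_key(b"none"))
    print(resolve_session_params(SHARED, bob))
```

The override only takes effect when the connection opts in and the stored key parses as PEM; a key that needs a passphrase is rejected unless the connection supplies one, which makes the trade-off in the reply explicit: either the passphrase sits in the database next to the key, or it has to equal the Guacamole login password so that ${GUAC_PASSWORD} can supply it.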