Re: Custom user-defined connection credentials

2024-04-29 Thread Nick Couchman
On Mon, Apr 29, 2024 at 10:11 AM Vieri wrote:

> On Monday, April 29, 2024 at 03:01:06 PM GMT+2, Nick Couchman <vn...@apache.org> wrote:
> >
> > I think the closest thing to what you're looking for that is currently
> > supported in Guacamole is the "vault" extension, which supports
> > pulling tokens from a credential vault. The only vault currently
> > supported is Keeper Secrets Manager,
> > but support could certainly be extended to other types of vaults with
> > some code writing.
>
> Thanks for that, but I was hoping not to store credentials in the cloud.
> In fact, I was wondering if the feature could be within Guacamole "core"
> (not even an extension). The credentials could be stored within the local
> guac DB (just like the user and connection data), and a relationship with
> the user ID could be set (guacamole_user.entity_id). Whenever a user tries
> to connect to a guac DB-defined connection/host the guacamole client could
> ask the user to pick any of its "credential sets" from the guac DB (or none
> for user input).
>
> I don't know if the "vault credential retrieval system" can be adapted to
> this simpler setup.
> Can the "vault" just be a table within guac DB?
>
>
Vieri,
Yeah, I totally understand, and it's why I mentioned that there are
probably ways to extend it into other areas. First, I'm not sure about
Keeper Security Manager, whether it's hosted locally or in the Cloud. There
are some other folks on here who could advise on that; I'm just not that
familiar with it.

Regarding the possibility of the vault being a table within the DB - I
would say that it is probably more complicated than that, but that there
should be ways to develop something to host it locally, within the
application, and not have to rely on another piece of software or Cloud
offering. But that capability does not exist today; it would need to be
developed.

-Nick


Re: Custom user-defined connection credentials

2024-04-29 Thread Vieri


On Monday, April 29, 2024 at 03:01:06 PM GMT+2, Nick Couchman wrote:
>
> I think the closest thing to what you're looking for that is currently 
> supported in Guacamole is the "vault" extension, which supports
> pulling tokens from a credential vault. The only vault currently supported is 
> Keeper Secrets Manager, 
> but support could certainly be extended to other types of vaults with some 
> code writing.

Thanks for that, but I was hoping not to store credentials in the cloud. In 
fact, I was wondering if the feature could be within Guacamole "core" (not even 
an extension). The credentials could be stored within the local guac DB (just 
like the user and connection data), and a relationship with the user ID could 
be set (guacamole_user.entity_id). Whenever a user tries to connect to a guac 
DB-defined connection/host the guacamole client could ask the user to pick any 
of its "credential sets" from the guac DB (or none for user input).

I don't know if the "vault credential retrieval system" can be adapted to this 
simpler setup.
Can the "vault" just be a table within guac DB?

Vieri

-
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org



Re: Custom user-defined connection credentials

2024-04-29 Thread Nick Couchman
On Mon, Apr 29, 2024 at 6:35 AM Vieri wrote:

> Hi,
>
> I set up guacamole with SAML SSO (no clearpass).
>
> The users log into the system and are assigned to RDP, ssh, vnc
> connections, as needed.
> In all of the connection settings (e.g. for RDP), the following are left
> blank:
>
> Under PARAMETERS, Authentication:
> Username, Password, Domain, Security mode
>
> So, for a given RDP connection, any SAML-authenticated user can
> potentially access that target host by entering user credentials again.
>
> I was wondering if it were possible for Guacamole to have an extra
> user-defined "object" for credential storage.
> For instance, a user could create "credentials1" with a set of RDP
> credentials, "credentials2", etc. in his/her profile.
> When connecting to an authorized host (guacamole "connection"), the
> guacamole client GUI could ask the user which "credentials" object to use
> for that connection.
>
>
I think the closest thing to what you're looking for that is currently
supported in Guacamole is the "vault" extension, which supports pulling
tokens from a credential vault. The only vault currently supported is
Keeper Secrets Manager, but support could certainly be extended to other
types of vaults with some code writing.

-Nick


Custom user-defined connection credentials

2024-04-29 Thread Vieri
Hi,

I set up guacamole with SAML SSO (no clearpass).

The users log into the system and are assigned to RDP, ssh, vnc connections, as 
needed.
In all of the connection settings (e.g. for RDP), the following are left blank:

Under PARAMETERS, Authentication:
Username, Password, Domain, Security mode

So, for a given RDP connection, any SAML-authenticated user can potentially 
access that target host by entering user credentials again.

I was wondering if it were possible for Guacamole to have an extra user-defined 
"object" for credential storage.
For instance, a user could create "credentials1" with a set of RDP credentials, 
"credentials2", etc. in his/her profile.
When connecting to an authorized host (guacamole "connection"), the guacamole 
client GUI could ask the user which "credentials" object to use for that 
connection.

Updating the credentials would be up to each user, and it would greatly ease 
logging into systems when using an IdP which does not support clearpass hence 
no way of using ${GUAC_PASSWORD} (also when one needs to change the credentials 
anyway to, say, local admin/root, etc.).

Regards,

Vieri

