>Your best option is to set filesystem permissions appropriately such that only Guacamole can read guacamole.properties.
I had a similar thought a few months ago and this is your best bet. Yes, the password is stored in plain text on a publicly available server, but it's not being transmitted externally, so locking it down should be sufficient. We use SMTP relay on a couple of servers and have the config files storing the credentials set to 644. I just checked and guacamole.properties is set to 604, which from what I can recall was the most restrictive mode without the service becoming inaccessible.

Erik Berndt / Systems Administrator

On Thu, Jul 12, 2018 at 4:19 AM, Mike Jumper <[email protected]> wrote:

> On Thu, Jul 12, 2018, 01:07 smoke <[email protected]> wrote:
>
>> Hello!
>>
>> I am a little put off by the unhashed password in
>> ldap-search-bind-password
>> (guacamole.properties). Is there a way to use the hash instead of the
>> visible pass? The same thing goes for the postgresql-password.
>
> No - they're not that kind of password.
>
> Hashing only makes sense for passwords which will be verified by Guacamole
> - passwords which Guacamole does not need to know verbatim. In this case,
> those passwords must be sent by Guacamole to the LDAP or PostgreSQL server
> to authenticate, thus it must have the actual raw password, not a hash.
>
> Your best option is to set filesystem permissions appropriately such that
> only Guacamole can read guacamole.properties.
>
> - Mike
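The filesystem-permission advice quoted above, as an added example that is not part of the thread: a shell check that lists which password properties a file holds and reports whether its mode lets accounts other than the owner and group read it. It assumes GNU stat on Linux; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat on Linux; function
# names and the sample file below are constructed for illustration.

# List the names (never the values) of properties whose key ends in "password".
secret_keys() {
    sed -n 's/^[[:space:]]*\([A-Za-z0-9._-]*password\)[[:space:]]*[:=].*/\1/p' "$1"
}

# Exit status 0: not world-readable and not group/world-writable.
# Exit status 1: too permissive. Exit status 2: file could not be inspected.
audit_secret_file() {
    file=$1
    mode=$(stat -c '%a' "$file") || return 2
    perm=$((0$mode))                      # parse the octal mode string
    status=0
    if [ $((perm & 04)) -ne 0 ]; then
        echo "FAIL $file mode $mode: readable by every local account"
        status=1
    fi
    if [ $((perm & 022)) -ne 0 ]; then
        echo "FAIL $file mode $mode: writable by group or other"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK   $file mode $mode protects: $(secret_keys "$file" | tr '\n' ' ')"
    fi
    return "$status"
}

# Constructed sample run: the two modes mentioned in the thread, then an
# owner+group mode and an owner-only mode.
demo() {
    dir=$(mktemp -d) || return 2
    f="$dir/guacamole.properties"
    printf '%s\n' 'ldap-hostname: ldap.example.test' \
        'ldap-search-bind-password: CONSTRUCTED-VALUE' \
        'postgresql-password = CONSTRUCTED-VALUE' > "$f"
    for m in 644 604 640 600; do
        chmod "$m" "$f"
        audit_secret_file "$f" || true
    done
    rm -rf "$dir"
}
demo
```

Mode 640 passes only on the assumption that the file's group contains nothing but the account the servlet container runs as; which account that is depends on the installation.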
