... I had a longer discussion off-list today about it and wanted to
share my thoughts:
Guacamole already supports VNC and SSH. Thus session management
("autostart") could be implemented as easily as the following:

a) Adding support for a generic connection with variable support

Assuming we could use variables in connections, for instance the
username, we could implement sessions that *contain* the username in the
connection string.
All users could have the "same" connection, just different variable parts.

b) Adding support for vnc-over-ssh-over-unix-socket

You probably know that you can easily tunnel VNC through ssh [0].
If Guacamole supported combining ssh with VNC, Guacamole could do
the following:
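
    ssh user@host "
    # start the VNC server only if its unix socket does not exist yet
    if [ ! -S .guacamole.sock ]; then
        vncserver-on-.guacamole.sock
    fi
    # relay ssh stdin/stdout to the VNC unix socket
    socat - UNIX-CONNECT:.guacamole.sock"
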
Obviously this is only sample code and the admin could be able to
specify custom code.
Guacamole could either use the user credentials (as logged in) for the
ssh connection or an ssh keypair or a different [saved?] password.
The advantage of this approach is also that there are no listeners that
could potentially be used by people to brute force the VNC password
(that was our original motivation for this some years ago).
c) Combining (a) and (b)
If we combine both approaches, we have a very cheap and easy to use
session management with added security.
What do you think about this approach?
Best,
Nico
[0] https://www.nico.schottelius.org/blog/tunneling-qemu-kvm-unix-socket-via-ssh/
If we could add the following
Nico Schottelius <[email protected]> writes:
> Hello Guacamole users,
>
> we are evaluating guacamole for a bigger environment. We have seen
> support for LDAP and 2FA in Guacamole, which is great.
>
> We would like to use guacamole for a big number of users, who should not
> create their VNC ("backend") sessions manually and were wondering, if
> anyone has solved the problem of "creating backend [VNC]" sessions
> automatically already?
>
> We are comparing Guacamole to nomachine/x2go at the moment and the
> feature to be "just able to create a new session" is very interesting
> from a management point of view, as you don't have to manually manage
> the sessions.
>
> Any pointer in this direction is appreciated.
>
> Best,
>
> Nico
--
Your Swiss, Open Source and IPv6 Virtual Machine. Now on www.datacenterlight.ch.
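
A sketch of combining (a) and (b) from the message above, as an added example that is not part of the original email and not Guacamole code: the per-user variable is validated and used only as the ssh login name, while the remote script stays constant. The function names, the `vncserver-on-socket` placeholder command and the `umask 077` step are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Hypothetical names: valid_user, autostart_argv, SOCK.
# "vncserver-on-socket" stands in for the email's placeholder command.

SOCK=.guacamole.sock   # socket name from the email, relative to remote $HOME

# Accept only conservative login names, so the per-user variable can never
# carry shell metacharacters or ssh options into the command line.
valid_user() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
        *) [ "${#1}" -le 32 ] ;;
    esac
}

# Print the ssh command line for one user, one argument per line.
# The username appears only as the login name (-l), never inside the
# remote shell code; "--" stops a hostile host value being read as an option.
autostart_argv() {
    user=$1 host=$2
    valid_user "$user" || { echo "rejected username" >&2; return 1; }
    # umask 077 (assumption): the socket is created private to the user,
    # so there is no listener other accounts could reach.
    printf '%s\n' ssh -o BatchMode=yes -l "$user" -- "$host" \
        "umask 077; [ -S $SOCK ] || vncserver-on-socket $SOCK; exec socat - UNIX-CONNECT:$SOCK"
}
```
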