If there were an NIS / Unix / Pam authentication module then I'd use
that but I am unwilling to have to have users register yet another password
and I can't get their existing passwords since they are encrypted. And
since all the servers they are going to are already accessible via ssh and
x2go an additional layer of authentication does nothing but inconvenience
the customer. Since it does pass through the real IP in the header, I should
be able to write fail2ban rules to cover brute force password guessing.
-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-
Eskimo North Linux Friendly Internet Access, Shell Accounts, and Hosting.
Knowledgeable human assistance, not telephone trees or script readers.
See our web site: http://www.eskimo.com/ (206) 812-0051 or (800) 246-6874.
On Sat, 2 Mar 2019, Nick Couchman wrote:
Date: Sat, 2 Mar 2019 09:03:25 -0500
From: Nick Couchman <[email protected]>
Reply-To: [email protected]
To: [email protected]
Subject: Re: More Fun
On Sat, Mar 2, 2019 at 4:15 AM Robert Dinse <[email protected]> wrote:
I tried to use Zer0CoolX's branding.jar extension but it did not
work as
intended. It did not change the text at all and the logo was very low
contrast
and smaller than the actual image he used. When I tried to substitute my
own
logo it did not display at all.
You'll have to be a little more explicit about what you tried, and
preferably provide the code you're using (Github is your friend).
As an aside, this has been asked enough on the mailing lists that I've
opened up a JIRA issue to add some documentation to the Guacamole Manual on
the branding process. I'll take a stab at documenting it within the manual.
https://issues.apache.org/jira/browse/GUACAMOLE-747
So far sound is not working either with vnc / pulseaudio (and I did
make
the recommended changes to pulse audio conf and the catalina.out log is
showing it connecting to the pulseaudio server, but still no sound, and
also tried with rdp using Xrdp as the server, no sound there either.
I need to give this a shot, too - I've done it before, but it's been a
while, so worth taking another look. Just haven't had a chance, yet.
It would be nice if there were a way to disable the teardown session
function in the home page as I'm using a common login for multiple users
because authentication is either done by ssh or xdmcp on the server. I'd
really like to disable the login as well and just have it login as said
user.
We (the project) have resisted (re-)implementing an authentication
extension that doesn't actually authenticate. There actually used to be
one (noauth) and it was deprecated in 0.9.14 and removed completely in
1.0.0. Within Guacamole Client, *some* form of authentication should be
done - bypassing authentication entirely really isn't a good idea. I'm
definitely sympathetic to your situation, though - I've been there in the
past, where I had Guacamole authenticating with different credentials than
RDP sessions that users were logging into, and I didn't like having my
users required to enter credentials twice. However, there should be some
middle ground - some means by which to authenticate users coming into
Guacamole without requiring them to enter credentials twice. You could do
some sort of certificate-based authentication with the web server (httpd or
nginx) and then use the header module to pass through the authentication to
Guacamole? Not something I've ever actually tried, but I'm just thinking
out loud. Obviously that requires maintaining and distributing
certificates, which is its own challenge, but might be preferable to
bothering users with multiple credential requirements.
-Nick
