On Wed, Apr 8, 2020 at 1:17 PM WhiteTiger <whitetiger_it...@yahoo.it.invalid>
wrote:

> Forgive me, but I still don't understand.
> I understand that on *my PC* the browser is enough for me and that Guacamole
> will correctly manage the routing protocol.
>

Sorry, I misunderstood that when you said the "client PCs" you meant the
systems accessing Guacamole.


> But what is there *on the user's PC* that I want to control remotely?
> If I want to connect to a Windows PC with RDP, I have to enable it in the
> Windows settings *of that PC*.
>

Correct.


> If I want to connect to a Linux PC via SSH, I have to enable the SSH server
> *on that PC*.
>

Yes


> I therefore believe that if I want to connect via VNC I still have to
> install or activate something on that PC.
>

Yes, if you want to connect to a system using the VNC protocol, you need a
VNC server of some sort on that system.  This will vary widely based on
what your target system is.  For example, Mac OS X has a VNC server built
into it that you just need to activate in the System Preferences area (I
think they call it Remote Control or something like that).  For Windows,
you would need to install a VNC server (UltraVNC or RealVNC, for example).
For Linux, there are several different options for VNC depending on what
you're trying to accomplish.

In short, there's not really any one answer to this - the steps to activate
VNC on a target system ("server") depend upon the target.


> On mine, no, but on others?
> This is the question.
>
>
Makes sense, now.


> Linked to this question there is a second one.
> How do I manage access to that PC?
> Because I would like to get there on that PC only if I know the credentials
> of that PC, it is not enough for me to know that of Guacamole.
>
> In my idea, Guacamole will have multiple users and each of these will see
> *only* a list of PCs on which he can access.
> Every time a user connects to Guacamole, he will have to type his username
> and password to see a list of PCs then appear.
> Multiple users can access the same PC, only if all these users are
> authorized.
>
>
Yes, Guacamole is already set up to do this - particularly if you use the
JDBC module, you can set up connections and provide users and/or groups
with access to certain systems.  You can also either store the credentials
or pass through the username and password tokens from the Guacamole login
to the remote system.  The LDAP authentication extension also provides ways
to use the security built in to LDAP to control what connections users can
see and access.  Please start by looking at the manual and familiarizing
yourself with the configuration of those modules:

http://guacamole.apache.org/doc/gug/


> But then, once the user takes remote control on a PC, for example named
> PC01, he will have to use his credentials *on that PC*.
> In other words, JSmith and Administrator users can access PC01.
> But the JSmith user will not be able to do the same things as
> Administrator.
> For this, when logging in, each of the two will have to enter their
> username
> and password.
>
> VNC, if I remember correctly, does not allow access to the PC with
> credentials.
> If I am at the login screen of the PC, then I have to type them.
> But if a user is already active on the PC, who takes remote control is
> already inside the PC, even if Administrator is active on the PC, but who
> takes remote control is JSmith.
>
>
I think I see what you're saying - basically, VNC is just mirroring the
remote screen, it does not provide any method of controlling authorization
to a particular user session if someone connects over the VNC protocol,
whereas RDP performs both the authentication (allowing the user to connect
with the correct credentials) and the authorization (only giving the user
who logs in access to the resources that belong to them).

Unfortunately, this isn't something that Guacamole can necessarily solve
for you - this is really more a function of how VNC operates as a
protocol.  In order to "solve" this with VNC you would need to provide each
user that logs into Guacamole with a separate VNC connection that is unique
to them, and make sure that Guacamole only allows each user to access his
or her own connection.  There may be some VNC implementations that
work around this - I think the Mac VNC implementation tries to do this by
"locking" the screen after each connection drops so that a user has to log
in with VNC and then log on to the desktop, but it isn't part of the
standard VNC protocol or implementation.

-Nick
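
An added example, not part of the message above and not Guacamole project code: a small audit for the two points raised in the reply, run over a constructed file in Guacamole's user-mapping.xml format (assumed here instead of the JDBC database so it runs offline). It lists VNC endpoints that more than one Guacamole user can reach, and RDP connections that store a fixed password rather than passing through `${GUAC_PASSWORD}`; the function name `audit`, the hosts and the passwords are hypothetical.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in user-mapping.xml format; hosts, users, passwords invented.
SAMPLE = """<user-mapping>
  <authorize username="jsmith" password="constructed-1">
    <connection name="PC01 desktop">
      <protocol>vnc</protocol>
      <param name="hostname">pc01.example.net</param>
    </connection>
    <connection name="PC02 RDP">
      <protocol>rdp</protocol>
      <param name="hostname">pc02.example.net</param>
      <param name="username">${GUAC_USERNAME}</param>
      <param name="password">${GUAC_PASSWORD}</param>
    </connection>
  </authorize>
  <authorize username="administrator" password="constructed-2">
    <connection name="PC01 console">
      <protocol>vnc</protocol>
      <param name="hostname">pc01.example.net</param>
    </connection>
    <connection name="PC02 RDP">
      <protocol>rdp</protocol>
      <param name="hostname">pc02.example.net</param>
      <param name="username">Administrator</param>
      <param name="password">constructed-3</param>
    </connection>
  </authorize>
</user-mapping>"""
TOKEN = "${GUAC_PASSWORD}"  # Guacamole token: reuse the login password

def audit(xml_text):
    """Return (shared_vnc, stored_rdp) findings for a user-mapping document."""
    vnc_users = defaultdict(set)  # (host, port) -> Guacamole users who can connect
    stored_rdp = []               # (user, connection name) with a fixed password
    for auth in ET.fromstring(xml_text).iter("authorize"):
        user = auth.get("username")
        for conn in auth.iter("connection"):
            proto = (conn.findtext("protocol") or "").strip().lower()
            params = {p.get("name"): (p.text or "").strip() for p in conn.iter("param")}
            if proto == "vnc":  # VNC mirrors one screen: every user here shares it
                vnc_users[(params.get("hostname"), params.get("port", "5900"))].add(user)
            elif proto == "rdp" and params.get("password", TOKEN) != TOKEN:
                stored_rdp.append((user, conn.get("name")))
    shared_vnc = {ep: sorted(u) for ep, u in vnc_users.items() if len(u) > 1}
    return shared_vnc, stored_rdp

if __name__ == "__main__":
    print(audit(SAMPLE))
```
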
