On Thu, Mar 4, 2021 at 19:54 Dave Neeley <[email protected]> wrote:
> There was a pull request two years ago that would have added support for
> the x509Vnc protocol in guacd. There was some discussion about storing the
> certificates on disk on the guacd server rather than in-memory, and the
> code was pulled.
>
> GUACAMOLE-514: Implement additional VNC authentication support by
> necouchman · Pull Request #232 · apache/guacamole-server (github.com)
> <https://github.com/apache/guacamole-server/pull/232/commits/51ae8a41a138ff7a2a5b7e81b9647b7cd49ebdab>
>

Oops, looks like I missed some documentation for those parameters...

> I would have assumed the certificates most definitely had to be stored on
> disk _somewhere_, is that not correct? Say the guacamole web client was
> running in one docker container, and guacd was running in a second
> container. How would certificates be passed in-memory between these two?
>

Yes, the parameters referenced in the pull request would, most likely, point to the location of a file, accessible by guacd, that contains the certificate, key, CA, and crl data, respectively. So, even though the parameters are configured client-side, the client itself (both browser and client container for the Java code) need not have any access to or knowledge of the contents of the files.

> Has anyone found a way to implement x509Vnc support?
>

To be clear, support is implemented, already. Whether it works consistently or not, or behaves as you expect it to, is another story. For example, if you’re looking for an implementation where the user can have a certificate and key pair locally available to their browser that then gets passed through transparently to guacd to use for the VNC connection, that definitely will not work as currently implemented, and would take some (significant) additional work to make happen.

-Nick
