On Thu, Jul 20, 2023 at 5:19 PM Jay Lepore <[email protected]> wrote:

> Hello,
>
> I am using Apache Guacamole with Mysql and LDAP extensions for
> authentication.
>
> I've noticed that RDP fails if I don't check the box ignore-cert [x]
>
> So my question is two fold:
>
>    1. How would you put an RDP cert in place (Linux server) so that box
>    check is not needed?
>
>
The FreeRDP library maintains a list of known/accepted certificate
fingerprints, very similar to the OpenSSH known_hosts file, in the
.config/freerdp directory, called known_hosts2. It's a text-based file that
contains hostname and/or IP, port number, and then some fingerprint values.
I did a quick search and my cursory look at the results does not yield a
good explanation of the various fields in this file - essentially you need
to get the required fingerprints and store them in the file.

That said, someone else recently asked about the possibility of adding
support for FreeRDP's certificate "tofu" (trust on first use) capability,
which would allow Guacamole to connect unconditionally (and FreeRDP would
store the certificate) the first time, and then only fail after that. I
think this is probably worth implementing, and shouldn't be too bad, minus
the checks that might be required for various versions of FreeRDP.


>
>    2. If that proves to be too complex, is there a global setting that
>    makes the default behavior for all RDP connections "ignore-cert: true"?
>
>
No, there is no way to set defaults for the settings. In my environment, I
created an RDP connection called "Template" with the various default
settings that I use across all RDP connections, and I just clone that one
and update the values that need to be changed. You could also use some
database magic - I'm not as familiar with MySQL, but in PostgreSQL you can
run functions based on triggers, so you could put a trigger in place that,
every time a row is inserted into the guacamole_connection table, inserts
a row into the guacamole_connection_parameter table with the ignore-cert
value. Of course, the security side of me says this is a #BadIdea.

-Nick
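The two points in the reply above (a known_hosts2-style fingerprint store, and a trust-on-first-use check that pins a server on the first connection and refuses it if the fingerprint later changes) can be made concrete in a few lines. The following is an added example, not Guacamole or FreeRDP code. It assumes a file layout of `<hostname> <port> <fingerprint> [subject] [issuer]` with the fingerprint being the colon-separated hex digest of the DER-encoded certificate; FreeRDP's exact layout and hash algorithm differ between versions, which is why the parser only relies on the first three fields. The certificate bytes in the demo are constructed placeholders, not real DER; a practitioner would feed in the DER fetched with `openssl s_client` from the RDP host.

```python
"""Trust-on-first-use check against a known_hosts2-style fingerprint file.

Added example, not Guacamole or FreeRDP code.  Assumed line layout:
    <hostname> <port> <fingerprint> [subject] [issuer]
where <fingerprint> is the colon-separated hex digest of the DER-encoded
server certificate.  FreeRDP's real layout and hash differ by version, so only
the first three fields are relied on here.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import List, Optional


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated hex digest of a DER-encoded certificate, e.g. 'ab:cd:...'."""
    digest = hashlib.new(algo, der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def lookup(path: Path, host: str, port: int) -> Optional[str]:
    """Return the pinned fingerprint for host:port, or None if the host is unknown."""
    if not path.exists():
        return None
    for line in path.read_text().splitlines():
        fields = line.split()
        # Skip blank lines, comments and lines that are too short to be an entry.
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        if fields[0].lower() == host.lower() and fields[1] == str(port):
            return fields[2].lower()
    return None


def tofu_check(path: Path, host: str, port: int, der: bytes,
               subject: str = "", issuer: str = "") -> str:
    """Trust-on-first-use decision for one presented certificate.

    'new'      -> host:port was unknown; its fingerprint is now pinned
    'match'    -> pinned fingerprint equals the presented certificate
    'mismatch' -> pinned fingerprint differs; the caller must refuse the connection
    """
    presented = fingerprint(der)
    stored = lookup(path, host, port)
    if stored is None:
        # First contact: append the entry so later connections are checked against it.
        with path.open("a") as fh:
            fh.write(f"{host} {port} {presented} {subject} {issuer}".rstrip() + "\n")
        return "new"
    return "match" if stored == presented else "mismatch"


def demo() -> List[str]:
    """Walk through the three outcomes against a throwaway known_hosts2 file."""
    # Constructed placeholder bytes standing in for DER certificates (not real certs).
    cert_a = b"constructed DER bytes A (not a real certificate)"
    cert_b = b"constructed DER bytes B (not a real certificate)"
    with tempfile.TemporaryDirectory() as tmp:
        kh = Path(tmp) / "known_hosts2"
        return [
            tofu_check(kh, "rdp.example.internal", 3389, cert_a, "CN=rdp", "CN=rdp"),
            tofu_check(kh, "rdp.example.internal", 3389, cert_a),   # same cert again
            tofu_check(kh, "rdp.example.internal", 3389, cert_b),   # cert changed
            tofu_check(kh, "rdp.example.internal", 3390, cert_b),   # different port
        ]


if __name__ == "__main__":
    print(demo())  # ['new', 'match', 'mismatch', 'new']
```

The mismatch branch is the whole point of the scheme: once a host is pinned, a changed certificate is treated as a failure rather than silently accepted, which is exactly the behaviour that `ignore-cert` switches off. Note that host and port are matched together, so a second listener on the same host is treated as a new, unpinned endpoint.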

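The trigger the reply describes for the second question, shown as an added example rather than anything from the Guacamole project. The reply talks about PostgreSQL; this stand-in uses Python's built-in sqlite3 so it runs offline, with a cut-down version of the two tables involved. The column names `connection_id`, `connection_name`, `protocol`, `parameter_name` and `parameter_value` follow the Guacamole JDBC schema; the trigger name, the guard that limits it to `protocol = 'rdp'`, and the audit query are this example's own choices, and the sample connections are constructed.

```python
"""Database-side default for the RDP 'ignore-cert' parameter.

Added example, not Guacamole code.  Uses sqlite3 as an offline stand-in for the
PostgreSQL trigger described in the reply; the table and column names are a
cut-down copy of the Guacamole JDBC schema.
"""
import sqlite3
from typing import Dict, List

SCHEMA = """
CREATE TABLE guacamole_connection (
    connection_id   INTEGER PRIMARY KEY,
    connection_name TEXT NOT NULL,
    protocol        TEXT NOT NULL
);
CREATE TABLE guacamole_connection_parameter (
    connection_id   INTEGER NOT NULL REFERENCES guacamole_connection(connection_id),
    parameter_name  TEXT NOT NULL,
    parameter_value TEXT NOT NULL,
    PRIMARY KEY (connection_id, parameter_name)
);
-- Fires for every new connection row; the WHEN guard limits it to RDP so that
-- VNC/SSH connections do not pick up an RDP-only parameter.
CREATE TRIGGER rdp_default_ignore_cert
AFTER INSERT ON guacamole_connection
WHEN NEW.protocol = 'rdp'
BEGIN
    INSERT INTO guacamole_connection_parameter
        (connection_id, parameter_name, parameter_value)
    VALUES (NEW.connection_id, 'ignore-cert', 'true');
END;
"""

# Audit query: which RDP connections currently skip certificate verification?
AUDIT = """
SELECT c.connection_name
FROM guacamole_connection c
JOIN guacamole_connection_parameter p USING (connection_id)
WHERE c.protocol = 'rdp'
  AND p.parameter_name = 'ignore-cert'
  AND lower(p.parameter_value) = 'true'
ORDER BY c.connection_name
"""


def build_db() -> sqlite3.Connection:
    """Fresh in-memory database with the cut-down schema and the trigger installed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_connection(conn: sqlite3.Connection, name: str, protocol: str) -> int:
    """Insert a connection the way the Guacamole web UI would, returning its id."""
    cur = conn.execute(
        "INSERT INTO guacamole_connection (connection_name, protocol) VALUES (?, ?)",
        (name, protocol),
    )
    conn.commit()
    return cur.lastrowid


def parameters(conn: sqlite3.Connection, connection_id: int) -> Dict[str, str]:
    """All parameters stored for one connection."""
    rows = conn.execute(
        "SELECT parameter_name, parameter_value FROM guacamole_connection_parameter "
        "WHERE connection_id = ?",
        (connection_id,),
    )
    return dict(rows.fetchall())


def connections_ignoring_cert(conn: sqlite3.Connection) -> List[str]:
    """Names of RDP connections whose certificate check is disabled."""
    return [row[0] for row in conn.execute(AUDIT)]


def demo() -> dict:
    """Constructed sample: one RDP and one SSH connection inserted after the trigger exists."""
    conn = build_db()
    rdp_id = add_connection(conn, "win-server-01", "rdp")
    ssh_id = add_connection(conn, "bastion", "ssh")
    return {
        "rdp": parameters(conn, rdp_id),
        "ssh": parameters(conn, ssh_id),
        "audit": connections_ignoring_cert(conn),
    }


if __name__ == "__main__":
    print(demo())
```

In PostgreSQL the same shape is a PL/pgSQL function attached with `CREATE TRIGGER ... AFTER INSERT ON guacamole_connection FOR EACH ROW EXECUTE FUNCTION ...`, and MySQL also supports `CREATE TRIGGER`. Two things the trigger does not do: it leaves connections that already existed before it was created untouched, and it silently turns off certificate verification for every RDP connection created from then on, which is the reason the reply calls it a bad idea. The audit query is the part worth keeping regardless: it lists exactly the connections where an attacker in the network path would go unnoticed.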