On Mon, Jul 31, 2023 at 2:36 AM Prabha Kiranmai Vasireddy <[email protected]> wrote: > > Hi [email protected], > > Hope you are doing well > > I am reaching out to inquire about creating custom authentication for the > connections that Guacamole generates to the end servers. > > I have been going through the documentation and I believe that the Custom > Authentication detailed in > (https://guacamole.apache.org/doc/gug/custom-auth.html) is to authenticate > users logging in to the guacamole application. > > I am specifically interested in customizing the authentication process for > the connections initiated from Guacamole to the target servers (e.g., RDP, > SSH connections). > > Essentially, after a user has successfully logged in to guacamole UI, and > initiates a RDP connection to Server-A, guacamole-server uses Kerberos to get > a ticket to RDP to Server-A and authenticates with Server-A with the ticket > and starts the RDP session. > > Is it possible to implement custom authentication for the above user case ? > If so, could you provide some guidance or documentation on how to achieve > this? > > Any insights, examples, or pointers to relevant resources would be highly > appreciated.
I believe this would be possible, yes. I don't have any examples, but I can run through a few high-level things you'd need to take into account.. * You'll need to pick a Java Kerberos implementation of some sort as the client for obtaining the kerberos ticket and storing it in a cache. It looks like Java may have a built-in one (com.sun.security.auth.module.Krb5LoginModule), and it also looks like Apache may have one as part of the HTTP Components project (https://hc.apache.org/index.html), which may just be a wrapper around the built-in Java one. There are probably others out there, so you'll have to pick one. * You'll want to be very careful about specifying a separate Kerberbos cache file for each *Guacamole* user who logs in. The reason this is very important is because, by default, most Kerberos clients use a single cache file per Unix UID on the system. Since Tomcat runs under a UID, and would be authenticating all users under its UID, by default all Guacamole users would end up being able to see all other Guacamole users' kerberos tickets in the cache file, which could have some security implications. In recent versions of EL-type Linux (RHEL, et al.), this ticket cache defaults to SSSD. If your custom authentication extension factors this in and creates a separate ticket cache for each user, you'll end up with a much lower risk of users - either accidentally or nefariously - getting access to other users tickets. * In addition to the custom authentication extension, you may have to update the RDP protocol on both guacd and guacamole-client to be able to feed it the location to the kerberos ticket cache - and you'll have to either run guacd and guacamole-client on the same system, or you'll have to share those cache files between the two systems/containers. I'm sure there are other things to take into account, but those are the big ones that come to mind. Should you decide to move forward, feel free to post back, here - and it would be great if you'd be willing to contribute whatever extension you write to the project - I'm sure there are others who could benefit from the functionality you're looking for. -Nick --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
