If you want SSH to close, you need to do this from the sshd_config file,
which sends a keep-alive. The API for Guacamole is browser session only,
so if you refresh the screen you have to authenticate again if the token
is expired; if the token session time is valid, then you do not have to
re-authenticate.
For the database you should be using OpenSSL 3.0.x for FIPS 140-3, and
make sure the database is in FIPS 140-2 mode; it is not hard to do this.
You can also have a tripwire on the guacamole.properties and/or also use
a *secret.key* file which is read by the Guacd only,
*DB_PASS=$(cat /path/to/secret.key)* inside the guacamole.properties, or
use keyctl with a command like
*keyctl pipe $(keyctl search @s user dbpass)*. The other is to go
direct to /systemd/ *LoadCredential=dbpass:/etc/secure/dbpass*
Hope this helps!
*Thank You*
Sean Hulbert
On 5/6/2026 3:16 PM, Makarem Dandouna wrote:
Hello all,
Our security team noticed that the connection credentials are stored
in plain text in the Guacamole database (SSH private keys for Linux
VM and user and password for Windows VM). We would like to know if
there is a possibility to use a secret manager like Vault to store
this sensitive information instead of the database, or at least store
it encrypted in the database?
The same security issue is noticed for the PostgreSQL user and
password that should be stored in the configuration file
guacamole.properties ...
Finally, I want to set a timeout for idle sessions. I tried the option
api-session-timeout: 10 for a test. However, my SSH session was still
open in the browser more than 1 hour later, until I closed it, even
though I didn't do any interaction in the browser. I didn't find any
relevant information concerning this issue in the logs. How can I debug
this?
Thank you in advance for your help
Best regards
Makarem
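
The LoadCredential line from the reply above, carried through as an added example that is not code from the thread or from the Guacamole project: a wrapper that takes the database password from the credential systemd exposes and hands it to Guacamole through its environment. It assumes the servlet container's unit carries `LoadCredential=dbpass:/etc/secure/dbpass`, that guacamole.properties sets `enable-environment-properties: true` and no longer contains `postgresql-password`, and the function names and `--exec` switch are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Intended to be the ExecStart wrapper of
# the unit that has LoadCredential=dbpass:/etc/secure/dbpass, e.g. (assumed):
#   ExecStart=/usr/local/bin/guac-env.sh --exec <container start command>
# systemd places the credential at $CREDENTIALS_DIRECTORY/dbpass, readable
# only by the service, so the password never sits in guacamole.properties.

# Print one credential; fail if systemd did not provide it or it is empty.
read_credential() {
    name=$1
    dir=${CREDENTIALS_DIRECTORY:-}
    if [ -z "$dir" ]; then
        echo "CREDENTIALS_DIRECTORY unset: not started with LoadCredential" >&2
        return 1
    fi
    if [ ! -f "$dir/$name" ]; then
        echo "credential '$name' not found" >&2
        return 1
    fi
    if [ ! -s "$dir/$name" ]; then
        echo "credential '$name' is empty" >&2
        return 1
    fi
    cat "$dir/$name"
}

# Map the credential onto the environment name Guacamole derives from the
# postgresql-password property (upper case, dashes become underscores).
export_db_password() {
    # $(...) strips the trailing newline most editors leave in the file.
    pw=$(read_credential dbpass) || return 1
    POSTGRESQL_PASSWORD=$pw
    export POSTGRESQL_PASSWORD
}

# Only acts when invoked as the wrapper; sourcing the file just defines
# the functions.
if [ "${1:-}" = "--exec" ]; then
    shift
    export_db_password || exit 1
    exec "$@"
fi
```

The password is still visible in the environment of the container process to that same service user, so the file at /etc/secure/dbpass should be root-owned with mode 0600 and the unit should not share its user with other services.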