On Wed, May 6, 2026 at 6:17 PM Makarem Dandouna <[email protected]> wrote: > > Hello all, > > Our security team noticed that the connections credentials are stored in > plain text in the Guacamole database (ssh private keys for Linux VM and user > and password for windows VM), we would like to know if there is a possibility > to use a secret manager like vault to store these sensitive informations > instead of the database or at least store them encrypted in the database ? >
Yes, if you store credentials in the database they will be stored in plain text. And, yes, there is currently one option to store credentials and other secrets in a vault, including the various guacamole.properties options. The vault currently supported by Guacamole is Keeper Secrets Manager. See the documentation, here: https://guacamole.apache.org/doc/gug/vault.html There are a couple of open pull requests to support other vaults - Hashi and Openbao - but they are not merged, yet. > > Finally, i want to set a timeout for idle session. I tried the option > api-session-timeout: 10 for test. However, my ssh session still opened in > the browser more than 1 hour till I close it even if I didn't do any > interaction in the browser. I didn't find any relevant information > concerning this issue in the logs. How can I debug this ? > Guacamole is not considered "idle" if there is an active connection running, so the api-session-timeout does not apply. If you want your remote sessions to monitor idle time and log users out automatically you need to enable these options on the remote servers. -Nick --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
