guacamole-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Couchman <>
Subject Re: Same shared Drive redirected to all users : Privacy and Security breach
Date Sun, 07 Jan 2018 19:17:35 GMT
On Sun, Jan 7, 2018 at 10:09 AM, Amarjeet Singh <>

> Nick, Requirement is not to save username and password anywhere. It should
> be logged in by the user itself.
Yes, I understand and agree.

> That is causing issue to create shared drive with username or

I don't think so.  The ${GUAC_USERNAME} and ${GUAC_PASSWORD} tokens come
from the username and password that the user logs into *Guacamole* with,
not the username/password for the connection.

As an example, if let's say you have Guacamole configured to use LDAP
authentication, and you are storing your connections in JDBC.  Guacamole
LDAP is configured to point to Active Directory, and you have a user,
test_user, and the LDAP/AD password for that user is DoNotCopyMe.  The user
is connecting to a Windows server, via RDP, joined to the same AD domain
where LDAP is configured, server1.  Here's how the flow would work:
- User logs into Guacamole at, with
username test_user and password DoNotCopyMe
- Guacamole, upon successful login, registers ${GUAC_USERNAME} as test_user
and ${GUAC_PASSWORD} as DoNotCopyMe.
- The user starts the connection to server1, which has the username
parameter set to ${GUAC_USERNAME}, the password parameter set to
${GUAC_PASSWORD}, and the Drive Path parameter set to /tmp/${GUAC_USERNAME}.
- The connection automatically logs into the server because the Guacamole
username and password is passed through to the RDP connection through the
- The connection maps the /tmp/test_user directory through to the RDP
connection by resolving the username token.

> ${GUAC_USERNAME} works if Single sign on is there i.e. username and
> password is provided. it fails if username and password is not there.
Well, that depends on what you mean by "Single sign on" and "is [not]
there."  The actual username and password do not have to be saved in the
connection in order to be made available; however, the user has to log in
to be logging in to Guacamole.  So, if you're using some sort of anonymous
Guacamole authentication (the deprecated noauth extension, for example),
then the GUAC_USERNAME and GUAC_PASSWORD tokens will not be available.  If
you're using a SSO login method (OpenID, SAML, CAS without ClearPass), then
the GUAC_USERNAME token will be available while the GUAC_PASSWORD token may
or may not, depending on your configuration.  If you're using LDAP or JDBC,
then both the GUAC_USERNAME and GUAC_PASSWORD token should be available.

How are your users authenticating to Guacamole?


View raw message