guacamole-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Couchman <vn...@apache.org>
Subject Re: Select User Connection Restricted by Source IP
Date Tue, 15 May 2018 11:05:58 GMT
>
>
> > Off the top of my head:
> >
> > * You step away from the computer and need to check something via your
> > phone.
> >
> > * You lock your screen at work without logging out from guac, head home,
> > and need to log in again.
> >
> > * You are using an anonymizing service which changes IP occasionally.
> >
> > - Mike


> Sure, all of the three cases are valid, but regardless of their
> justifiability they are perfect case for attacker to mask his activity.
>

This could be said of many different pieces of functionality, at many
different levels across many different technologies.  The perfectly secure
computer is locked in a safe and completely powered off, but it isn't very
useful.  The perfectly usable computer is accessible to everyone with no
restrictions, but lacks any notion of security.  The rest of the spectrum
is a trade between security and functionality.  Perhaps in your use-case or
environment restricting users to a single IP is a requirement or something
that you strongly desire.  That's great, you're welcome to implement it
that way.  For most of the rest of us, our ability to use the software from
multiple IP addresses concurrently is an acceptable risk with beneficial
functionality, and there are other risks that merit more time and attention
- like multi-factor authentication.


> Whether to enable them or not is a matter of choice and a matter of
> required
> defense grade.
>
>
I agree, and if you'd like to implement a modification or an extension that
restricts users to only log in from a single IP at a time, you are welcome
to - the software is open source, and can fork/modify/contribute to it.
It's how I got started contributing to the project :-).  However, you
should understand that, because many other people don't consider this a
requirement it is unlikely that 1) it will be adopted as a default behavior
of the software, or 2) that other developers will spend time implementing
such a feature in the near-term.

-Nick

Mime
View raw message