guacamole-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mike Jumper <mike.jum...@guac-dev.org>
Subject Re: Select User Connection Restricted by Source IP
Date Sun, 13 May 2018 16:57:00 GMT
On Sun, May 13, 2018, 04:49 Suncatcher16 <suncatcher16@outlook.com> wrote:

> Just a matter of taste. Both use-cases require extensions anyway. LAN/WAN
> differentiation seems more important for me.
>
> BTW, how can single user connect from different IPs simultaneously? It's a
> great breach for attacker, which could mask malicious activity. I cannot
> imagine such use-case where that might be needed. Do you?
>

Off the top of my head:

* You step away from the computer and need to check something via your
phone.

* You lock your screen at work without logging out from guac, head home,
and need to log in again.

* You are using an anonymizing service which changes IP occasionally.

etc.

Different IPs means that you provided your user to smb else who connects
> from different location, this is what users were created for, imho.
>

Nope. It might mean that, but this isn't guaranteed (see above).
Regardless, the fact that a user may choose to share their password isn't a
potential breach in the system; it's a poor choice on the user's part.

If you wish to make doubly sure that a user is who they claim to be, that's
exactly the use case behind 2FA.

- Mike

Mime
View raw message