guacamole-user mailing list archives

From Erik Berndt <erikber...@superiorpaving.net>
Subject Re: Plaintext passwords in guacamole.properties
Date Thu, 12 Jul 2018 16:36:56 GMT
> Your best option is to set filesystem permissions appropriately such that
> only Guacamole can read guacamole.properties.

I had a similar thought a few months ago and this is your best bet. Yes,
the password is stored in plain text on a publicly available server, but
it's not being transmitted externally, so locking it down should be
sufficient. We use SMTP relay on a couple of servers and have the config
files storing the credentials set to 644. I just checked and
guacamole.properties is set to 604, which from what I can recall was the
most restrictive mode without the service becoming inaccessible.

Erik Berndt / Systems Administrator
5551 Wellington Rd, Gainesville, VA 20155
703.631.0004 x520 (Phone) / 703.257.1725 (Fax)
http://www.superiorpaving.net

Need to open an IT support ticket?
http://FixIT.superiorpaving.net/portal or FixIT@superiorpaving.net

On Thu, Jul 12, 2018 at 4:19 AM, Mike Jumper <mike.jumper@guac-dev.org>
wrote:

> On Thu, Jul 12, 2018, 01:07 smoke <nikola@wikieye.com> wrote:
>
>>     Hello!
>>
>> I am a little put off by the unhashed password in
>> ldap-search-bind-password
>> (guacamole.properties). Is there a way to use the hash instead of the
>> visible pass? The same thing goes for the postgresql-password.
>>
>
> No - they're not that kind of password.
>
> Hashing only makes sense for passwords which will be verified by Guacamole
> - passwords which Guacamole does not need to know verbatim. In this case,
> those passwords must be sent by Guacamole to the LDAP or PostgreSQL server
> to authenticate, thus it must have the actual raw password, not a hash.
>
> Your best option is to set filesystem permissions appropriately such that
> only Guacamole can read guacamole.properties.
>
> - Mike
>
>
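
One way to check the "only Guacamole can read guacamole.properties" condition from the quoted reply, as an added example that is not part of the original thread or of the Guacamole project. The function name `audit_secret_file` is hypothetical, and the owner you pass in (the account your servlet container runs as) is an assumption about your deployment.

```shell
#!/bin/sh
# Added example, not from the thread: audit who can read a credentials file
# such as guacamole.properties.

# audit_secret_file FILE [EXPECTED_OWNER]
# Returns 0 if "other" has no access, the owner matches (when given) and the
# containing directory is not world-writable; returns 1 otherwise.
audit_secret_file() {
    file=$1
    expected_owner=${2:-}
    rc=0
    if [ ! -f "$file" ]; then echo "FAIL: $file not found"; return 1; fi

    # POSIX "ls -ld" prints the mode string first (e.g. -rw----r--), owner third.
    perms=$(ls -ld -- "$file" | awk '{print $1}')
    owner=$(ls -ld -- "$file" | awk '{print $3}')
    group_bits=$(printf '%s' "$perms" | cut -c5-7)
    other_bits=$(printf '%s' "$perms" | cut -c8-10)

    if [ "$other_bits" != "---" ]; then
        echo "FAIL: $file mode $perms lets every local account access it"
        rc=1
    fi
    if [ "$group_bits" != "---" ]; then
        echo "NOTE: group has '$group_bits' on $file; check group membership"
    fi
    if [ -n "$expected_owner" ] && [ "$owner" != "$expected_owner" ]; then
        echo "FAIL: $file is owned by $owner, expected $expected_owner"
        rc=1
    fi

    # A world-writable directory lets other accounts replace the file.
    dir=$(dirname -- "$file")
    dir_perms=$(ls -ld -- "$dir" | awk '{print $1}')
    if [ "$(printf '%s' "$dir_perms" | cut -c9)" = "w" ]; then
        echo "FAIL: directory $dir is world-writable"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $file ($perms, owner $owner)"
    return "$rc"
}

# Usage: script FILE [EXPECTED_OWNER]
if [ "$#" -gt 0 ]; then audit_secret_file "$@"; fi
```

When the check fails, giving the file to the service account with `chown` and setting `chmod 600` (or `640` with a dedicated group) satisfies it; the account name depends on how the servlet container hosting Guacamole is run.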

