guacamole-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Not Speedy <>
Subject Re: NLA with Radius/OTP authentication
Date Sat, 15 Dec 2018 20:30:25 GMT
Thanks for the reply.
I'm using OTP for things like vpn and remote access only.  In my
configuration, privacyidea is configured to uses ldap as its source of
truth, and then handles the OTP.  Radius is used by the application (guac
and vpn) against privacy idea to authenticate.  Dropping the first/last N
characters does in fact feel hacky, but I'm unsure how to handle my use
case.  There may be a better way, but "you don't know, what you don't
know"!  I think I saw a post or two that stated Nick uses linotp.  Perhaps
he'll have some insight too.

On Sat, Dec 15, 2018 at 2:18 PM Mike Jumper <> wrote:

> On Sat, Dec 15, 2018, 12:05 Not Speedy < wrote:
>> Hi.
>> I noticed there is a way to pass the username/password through to NLA and
>> RDP connections to create a SSO like experience. It looks like I could
>> use the variables GUAC_USERNAME and  GUAC_PASSWORD. ( or something like
>> that).
>> I'm using PrivacyIdea (fork of linotp) to handle my OTP requirements
>> backed by ldap.  So to signing, Id use username and password+OTP.
>> Looking something like this.  'john.doe' 'secret123456'
>> This would get passed to NLA/RDP as "secret123456", which will not
>> work.  Most radius/otp solutions will allow you to add the OTP at the front
>> or end of the PIN (password).  Is there a way to pass this through while
>> dropping the OTP? Perhaps creating a configuration option that could drop
>> the "front or end by # character"?
> If your RDP server uses the same LDAP for auth, wouldn't dropping the OTP
> still not work since it would require its own OTP added to the password as
> well?
> If LDAP-driven OTP is common, an option for LDAP to split things up may be
> reasonable, but I'm uncertain. An option to drop the first/last N
> characters feels hacky.
> - Mike

View raw message