guacamole-user mailing list archives

From Mike Jumper
Subject Re: NLA with Radius/OTP authentication
Date Sat, 15 Dec 2018 20:18:31 GMT
On Sat, Dec 15, 2018, 12:05 Not Speedy wrote:

> Hi.
> I noticed there is a way to pass the username/password through to NLA and
> RDP connections to create an SSO-like experience. It looks like I could
> use the variables GUAC_USERNAME and GUAC_PASSWORD (or something like
> that).
> I'm using privacyIDEA (fork of LinOTP) to handle my OTP requirements
> backed by LDAP. So to sign in, I'd use username and password+OTP. Looking
> something like this: 'john.doe' 'secret123456'
> This would get passed to NLA/RDP as "secret123456", which will not work.
> Most RADIUS/OTP solutions will allow you to add the OTP at the front or end
> of the PIN (password).  Is there a way to pass this through while dropping
> the OTP? Perhaps creating a configuration option that could drop the "front
> or end by # character"?

If your RDP server uses the same LDAP for auth, wouldn't dropping the OTP
still not work since it would require its own OTP added to the password as

If LDAP-driven OTP is common, an option for LDAP to split things up may be
reasonable, but I'm uncertain. An option to drop the first/last N
characters feels hacky.

- Mike
