guacamole-user mailing list archives

From Mike Jumper <mjum...@apache.org>
Subject Re: NLA with Radius/OTP authentication
Date Sat, 15 Dec 2018 20:18:31 GMT
On Sat, Dec 15, 2018, 12:05 Not Speedy <notspeedy01@gmail.com> wrote:

> Hi.
> I noticed there is a way to pass the username/password through to NLA and
> RDP connections to create an SSO-like experience. It looks like I could
> use the variables GUAC_USERNAME and GUAC_PASSWORD (or something like
> that).
>
> I'm using PrivacyIdea (fork of linotp) to handle my OTP requirements
> backed by LDAP. So to sign in, I'd use username and password+OTP. Looking
> something like this. 'john.doe' 'secret123456'
>
> This would get passed to NLA/RDP as "secret123456", which will not work.
> Most radius/otp solutions will allow you to add the OTP at the front or end
> of the PIN (password).  Is there a way to pass this through while dropping
> the OTP? Perhaps creating a configuration option that could drop the "front
> or end by # character"?
>

If your RDP server uses the same LDAP for auth, wouldn't dropping the OTP
still not work since it would require its own OTP added to the password as
well?

If LDAP-driven OTP is common, an option for LDAP to split things up may be
reasonable, but I'm uncertain. An option to drop the first/last N
characters feels hacky.

- Mike
