From: Not Speedy
Date: Sat, 15 Dec 2018 14:30:25 -0600
Subject: Re: NLA with Radius/OTP authentication
To: user@guacamole.apache.org
Mailing-List: contact user-help@guacamole.apache.org; run by ezmlm
Mike,

Thanks for the reply.

I'm using OTP for things like vpn and remote access only. In my configuration, privacyidea is configured to use ldap as its source of truth, and then handles the OTP. Radius is used by the application (guac and vpn) against privacy idea to authenticate. Dropping the first/last N characters does in fact feel hacky, but I'm unsure how to handle my use case. There may be a better way, but "you don't know, what you don't know"! I think I saw a post or two that stated Nick uses linotp. Perhaps he'll have some insight too.

Thanks

On Sat, Dec 15, 2018 at 2:18 PM Mike Jumper <mjumper@apache.org> wrote:

> On Sat, Dec 15, 2018, 12:05 Not Speedy <notspeedy01@gmail.com> wrote:
>
>> Hi.
>>
>> I noticed there is a way to pass the username/password through to NLA and RDP connections to create an SSO-like experience. It looks like I could use the variables GUAC_USERNAME and GUAC_PASSWORD (or something like that).
>>
>> I'm using PrivacyIdea (fork of linotp) to handle my OTP requirements backed by ldap. So to sign in, I'd use username and password+OTP. Looking something like this: 'john.doe' 'secret123456'
>>
>> This would get passed to NLA/RDP as "secret123456", which will not work. Most radius/otp solutions will allow you to add the OTP at the front or end of the PIN (password). Is there a way to pass this through while dropping the OTP? Perhaps creating a configuration option that could drop the "front or end by # character"?
>
> If your RDP server uses the same LDAP for auth, wouldn't dropping the OTP still not work since it would require its own OTP added to the password as well?
>
> If LDAP-driven OTP is common, an option for LDAP to split things up may be reasonable, but I'm uncertain. An option to drop the first/last N characters feels hacky.
>
> - Mike
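The option discussed in this thread, dropping a fixed number of characters from the front or end of the submitted password before it is substituted into the RDP connection, is shown below as an added example. It is not part of Guacamole and not code from anyone in the thread; the function names are hypothetical, the credential values are constructed, and the `${GUAC_USERNAME}` / `${GUAC_PASSWORD}` tokens are used only as the substitution targets the original question refers to. The last case shows why the fixed-length approach feels hacky: a password that happens to end in digits, or an OTP of a different length than configured, splits cleanly but wrongly, and nothing in the splitter can tell.

```python
"""Split a combined password+OTP credential before forwarding the password
to a downstream RDP/NLA connection.

Added illustration for the mailing-list thread above; not Guacamole code.
All credential values below are constructed sample data.
"""

import re
from typing import Dict, Optional, Tuple

# An OTP from a TOTP/HOTP-style token is a run of decimal digits.
_OTP_DIGITS = re.compile(r"[0-9]+")


def split_password_otp(combined: str, otp_length: int,
                       position: str = "end") -> Optional[Tuple[str, str]]:
    """Return (password, otp) by cutting `otp_length` characters off the
    `position` ("front" or "end") of `combined`.

    Returns None when the cut cannot possibly be right: no room for a
    password, or the removed part is not all digits.  Note what it cannot
    detect: a correctly-sized, all-digit cut that is still the wrong split.
    """
    if otp_length <= 0 or len(combined) <= otp_length:
        return None
    if position == "end":
        password, otp = combined[:-otp_length], combined[-otp_length:]
    elif position == "front":
        otp, password = combined[:otp_length], combined[otp_length:]
    else:
        raise ValueError("position must be 'front' or 'end'")
    if not _OTP_DIGITS.fullmatch(otp):
        return None
    return password, otp


def render_connection_parameters(template: Dict[str, str], username: str,
                                 combined: str, otp_length: int,
                                 position: str = "end") -> Optional[Dict[str, str]]:
    """Fill a connection parameter template whose values may contain the
    ${GUAC_USERNAME} / ${GUAC_PASSWORD} tokens, substituting only the
    password part of the combined credential.  Returns None if the split
    is rejected, so the OTP is never forwarded as part of the password.
    """
    split = split_password_otp(combined, otp_length, position)
    if split is None:
        return None
    password, _otp = split
    rendered = {}
    for key, value in template.items():
        rendered[key] = (value.replace("${GUAC_USERNAME}", username)
                              .replace("${GUAC_PASSWORD}", password))
    return rendered


if __name__ == "__main__":
    # Constructed RDP connection template, as an administrator might define it.
    rdp_template = {
        "hostname": "rdp.example.internal",
        "username": "${GUAC_USERNAME}",
        "password": "${GUAC_PASSWORD}",
        "security": "nla",
    }
    # Works: 6-digit OTP appended to the password, as in the thread.
    print(render_connection_parameters(rdp_template, "john.doe",
                                       "secret123456", 6))
    # Rejected: the trailing 6 characters are not an OTP.
    print(render_connection_parameters(rdp_template, "john.doe",
                                       "secretabcdef", 6))
    # Silently wrong: an 8-digit OTP with a 6-digit configuration leaves two
    # OTP digits glued to the password, and the split cannot notice.
    print(split_password_otp("hunter212345678", 6))
```

The digit check only catches gross misconfiguration; the final case is the one that matters operationally, because the downstream RDP login then fails with a credential that looks well-formed, which is the sort of brittleness Mike's reply is pointing at. A design that lets the OTP provider (here privacyidea/RADIUS) report the PIN and OTP boundary, rather than guessing it by length in the connection layer, avoids the ambiguity entirely.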