guacamole-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mike Jumper <>
Subject Re: Session management for an enterprise / automaticly creating VNC sessions
Date Fri, 25 Jan 2019 16:57:04 GMT
On Fri, Jan 25, 2019, 08:44 Nico Schottelius <

> ... I had a longer discussion off-list today about it and wanted to
> share my thoughts:
> Guacamole already supports VNC and SSH. Thus session management
> ("autostart") could be implement as easy as the following:
> a) Adding support for a generic connection with variable support
> Assuming we could use variables in connections, for instance the
> username, we could implement sessions that *contain* the username in the
> connection string.

The settings driving a connection should be dictated by server-side logic.
It is dangerous/insecure to trust the user to not manipulate something like
a string submitted from the client side.

> All users could have the "same" connection, just different variable parts

You should also look into the extension API. The main reason the extension
API exists is to allow connection details to be driven by completely
arbitrary logic.

b) Adding support for vnc-over-ssh-over-unix-socket
> You probably know that you can easily tunnel vnc through ssh [0].

Until libvncclient has such support, it isn't possible to integrate this
into the VNC support. You will need to accomplish this through other logic,
presumably in an extension.

> If guacamole would support combining ssh with vnc, guacamole could do
> the following:
> ssh user@host "
> if [ ! -f .guacamole.sock ]; then
>   vncserver-on-.guacamole.sock
> fi
> socat - .guacamole.sock"

Guacamole definitely shouldn't attempt to implement this through shell
scripting. If this is to be added as a feature for Guacamole, it would need
to be through leveraging the VNC and SSH libraries available.

You can already do what you're looking to accomplish through leveraging the
extension API, however. You would dynamically derive the connection
parameters based on the user connecting, preparing a temporary SSH tunnel
for that connection as part of that process.

> Obviously this is only sample code and the admin could be able to
> specify custom code.

I definitely don't think executing arbitrary custom shell scripting should
be a standard mechanism built into guac. The extension API is the way to go

- Mike

View raw message