guacamole-user mailing list archives

From Robert Dinse <>
Subject Re: More Fun
Date Sat, 02 Mar 2019 20:50:01 GMT

      If there were an NIS / Unix / PAM authentication module then I'd use
that but I am unwilling to have to have users register yet another password
and I can't get their existing passwords since they are encrypted.  And
since all the servers they are going to are already accessible via ssh and
x2go an additional layer of authentication does nothing but inconvenience
the customer.  Since it does pass through the real IP in the header, I should
be able to write fail2ban rules to cover brute force password guessing.

  Eskimo North Linux Friendly Internet Access, Shell Accounts, and Hosting.
    Knowledgeable human assistance, not telephone trees or script readers.
  See our web site: (206) 812-0051 or (800) 246-6874.

On Sat, 2 Mar 2019, Nick Couchman wrote:

> Date: Sat, 2 Mar 2019 09:03:25 -0500
> From: Nick Couchman <>
> Reply-To:
> To:
> Subject: Re: More Fun
> On Sat, Mar 2, 2019 at 4:15 AM Robert Dinse <> wrote:
>>       I tried to use Zer0CoolX's branding.jar extension but it did not work as
>> intended.  It did not change the text at all and the logo was very low contrast
>> and smaller than the actual image he used.  When I tried to substitute my own
>> logo it did not display at all.
> You'll have to be a little more explicit about what you tried, and
> preferably provide the code you're using (GitHub is your friend).
> As an aside, this has been asked enough on the mailing lists that I've
> opened up a JIRA issue to add some documentation to the Guacamole Manual on
> the branding process.  I'll take a stab at documenting it within the manual.
>>       So far sound is not working either with vnc / pulseaudio (and I did make
>> the recommended changes to pulse audio conf and the catalina.out log is
>> showing it connecting to the pulseaudio server), but still no sound, and
>> also tried with rdp using Xrdp as the server, no sound there either.
> I need to give this a shot, too - I've done it before, but it's been a
> while, so worth taking another look.  Just haven't had a chance, yet.
>>       It would be nice if there were a way to disable the teardown session
>> function in the home page as I'm using a common login for multiple users
>> because authentication is either done by ssh or xdmcp on the server.  I'd
>> really like to disable the login as well and just have it login as said
>> user.
> We (the project) have resisted (re-)implementing an authentication
> extension that doesn't actually authenticate.  There actually used to be
> one (noauth) and it was deprecated in 0.9.14 and removed completely in
> 1.0.0.  Within Guacamole Client, *some* form of authentication should be
> done - bypassing authentication entirely really isn't a good idea.  I'm
> definitely sympathetic to your situation, though - I've been there in the
> past, where I had Guacamole authenticating with different credentials than
> RDP sessions that users were logging into, and I didn't like having my
> users required to enter credentials twice.  However, there should be some
> middle ground - some means by which to authenticate users coming into
> Guacamole without requiring them to enter credentials twice.  You could do
> some sort of certificate-based authentication with the web server (httpd or
> nginx) and then use the header module to pass through the authentication to
> Guacamole?  Not something I've ever actually tried, but I'm just thinking
> out loud.  Obviously that requires maintaining and distributing
> certificates, which is its own challenge, but might be preferable to
> bothering users with multiple credential requirements.
> -Nick
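
The brute-force detection mentioned in the message above, sketched as an added example; it is not code from the thread, from Guacamole or from fail2ban. The log line shape, the names `FAIL_RE` and `hosts_to_ban`, and the thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape (constructed for this example):
#   <date> <time> WARN <logger> - Authentication attempt from <addr> for user "<name>" failed.
# <addr> is one IP, or a bracketed list "[client, proxy]" when a forwarding
# header was passed through. The username is attacker-controlled, so the
# pattern is anchored at the start of the line and takes the FIRST address;
# text placed inside the username can never supply the host to ban.
FAIL_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) WARN\s+\S+ - '
    r'Authentication attempt from \[?(?P<host>[0-9A-Fa-f:.]+)(?:, [^\]]*)?\]? '
    r'for user "(?P<user>.*)" failed\.$'
)

def hosts_to_ban(lines, max_retry=3, find_time=timedelta(minutes=10)):
    """Return hosts with >= max_retry failures inside any find_time window."""
    recent = defaultdict(deque)   # host -> timestamps of recent failures
    banned = []
    for line in lines:            # lines are assumed to be in time order
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m['ts'], '%Y-%m-%d %H:%M:%S')
        window = recent[m['host']]
        window.append(ts)
        while ts - window[0] > find_time:   # drop failures older than the window
            window.popleft()
        if len(window) >= max_retry and m['host'] not in banned:
            banned.append(m['host'])
    return banned

P = '2019-03-02 '
MSG = ' WARN o.a.g.r.auth.AuthenticationService - Authentication attempt from '
SAMPLE = [  # constructed log lines, documentation-range addresses only
    P + '12:00:01' + MSG + '[203.0.113.7, 10.0.0.5] for user "alice" failed.',
    P + '12:00:20' + MSG + '[203.0.113.7, 10.0.0.5] for user "alice" failed.',
    P + '12:00:45' + MSG + '[203.0.113.7, 10.0.0.5] for user "admin" failed.',
    P + '12:01:00' + MSG + '198.51.100.9 for user "bob" failed.',
    P + '12:05:00 INFO o.a.g.r.auth.AuthenticationService - login ok',
    P + '12:20:00' + MSG + '198.51.100.9 for user "bob" failed.',
    P + '12:40:00' + MSG + '198.51.100.9 for user "bob" failed.',
    P + '12:40:05' + MSG + '198.51.100.9 for user "x" failed. '
      'Authentication attempt from 192.0.2.50 for user "y" failed.',
]
```

The same anchored pattern can serve as the basis for a fail2ban `failregex` once it is adjusted to the timestamp and prefix the real log actually uses.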
