[ https://issues.apache.org/jira/browse/GUACAMOLE-312?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16753240#comment-16753240 ]
Michael Jumper commented on GUACAMOLE-312:
------------------------------------------

No, it needs to be doable without having to have something actually listen on a new TCP socket on the Guacamole server. Having new ports open would be potentially dangerous (the VNC server that is intended to be protected behind SSH would be temporarily exposed each time a connection is established), and dynamically allocating available ports would probably prove to be brittle.

Dynamically creating a UNIX domain socket in some configurable directory in the filesystem would be OK, as access to that socket would be restricted by filesystem permissions and we can lock those down, but taking full control over the transport within the VNC support and keeping it absolutely 100% internal would be best.

If someone were to throw this together quickly for their own purposes in an extension (like discussed recently on the mailing list), dynamically allocating temporary SSH port forwards could be reasonable, but I don't think it should be our approach in Guacamole itself.

> VNC over SSH
> ------------
>
>                 Key: GUACAMOLE-312
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-312
>             Project: Guacamole
>          Issue Type: New Feature
>          Components: VNC
>            Reporter: Michael Jumper
>            Priority: Minor
>
> {panel:bgColor=#FFFFEE}
> *The description of this issue was copied from [GUAC-223|https://glyptodon.org/jira/browse/GUAC-223], an issue in the JIRA instance used by the Guacamole project prior to its acceptance into the Apache Incubator.*
> Comments, attachments, related issues, and history from prior to acceptance *have not been copied* and can be found instead at the original issue.
> {panel}
> It would be useful to provide access to VNC over SSH as an option.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
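
Added example, not part of the original comment and not Guacamole code: one way a local forwarding endpoint could be a UNIX domain socket locked down by filesystem permissions, as the comment describes, instead of a TCP listener. The function names, the "fwd-" directory prefix and the "sock" file name are hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* for mkdtemp() under strict -std modes */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

/* Hypothetical helper (not Guacamole code): creates <base>/fwd-XXXXXX/sock
 * and listens on it. Returns the listening fd, or -1 on failure. */
int private_listener(const char *base, char *dir_out, size_t dir_len,
                     char *path_out, size_t path_len) {
    struct sockaddr_un addr = { .sun_family = AF_UNIX };
    /* mkdtemp() creates a randomly named directory with mode 0700, so
     * only the owning user can reach anything created inside it. */
    if (snprintf(dir_out, dir_len, "%s/fwd-XXXXXX", base) >= (int) dir_len
            || mkdtemp(dir_out) == NULL)
        return -1;
    /* Refuse paths that would be truncated in sun_path. */
    if (snprintf(path_out, path_len, "%s/sock", dir_out) >= (int) path_len
            || strlen(path_out) >= sizeof(addr.sun_path)) {
        rmdir(dir_out);
        return -1;
    }
    strcpy(addr.sun_path, path_out);

    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    mode_t old = umask(0177);      /* socket node is created as 0600 */
    int ok = fd >= 0
        && bind(fd, (struct sockaddr *) &addr, sizeof(addr)) == 0
        && listen(fd, 1) == 0;
    umask(old);
    if (!ok) {
        if (fd >= 0) close(fd);
        unlink(path_out);
        rmdir(dir_out);
        return -1;
    }
    return fd;
}

/* Closes the listener and removes the socket node and its directory. */
void private_listener_close(int fd, const char *dir, const char *path) {
    close(fd); unlink(path); rmdir(dir);
}
```

Unlike a loopback TCP port, this endpoint cannot be reached by other local users or from the network, and the random directory name avoids the port-allocation collisions the comment calls brittle.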