RE: Does Guacamole support PKI/Smartcard authentication for RDP (instead of username/password)?

2021-10-28 Thread Angal, Rajeev
Hello -
Want to request a poll to the community if this feature would be useful?
If there is enough interest, please advise the best way to implement it in the 
near future.

Thanks,
-rajeev

From: Angal, Rajeev 
Sent: Saturday, July 3, 2021 11:37 AM
To: user@guacamole.apache.org
Subject: Re: Does Guacamole support PKI/Smartcard authentication for RDP 
(instead of username/password)?

Thanks for your reply, Nick.
On #2:
User workstation -> Guacamole intermediate server -> Target RDP or SSH server

After the initial authentication to Guacamole with SAML/smartcard/etc.,
if the intermediate server could get an ephemeral certificate (on behalf of the 
authenticated user) from a CA and allow auto login over SSH and RDP to the 
target server.
This post describes the concept:

https://informationsecuritybuzz.com/articles/why-ephemeral-certificates-are-the-ideal-option-for-secure-it-access/




From: Nick Couchman <vn...@apache.org>
Sent: Saturday, July 3, 2021 10:16:35 AM
To: user@guacamole.apache.org
Subject: Re: Does Guacamole support PKI/Smartcard authentication for RDP 
(instead of username/password)?

On Sat, Jul 3, 2021 at 12:06 PM Angal, Rajeev <ran...@visa.com.invalid> wrote:

Love Guacamole so far!



For remote Windows servers that support only smartcard authentication, would 
like the following capabilities:

  1.  Smartcard redirection
  2.  Generation of ephemeral certs on the "gateway" for seamless "SSO"



Are these features available or on the roadmap?

The first one is definitely not implemented, yet, and I don't think there's a 
JIRA feature issue for it, either.

For the second one, I'm not entirely sure what you mean. Several SSO platforms 
are supported in Guacamole - CAS, OpenID, and SAML - and within those some of 
them have support for validating logins using various means, including 
certificates between Guacamole and the SSO IdP. I know there was a recent 
e-mail on the list regarding getting SAML to work with certificate validation, 
so there may be some issues with that, and it's worth testing out further.

In the end, doing certificate-based authentication to Guacamole shouldn't 
require too much work - the guacamole-ext framework provides relatively simple 
ways for supporting new authentication mechanisms, and SmartCards are really 
just x509 certificates, so really anything that supports certificate-based 
authentication should work. I know CAS supports x509 authentication, so it 
would probably be reasonably easy to get CAS x509 -> Guacamole authentication 
working without having to modify any code at all.

-Nick


RE: VNC to prompt username

2021-10-28 Thread Nick Khoo
Hi Nick,

VNC is built into this product.
ADDERLink ipeps | Adder Technology
MAN-AL-IPEPS.pdf (amazonaws.com)


Nick

From: Nick Couchman 
Sent: Friday, 29 October 2021 9:39 AM
To: user@guacamole.apache.org
Subject: Re: VNC to prompt username

On Thu, Oct 28, 2021 at 9:36 PM Nick Khoo <nick.k...@blairfox.com.au.invalid> wrote:
Hi Nick,

I do get a username and password prompt from an installed VNC client on my PC 
requested by the VNC server, but not from Guacamole. There doesn't seem to be 
any setting for 'password-only mode' on that server.

Any ideas?

What VNC server are you using?

-Nick


Re: VNC to prompt username

2021-10-28 Thread Nick Couchman
On Thu, Oct 28, 2021 at 9:36 PM Nick Khoo wrote:

> Hi Nick,
>
>
>
> I do get a username and password prompt from an installed VNC client on my
> PC requested by the VNC server, but not from Guacamole. There doesn’t seem
> to be any setting for ‘password-only mode’ on that server.
>
>
>
> Any ideas?
>

What VNC server are you using?

-Nick



RE: VNC to prompt username

2021-10-28 Thread Nick Khoo
Hi Nick,

I do get a username and password prompt from an installed VNC client on my PC 
requested by the VNC server, but not from Guacamole. There doesn't seem to be 
any setting for 'password-only mode' on that server.

Any ideas?

Thanks,
Nick.K

From: Nick Couchman 
Sent: Friday, 29 October 2021 9:18 AM
To: user@guacamole.apache.org
Cc: nick.k...@blairfox.com.au.invalid
Subject: Re: VNC to prompt username

On Thu, Oct 28, 2021 at 9:13 PM Nick Khoo <nick.k...@blairfox.com.au.invalid> wrote:
Hi Nick

Thanks for replying. Which 'connection properties' are you referring to? If it 
is the guacamole properties, I did leave it blank for both username and 
password, but the connection only prompts for password. And if I entered the 
default VNC account password into the prompt, the connection succeeds (without 
any username prompt or having to specify username anywhere within guacamole).


Yes, that's correct. Guacamole also attempts to detect what type of credential 
is requested by the server, so if it is only prompting for a password then it's 
possible that it's negotiating down to a password-only mode with the server.

-Nick


Re: VNC to prompt username

2021-10-28 Thread Nick Couchman
On Thu, Oct 28, 2021 at 9:13 PM Nick Khoo wrote:

> Hi Nick
>
>
>
> Thanks for replying. Which ‘connection properties’ are you referring to?
> If it is the guacamole properties, I did leave it blank for both username
> and password, but the connection only prompts for password. And if I entered
> the default VNC account password into the prompt, the connection succeeds
> (without any username prompt or having to specify username anywhere within
> guacamole).
>
>
>

Yes, that's correct. Guacamole also attempts to detect what type of
credential is requested by the server, so if it is only prompting for a
password then it's possible that it's negotiating down to a password-only
mode with the server.

-Nick



RE: VNC to prompt username

2021-10-28 Thread Nick Khoo
Hi Nick

Thanks for replying. Which 'connection properties' are you referring to? If it 
is the guacamole properties, I did leave it blank for both username and 
password, but the connection only prompts for password. And if I entered the 
default VNC account password into the prompt, the connection succeeds (without 
any username prompt or having to specify username anywhere within guacamole).

If I entered any other password for any other user account in the VNC server, 
they will fail authentication (again there was no prompting for username)

Thanks
Nick.k

From: Nick Couchman 
Sent: Thursday, 28 October 2021 10:31 PM
To: nick.k...@blairfox.com.au.invalid; user@guacamole.apache.org
Subject: Re: VNC to prompt username

On Thu, Oct 28, 2021 at 10:08 AM Nick Khoo <nick.k...@blairfox.com.au.invalid> wrote:
Hi,

We have a VNC server with multiple accounts set up. VNC client can log in using 
different username and password. The username is entered in the client properties 
and the password is prompted during connection. With guacamole, this doesn't 
look to be possible. The connection will only connect with the password set up 
for the default VNC user account. How can I set up guacamole to allow VNC 
connection other than the default VNC server user account?


No, the prompting in the Guacamole interface is specifically designed such 
that, if you enter a value in the connection properties, it will not allow the 
user to override or change that value. If you want the user to be prompted you 
will need to leave the value blank.

-Nick


Re: VNC to prompt username

2021-10-28 Thread Nick Couchman
On Thu, Oct 28, 2021 at 10:08 AM Nick Khoo wrote:

> Hi,
>
>
>
> We have a VNC server with multiple accounts set up. VNC client can log in
> using different username and password. The username is entered in the client
> properties and the password is prompted during connection. With guacamole,
> this doesn’t look to be possible. The connection will only connect with the
> password set up for the default VNC user account. How can I set up guacamole
> to allow VNC connection other than the default VNC server user account?
>
>
>
No, the prompting in the Guacamole interface is specifically designed such
that, if you enter a value in the connection properties, it will not allow
the user to override or change that value. If you want the user to be
prompted you will need to leave the value blank.

-Nick


VNC to prompt username

2021-10-28 Thread Nick Khoo
Hi,

We have a VNC server with multiple accounts set up. VNC client can log in using 
different username and password. The username is entered in the client properties 
and the password is prompted during connection. With guacamole, this doesn't 
look to be possible. The connection will only connect with the password set up 
for the default VNC user account. How can I set up guacamole to allow VNC 
connection other than the default VNC server user account?

Thanks.