Sorry, lost original message I was replying to. This is regarding guacamole_noauth.
OK, to try to clarify: if my users could use the same logins and passwords as they do for the hosts, email, ftp, basically everything else, that would make it easier for them and me. I don't want to try to keep two separate user databases in sync, and I especially can't see making that script work for 500 users.
In theory I could do this with one of the mod external modules for Apache, except there is a weird conflict with mod_suphp and mod_su_cgi, which I use to cause PHP and CGI code to be run with the user ID of the owner of said code rather than a generic httpd or apache2 or www-data or some such. The reason for this is that it takes away the need for publicly writable directories for upload, and if one user's code has a flaw that allows an attacker to gain a shell, that shell has the permissions of that user and thus can't trash everyone else's website.
I do not know why but if I compile those in with mod_auth_external, which I use with a little short program to authenticate against the system authentication system (pam). This used to work in the old days and I used it to wrap php_mysqladmin because it's got some exploits, but in recent days the modules will compile in but the server won't start with them both in.
But I could work around this by compiling a separate instance and just have it listen to a different port just for running guac.
However, trying to understand how the header auth extension works, so far I have not gotten it to function just sending static usernames to the header to test, so not sure how to make this work.
I am unfortunately not very fluent in many interpretive languages. I know C, some assembly languages, a smidgen of JavaScript, and that's about it; Python, Perl, Java, all languages I do not grok well. About the only interpretive language I knew well was ActionScript, and Adobe stabbed me in the back there.
The other advantage to having the web server handle authentication as opposed to Guacamole is that I can log auth failures with IPs and have fail2ban lock them out when they're being used for a brute force password attack. Guacamole only has the IP of the web server, so not very useful in that regard. MITM proxy (man in the middle?), not familiar with how that works.
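The per-client-IP lockout described in the message above, as an added example that is not part of the original post: it counts mod_auth_basic failures per client IP inside a sliding window, the same idea as fail2ban's `maxretry` and `findtime`. It assumes the Apache 2.4 default error log layout; the log lines are constructed, and `find_offenders`, `max_retry` and `find_time` are hypothetical names.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines, assuming the Apache 2.4 default ErrorLog layout.
SAMPLE_LOG = """\
[Tue Mar 04 09:59:00.000000 2025] [mpm_prefork:notice] [pid 800] AH00163: Apache/2.4 configured -- resuming normal operations
[Tue Mar 04 10:00:01.100000 2025] [auth_basic:error] [pid 811] [client 203.0.113.7:40112] AH01617: user alice: authentication failure for "/guacamole/": Password Mismatch
[Tue Mar 04 10:00:05.200000 2025] [auth_basic:error] [pid 811] [client 203.0.113.7:40113] AH01618: user root not found: /guacamole/
[Tue Mar 04 10:00:09.300000 2025] [auth_basic:error] [pid 812] [client 203.0.113.7:40114] AH01617: user alice: authentication failure for "/guacamole/": Password Mismatch
[Tue Mar 04 10:02:00.000000 2025] [auth_basic:error] [pid 812] [client 198.51.100.23:50001] AH01617: user bob: authentication failure for "/guacamole/": Password Mismatch
[Tue Mar 04 10:40:00.000000 2025] [auth_basic:error] [pid 813] [client 198.51.100.23:50002] AH01617: user bob: authentication failure for "/guacamole/": Password Mismatch
"""

# AH01617 = password mismatch, AH01618 = unknown user (both from mod_auth_basic).
# The client field is "ip:port"; the greedy \S+ backtracks to the last colon,
# so IPv6 client addresses keep their own colons.
LINE_RE = re.compile(
    r'\[(?P<ts>[^\]]+)\] \[auth_basic:error\] \[pid \d+(?::tid \d+)?\] '
    r'\[client (?P<ip>\S+):\d+\] AH0161[78]: user (?P<user>\S+?)(?::| not found)'
)

def find_offenders(log_text, max_retry=3, find_time=timedelta(minutes=10)):
    """Return {ip: sorted usernames tried} for IPs with at least
    max_retry failed logins inside any find_time window."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    users = defaultdict(set)     # ip -> every username seen in a failed attempt
    flagged = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth failure (e.g. the startup notice)
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()  # forget failures older than the window
        users[m["ip"]].add(m["user"])
        if len(window) >= max_retry:
            flagged.add(m["ip"])
    return {ip: sorted(users[ip]) for ip in flagged}

if __name__ == "__main__":
    for ip, tried in find_offenders(SAMPLE_LOG).items():
        print(f"would ban {ip}: tried {', '.join(tried)}")
```

This only works on the web server's own log, where the client field is the real remote address; behind the proxy, Guacamole sees only the web server's IP, as the message notes.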
