On Sun, 13 Oct 2024 at 9:52, Nick Couchman (<vn...@apache.org>) wrote:
>
> On Sun, Oct 13, 2024 at 3:56 AM Cyrus <cyru...@gmail.com> wrote:
>>
>> Hi!,
>>
>> I've set up an environment with 1.5.5 where I'm required to
>> authenticate via OpenID. Not having LDAP means I cannot reuse the user
>> credentials for SSH and RDP+SFTP.
>>
>> Reading around, I found that there should be some kind of "credentials
>> prompting" facility since 1.3.0, but if I leave credentials blank the
>> users are not prompted for them.
>>
>> Is that supposed to be a web pop-up for the user to input the
>> credentials, or should it just be the destination host's regular RDP
>> credentials form?
>>
>> Am I missing something?
>>
>
> Yes, credential prompting works in many situations, but how it is triggered
> depends upon what protocol you're using and how your remote server is
> configured:
>
> * For RDP, the prompt will be web-based, and will trigger if the remote
>   server requires credentials in order to complete the connection. This is most
>   common when connecting to Windows servers that have NLA enabled, since the
>   credentials themselves are part of the connection process. You might want to
>   try forcing the security mode to a certain type if you're having issues
>   getting this to work.
> * For SFTP connections with RDP, unfortunately I do not believe we have that
>   prompt enabled, so that likely will not work without pre-populating the
>   credentials, and the failure of the SFTP connection will also cause a failure
>   of the entire RDP connection.
> * For VNC, the prompt will also be web-based, but depends upon what
>   credentials the VNC server asks for (password, username + password).
> * For SSH, if the credentials are not pre-filled, Guacamole will start the
>   terminal and the prompt will be shown in the terminal. Please note that SSH
>   currently only supports a single factor (username + password), so if you have
>   an SSH server with a multi-factor prompt or something similar, it will likely
>   fail.
>
> If you have a server that you think should be working, feel free to share
> more details about that configuration (platform, connection configuration,
> guacd logs, etc.) and we can try to help you determine why you're not seeing
> the prompt(s) you expect.
>
> -Nick

Good afternoon,

* Current situation regarding authentication protocols:

  Meatware --hands--> workstation-unrelated-to-my-domain --HTTP--> Guacamole 1.5.5 --OIDC--> Keycloak --SAML2 (or was it OIDC?)--> AzureAD (user db1)

  guacd --RDP--> xrdp/Ubuntu 24.04 --LDAP/KRB--> FreeIPA --LDAP/KRB--> Samba4 (user db2)

  The same person has user XXX in user db1, and user XXY in user db2. Situation is not ideal, but that is what I have to deal with.

* OIDC authentication works; can't find a way to return custom metadata to Guacamole defining the actual user for RDP/SSH. Nice to have, since sometimes conventions are wacky and the end user only knows the first user. Workaround: be clear on the actual two users they have to use.

* I understood that setting it as NLA forced the prompt, not that it was negotiated between guacd & xrdp (or the real RDP service from MS). Will look into it (maybe xrdp config missing).

* If I reach the point of Guacamole prompting for credentials in a web pop-up, does it generate tokens/variables I could reuse for the SFTP part?

* Regarding SSH, I can work with the user typing the credentials. It's tested and fully functional.

* Related question: I cannot find a way for a user to provide his/her private SSH key. Is that supported? It could be useful to provide the key and just ask for the key password once, with Guacamole running an SSH authentication agent maybe?

Regards,
CI.-

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@guacamole.apache.org
For additional commands, e-mail: user-h...@guacamole.apache.org