On Wed, Oct 23, 2024 at 10:26 PM Barnhart, Steven <barnhart....@osu.edu> wrote:
> Yes I believe it’ll be in 1.6.
>
> https://issues.apache.org/jira/browse/GUACAMOLE-1855
>

In addition to this feature, which lets you enable/disable based on the source IP address of the user, there is also a feature that will allow you to control it based on group membership:

https://issues.apache.org/jira/browse/GUACAMOLE-1219

Sean's point in his reply is worth consideration, though. I'm not sure I would agree that you should never implement either of these; however, you should be very careful when implementing anything that relies on source IP addresses that you've correctly configured upstream equipment (routers, firewalls, load balancers, proxies, etc.) to correctly forward through the IP address of the client, that you're not trusting the client itself to tell you its IP address, and that your restrictions "fail safe" in the case that something cannot be trusted.

The IP-based feature was implemented with the idea that some organizations may want to have a single Guacamole instance that services users both inside an existing corporate network or firewall and outside, and may want to enforce MFA for one set of users but not for another. In these cases, there are ways to safely determine which network boundaries a user is traversing in order to determine how many layers of authentication to put the user through. But, again, it should be done with care, trusting only the equipment and configurations you can control to make that determination.

-Nick
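An added example, not part of the message above and not Guacamole's code: one way to derive the client address only from proxies you control and to require MFA whenever that address cannot be established. The function names, the proxy address and the bypass network are hypothetical, constructed values.

```python
import ipaddress

# Constructed sample values (assumptions, not from the thread).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]      # load balancer you control
MFA_BYPASS_NETS = [ipaddress.ip_network("192.168.10.0/24")]  # internal user network


def _in_any(addr, networks):
    return any(addr in net for net in networks)


def resolve_client_ip(peer_ip, forwarded_for, trusted_proxies):
    """Return the client address as vouched for by trusted equipment, or None."""
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return None
    # Direct connection: the TCP peer is the client. Any X-Forwarded-For
    # value here was written by the client itself, so it is ignored.
    if not _in_any(peer, trusted_proxies):
        return peer
    if not forwarded_for:
        return None  # trusted proxy forwarded no address: cannot decide
    # Walk right to left: the rightmost entries were appended by our proxies;
    # everything left of the first untrusted hop is client-supplied.
    for hop in reversed([h.strip() for h in forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed chain: do not guess
        if not _in_any(addr, trusted_proxies):
            return addr
    return None  # chain contained only proxies


def mfa_required(peer_ip, forwarded_for, trusted_proxies=TRUSTED_PROXIES,
                 bypass_nets=MFA_BYPASS_NETS):
    """Fail safe: MFA is skipped only for a positively identified internal client."""
    client = resolve_client_ip(peer_ip, forwarded_for, trusted_proxies)
    if client is None:
        return True
    return not _in_any(client, bypass_nets)
```
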