  1. Guacamole
  2. GUACAMOLE-1898

Add prompting for SSH and SFTP credentials

Details

    • Wish
    • Status: Open
    • Minor
    • Resolution: Unresolved
    • None
    • None
    • SSH
    • None

    Description

      At present, Guacamole supports prompting users for additional connection information when such information is missing for RDP and VNC connections. I would like to suggest implementing the same for SFTP connections made from the Guacamole Menu, and perhaps for SSH connections generally. This would address use cases where users cannot authenticate the SSH connection with the same credentials as the RDP/VNC connection (one such case would be when using time-based passwords for SSH).

      There are some questions to be considered:

      1) Implement prompting just for SFTP (in an RDP/VNC session) or also for SSH connections generally?

      2) Make prompting configurable by the user (e.g. via a new connection setting `sftp-prompt-password`), or prompt automatically?

      Regarding 1: at present, SSH connections use the terminal to prompt the user for credentials. The advantage of this is that it accommodates any authentication flow, including flows that prompt the user for more than one password (e.g. 2FA, and some SSO solutions that work with custom login shells). So replacing the terminal login prompt with a Guacamole login prompt may be undesirable. By contrast, SFTP connections at present require pre-configured credentials, which makes them far less versatile than SSH connections.

      Regarding 2: using a new configuration option to enable prompting would mean that the user can decide whether to use a Guacamole prompt or the terminal to authenticate normal SSH connections, and thus address 1). But if it is preferred to enable prompts only for SFTP, the user could also be prompted automatically, if and only if: a) no key and no username or password has been supplied; b) the SSH server supports keyboard-interactive; c) login without password fails.

      So in summary, I would suggest:

      A) prompt for both SSH and SFTP connections if and only if the user has explicitly requested a Guacamole prompt through new configuration options.

      B) prompt only for SFTP connections when credentials are missing (analogous to how RDP/VNC credential prompting currently works).

          People

            Unassigned Unassigned
            dometto Dawa Ometto
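
The automatic-prompt conditions a) to c) from the description, written out as an added example (not Guacamole's code and not part of the original report). The struct, the function names and the reading of condition a) as "no key, and username or password missing" are assumptions; the method list is in the comma-separated form an SSH library reports.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical holder for the SFTP settings of a connection (names are
 * assumptions for this example, not guacd's own structures). */
typedef struct {
    const char* username;
    const char* password;
    const char* private_key;
} sftp_creds;

static bool is_set(const char* s) { return s != NULL && *s != '\0'; }

/* Exact-token lookup in a comma-separated SSH method list such as
 * "publickey,keyboard-interactive". A substring search would also match
 * extension names that merely contain the method name. */
bool method_offered(const char* list, const char* method) {
    size_t want = strlen(method);
    while (list != NULL && *list != '\0') {
        size_t len = strcspn(list, ",");
        if (len == want && strncmp(list, method, len) == 0)
            return true;
        list += len;
        if (*list == ',')
            list++;
    }
    return false;
}

/* Conditions a) to c) from the description. "none_auth_ok" is the outcome
 * of the login attempt without a password. */
bool should_prompt_sftp(const sftp_creds* c, const char* server_methods,
                        bool none_auth_ok) {
    bool missing = !is_set(c->private_key)                        /* a) */
                && (!is_set(c->username) || !is_set(c->password));
    return missing
        && method_offered(server_methods, "keyboard-interactive") /* b) */
        && !none_auth_ok;                                         /* c) */
}

int main(void) {
    sftp_creds user_only = { "alice", NULL, NULL }; /* constructed sample */
    printf("%d\n", should_prompt_sftp(&user_only,
               "publickey,keyboard-interactive", false));
    printf("%d\n", should_prompt_sftp(&user_only, "publickey,password", false));
    return 0;
}
```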