Dawa Ometto created GUACAMOLE-1898:
--------------------------------------
Summary: Add prompting for SSH and SFTP credentials
Key: GUACAMOLE-1898
URL: https://issues.apache.org/jira/browse/GUACAMOLE-1898
Project: Guacamole
Issue Type: New Feature
Components: SSH
Reporter: Dawa Ometto

At present, Guacamole supports prompting users for additional connection
information when such information is missing for RDP and VNC connections. I
would like to suggest implementing the same for SFTP connections made from the
Guacamole Menu, and perhaps for SSH connections generally. This would address
use cases where users cannot authenticate the SSH connection with the same
credentials as the RDP/VNC connection (one such case would be when using
time-based passwords for SSH).

There are some questions to be considered:
1) Implement prompting just for SFTP or for all SSH connections?
2) Make prompting configurable by the user (e.g. via a new connection setting
`sftp-prompt-password`), or prompt automatically?

Regarding 1: at present, SSH connections use the terminal to prompt the user
for credentials. The advantage of this is that it accommodates any
authentication flow, including flows that prompt the user for more than one
password (e.g. 2FA, and some SSO solutions that work with custom login shells).
So replacing the terminal login prompt with a Guacamole login prompt may be
undesirable. By contrast, SFTP connections at present require pre-configured
credentials, which makes them far less versatile than SSH connections.

Regarding 2: using a new configuration option to enable prompting would mean
that the user can decide whether to use a Guacamole prompt or the terminal to
authenticate normal SSH connections, and thus address 1). But if it is
preferred to enable prompts only for SFTP, the user could also be prompted
automatically, if and only if:
a) no key and no username or password has been supplied;
b) SSH server supports keyboard-interactive;
c) login without password fails.

So in summary, I would suggest the following:
A) prompt for both SSH and SFTP connections if and only if the user has
explicitly requested a Guacamole prompt through new configuration options.
B) prompt only for SFTP connections when credentials are missing (analogous to
how RDP/VNC credential prompting currently works).
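The automatic-prompt rule proposed in the issue (conditions a, b and c), written out as an added example; it is not part of the original message and is not Guacamole code. The struct and function names are hypothetical, condition a) is read here as "no private key, and username or password missing", and the method list is assumed to be the comma-separated name-list an SSH server returns when it rejects a "none" authentication request (RFC 4252).

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical settings struct; NULL means "not configured". */
struct sftp_creds {
    const char *username;
    const char *password;
    const char *private_key;
};

/* Exact-token lookup in a name-list such as "publickey,keyboard-interactive".
 * A substring search would wrongly match a different method name like
 * "x-keyboard-interactive@example.com" (constructed name). */
bool method_offered(const char *methods, const char *name) {
    size_t n = strlen(name);
    if (methods == NULL || n == 0) return false;
    for (const char *p = methods; *p != '\0'; ) {
        size_t len = strcspn(p, ",");
        if (len == n && memcmp(p, name, n) == 0) return true;
        p += len;
        if (*p == ',') p++;
    }
    return false;
}

/* Conditions a), b), c) from the issue. 'methods' is the name-list from the
 * rejected "none" request; none_auth_ok is true if that request already
 * authenticated the session, in which case no prompt is needed. */
bool should_prompt_sftp(const struct sftp_creds *c, const char *methods,
                        bool none_auth_ok) {
    bool missing = c->private_key == NULL &&
                   (c->username == NULL || c->password == NULL);  /* a */
    bool kbd = method_offered(methods, "keyboard-interactive");   /* b */
    return missing && kbd && !none_auth_ok;                       /* c */
}

int main(void) {
    /* Constructed sample: nothing configured, server offers both methods. */
    struct sftp_creds c = { NULL, NULL, NULL };
    return should_prompt_sftp(&c, "publickey,keyboard-interactive", false) ? 0 : 1;
}
```

Because the rule only fires when credentials are missing, a connection with a configured key or a full username and password pair never falls through to an interactive prompt.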