[ https://issues.apache.org/jira/browse/GUACAMOLE-1898?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17799855#comment-17799855 ]

Nick Couchman commented on GUACAMOLE-1898:
------------------------------------------

[~dometto]: Feel free to work on the PR - contribution guidelines are located here: https://guacamole.apache.org/open-source/.

> Add prompting for SSH and SFTP credentials
> ------------------------------------------
>
>                 Key: GUACAMOLE-1898
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1898
>             Project: Guacamole
>          Issue Type: Wish
>          Components: SSH
>            Reporter: Dawa Ometto
>            Priority: Minor
>
> At present, Guacamole supports prompting users for additional connection
> information when such information is missing for RDP and VNC connections. I
> would like to suggest implementing the same for SFTP connections made from
> the Guacamole Menu, and perhaps for SSH connections generally. This would
> address use cases where users cannot authenticate the SSH connection with the
> same credentials as the RDP/VNC connection (one such case would be when using
> time-based passwords for SSH).
>
> There are some questions to be considered:
>
> 1) Implement prompting just for SFTP (in an RDP/VNC session) or also for SSH
> connections generally?
> 2) Make prompting configurable by the user (e.g. via a new connection setting
> `sftp-prompt-password`), or prompt automatically?
>
> Regarding 1: at present, SSH connections use the terminal to prompt the user
> for credentials. The advantage of this is that it accommodates any
> authentication flow, including flows that prompt the user for more than one
> password (e.g. 2FA, and some SSO solutions that work with custom login
> shells). So replacing the terminal login prompt with a Guacamole login prompt
> may be undesirable. By contrast, SFTP connections at present require
> pre-configured credentials, which makes them far less versatile than SSH
> connections.
>
> Regarding 2: using a new configuration option to enable prompting would mean
> that the user can decide whether to use a Guacamole prompt or the terminal to
> authenticate normal SSH connections, and thus address 1). But if it is
> preferred to enable prompts only for SFTP, the user could also be prompted
> automatically, if and only if:
> a) no key and no username or password has been supplied
> b) SSH server supports keyboard-interactive
> c) login without password fails.
>
> So in summary, I would suggest to:
>
> A) prompt for both SSH and SFTP connections if and only if the user has
> explicitly requested a Guacamole prompt through new configuration options.
> B) prompt only for SFTP connections when credentials are missing (analogous
> to how RDP/VNC credential prompting currently works).

--
This message was sent by Atlassian Jira
(v8.20.10#820010)