Per von Zweigbergk created GUACAMOLE-2045:
---------------------------------------------

Summary: Add ability to prompt for credentials for non-NLA connections
Key: GUACAMOLE-2045
URL: https://issues.apache.org/jira/browse/GUACAMOLE-2045
Project: Guacamole
Issue Type: Improvement
Components: RDP
Affects Versions: 1.5.5
Reporter: Per von Zweigbergk

In the current version of Guacamole, if no credentials are provided for an RDP connection, the default action is to connect the user to a full Windows desktop where the user may enter their credentials.

However, when NLA is enabled, guacd will instead request that guacamole-client prompts the user for a password in a web form. This is because a username and password are required before establishing a desktop connection when NLA is enabled.

In some ways, this user experience is superior, because it allows for easy copy/paste or form filling by password managers, whereas entering a password on the desktop does not allow for such an experience.

For this reason, it would be useful if there were a way to configure Guacamole so that such prompting happens on all types of connections, even if FreeRDP doesn't call back requesting it (such as for NLA).

I've done a quick survey of the source code as it stands. From my understanding the current implementation works like this:

In guacd, rdp.c, in the function guac_rdp_handle_connection, rdp_inst->Authenticate is set to rdp_freerdp_authenticate.

rdp_freerdp_authenticate (also defined in rdp.c) is called by FreeRDP when FreeRDP determines that credential prompting is required.

A quick survey of the FreeRDP source code seems to indicate that this prompting only happens where it's required, in NLA mode. There does not appear to be any way to hook FreeRDP to always call this callback.

My proposed implementation strategy is:

* Add a user-configurable setting to guacd, named something like a boolean in the rdp section named always_prompt_for_credentials.
* Check this global setting in guac_rdp_handle_connection, and call rdp_freerdp_authenticate early in this function if this is set.
* Update documentation for guacd to reflect the presence of this setting.

I'm happy to take a stab at patching guacd according to the strategy above, if this approach is deemed sufficient.

(It would probably be even better if it were added as a connection-level parameter, but that would require changes across both guacamole-server and guacd, and thus increase the scope of work significantly, so I'd rather not have to do that if I can get away with a simpler solution.)

--
This message was sent by Atlassian Jira (v8.20.10#820010)