[
https://issues.apache.org/jira/browse/GUACAMOLE-2045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17938521#comment-17938521
]
Nick Couchman commented on GUACAMOLE-2045:
------------------------------------------
[~pv2b]: You're more than welcome to take a stab at an implementation and
submit a PR. I think it would be a perfectly acceptable addition.
I do think that a per-connection parameter is the correct way to go - if
implemented correctly in guacd, the only changes required to guacamole-client
would be the addition of the parameter configuration in each of the protocol
.json files and the translation strings for it.
> Add ability to prompt for credentials for non-NLA connections
> -------------------------------------------------------------
>
> Key: GUACAMOLE-2045
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-2045
> Project: Guacamole
> Issue Type: Improvement
> Components: RDP
> Affects Versions: 1.5.5
> Reporter: Per von Zweigbergk
> Priority: Minor
>
> In the current version of Guacamole, if no credentials are provided for an
> RDP connection, the default action is to connect the user to a full Windows
> desktop where the user may enter their credentials.
> However, when NLA is enabled, guacd will instead request that
> guacamole-client prompts the user for a password in a web form. This is
> because a username and password is required before establishing a desktop
> connection when NLA is enabled.
> In some ways, this user experience is superior, because it allows for easy
> copy/paste or form filling by password managers, whereas entering a password
> on the desktop does not allow for such an experience.
> For this reason, it would be useful if there would be a way to configure
> Guacamole, so that such prompting happens on all types of connections, even
> if FreeRDP doesn't callback requesting it (such as for NLA).
> I've done a quick survey of the source code as it stands. From my
> understanding the current implementation works like this:
> In guacd, rdp.c, in the function guac_rdp_handle_connection,
> rdp_inst->Authenticate is set to rdp_freerdp_authenticate.
> rdp_freerdp_authenticate (also defined in rdp.c) is called by FreeRDP when
> FreeRDP determines that credential prompting is required. A quick survey of
> the FreeRDP source code seems to indicate that this prompting only happens
> where it's required, in NLA mode. There does not appear to be any way to hook
> FreeRDP to always call this callback.
> My proposed implementation strategy is:
> * Add a user-configurable setting to guacd, named something like a boolean
> in the rdp section named always_prompt_for_credentials.
> * Check this global setting in guac_rdp_handle_connection, and call
> rdp_freerdp_authenticate early in this function if this is set.
> * Update documentation for guacd to reflect the presence of this setting.
> I'm happy to take a stab at patching guacd according to the strategy above,
> if this approach is deemed sufficient.
> (It would probably be even better if it were added as a connection-level
> parameter, but that would require changes across both guacamole-server and
> guacd, and thus increase the scope of work significantly, so I'd rather not
> have to do that if I can get away with a simpler solution.)
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
