[ https://issues.apache.org/jira/browse/GUACAMOLE-2045?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17939047#comment-17939047 ]
Per von Zweigbergk commented on GUACAMOLE-2045:
-----------------------------------------------

I've made the following 3 draft PRs to implement this:

[https://github.com/apache/guacamole-server/pull/580]
[https://github.com/apache/guacamole-client/pull/1069]
[https://github.com/apache/guacamole-manual/pull/270]

However: So I wrote this code with the justification provided in GUACAMOLE-2045. However, when testing it, I discovered that this is probably entirely unnecessary, because there seems to be some change in behaviour where FreeRDP 3 already does this by itself. Because of that, I had to test this code against FreeRDP 2.

I'm putting the code out there because I already wrote it, but I think I need to figure out what's changed in FreeRDP to change this behaviour first, to see if this is even an idea that makes any sense. There may be a different undesired behavioural change here, where it's no longer possible to get the graphical credential screen on a non-NLA server. I'm not entirely sure what's going on here yet, something doesn't make sense.

> Add ability to prompt for credentials for non-NLA connections
> -------------------------------------------------------------
>
> Key: GUACAMOLE-2045
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-2045
> Project: Guacamole
> Issue Type: Improvement
> Components: RDP
> Affects Versions: 1.5.5
> Reporter: Per von Zweigbergk
> Priority: Minor
>
> In the current version of Guacamole, if no credentials are provided for an
> RDP connection, the default action is to connect the user to a full Windows
> desktop where the user may enter their credentials.
>
> However, when NLA is enabled, guacd will instead request that
> guacamole-client prompts the user for a password in a web form. This is
> because a username and password is required before establishing a desktop
> connection when NLA is enabled.
>
> In some ways, this user experience is superior, because it allows for easy
> copy/paste or form filling by password managers, whereas entering a password
> on the desktop does not allow for such an experience.
>
> For this reason, it would be useful if there would be a way to configure
> Guacamole, so that such prompting happens on all types of connections, even
> if FreeRDP doesn't callback requesting it (such as for NLA).
>
> I've done a quick survey of the source code as it stands. From my
> understanding the current implementation works like this:
>
> In guacd, rdp.c, in the function guac_rdp_handle_connection,
> rdp_inst->Authenticate is set to rdp_freerdp_authenticate.
>
> rdp_freerdp_authenticate (also defined in rdp.c) is called by FreeRDP when
> FreeRDP determines that credential prompting is required. A quick survey of
> the FreeRDP source code seems to indicate that this prompting only happens
> where it's required, in NLA mode. There does not appear to be any way to hook
> FreeRDP to always call this callback.
>
> My proposed implementation strategy is:
>
> * Add a user-configurable setting to guacd, named something like a boolean
> in the rdp section named always_prompt_for_credentials.
> * Check this global setting in guac_rdp_handle_connection, and call
> rdp_freerdp_authenticate early in this function if this is set.
> * Update documentation for guacd to reflect the presence of this setting.
>
> I'm happy to take a stab at patching guacd according to the strategy above,
> if this approach is deemed sufficient.
>
> (It would probably be even better if it were added as a connection-level
> parameter, but that would require changes across both guacamole-server and
> guacd, and thus increase the scope of work significantly, so I'd rather not
> have to do that if I can get away with a simpler solution.)

--
This message was sent by Atlassian Jira (v8.20.10#820010)