[ https://issues.apache.org/jira/browse/GUACAMOLE-2138?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18020791#comment-18020791 ]

Trevor Kuhlengel commented on GUACAMOLE-2138:
---------------------------------------------

Thanks for the thoughts!  You raise some excellent points about RDP, and for 
RDP, AD-based timeouts would be an excellent best approach.

In our use case, we employ Guacamole to provide remote support to any of the 
thousands of our deployed product machines in the field.  In our case, we use 
X11vnc and SSH to provide remote access to those machines.  As far as I can 
determine, there is no way to terminate either X11vnc or SSH after a set limit, 
even if they are deployed on those machines. 

Therefore, having something like this in Guacamole would be very valuable to 
our use case. 

Whether we implement it per-connection (as a connection parameter or part of 
the connection template) or globally at the server level (which this PR focuses 
on) is something worth discussing and possibly having both mechanisms in place 
down the line if there's sufficient interest. 

> Add an optional maximum connection timeout
> ------------------------------------------
>
>                 Key: GUACAMOLE-2138
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-2138
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole
>         Environment: Any
>            Reporter: Trevor Kuhlengel
>            Priority: Minor
>              Labels: security
>             Fix For: 1.7.0
>
>
> In my company's business use case for Guacamole, for security and auditing 
> purposes, we need to be able to ensure that any idle user is disconnected and 
> logged off within a set period of time of idleness. 
> In an *ideal* version of this, we would do the following. 
>  # Check if user has interacted with connection in last X minutes, or if an 
> active SFTP transfer is happening on the connection.
>  # If not, terminate the user connection after X minutes of inactivity. 
>  # If they remain idle, Guacamole idle timer will log them out after the 
> pre-configured login idle timeout.
> This requires a lot of conditionals and would be more difficult to implement 
> and maintain in an on-going project like Guacamole. 
> A *more practical*, yet sufficient, version is:
>  # Admin sets a maximum duration of ANY connection, given in minutes. 
>  # Any connection that exceeds that duration, regardless of activity, is 
> terminated, while the user remains logged in.  They are free to reconnect if 
> the user is still active. 
>  # The login idle timeout starts when the connection ends. 
> This second option would meet our business need, and we would like to share 
> it with others. 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
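
The "more practical" variant from the issue description, as an added sketch that is not part of the original message and not Guacamole's code. The class, its method names and the 60- and 15-minute values are hypothetical; it models only how the connection cap and the login idle timer interact.

```java
import java.time.Duration;
import java.time.Instant;

// Hypothetical model, not Guacamole classes: one login session with at most one connection.
public class MaxConnectionDurationDemo {
    static final class Session {
        private final Duration maxConnection; // admin-set cap on ANY connection
        private final Duration loginIdle;     // pre-configured login idle timeout
        private Instant connectedAt;          // null while no connection is open
        private Instant idleSince;            // meaningful only while no connection is open
        private boolean loggedIn = true;
        Session(Duration maxConnection, Duration loginIdle, Instant loginTime) {
            this.maxConnection = maxConnection;
            this.loginIdle = loginIdle;
            this.idleSince = loginTime;
        }
        void connect(Instant now) {
            tick(now);
            if (!loggedIn) throw new IllegalStateException("login session expired");
            if (connectedAt != null) throw new IllegalStateException("already connected");
            connectedAt = now;
        }
        // Periodic sweep. User activity is deliberately not an input (the "practical" variant).
        void tick(Instant now) {
            if (connectedAt != null) {
                Instant deadline = connectedAt.plus(maxConnection);
                if (now.isBefore(deadline)) return;
                connectedAt = null;   // terminate the connection, keep the login
                idleSince = deadline; // login idle timer starts when the connection ends
            }
            if (loggedIn && !now.isBefore(idleSince.plus(loginIdle))) loggedIn = false;
        }
        String status() {
            if (!loggedIn) return "logged out";
            return connectedAt != null ? "connected" : "logged in, no connection";
        }
    }
    public static void main(String[] args) {
        Instant t0 = Instant.parse("2025-01-01T09:00:00Z"); // constructed timestamp
        Session s = new Session(Duration.ofMinutes(60), Duration.ofMinutes(15), t0);
        int[] sweepMinutes = {59, 61, 70, 131, 146};         // constructed sweep times
        s.connect(t0);
        for (int m : sweepMinutes) {
            Instant now = t0.plus(Duration.ofMinutes(m));
            if (m == 70) s.connect(now); else s.tick(now);  // user reconnects at minute 70
            System.out.println("t+" + m + " min: " + s.status());
        }
    }
}
```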
