[ 
https://issues.apache.org/jira/browse/GUACAMOLE-2138?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18020823#comment-18020823
 ] 

Nick Couchman commented on GUACAMOLE-2138:
------------------------------------------

[~tkuhlengel] With SSH I know there are several ways to set idle time limits:

[https://linuxhandbook.com/auto-logout-linux/]

For X11vnc, I would think it would be similar to xrdp where you'd have to do it 
in the Window Manager (xfce, Gnome, etc.), but that may not be universally 
available.

Anyway, I think having it in Guacamole and setting it on a per-connection basis 
is a valid way to do it. A couple of other things to think about:
 * If you do it the way you're proposing it in the pull request, completely on 
the client-side, then this would need to be a connection _attribute_ rather 
than a connection _parameter_. Guacamole makes a distinction between those -
attributes being things that do not get passed on to guacd as part of the 
connection process, and parameters the items that do get passed on to guacd.
 * This could probably, instead, be done on the guacd side, using a connection 
_parameter_ and have guacd measure and manage the idle time. The major reason I 
can see for doing it this way would be that it would allow implementations that 
do not use the stock Guacamole Client to benefit from that capability, and it 
may be a bit cleaner in terms of managing the connection state between guacd 
and the remote system.
 * Either way, it might be nice to make sure there is some sort of signalling 
between the client and guacd components to make sure that one isn't left 
waiting for the other - that is, if the Java side shuts down an idle tunnel, 
make sure that it is signalling guacd to close the connection (assuming that is 
the last remaining tunnel); if it is the guacd side closing it down, make sure 
that it is sending the correct closure code back to the tunnel to indicate that 
it has been closed.

> Add an optional maximum connection timeout
> ------------------------------------------
>
>                 Key: GUACAMOLE-2138
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-2138
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole
>         Environment: Any
>            Reporter: Trevor Kuhlengel
>            Priority: Minor
>              Labels: security
>             Fix For: 1.7.0
>
>
> In my company's business use case for Guacamole, for security and auditing 
> purposes, we need to be able to ensure that any idle user is disconnected and 
> logged off within a set period of time of idleness. 
> In an *ideal* version of this, we would do the following. 
>  # Check if user has interacted with connection in last X minutes, or if an 
> active SFTP transfer is happening on the connection.
>  # If not, terminate the user connection after X minutes of inactivity. 
>  # If they remain idle, Guacamole idle timer will log them out after the 
> pre-configured login idle timeout.
> This requires a lot of conditionals and would be more difficult to implement 
> and maintain in an on-going project like Guacamole. 
> A *more practical*, yet sufficient, version is:
>  # Admin sets a maximum duration of ANY connection, given in minutes. 
>  # Any connection that exceeds that duration, regardless of activity, is 
> terminated, while the user remains logged in.  They are free to reconnect if 
> the user is still active. 
>  # The login idle timeout starts when the connection ends. 
> This second option would meet our business need, and we would like to share 
> it with others. 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
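
Added example, not part of the original message, the pull request, or the Guacamole code base: a small model of the two policies in the issue (idle limit that respects active SFTP transfers, and a hard maximum duration) with a single close notification so the other side learns why the connection ended. All names are hypothetical, and treating the end of a transfer as activity is an assumption.

```javascript
// Added illustration: names below are hypothetical, not Guacamole or guacd APIs.
// Times are plain millisecond timestamps so the logic can be driven by any clock.
class ConnectionTimeLimit {
  constructor({ startedAt, maxDurationMs = 0, idleLimitMs = 0 }) {
    this.startedAt = startedAt;
    this.maxDurationMs = maxDurationMs;   // 0 disables the hard cap
    this.idleLimitMs = idleLimitMs;       // 0 disables the idle check
    this.lastInteraction = startedAt;
    this.activeTransfers = 0;
    this.closed = null;                   // { reason, at } once terminated
  }

  // Call on keyboard/mouse input from the user.
  recordInteraction(now) {
    if (!this.closed) this.lastInteraction = now;
  }

  // Call when an SFTP transfer starts and again when it ends.
  transferStarted() { this.activeTransfers++; }
  transferFinished(now) {
    if (this.activeTransfers > 0) this.activeTransfers--;
    // Assumption: the end of a transfer counts as activity, restarting the idle clock.
    this.recordInteraction(now);
  }

  // Returns null while the connection may stay open, otherwise the reason to close it.
  evaluate(now) {
    if (this.maxDurationMs > 0 && now - this.startedAt >= this.maxDurationMs)
      return 'max-duration';
    if (this.idleLimitMs > 0 && this.activeTransfers === 0 &&
        now - this.lastInteraction >= this.idleLimitMs)
      return 'idle';
    return null;
  }

  // Periodic tick: closes at most once and tells the peer why via notifyPeer(reason).
  enforce(now, notifyPeer) {
    if (this.closed) return this.closed;
    const reason = this.evaluate(now);
    if (reason === null) return null;
    this.closed = { reason, at: now };    // login idle timeout would start from `at`
    notifyPeer(reason);
    return this.closed;
  }
}

const MIN = 60 * 1000;
```

The same object works on either side of the tunnel; only the `notifyPeer` callback differs depending on which component detects the expiry.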
