[ 
https://issues.apache.org/jira/browse/GUACAMOLE-2138?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18020749#comment-18020749
 ] 

Nick Couchman commented on GUACAMOLE-2138:
------------------------------------------

A couple of thoughts, here - not that I'm opposed to doing something in 
Guacamole related to this, just thinking through this:
 * It's generally left up to the remote computers to enforce connection 
timeouts. This can be done on most RDP servers (Windows GPO handles it well for 
RDP to Windows, and, depending on your Desktop/Window manager for xrdp on 
Linux, there are some options for idle logout/timeout), and most of the modern 
Linux/UNIX shells have idle timeout options. While I understand that Guacamole 
is a convenient central point to enforce that if you're using it to manage 
Privileged Access and/or Jump/Bastion host-type stuff, is there any reason 
outside of convenience not to do it on the remote side?
 * Guacamole does have idle logout timers for the API/Web UI, so that should 
already be in place - however, "idle" in that context means no open/active 
connections and no API activity.

> Add an optional maximum connection timeout
> ------------------------------------------
>
>                 Key: GUACAMOLE-2138
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-2138
>             Project: Guacamole
>          Issue Type: Improvement
>          Components: guacamole
>    Affects Versions: 1.6.0
>         Environment: Any
>            Reporter: Trevor Kuhlengel
>            Priority: Minor
>              Labels: security
>
> In my company's business use case for Guacamole, for security and auditing 
> purposes, we need to be able to ensure that any idle user is disconnected and 
> logged off within a set period of time of idleness. 
> In an *ideal* version of this, we would do the following. 
>  # Check if user has interacted with connection in last X minutes, or if an 
> active SFTP transfer is happening on the connection.
>  # If not, terminate the user connection after X minutes of inactivity. 
>  # If they remain idle, Guacamole idle timer will log them out after the 
> pre-configured login idle timeout.
> This requires a lot of conditionals and would be more difficult to implement 
> and maintain in an on-going project like Guacamole. 
> A *more practical*, yet sufficient, version is:
>  # Admin sets a maximum duration of ANY connection, given in minutes. 
>  # Any connection that exceeds that duration, regardless of activity, is 
> terminated, while the user remains logged in.  They are free to reconnect if 
> the user is still active. 
>  # The login idle timeout starts when the connection ends. 
> This second option would meet our business need, and we would like to share 
> it with others. 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
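
A minimal model of the "more practical" option from the issue description, combined with the comment's definition of login idle (no open connections and no API activity). This is an added example, not Guacamole code: `Session`, `enforce`, `abandoned_session_timeline` and the minute-based clock are hypothetical. It shows that an abandoned session is fully logged out at the connection cap plus the login idle timeout.

```python
from dataclasses import dataclass, field

@dataclass
class Session:
    """One logged-in user (hypothetical model, not a Guacamole class)."""
    idle_since: float                                 # minutes; last API/Web UI activity
    connections: dict = field(default_factory=dict)   # connection id -> start minute
    logged_in: bool = True

def enforce(session, now, max_conn_minutes, login_idle_minutes):
    """Apply the policy at minute `now`; return the actions taken."""
    actions = []
    # Any connection past the cap is terminated, regardless of activity.
    for conn_id, started in list(session.connections.items()):
        ended = started + max_conn_minutes
        if now >= ended:
            del session.connections[conn_id]
            # The login idle timer starts when the connection ends.
            session.idle_since = max(session.idle_since, ended)
            actions.append(("terminate", conn_id, ended))
    # Login idle only accrues with no open connections and no API activity.
    if session.logged_in and not session.connections:
        deadline = session.idle_since + login_idle_minutes
        if now >= deadline:
            session.logged_in = False
            actions.append(("logout", None, deadline))
    return actions

def abandoned_session_timeline(max_conn_minutes, login_idle_minutes):
    """User connects at minute 0 and walks away; check once a minute."""
    s = Session(idle_since=0.0, connections={"rdp-1": 0.0})  # constructed sample
    timeline, now = [], 0
    while s.logged_in:
        timeline += enforce(s, now, max_conn_minutes, login_idle_minutes)
        now += 1
    return timeline

if __name__ == "__main__":
    for action in abandoned_session_timeline(60, 15):
        print(action)
```
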
