Posted to dev@vcl.apache.org by Dmitri Chebotarov <dc...@gmu.edu> on 2012/05/25 17:25:00 UTC

"Preferred Password" under User Preferences ?

Hi 

Would it be possible, and is it a good idea in general due to possible security risks, to add a "Preferred Password" field on the User Preferences page (under RDP File Preferences or Personal Information?) to allow a user to provide a password for all his/her reservations?

Then VCL would use this password (if it's there) for reservations instead of the auto-generated password.

This is not an auto-connect option, but at least it will make it easier to use VCL.
For the last couple days I've been using VCL for some testing and it would be nice to have the same password for all my reservations.

--
Thank you,

Dmitri Chebotarov
Virtual Computing Lab Systems Engineer, TSD - Ent Servers & Messaging
223 Aquia Building, Ffx, MSN: 1B5
Phone: (703) 993-6175
Fax: (703) 993-3404


Re: "Preferred Password" under User Preferences ?

Posted by Dmitri Chebotarov <dc...@gmu.edu>.
Hi

There seems to be an issue with pGina and VCL.
One of the reservation steps for a Windows image is to auto-login user 'root' on 1st boot to configure the SSHD service.
The current version of pGina (3.0.12.1) doesn't support auto-login, so the reservation fails.

I've contacted the pGina developers about an auto-login option; it will be added to pGina 3.1 (next release, no due date). pGina 3.1.2.0 BETA doesn't have the auto-login option yet.

Thanks.

On Jul 3, 2012, at 15:15 , Dmitri Chebotarov wrote:

> Hi
> 
> Would LDAP authentication be better choice? In this case password policy already enforced by central LDAP server.
> Users would login to reservations using the same credentials as for VCL front-end (which uses LDAP auth) 
> 
> Linux already has built-in support for LDAP authentication. 
> 
> pGina works well for Windows images. I've not used pGina for extended period of time, done some tests and it looks good. 
> 
> 
> Thanks.
> 
> On May 30, 2012, at 12:11 , Josh Thompson wrote:
> 
>> Dmitri,
>> 
>> I like this idea as well.  I think to do it right, there should be password 
>> strength enforcing criteria in place to make sure users have strong passwords.  
>> I also agree with others that it should be a configurable options.  Can you go 
>> ahead and create a JIRA issue for this?
>> 
>> Thanks,
>> Josh
>> 
>> On Friday, May 25, 2012 11:25:00 AM Dmitri Chebotarov wrote:
>>> Hi
>>> 
>>> Would it be possible, and is it good idea in general due to possible
>>> security risks, to add "Preferred Password" field on User Preferences page
>>> (under RDP File Preferences or Personal Information?) to allow user to
>>> provide a password for all his/her reservations?
>>> 
>>> Then VCL would use this password (if it's there) for reservations instead of
>>> auto-generated password.
>>> 
>>> This is not an auto-connect option, but at least it will make it easier to
>>> use VCL. For the last couple days I've been using VCL for some testing and
>>> it would be nice to have the same password for all my reservations.
>>> 
>>> --
>>> Thank you,
>>> 
>>> Dmitri Chebotarov
>>> Virtual Computing Lab Systems Engineer, TSD - Ent Servers & Messaging
>>> 223 Aquia Building, Ffx, MSN: 1B5
>>> Phone: (703) 993-6175
>>> Fax: (703) 993-3404
>> - -- 
>> - -------------------------------
>> Josh Thompson
>> VCL Developer
>> North Carolina State University
>> 
>> my GPG/PGP key can be found at pgp.mit.edu
>> 
>> All electronic mail messages in connection with State business which
>> are sent to or received by this account are subject to the NC Public
>> Records Law and may be disclosed to third parties.
> 
> 
> 
> --
> Thank you,
> 
> Dmitri Chebotarov
> Virtual Computing Lab Systems Engineer, TSD - Ent Servers & Messaging
> 223 Aquia Building, Ffx, MSN: 1B5
> Phone: (703) 993-6175
> Fax: (703) 993-3404
> 



--
Thank you,

Dmitri Chebotarov
Virtual Computing Lab Systems Engineer, TSD - Ent Servers & Messaging
223 Aquia Building, Ffx, MSN: 1B5
Phone: (703) 993-6175
Fax: (703) 993-3404


Re: "Preferred Password" under User Preferences ?

Posted by Josh Thompson <jo...@ncsu.edu>.

I think it falls under the security vs. convenience category.  Ideally, 
everyone would use a different multi-word pass phrase for every account they 
deal with.  However, that's not very convenient.  I like having the option to 
allow sites to set up using the same password for the end nodes as for the web 
site.  What I like even better is being able to generate long random passwords 
for each reservation with a way to pass that on to the remote viewer client 
(RDP, ssh, VNC, etc), but we haven't been able to solve that one yet (some 
good ideas though).

Josh

On Thursday, July 05, 2012 2:52:57 PM Henry Schaffer wrote:
> On Tue, Jul 3, 2012 at 3:15 PM, Dmitri Chebotarov <dc...@gmu.edu> wrote:
> > Hi
> > 
> > Would LDAP authentication be better choice? In this case password policy
> > already enforced by central LDAP server. Users would login to
> > reservations using the same credentials as for VCL front-end (which uses
> > LDAP auth) ...
> 
>   I was under the impression that having two separate passwords - the
> user's own which is used to login in to the front end (often using
> LDAP), and then the one-time password used to log into a reservation
> enhanced security by tying together the web front-end session with the
> image reservation.
> 
>   If this is correct, then perhaps using the same LDAP credentials is
> a step backwards.
> 
> --henry schaffer
--
-------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found at pgp.mit.edu

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.


Re: "Preferred Password" under User Preferences ?

Posted by Henry Schaffer <he...@ncsu.edu>.
On Tue, Jul 3, 2012 at 3:15 PM, Dmitri Chebotarov <dc...@gmu.edu> wrote:
> Hi
>
> Would LDAP authentication be better choice? In this case password policy already enforced by central LDAP server.
> Users would login to reservations using the same credentials as for VCL front-end (which uses LDAP auth)
> ...

  I was under the impression that having two separate passwords - the
user's own which is used to log in to the front end (often using
LDAP), and then the one-time password used to log into a reservation
enhanced security by tying together the web front-end session with the
image reservation.

  If this is correct, then perhaps using the same LDAP credentials is
a step backwards.

--henry schaffer

Re: "Preferred Password" under User Preferences ?

Posted by Dmitri Chebotarov <dc...@gmu.edu>.
Hi

Would LDAP authentication be a better choice? In this case the password policy is already enforced by the central LDAP server.
Users would log in to reservations using the same credentials as for the VCL front-end (which uses LDAP auth).

Linux already has built-in support for LDAP authentication.

pGina works well for Windows images. I've not used pGina for an extended period of time; I've done some tests and it looks good.


Thanks.

On May 30, 2012, at 12:11 , Josh Thompson wrote:

> Dmitri,
> 
> I like this idea as well.  I think to do it right, there should be password 
> strength enforcing criteria in place to make sure users have strong passwords.  
> I also agree with others that it should be a configurable options.  Can you go 
> ahead and create a JIRA issue for this?
> 
> Thanks,
> Josh
> 
> On Friday, May 25, 2012 11:25:00 AM Dmitri Chebotarov wrote:
> > Hi
> > 
> > Would it be possible, and is it good idea in general due to possible
> > security risks, to add "Preferred Password" field on User Preferences page
> > (under RDP File Preferences or Personal Information?) to allow user to
> > provide a password for all his/her reservations?
> > 
> > Then VCL would use this password (if it's there) for reservations instead of
> > auto-generated password.
> > 
> > This is not an auto-connect option, but at least it will make it easier to
> > use VCL. For the last couple days I've been using VCL for some testing and
> > it would be nice to have the same password for all my reservations.
> > 
> > --
> > Thank you,
> > 
> > Dmitri Chebotarov
> > Virtual Computing Lab Systems Engineer, TSD - Ent Servers & Messaging
> > 223 Aquia Building, Ffx, MSN: 1B5
> > Phone: (703) 993-6175
> > Fax: (703) 993-3404
> - -- 
> - -------------------------------
> Josh Thompson
> VCL Developer
> North Carolina State University
> 
> my GPG/PGP key can be found at pgp.mit.edu
> 
> All electronic mail messages in connection with State business which
> are sent to or received by this account are subject to the NC Public
> Records Law and may be disclosed to third parties.



--
Thank you,

Dmitri Chebotarov
Virtual Computing Lab Systems Engineer, TSD - Ent Servers & Messaging
223 Aquia Building, Ffx, MSN: 1B5
Phone: (703) 993-6175
Fax: (703) 993-3404


Re: "Preferred Password" under User Preferences ?

Posted by Josh Thompson <jo...@ncsu.edu>.

Dmitri,

I like this idea as well.  I think to do it right, there should be password 
strength enforcing criteria in place to make sure users have strong passwords.  
I also agree with others that it should be a configurable option.  Can you go 
ahead and create a JIRA issue for this?

Thanks,
Josh

On Friday, May 25, 2012 11:25:00 AM Dmitri Chebotarov wrote:
> Hi
> 
> Would it be possible, and is it good idea in general due to possible
> security risks, to add "Preferred Password" field on User Preferences page
> (under RDP File Preferences or Personal Information?) to allow user to
> provide a password for all his/her reservations?
> 
> Then VCL would use this password (if it's there) for reservations instead of
> auto-generated password.
> 
> This is not an auto-connect option, but at least it will make it easier to
> use VCL. For the last couple days I've been using VCL for some testing and
> it would be nice to have the same password for all my reservations.
> 
> --
> Thank you,
> 
> Dmitri Chebotarov
> Virtual Computing Lab Systems Engineer, TSD - Ent Servers & Messaging
> 223 Aquia Building, Ffx, MSN: 1B5
> Phone: (703) 993-6175
> Fax: (703) 993-3404
--
-------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found at pgp.mit.edu

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.


Re: "Preferred Password" under User Preferences ?

Posted by Aaron Coburn <ac...@amherst.edu>.
I agree with Mark for the same reasons.

I would add, though, that there are ways to make "auto-connect" work.

We have a single-click, auto-connect system working in our VCL installation. The basic principle is to define a protocol handler and format the URI so that it is understandable to the target RDP application.

There are trade-offs (of course) with this approach, but it makes the VCL much more user-friendly while retaining the security of randomized credentials. Basically, I wrote some front-end web code so that when a user lands on the "Connect to your reservation" page, he or she can select the desired screen size (the default is set in user preferences) and click on "Connect".

(A screen shot is below.)

That action generates a URI such as the following:

rdp://{username}:{password}@{host}?forwardDisks=yes&forwardPrinters=yes... (and so on with all the appropriate parameters)

The first time a browser encounters an unknown protocol such as rdp://, it will prompt the user for a 'default application' to associate with that. The user can select an application to use and then the login happens immediately.

The next question is which applications can handle URIs using the rdp protocol?

For OS X, the answer is easy: CoRD. You can just request that users install that application. CoRD doesn't handle sound, so if that is necessary, your users can still use MS Remote Desktop Client; they will just have to manually enter their credentials.

For Linux users, RDesktop can be started from the command line with a supplied username and password. So I simply wrote a perl script that parses the rdp:// URI and translates it into an appropriate command.

For Windows, it is a bit trickier. Basically, the protocol handlers are defined in the system registry, and Windows' built-in RDP client doesn't accept passwords from the command line. So in order to solve both issues, I wrote a .NET application that, upon installation, defines the appropriate protocol handler in the registry and installs an application that can parse it. The application is really just a thin wrapper around Microsoft's terminal services library. I don't believe I can distribute the code for this, but I can certainly give you some pointers on how to write something similar yourself.

Obviously, this doesn't work for iOS devices.

Best regards,
Aaron




--
Aaron Coburn
Systems Administrator and Programmer
Academic Technology Services, Amherst College
acoburn@amherst.edu






On May 25, 2012, at 11:35 AM, Mark Gardner wrote:

In general, I would rather keep things as they are. But if that
capability is added, I would prefer to have it be an option as the
current one-time random password is much more secure. (Our experience
is that users generally pick poor passwords. Perhaps this can be a
development-only option?)

Mark

On Fri, May 25, 2012 at 11:25 AM, Dmitri Chebotarov <dc...@gmu.edu> wrote:
Hi

Would it be possible, and is it good idea in general due to possible security risks, to add "Preferred Password" field on User Preferences page (under RDP File Preferences or Personal Information?) to allow user to provide a password for all his/her reservations?

Then VCL would use this password (if it's there) for reservations instead of auto-generated password.

This is not an auto-connect option, but at least it will make it easier to use VCL.
For the last couple days I've been using VCL for some testing and it would be nice to have the same password for all my reservations.

--
Thank you,

Dmitri Chebotarov
Virtual Computing Lab Systems Engineer, TSD - Ent Servers & Messaging
223 Aquia Building, Ffx, MSN: 1B5
Phone: (703) 993-6175
Fax: (703) 993-3404




--
Mark Gardner
--
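
The Linux-side handler described in the message above (parse the rdp:// URI, translate it into an rdesktop command), sketched as an added example; it is not Aaron's Perl script or any VCL code. The function name, the character allow-lists, the share_dir/printer settings and the sample paths are assumptions; the password is handed to rdesktop on stdin ("-p -") so the one-time credential stays out of the process list.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed allow-lists (not from the thread): plain host names / IPv4 and simple
# account names. A host starting with "-" would be parsed by rdesktop as an option.
HOST_RE = re.compile(r"(?!-)[A-Za-z0-9.-]{1,253}")
USER_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")


class RejectedURI(ValueError):
    """Raised when the handler should refuse to launch a client."""


def rdp_uri_to_rdesktop(uri, share_dir=None, printer=None):
    """Translate rdp://user:pass@host?... into (argv, stdin_bytes) for rdesktop.

    share_dir and printer are local settings chosen by whoever installs the
    handler; the URI can only switch forwarding on, never pick the path.
    """
    # Raw whitespace or control bytes never belong in a URI a browser hands over.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in uri):
        raise RejectedURI("whitespace or control character in URI")
    try:
        parts = urlsplit(uri)
        port = parts.port
    except ValueError as exc:
        raise RejectedURI(str(exc))
    if parts.scheme != "rdp" or parts.path not in ("", "/") or parts.fragment:
        raise RejectedURI("not a bare rdp://user:password@host URI")
    if not (parts.username and parts.password and parts.hostname):
        raise RejectedURI("username, password and host are required")

    user, password = unquote(parts.username), unquote(parts.password)
    if not USER_RE.fullmatch(user) or not HOST_RE.fullmatch(parts.hostname):
        raise RejectedURI("username or host outside the allowed character set")
    # The password is sent to rdesktop as one line on stdin; an embedded line
    # break (for example from %0A) would truncate it or smuggle extra input.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in password):
        raise RejectedURI("control character in password")

    query = parse_qs(parts.query)
    argv = ["rdesktop", "-u", user, "-p", "-"]  # "-p -": read password from stdin
    if query.get("forwardDisks") == ["yes"] and share_dir:
        argv += ["-r", "disk:share=" + share_dir]
    if query.get("forwardPrinters") == ["yes"] and printer:
        argv += ["-r", "printer:" + printer]
    # Any other query parameter is ignored rather than passed through.
    argv.append(parts.hostname if port is None else "%s:%d" % (parts.hostname, port))
    return argv, password.encode() + b"\n"


if __name__ == "__main__":
    import subprocess
    import sys
    try:
        cmd, secret = rdp_uri_to_rdesktop(sys.argv[1], share_dir="/tmp/vcl-share")
    except (IndexError, RejectedURI) as err:
        sys.exit("refusing to connect: %s" % err)
    # argv list, no shell: nothing in the URI is ever interpreted by /bin/sh.
    subprocess.run(cmd, input=secret, check=False)
```
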


Re: "Preferred Password" under User Preferences ?

Posted by Mark Gardner <mk...@vt.edu>.
In general, I would rather keep things as they are. But if that
capability is added, I would prefer to have it be an option as the
current one-time random password is much more secure. (Our experience
is that users generally pick poor passwords. Perhaps this can be a
development-only option?)

Mark

On Fri, May 25, 2012 at 11:25 AM, Dmitri Chebotarov <dc...@gmu.edu> wrote:
> Hi
>
> Would it be possible, and is it good idea in general due to possible security risks, to add "Preferred Password" field on User Preferences page (under RDP File Preferences or Personal Information?) to allow user to provide a password for all his/her reservations?
>
> Then VCL would use this password (if it's there) for reservations instead of auto-generated password.
>
> This is not an auto-connect option, but at least it will make it easier to use VCL.
> For the last couple days I've been using VCL for some testing and it would be nice to have the same password for all my reservations.
>
> --
> Thank you,
>
> Dmitri Chebotarov
> Virtual Computing Lab Systems Engineer, TSD - Ent Servers & Messaging
> 223 Aquia Building, Ffx, MSN: 1B5
> Phone: (703) 993-6175
> Fax: (703) 993-3404
>



-- 
Mark Gardner
--
