Posted to issues@guacamole.apache.org by "Mike Jumper (Jira)" <ji...@apache.org> on 2021/04/23 21:30:00 UTC

[jira] [Commented] (GUACAMOLE-1332) [Documentation] rdp connection : undocumented alternative to "Ignore server certificate" and .config/freerdp/known_hosts2

    [ https://issues.apache.org/jira/browse/GUACAMOLE-1332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17331065#comment-17331065 ] 

Mike Jumper commented on GUACAMOLE-1332:
----------------------------------------

{quote}
[Documentation] rdp connection : undocumented alternative to "Ignore server certificate" and .config/freerdp/known_hosts2
{quote}

I think the issue here is not that {{.config/freerdp/}} needs to be documented, but that we should provide an additional RDP connection parameter for specifying the certificate/fingerprint/etc. similar to that provided for SSH via GUACAMOLE-527.

It's a design decision within Guacamole that connection-specific behavior should be determined by the connection parameters alone, with those parameters being fed to guacd by the Guacamole protocol from arbitrary sources/processes that are _opaque_ to guacd. It's this architecture that allows guacd to exist independently of the concerns of the webapp, and allows the webapp to flexibly rely on a file, a database, LDAP, or just about anything an extension author can dream up. Having an option that relies purely on server-side configuration files to determine connection behavior would go against that.

Guacamole is not specifically intended to use {{.config/freerdp/}} at all. In fact, if there were an option to avoid the directory entirely, I think we would jump on that. The way that the FreeRDP library currently depends on successfully creating that directory, even if nothing is going to be written there, results in issues like GUACAMOLE-931.


> [Documentation] rdp connection : undocumented alternative to "Ignore server certificate" and .config/freerdp/known_hosts2
> -------------------------------------------------------------------------------------------------------------------------
>
>                 Key: GUACAMOLE-1332
>                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1332
>             Project: Guacamole
>          Issue Type: Wish
>          Components: guacd
>         Environment: Debian buster guacamole 1.3.0
>            Reporter: Bastien
>            Priority: Minor
>              Labels: FreeRDP
>         Attachments: guacamole.log
>
>
> Hello,
> I spent a whole day configuring an RDP connection without using "Ignore server certificate". I use an xrdp server with a self-signed certificate (end goal is a signed certificate from PKI). I didn't find how to trust the certificate fingerprint. I got "Certificate validation failed". "certificate not trusted, aborting."
> I discovered that Guacamole uses freerdp, which is not well documented on the subject. I tried to add the pem certificate with {{update-ca-certificates}}, or in _.config/freerdp/certs_, and got nothing.
> Am I missing some documentation on how to set up a trusted RDP host on Guacamole?
> On my Guacamole test server, I installed xfce and Remmina and succeeded in connecting to the target. It populated the .config/freerdp/known_hosts2 file, then the Guacamole connection began to work. But it is not an option for the production server.
>
> Thank you


