Connection Protocols

Remote connection protocols supported by Keeper Connection Manager

Keeper Connection Manager and Apache Guacamole support multiple protocols through a common, centralized gateway. The "guacd" service sits between the Guacamole web application and the remote desktops and dynamically translates between low-level remote desktop protocols and the Guacamole protocol, applying additional optimization and compression in the process.

Installing support for a protocol

Within Keeper Connection Manager, support for each protocol is provided via separate packages. Only the packages for protocols that you will be using need be installed:

Protocol                                  Keeper Connection Manager package
Kubernetes                                kcm-libguac-client-kubernetes
MySQL                                     kcm-libguac-client-mysql
PostgreSQL                                kcm-libguac-client-postgres
Microsoft SQL Server                      kcm-libguac-client-sql-server
HTTP/HTTPS (Remote Browser Isolation)     kcm-libguac-client-http
VNC                                       kcm-libguac-client-vnc
RDP                                       kcm-libguac-client-rdp
SSH                                       kcm-libguac-client-ssh
Telnet                                    kcm-libguac-client-telnet

When using any particular connection, the package providing support for that connection's underlying protocol must already be installed on the server running the guacd service. If support for the underlying protocol has not been installed, users attempting to use the connection will see an error message, and system administrators will see a message like the following within the systemd journal:

guacd[8]: WARNING: Support for protocol "rdp" is not installed

If a needed package was not installed and a message like the one above is logged, installing the needed package will solve the problem. If using the keeper/guacd Docker image, all protocol support is already installed. If using the @kcm-guacamole package group, as described within the installation instructions, protocol support for HTTPS, VNC, RDP, and SSH is installed.

Configuring the protocol of a connection

When using one of the supported databases, administrators can define new connections using Guacamole's web interface, selecting the protocol to be used for that connection from a dropdown menu labeled "Protocol":

(Screenshot: Protocol Selection)

If defining a connection through a mechanism which does not leverage one of the supported databases, such as /etc/guacamole/user-mapping.xml, LDAP schema modifications, or encrypted JSON, the protocol must be specified using the unique, internal name for that protocol:

Protocol                  Internal name
Kubernetes                kubernetes
MySQL                     mysql
PostgreSQL                postgresql
Microsoft SQL Server      sql-server
HTTP/HTTPS                http
VNC                       vnc
RDP                       rdp
SSH                       ssh
Telnet                    telnet
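As an added example (not from the Keeper documentation), the following Python maps the guacd warning quoted above to the package from the table, so an administrator reviewing the journal knows which kcm-libguac-client package is missing; the journal lines it parses are constructed.

```python
"""Map guacd "Support for protocol ... is not installed" warnings to KCM packages.

Added example, not part of the Keeper documentation. The protocol-to-package table
is the one on this page; the journal lines below are constructed for illustration.
"""
import re
from typing import Dict, List, Optional

# Internal protocol name -> package providing it (from the page's tables).
PROTOCOL_PACKAGES: Dict[str, str] = {
    "kubernetes": "kcm-libguac-client-kubernetes",
    "mysql": "kcm-libguac-client-mysql",
    "postgresql": "kcm-libguac-client-postgres",
    "sql-server": "kcm-libguac-client-sql-server",
    "http": "kcm-libguac-client-http",
    "vnc": "kcm-libguac-client-vnc",
    "rdp": "kcm-libguac-client-rdp",
    "ssh": "kcm-libguac-client-ssh",
    "telnet": "kcm-libguac-client-telnet",
}

# The warning quoted on the page, e.g.
#   guacd[8]: WARNING: Support for protocol "rdp" is not installed
# journalctl prefixes it with a timestamp and hostname, so search rather than match.
WARNING_RE = re.compile(
    r'guacd\[\d+\]: WARNING: Support for protocol "([^"]+)" is not installed'
)


def missing_protocols(journal_lines: List[str]) -> List[str]:
    """Distinct protocol names guacd reported as not installed, in order of first appearance."""
    seen: List[str] = []
    for line in journal_lines:
        m = WARNING_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def packages_to_install(journal_lines: List[str]) -> Dict[str, Optional[str]]:
    """Map each missing protocol to the package that provides it.

    A name that is not in the table maps to None: it is either a misspelled internal
    name in the connection definition (for example "postgres" instead of "postgresql")
    or a protocol this table does not cover, not a package that can be installed.
    """
    return {proto: PROTOCOL_PACKAGES.get(proto) for proto in missing_protocols(journal_lines)}


# Constructed journal excerpt (hostname, PID and timestamps are made up).
SAMPLE_JOURNAL = [
    'Jul 04 20:28:10 kcm guacd[8]: WARNING: Support for protocol "rdp" is not installed',
    'Jul 04 20:28:12 kcm guacd[8]: WARNING: Support for protocol "rdp" is not installed',
    'Jul 04 20:29:02 kcm guacd[8]: WARNING: Support for protocol "sql-server" is not installed',
    'Jul 04 20:29:40 kcm guacd[8]: WARNING: Support for protocol "postgres" is not installed',
]

if __name__ == "__main__":
    for proto, pkg in packages_to_install(SAMPLE_JOURNAL).items():
        if pkg:
            print(f"{proto}: install {pkg} on the guacd host")
        else:
            print(f"{proto}: not a known internal protocol name, check the connection's protocol setting")
```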

Importing and Exporting

Data can be imported to a MySQL connection from a file on your machine, or exported and downloaded to your machine.

Import

Import data from a file on your machine into the MySQL connection.

To import data from a CSV file, use the MySQL LOAD DATA command:

LOAD DATA LOCAL INFILE "input.csv" INTO TABLE <table> FIELDS
  TERMINATED BY ',' ENCLOSED BY '"' LINES TERMINATED BY '\r\n'

In the example above, "<table>" should be replaced with the SQL table to import data into. The other parts of the command are required for CSV-formatted files. If your uploaded file uses different termination characters, update the query accordingly.

After running the query, Keeper Connection Manager will prompt you to supply the data file. To upload the file, drag and drop it from your machine onto the browser window.

The uploaded file does not have to have the same name given in the query.

Export

Data from the connected MySQL database can be exported to a file on your machine. To do this, use the following query:

SELECT <query> INTO LOCAL OUTFILE "<name>.csv"

The result of the given <query> will be put into a CSV file with the given name and downloaded from the browser to your machine.

Connecting to Host Instance

Connecting from the Docker container to the KCM host instance

In a Docker install environment, it's possible to establish a connection to the Keeper Connection Manager host instance using a special host name called host.docker.internal.

To configure this, update the guacd section of the file /etc/kcm-setup/docker-compose.yml to include the "extra_hosts" parameter, as seen below:

    guacd:
        image: keeper/guacd:2
        restart: unless-stopped
        environment:
            ACCEPT_EULA: "Y"
        volumes:
            - "common-storage:/var/lib/guacamole:rw"
        extra_hosts:
            - "host.docker.internal:host-gateway"

Update the Docker environment for the change to take effect:

sudo ./kcm-setup.run stop
sudo ./kcm-setup.run upgrade

Then, from within Keeper Connection Manager, you can create a new connection which references the Hostname host.docker.internal.

For more information, see the article Connecting to the KCM Host Instance.

Importing and Exporting

Data can be imported to a PostgreSQL connection from a file on your machine, or exported and downloaded to your machine.

Import

Import data from a file on your machine into the PostgreSQL connection.

To import data from a CSV file, use the \COPY command:

\COPY <table> FROM "input.csv" With CSV

In the example above, "<table>" should be replaced with the SQL table to import data into. The other parts of the command are required for CSV-formatted files. If your uploaded file uses different termination characters, update the query accordingly.

After running the query, Keeper Connection Manager will prompt you to supply the data file. To upload the file, drag and drop it from your machine onto the browser window.

The uploaded file does not have to have the same name given in the query.

Export

Data from the connected PostgreSQL database can be exported to a file on your machine. To do this, use the following query:

\COPY (<query>) TO "<name>.csv" With CSV HEADER

The result of the given <query> will be put into a CSV file with the given name and downloaded from the browser to your machine.

Persistent Reverse SSH Tunnel

Connecting to an environment without ingress connections

Overview

It may be necessary to create a connection into a target system which blocks ingress connections or is behind a firewall, particularly if you cannot install Keeper Connection Manager on a device within the target network.

For this use case, Keeper Connection Manager supports the use of reverse SSH tunnels. This guide provides a method of setting up a reverse SSH tunnel to access a system that is otherwise inaccessible due to inbound network restrictions.

This guide covers reverse SSH tunnels using the Auto Docker Install method and a target endpoint. Once the tunnel and configuration are complete, Keeper Connection Manager can establish a connection to the remote endpoint through the tunnel. Once the tunnel is established, you can use any supported connection type through it.

Guides for each method:

  • AutoSSH as a Windows Service

  • Linux - AutoSSH

  • Windows - OpenSSH

Using KeeperPAM instead of Reverse SSH Tunnels

Keeper's cloud-based product, KeeperPAM, provides zero-trust encrypted connections through the Keeper vault. This eliminates the need for reverse SSH tunnels.

  • KeeperPAM Website

Importing and Exporting

Data can be imported to a SQL Server connection from a file on your machine, or exported and downloaded to your machine.

Import

Import data from a file on your machine into the SQL Server connection.

To import data from a CSV file, use the BULK INSERT command:

BULK INSERT <table> FROM LOCAL FILE

In the example above, "<table>" should be replaced with the SQL table to import data into. The other parts of the command are required for CSV-formatted files. If your uploaded file uses different termination characters, update the query accordingly.

After running the query, Keeper Connection Manager will prompt you to supply the data file. To upload the file, drag and drop it from your machine onto the browser window.

The uploaded file does not have to have the same name given in the query.

Export

Data from the connected SQL Server database can be exported to a file on your machine. To do this, use the following query:

SELECT <query> INTO LOCAL OUTFILE "<name>.csv"

The result of the given <query> will be put into a CSV file with the given name and downloaded from the browser to your machine.

Windows - OpenSSH

Connecting to an environment without ingress connections

Definitions

KCM Server: The instance running Keeper Connection Manager.

Remote Endpoint: A target Windows instance in a protected network without data ingress which cannot yet be accessed directly by the KCM Server.

Prerequisite - Install OpenSSH Client and Server

Good news, Windows now comes with OpenSSH! However, it may not be installed by default. We recommend installing both the OpenSSH Client and the OpenSSH Server.

OpenSSH can be found in "Optional Features" in Windows 10+ and Windows Server 2019+. You can install it from Settings > Apps > Optional Features > Add Feature > Open SSH Client / Server, or from an elevated PowerShell prompt:

# Install the OpenSSH Client
Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

# Install the OpenSSH Server
Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

Microsoft's instructions for installing OpenSSH are here: https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse

Reverse Tunnel Setup

The instructions below outline how to establish a connection from a KCM Server in the cloud, to a Remote Endpoint without network ingress.

(1) Allow inbound SSH on KCM Server

On the KCM Server, ensure that inbound SSH port 22 connections are open from the Remote Server to the KCM instance. We will be establishing an outbound connection from the Remote Server to the KCM instance to set up the reverse tunnel.

(2) Generate SSH Keys on the Remote Endpoint

On the Windows Remote Endpoint, create an SSH key pair which will be used to establish an outbound connection from the Endpoint to the KCM Server. Enter the following into an elevated command prompt:

ssh-keygen -t ed25519

This will create two files, a private key and a public key. Leave the private key in place.

Next, we will copy the public key file (.pub) from the Windows endpoint to the KCM Server.

You can copy the .pub file using any method you choose.

If you have outbound traffic allowed, you can use the following command in PowerShell as Administrator (replace username and kcm-server with the login and address of your KCM Server). Note that copying directly onto ~/.ssh/authorized_keys replaces any keys already authorized there:

PS C:\Users\Administrator\.ssh> scp id_ed25519.pub username@kcm-server:~/.ssh/authorized_keys

(3) Verify SSH Connectivity from Remote Endpoint to KCM Server

You should now be able to SSH from the remote server into the KCM server, without any prompt:

C:\Users\Administrator> ssh username@kcm-server

Last login: Mon Jul  4 20:28:10 2022 from ip-10-0-1-7.my.remote

(4) Establish the ssh tunnel

Make sure that you have a firewall in place to block inbound connections on all ports except what is needed (HTTP/HTTPS/SSH), and/or change the 0.0.0.0 in the following command to the IP of your KCM server.

To create a persistent session, we will use a batch file with an ssh command and the Windows Task Scheduler. First, open Notepad and copy in the following command:

ssh -fN -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -R 0.0.0.0:9000:localhost:3389 -i C:\path\to\.ssh\privkey username@kcm-server

Edit the command with the values that correspond to your path, desired port, and URL, and save the file as a .bat file.

Open Windows Task Scheduler, create a new task with a trigger set to "on startup" and an action to run the .bat file that you created.

(5) Update GatewayPorts setting on KCM Server

This step only needs to be completed once, so if you have already completed it while setting up a different reverse SSH tunnel method, you can move on to step 7.

On the KCM Server, the SSH process (sshd) must be configured to permit remote hosts (e.g. the guacd Docker container) to connect to forwarded ports. By default, sshd binds remote port forwards to the loopback address. Setting the value of GatewayPorts to "clientspecified" allows the client to select the address to which the forwarded port is bound.

  • Edit the file /etc/ssh/sshd_config

  • Update the GatewayPorts line to this:

    GatewayPorts clientspecified

  • Restart sshd:

    sudo service sshd restart

The reverse tunnel is now established between the Remote Server and the KCM Server.

(6) Update docker-compose to reference the host

This step applies only to the docker installations.

In the Docker install environment, it's possible to establish a connection to the Keeper Connection Manager host instance using a special host name called host.docker.internal.

To configure this, update the guacd section of the file /etc/kcm-setup/docker-compose.yml to include the "extra_hosts" parameter, as seen below:

    guacd:
        image: keeper/guacd:2
        restart: unless-stopped
        environment:
            ACCEPT_EULA: "Y"
        volumes:
            - "common-storage:/var/lib/guacamole:rw"
        extra_hosts:
            - "host.docker.internal:host-gateway"

Update the Docker environment for the change to take effect:

sudo ./kcm-setup.run stop
sudo ./kcm-setup.run upgrade

(7) Create Connection to the target Remote Server

Now that the reverse SSH tunnel is set up and the Docker container is able to reach it, you can create a connection from the Keeper Connection Manager interface.

Create a new RDP connection with the hostname of host.docker.internal and the port of 9000 (or your chosen port).

As usual, ensure that the proper Authentication parameters are populated in the connection for the remote server. In this case, the remote server is being accessed via the established reverse SSH tunnel.

Save the connection, navigate back to the "My Connections" or "Home" screen, and then click on the connection you just created to verify the routing was successful.

Creating More Connections

If you would like to establish more connections using reverse SSH tunneling, repeat Step 4 of this guide on a different port (e.g. 9001, 9002, etc...). Then create a connection with the specified port number when creating Connections inside Keeper Connection Manager.

References

Several references and guides posted online contain helpful information about this configuration.

  • Create Connection via Reverse SSH Tunnel

Linux - AutoSSH

Connecting to an environment without ingress connections

Definitions

KCM Server: The instance running Keeper Connection Manager.

Remote Endpoint: A target Linux instance in a protected network without data ingress which cannot yet be accessed directly by the KCM Server.

Install KCM Server

If you have not set up a Keeper Connection Manager instance, follow the Auto Docker Install instructions on any instance within any cloud environment. This instance will be your KCM Server.

Reverse Tunnel Setup

The instructions below outline how to establish a connection from a KCM Server in the cloud, to an internal Remote Endpoint without network ingress.

(1) Allow inbound SSH on KCM Server

On the KCM Server, ensure that inbound SSH port 22 connections are open from the Remote Server to the KCM instance. We will be establishing an outbound connection from the Remote Server to the KCM instance to set up the reverse tunnel.

(2) Generate SSH Key on the Remote Endpoint

On the Remote Endpoint, create an SSH key pair which will be used to establish an outbound connection from the Endpoint to the KCM Server:

ssh-keygen -t ed25519

This will create two files, a private key and a public key. Leave the private key as is, and copy only the .pub file to your KCM Server.

Now we need to add the contents of the public key file into a special file in your home directory on the KCM Server. Check your <home>/.ssh directory and, if it doesn't already have a file called "authorized_keys", create the file. Take the text from the public key file id_ed25519.pub and add it to the file ~/.ssh/authorized_keys on the KCM Server.

The text should have the following format:

ssh-ed25519 AAAAC3NzaC1lZDI1nScLLwc3wsBH localuser@localhost

Save the authorized_keys file as ~/.ssh/authorized_keys.

(3) Verify SSH Connectivity from Remote Endpoint to KCM Server

You should now be able to SSH from the remote server into the KCM server, without any password prompt (using the keys). Replace username and kcm-server with the login and address of your KCM Server:

$ ssh username@kcm-server

Last login: Mon Jul  4 20:28:10 2022 from ip-10-0-1-7.my.remote
[username@kcm-server ~]$ exit

(4) Install autossh on the Remote Endpoint

The Linux program autossh is a helper utility for creating a persistent SSH tunnel. Installation of autossh depends on the platform, but a typical command to install it would be:

sudo yum install autossh

Or, to build from source, follow these steps (for example, on an Amazon Linux 2 AMI):

$ sudo yum install gcc
$ wget http://www.harding.motd.ca/autossh/autossh-1.4e.tgz
$ tar -xf autossh-1.4e.tgz
$ cd autossh-1.4e
$ ./configure
$ make
$ sudo make install

(5) Update GatewayPorts setting on KCM Server

On the KCM Server, the SSH process (sshd) must be configured to permit remote hosts (e.g. the guacd Docker container) to connect to forwarded ports. By default, sshd binds remote port forwards to the loopback address. Setting the value of GatewayPorts to "clientspecified" allows the client to select the address to which the forwarded port is bound.

  • Edit the file /etc/ssh/sshd_config

  • Update the GatewayPorts line to this:

    GatewayPorts clientspecified

  • Restart sshd:

    sudo service sshd restart

(6) Command to Create Persistent Reverse SSH Tunnel

In order to establish an SSH connection from the KCM Server to the Remote Server, we need to first create a persistent reverse tunnel, initiated from the Remote Server.

On the Remote Endpoint, execute autossh in the background, using parameters similar to the ones below. Note that the full path to the private SSH key is provided. Autossh will then run in the background and the tunnel will remain active as long as the instance is running.

Make sure that you have a firewall in place to block inbound connections on all ports except what is needed (HTTP/HTTPS/SSH), and/or change the 0.0.0.0 in the following command to the IP of your KCM server.

autossh -f -M 0 -N -o "ServerAliveInterval 30" \
  -o "ServerAliveCountMax 3" \
  -R 0.0.0.0:9000:localhost:22 \
  -i /home/ec2-user/.ssh/id_ed25519 \
  username@kcm-server
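The following Python is an added example, not part of the Keeper guides: it audits the -R bind address used in this autossh command (and in the ssh and cygrunsrv commands of the two Windows guides) together with the sshd GatewayPorts value from step 5, applying the rules this page states about loopback binding, "clientspecified" and 0.0.0.0. The sshd_config snippets are constructed and 203.0.113.10 is a documentation address standing in for the KCM server.

```python
"""Audit a reverse tunnel's -R spec against the KCM server's GatewayPorts setting.

Added example, not part of the Keeper guides. It applies the rules this page states:
sshd binds remote forwards to loopback by default, "GatewayPorts clientspecified" lets
the client choose the bind address, and a 0.0.0.0 bind must be covered by a firewall
or replaced with the KCM server's IP. Inputs are constructed; 203.0.113.10 is a
documentation address standing in for the KCM server.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

WILDCARD_BINDS = {"", "*", "0.0.0.0"}               # listen on every interface
LOOPBACK_BINDS = {"localhost", "127.0.0.1", "::1"}


@dataclass
class RemoteForward:
    bind_address: Optional[str]  # None: no bind address given, sshd decides
    listen_port: int             # port opened on the KCM server (9000 in the guides)
    target_host: str             # reached from the remote endpoint, e.g. localhost
    target_port: int             # 22 for an SSH target, 3389 for RDP


def parse_remote_forward(spec: str) -> RemoteForward:
    """Parse the -R argument: [bind_address:]port:host:hostport."""
    parts = spec.split(":")
    if len(parts) == 3:
        bind, port, host, hostport = None, *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"unsupported -R spec: {spec!r}")
    return RemoteForward(bind, int(port), host, int(hostport))


def gateway_ports_setting(sshd_config: str) -> str:
    """Effective GatewayPorts value in sshd_config text ("no" is sshd's default).

    sshd uses the first occurrence of a keyword; comments and 'Keyword=value' are handled.
    """
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"(?i)gatewayports\s*[=\s]\s*(\S+)", line)
        if m:
            return m.group(1).lower()
    return "no"


def audit_tunnel(spec: str, sshd_config: str, kcm_server_ip: str) -> List[str]:
    """Findings for one tunnel; an empty list means the forward is bound the way the guide intends."""
    fwd = parse_remote_forward(spec)
    gp = gateway_ports_setting(sshd_config)
    port = fwd.listen_port
    findings: List[str] = []

    if gp == "no":
        # sshd default: loopback only, so the guacd container cannot reach host.docker.internal:port.
        findings.append(
            f"port {port}: GatewayPorts is 'no' (sshd default), so the forward stays on loopback "
            f"and host.docker.internal:{port} will not reach it; set 'GatewayPorts clientspecified'"
        )
    elif gp == "yes":
        findings.append(
            f"port {port}: GatewayPorts 'yes' binds every remote forward to all interfaces, "
            "whatever the -R bind address says; the guide calls for 'clientspecified'"
        )
    elif gp == "clientspecified":
        if fwd.bind_address is None or fwd.bind_address in LOOPBACK_BINDS:
            findings.append(
                f"port {port}: no routable bind address in the -R spec, so sshd keeps it on loopback; "
                f"use -R {kcm_server_ip}:{port}:{fwd.target_host}:{fwd.target_port}"
            )
        elif fwd.bind_address in WILDCARD_BINDS:
            findings.append(
                f"port {port}: listening on all interfaces of the KCM server; firewall inbound "
                f"traffic to HTTP/HTTPS/SSH only, or bind to the server address {kcm_server_ip}"
            )
        elif fwd.bind_address != kcm_server_ip:
            findings.append(
                f"port {port}: bound to {fwd.bind_address}, which is not the KCM server address {kcm_server_ip}"
            )
    else:
        findings.append(f"GatewayPorts has an unexpected value {gp!r}")
    return findings


# Constructed inputs: the -R spec from the autossh command above and two sshd_config variants.
PAGE_SPEC = "0.0.0.0:9000:localhost:22"
DEFAULT_SSHD_CONFIG = "#GatewayPorts no\nPermitRootLogin no\n"
GUIDE_SSHD_CONFIG = "#GatewayPorts no\nGatewayPorts clientspecified\n"

if __name__ == "__main__":
    for cfg in (DEFAULT_SSHD_CONFIG, GUIDE_SSHD_CONFIG):
        for finding in audit_tunnel(PAGE_SPEC, cfg, "203.0.113.10") or ["ok: bound to the KCM server address"]:
            print(finding)
```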

The reverse tunnel is now established between the Remote Server and the KCM Server.

To verify connectivity, you can now establish an SSH session from the KCM Server to the Remote Server over localhost on the port defined by the tunnel (in this case, port 9000).

From the KCM Server this can be tested using the command below:

ssh -i /path/to/key -p 9000 username@localhost

(7) Update docker-compose to reference the host

This step applies only to the docker installations.

In the Docker install environment, it's possible to establish a connection to the Keeper Connection Manager host instance using a special host name called host.docker.internal.

To configure this, update the guacd section of the file /etc/kcm-setup/docker-compose.yml to include the "extra_hosts" parameter, as seen below:

    guacd:
        image: keeper/guacd:2
        restart: unless-stopped
        environment:
            ACCEPT_EULA: "Y"
        volumes:
            - "common-storage:/var/lib/guacamole:rw"
        extra_hosts:
            - "host.docker.internal:host-gateway"

Update the Docker environment for the change to take effect:

sudo ./kcm-setup.run stop
sudo ./kcm-setup.run upgrade

(8) Create Connection to the target Remote Server

Now that the reverse SSH tunnel is set up and the Docker container is able to reach it, you can create a connection from the Keeper Connection Manager interface.

For this example, you can create a new connection which simply references the Hostname of host.docker.internal and the port of 9000.

As usual, ensure that the proper Authentication parameters are populated in the connection for the remote server. In this case, the remote server is being accessed via the established reverse SSH tunnel.

Save the connection, navigate back to the "My Connections" or "Home" screen, and then click on the connection you just created to verify the routing was successful.

Creating More Connections

If you would like to establish more connections using reverse SSH tunneling, repeat Step 6 of this guide on a different port (e.g. 9001, 9002, etc...). Then reference host.docker.internal with the specified port number when creating Connections inside Keeper Connection Manager.

References

Several references and guides posted online contain helpful information about this configuration.

  • Create Connection via Reverse SSH Tunnel


AutoSSH as a Windows Service

Connecting to an environment without ingress connections

If you prefer to run autossh as a Windows service, you can follow these steps.

Definitions

KCM Server: The instance running Keeper Connection Manager.

Remote Endpoint: A target Windows instance in a protected network without data ingress which cannot yet be accessed directly by the KCM Server.

Prerequisite - Install Cygwin

On the remote endpoint, install Cygwin from https://www.cygwin.com/install.html. The direct download link is https://www.cygwin.com/setup-x86_64.exe.

After it's installed, we will select both the openssh and the autossh packages to download and install.

Click Next > Install from Internet > All Users > Next > Next > Next > Choose any mirror > Next (as shown below).

At the "Select Packages" screen, change the view from Pending to Full and then enter "ssh" in the search box. Select the down arrow on autossh, choose latest version. Select the down arrow on openssh, choose the latest version (shown below).

Reverse Tunnel Setup

The instructions below outline how to establish a connection from a KCM Server in the cloud, to a Remote Endpoint without network ingress.

(1) Allow inbound SSH on KCM Server

On the KCM Server, ensure that inbound SSH port 22 connections are open from the Remote Server to the KCM instance. We will be establishing an outbound connection from the Remote Server to the KCM instance to set up the reverse tunnel.

(2) Generate SSH Keys on the Remote Endpoint

On the Windows Remote Endpoint, using the Cygwin Terminal, create an SSH key pair which will be used to establish an outbound connection from the Endpoint to the KCM Server. Enter the following into the Cygwin Terminal:

ssh-keygen -t ed25519

It will ask where you want to save the key; you can press Enter to accept the default and continue.

This will create two files, a private key and a public key. Leave the private key in place. We will copy the public key from the target endpoint onto the KCM server.

Next, we will copy the public key file (.pub) from the Windows endpoint to the KCM Server, into ~/.ssh/authorized_keys.

You can transfer the .pub file by any method that you choose. If you have outbound traffic allowed on the Windows target endpoint, you can use the following commands in the Cygwin Terminal (replace username and kcm-server with the login and address of your KCM Server):

cd .ssh
ssh-copy-id username@kcm-server

(3) Verify SSH Connectivity from Remote Endpoint to KCM Server

You should now be able to SSH from the remote server into the KCM server without any password prompt:

ssh username@kcm-server

Last login: Mon Jul  4 20:28:10 2022 from ip-10-0-1-7.my.remote

(4) Establish the persistent SSH tunnel

To create the persistent tunnel, enter the following two commands into the Windows command prompt or PowerShell (not in the Cygwin Terminal). The first changes to the Cygwin bin directory; the second registers autossh as a Windows service named "AutoSSH".

Make sure that you have a firewall in place to block inbound connections on all ports except what is needed (HTTP/HTTPS/SSH), and/or change the 0.0.0.0 in the following command to the IP of your KCM server.

Choose any open port to use; in this example we use port 9000.

cd C:\cygwin64\bin
cygrunsrv -I AutoSSH -p /usr/bin/autossh -a "-M 20000 -R 0.0.0.0:9000:localhost:3389 username@hostnameORipaddress" -e AUTOSSH_NTSERVICE=yes

(5) Configure the Windows Service

Open Services and look for the new service called "AutoSSH" and open it, but don't start it just yet.

We will set an automatic delayed start and log on with the Administrator account. These settings help the service start properly.

On the Log On tab, click Browse, enter the administrator object name and click "Check Names". Make sure to put the password for the administrator account into both fields.

Now we are ready to start the AutoSSH Service (shown below).

Start the AutoSSH service and confirm that it is running.

(6) Update GatewayPorts setting on KCM Server

This step only needs to be completed once, so if you have already completed it while setting up a different reverse SSH tunnel method, you can move on to step 8.

On the KCM Server, the SSH process (sshd) must be configured to permit remote hosts (e.g. the guacd Docker container) to connect to forwarded ports. By default, sshd binds remote port forwards to the loopback address. Setting the value of GatewayPorts to "clientspecified" allows the client to select the address to which the forwarded port is bound.

  • Edit the file /etc/ssh/sshd_config

  • Update the GatewayPorts line to this:

    GatewayPorts clientspecified

  • Restart sshd:

    sudo service sshd restart

The reverse tunnel is now established between the Remote Server and the KCM Server.

(7) Update docker-compose to reference the host

This step applies only to the docker installations.

In the Docker install environment, it's possible to establish a connection to the Keeper Connection Manager host instance using a special host name called host.docker.internal.

To configure this, update the guacd section of the file /etc/kcm-setup/docker-compose.yml to include the "extra_hosts" parameter, as seen below:

    guacd:
        image: keeper/guacd:2
        restart: unless-stopped
        environment:
            ACCEPT_EULA: "Y"
        volumes:
            - "common-storage:/var/lib/guacamole:rw"
        extra_hosts:
            - "host.docker.internal:host-gateway"

Update the Docker environment for the change to take effect:

sudo ./kcm-setup.run stop
sudo ./kcm-setup.run upgrade

(8) Create Connection to the target Remote Server

Now that the reverse SSH tunnel is set up and the Docker container is able to reach it, you can create a connection from the Keeper Connection Manager interface.

Create a new RDP connection with the hostname of host.docker.internal and the port of 9000 (or your chosen port).

As usual, ensure that the proper Authentication parameters are populated in the connection for the remote server. In this case, the remote server is being accessed via the established reverse SSH tunnel.

Save the connection, navigate back to the "My Connections" or "Home" screen, and then click on the connection you just created to verify the routing was successful.

Creating More Connections

If you would like to establish more connections using reverse SSH tunneling, repeat Step 5 of this guide on a different available port (e.g. 9001, 9002, etc...). Then create a connection with the specified port number when creating Connections inside Keeper Connection Manager.

References

Several references and guides posted online contain helpful information about this configuration.

  • Create Connection via Reverse SSH Tunnel

Keyboard Shortcuts

Keeper Connection Manager PostgreSQL and MySQL connections utilize EMACS-like commands for more powerful text editing. In order to utilize all of these commands, shortcuts are bound to specific editor commands.

Note that some shortcuts may be captured by your browser, browser extensions, operating system, or other applications.

Common Actions

Copy and Paste

To copy a region of text, first you need to select the text. The easiest way to do this is to highlight the text using your mouse cursor.

To Copy

The copy command is Ctrl-c or Meta-w.

Hold the Ctrl key and press the c key, or press and release the ESC key, then press and release the w key.

To Paste

The paste command is sometimes referred to as 'Yank' and is activated with Ctrl-v or Ctrl-Y.

Hold the Ctrl key and press the v key, or hold the Ctrl key and press the y key.

Move to Beginning or End of Line

The cursor can be moved to the beginning or the end of the current line.

Move to Beginning

This command is done with Ctrl-A or the Home key.

Press Home, or hold the Ctrl key and press the a key.

Move to End

This command is done with Ctrl-E or the End key.

Press End, or hold the Ctrl key and press the e key.

Complete List of Shortcuts

See the complete list of available commands and shortcuts below.

In this table "Meta-" refers to pressing the ESC key followed by the shown key. For example, to use Meta-B (ed-prev-word), press and release ESC, then press and release B. Optionally, a Meta key can be set up on your keyboard.

Shortcut              Editor Command
Ctrl-@, NUL           set cursor where the mouse is located
Ctrl-A                move cursor to beginning of line
Ctrl-B                move cursor back one character
Ctrl-C                clear the terminal
Ctrl-D                close the current connection
Ctrl-E

move cursor to end of line

Ctrl-F

move cursor one character forward

Ctrl-H, Backspace

delete previous character

Ctrl-J, LF

newline

Ctrl-K

cut line

Ctrl-L, FF

clear screen

Ctrl-M, CR

newline

Ctrl-N

next history

Ctrl-O

tty flush output

Ctrl-P

previous history

Ctrl-Q

tty start output

Ctrl-R

redisplay

Ctrl-S

tty stop output

Ctrl-T

transpose characters

Ctrl-U

cut line

Ctrl-V

quoted insert

Ctrl-W

cut highlighted region

Ctrl-X

sequence lead in

Ctrl-Y

yank (paste)

Ctrl-Z, TSTP

tty sigtstp

Ctrl-[, ESC

move cursor forward

Ctrl-\, QUIT

tty sigquit

Ctrl-]

tty dsusp

Ctrl-?, DEL

delete previous character

Ctrl-Meta-H

delete previous word

Ctrl-Meta-L

clear screen

Ctrl-Meta-_

copy the previous word

Meta-0 to Meta-9

argument digit

Meta-B

previous word

Meta-C

use capitol case

Meta-D

delete next word

Meta-F

move to next word

Meta-L

lower case

Meta-N

search next history

Meta-O

sequence lead in

Meta-P

search previous history

Meta-U

upper case

Meta-W

copy highlighted region

Meta-X

command

Meta-[

sequence lead in

Meta-p

search previous history

Ctrl-Meta-?

delete previous word
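As an added check (not part of the Keeper Connection Manager documentation), the following Python works out which address sshd will actually bind a reverse-forwarded port to, given the -R specification used in the autossh command above and the GatewayPorts value in sshd_config. It assumes OpenSSH's documented semantics, does not model Match blocks, and takes a constructed sshd_config fragment as input.

```python
"""Added example, not from the Keeper Connection Manager documentation.

Determines where sshd will bind a reverse-forwarded port (ssh/autossh -R)
for a given sshd_config, so an administrator can confirm that a tunnel such
as "-R 0.0.0.0:9000:localhost:3389" is reachable only by the intended hosts.
Assumes OpenSSH semantics: GatewayPorts is one of no | yes | clientspecified,
the first occurrence of a keyword in sshd_config wins, and Match blocks are
not modelled.
"""
import re

WILDCARD = "0.0.0.0"    # all IPv4 interfaces of the SSH server
LOOPBACK = "127.0.0.1"  # reachable only from the SSH server itself


def parse_remote_forward(spec):
    """Split an -R spec "[bind_address:]port:host:hostport" into its parts.

    bind_address is None when the client did not name one. The IPv6 bracket
    syntax is not handled here.
    """
    parts = spec.split(":")
    if len(parts) == 3:
        bind, port, host, hostport = (None, *parts)
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError("malformed -R spec: %r" % spec)
    return bind, int(port), host, int(hostport)


def gateway_ports_setting(sshd_config):
    """Effective GatewayPorts value from sshd_config text (default "no")."""
    for raw in sshd_config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = re.split(r"[\s=]+", line, maxsplit=1)
        if fields[0].lower() == "gatewayports" and len(fields) == 2:
            return fields[1].strip().lower()
    return "no"


def listener_address(spec, sshd_config):
    """Address and port sshd will listen on for the reverse forward."""
    bind, port, _host, _hostport = parse_remote_forward(spec)
    setting = gateway_ports_setting(sshd_config)
    if setting == "no":
        # The client's choice is ignored; the listener is loopback-only.
        return LOOPBACK, port
    if setting == "yes":
        # Every remote forward is bound to the wildcard address.
        return WILDCARD, port
    if setting == "clientspecified":
        if bind is None or bind == "localhost":
            return LOOPBACK, port
        if bind in ("", "*"):
            return WILDCARD, port
        return bind, port  # an explicit address such as 0.0.0.0 or a LAN IP
    raise ValueError("unknown GatewayPorts value: %r" % setting)


def is_reachable_off_host(spec, sshd_config):
    """True when hosts other than the SSH server can reach the forwarded port."""
    addr, _port = listener_address(spec, sshd_config)
    return addr not in (LOOPBACK, "::1", "localhost")


# Constructed sshd_config fragment matching the instructions above.
SAMPLE_SSHD_CONFIG = """\
# GatewayPorts no   (commented out, so ignored)
GatewayPorts clientspecified
PermitRootLogin no
"""
SAMPLE_SPEC = "0.0.0.0:9000:localhost:3389"  # the -R argument given to autossh

if __name__ == "__main__":
    addr, port = listener_address(SAMPLE_SPEC, SAMPLE_SSHD_CONFIG)
    print("tunnel listens on %s:%d" % (addr, port))
    if is_reachable_off_host(SAMPLE_SPEC, SAMPLE_SSHD_CONFIG):
        print("reachable from other hosts: restrict port %d with a firewall "
              "so that only guacd can reach it" % port)
```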


Related links:

  • How to connect to the Docker host from inside a Docker container? (Medium)

  • SSH tunnelling for fun and profit: autossh - https://www.everythingcli.org/ssh-tunnelling-for-fun-and-profit-autossh/

  • Selecting Interface for SSH Port Forwarding (Server Fault)

  • How to make an SSH tunnel publicly accessible? (Super User)

MySQL

Advanced configuration of MySQL connection type

Overview

The MySQL implementation in Keeper Connection Manager utilizes the MySQL client library as well as an internal terminal library which renders the user interface. Guacamole's MySQL support emulates a terminal on the server side, and draws the screen of this terminal remotely on the client.

This document is intended to cover all supported parameters, grouped in the same way they are grouped within the web interface. For each parameter, the field heading which would appear in the web interface is given, followed by the parameter's internal name in parentheses and a description of its behavior and legal values.

Keeper Secrets Manager parameters

Allow user-provided KSM configuration (ksm-user-config-enabled)

If set to "true", each Keeper Connection Manager user profile can be assigned to a Keeper Secrets Manager configuration for any connection. See the Multiple Vaults Integration screen for more information.

Network parameters

MySQL connections are established over TCP to a specific port and a specific hostname or IP address. The hostname/address must be specified for all MySQL connections, but you only need to specify a port if you are not using the standard MySQL port (3306).

Hostname (hostname)

REQUIRED: The hostname or IP address of the MySQL server Guacamole should connect to.

Port (port)

The port the MySQL server is listening on. By default, the standard MySQL port of 3306 will be used.

Unix Socket (unix-socket)

The socket name used for MySQL connections made over a Unix domain socket instead of TCP. This is used only if the host field is empty.

Authentication parameters

Keeper Connection Manager supports MySQL authentication through username and password parameters. Both fields are required to establish a connection.

Username (username)

REQUIRED: The username to authenticate as when connecting to the specified MySQL server.

Password (password)

REQUIRED: The password to use when authenticating with the specified MySQL server.

Database parameters

The default database can be specified when establishing the connection. You can also disable the ability to perform CSV import and export of data.

Default Database (database)

The database schema selected when connecting to the specified MySQL server.

Disable CSV Export (disable-csv-export)

Set this value to "true" to disable CSV export of data when using the SQL statement "select ... into local outfile".

Disable CSV Import (disable-csv-import)

Set this value to "true" to disable CSV import of data when using the SQL statement "load data local infile ... into table".

Display settings

Guacamole's MySQL support provides a display, but not in the same sense as a remote desktop protocol like VNC or RDP. The display is a terminal emulator, and thus provides options for configuring the font used and its size.

If selecting a different font for a MySQL connection, the chosen font must be installed on the server running guacd. It is the server that will handle rendering of characters to the terminal display, not the client.

Theme (color-scheme)

The color scheme to use for the terminal emulator used by SSH connections. Each color scheme dictates the default foreground and background color for the terminal. Programs which specify colors when printing text will override these defaults. Legal values are:

  • "black-white" - Black text over a white background

  • "gray-black" - Gray text over a black background (the default)

  • "green-black" - Green text over a black background

  • "white-black" - White text over a black background

  • A custom color scheme (as described below)

By default, Guacamole will render text as gray over a black background.

Font name (font-name)

The name of the font to use. If not specified, the default of "monospace" will be used instead. This must be the name of a font installed on the server running guacd, and should be a monospaced font. If a non-monospaced font is used, individual glyphs may render incorrectly.

Font size (font-size)

The size of the font to use, in points. By default, the size of rendered text will be 12 point.

Custom color schemes

Custom color schemes may be provided for the terminal emulator used by MySQL connections. Custom schemes mimic the format used by Xterm and consist of a semicolon-separated series of name-value pairs. Each name-value pair is separated by a colon and assigns a value to a color in the terminal emulator palette.

For example, to use blue text on white background by default, and change the red color to a purple shade, you would specify:

Legal color names are:

  • "foreground" - the default foreground color.

  • "background" - the default background color.

  • "colorN" - the color at index N within the Xterm 256-color palette. For example, "color9" refers to the color at palette index 9, normally red.

Legal color values are:

  • "rgb:RR/GG/BB" - a color in RGB format, with each component in hexadecimal. For example, "rgb:ff/00/00" specifies the color red. Each hexadecimal component may be one to four digits, but the effective values are always zero-extended or truncated to two digits; for example, "rgb:f/8/0", "rgb:f0/80/00", and "rgb:f0f/808/00f" all refer to the same effective color.

  • "colorN" - the color currently assigned to index N within the Xterm 256-color palette. For example, "color9" specifies the color currently assigned to palette index 9. Note that the current color value is used rather than a reference to that color. If the referenced color is changed later in the color scheme configuration, that new color value will not be reflected in this assignment.

  • "NAME" - the color with human-readable name "NAME", where "NAME" is one of the standard color names supported by X11. These names generally correspond to the names standardized by the W3C for CSS.

Clipboard parameters

Guacamole provides bidirectional access to the clipboard by default for MySQL connections. This behavior can be overridden on a per-connection basis, restricting access to the clipboard.

Disable copying from terminal (disable-copy)

If set to "true", text copied within the MySQL session will not be accessible by the user at the browser side of the Guacamole session, and will be usable only within the remote desktop. By default, the user will be given access to the copied text.

Disable pasting from client (disable-paste)

If set to "true", text copied at the browser side of the Guacamole session will not be accessible within the MySQL session. By default, the user will be able to paste data from outside the browser within the MySQL session.

Terminal behavior parameters

Maximum scrollback size (scrollback)

The maximum number of rows to allow within the terminal scrollback buffer. By default, the scrollback buffer will be limited to a maximum of 1000 rows.

Read-only (read-only)

Whether this connection should be read-only. If set to "true", no input will be accepted on the connection at all. Users will be able to see the terminal (or the application running within the terminal) but will be unable to interact.

Text session recording (typescripts)

The full, raw text content of MySQL sessions, including timing information, can be recorded automatically to a specified directory. This recording, also known as a "typescript", will be written to two files within the directory specified: one file contains the raw text data, and the other contains timing information. Where "NAME" is the value provided for the typescript name, these files will be named "NAME" and "NAME.timing" respectively.

This format is compatible with the format used by the standard UNIX script command, and can be replayed using scriptreplay (if installed). For example, to replay a typescript called "NAME", you would run:

Typescript path (typescript-path)

The directory in which typescript files should be created. If a typescript needs to be recorded, then this parameter is required. Specifying this parameter enables typescript recording. If this parameter is omitted, no typescript will be recorded.

Typescript name (typescript-name)

The base filename to use for any created recordings. If omitted, the base filename "typescript" will be used.

Guacamole will never overwrite an existing typescript. If necessary, a numeric suffix like ".1", ".2", ".3", etc. will be appended to the base filename to avoid overwriting an existing recording. If even appending a numeric suffix does not help, the typescript will not be recorded, and an error will be logged.

This parameter only has an effect if typescript recording is enabled, which is controlled by specifying a typescript path. If the typescript path is not specified, recording of typescripts will not be enabled, and this parameter will be ignored.

Automatically create typescript path (create-typescript-path)

If set to "true", the final directory within the specified typescript path will automatically be created if it does not yet exist. By default, no part of the typescript path will be automatically created, and any attempt to use a non-existent directory will result in the typescript not being recorded and an error being logged.

Only the final directory in the path will be automatically created. If other directories earlier in the path do not exist, the typescript will not be recorded, and an error will be logged.

This parameter only has an effect if typescript recording is enabled, which is controlled by specifying a typescript path. If the typescript path is not specified, recording of typescripts will not be enabled, and this parameter will be ignored.

Screen recording parameters

MySQL sessions can be recorded graphically. These recordings take the form of Guacamole protocol dumps and are recorded automatically to a specified directory. Recordings can be subsequently played back using the Glyptodon Enterprise Session Recording Player application hosted at player.glyptodon.com (or using a local deployment of this application).

The player is a static web application, using only JavaScript to play back provided recordings. This functionality is implemented strictly locally; the recordings are not uploaded to a remote service for processing. If you would prefer to use your own deployment of this application, or would like to investigate the source, the full source of the Glyptodon Enterprise Session Recording Player can be found on GitHub, along with instructions for local deployment: https://github.com/glyptodon/glyptodon-enterprise-player

The latest version of Keeper Connection Manager supports on-screen playback of recorded sessions. See the Session Recording documentation page.

Recording path (recording-path)

The directory in which screen recording files should be created. If a graphical recording needs to be created, then this parameter is required. Specifying this parameter enables graphical screen recording. If this parameter is omitted, no graphical recording will be created.

Recording name (recording-name)

The filename to use for any created recordings. If omitted, the filename of each recording will simply be "recording".

Guacamole will never overwrite an existing recording. If necessary, a numeric suffix like ".1", ".2", ".3", etc. will be appended to the filename to avoid overwriting an existing recording. If even appending a numeric suffix does not help, the session will not be recorded, and an error will be logged.

This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

Exclude graphics/streams (recording-exclude-output)

If set to "true", graphical output and other data normally streamed from server to client will be excluded from the recording, producing a recording which contains only user input events. By default, graphical output will be included in the recording.

This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

Exclude mouse (recording-exclude-mouse)

If set to "true", user mouse events will be excluded from the recording, producing a recording which lacks a visible mouse cursor. By default, mouse events will be included in the recording.

This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

Include key events (recording-include-keys)

If set to "true", user key events will be included in the recording. The recording can subsequently be passed through the guaclog utility to produce a human-readable interpretation of the keys pressed during the session. By default, for privacy's sake, key events will NOT be included in the recording.

This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

Automatically create recording path (create-recording-path)

If set to "true", the final directory within the specified recording path will automatically be created if it does not yet exist. By default, no part of the recording path will be automatically created, and any attempt to use a non-existent directory will result in the session not being recorded and an error being logged.

Only the final directory in the path will be automatically created. If other directories earlier in the path do not exist, the session will not be recorded, and an error will be logged.

This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

Microsoft SQL Server

Advanced configuration of Microsoft SQL Server connection type

Overview

The SQL Server implementation in Keeper Connection Manager utilizes the SQL Server client library as well as an internal terminal library which renders the user interface. Guacamole's SQL Server support emulates a terminal on the server side, and draws the screen of this terminal remotely on the client.

This document is intended to cover all supported parameters, grouped in the same way they are grouped within the web interface. The field headings which would appear in the web interface are provided for each parameter, along with each parameter's internal name and a thorough description of the behavior and legal values for that parameter.

Kubernetes

Advanced configuration of Kubernetes connection type

Overview

Keeper's Kubernetes support takes the form of a protocol implementation which allows Keeper to attach to the consoles of Kubernetes containers using Kubernetes' REST API. As with SSH and telnet, Keeper's Kubernetes support emulates a terminal on the server side which renders to the Keeper Connection Manager client's display.

Support for attaching to Kubernetes containers is controlled through the use of several parameters. When a database like MySQL or PostgreSQL is used, these parameters are presented in a convenient web interface. If defining connections through another mechanism, parameters are specified using their internal parameter names.

PostgreSQL

Advanced configuration of PostgreSQL / Redshift connection type

Overview

The PostgreSQL implementation in Keeper Connection Manager utilizes the PostgreSQL client library as well as an internal terminal library which renders the user interface. Guacamole's PostgreSQL support emulates a terminal on the server side, and draws the screen of this terminal remotely on the client.

This document is intended to cover all supported parameters, grouped in the same way they are grouped within the web interface. For each parameter, the field heading which would appear in the web interface is given, followed by the parameter's internal name in parentheses and a description of its behavior and legal values.

Keeper Secrets Manager parameters

Allow user-provided KSM configuration (ksm-user-config-enabled)

If set to "true", each Keeper Connection Manager user profile can be assigned to a Keeper Secrets Manager configuration for any connection. See the Multiple Vaults Integration screen for more information.

Network parameters

PostgreSQL connections are established over TCP to a specific port and a specific hostname or IP address. The hostname/address must be specified for all PostgreSQL connections, but you only need to specify a port if you are not using the standard port (5432).

Hostname (hostname)

REQUIRED: The hostname or IP address of the PostgreSQL server Guacamole should connect to.

Port (port)

The port the PostgreSQL server is listening on. By default, the standard port of 5432 will be used.

Authentication parameters

Keeper Connection Manager supports PostgreSQL authentication through username and password parameters. Both fields are required to establish a connection.

Username (username)

REQUIRED: The username to authenticate as when connecting to the specified PostgreSQL server.

Password (password)

REQUIRED: The password to use when authenticating with the specified PostgreSQL server.

Database parameters

The default database can be specified when establishing the connection. You can also disable the ability to perform CSV import and export of data.

Default Database (database)

The database schema selected when connecting to the specified PostgreSQL server.

Disable CSV Export (disable-csv-export)

Set this value to "true" to disable CSV export of data when using the SQL export statement "COPY...".

Disable CSV Import (disable-csv-import)

Set this value to "true" to disable CSV import of data when using the SQL import statement "COPY...".

Display settings

Guacamole's PostgreSQL support provides a display, but not in the same sense as a remote desktop protocol like VNC or RDP. The display is a terminal emulator, and thus provides options for configuring the font used and its size.

If selecting a different font for a PostgreSQL connection, the chosen font must be installed on the server running guacd. It is the server that will handle rendering of characters to the terminal display, not the client.

Theme (color-scheme)

The color scheme to use for the terminal emulator used by SSH connections. Each color scheme dictates the default foreground and background color for the terminal. Programs which specify colors when printing text will override these defaults. Legal values are:

  • "black-white" - Black text over a white background

  • "gray-black" - Gray text over a black background (the default)

  • "green-black" - Green text over a black background

  • "white-black" - White text over a black background

  • A custom color scheme (as described below)

Font name (font-name)

The name of the font to use. If not specified, the default of "monospace" will be used instead. This must be the name of a font installed on the server running guacd, and should be a monospaced font. If a non-monospaced font is used, individual glyphs may render incorrectly.

Font size (font-size)

The size of the font to use, in points. By default, the size of rendered text will be 12 point.

Custom color schemes

Custom color schemes may be provided for the terminal emulator used by PostgreSQL connections. Custom schemes mimic the format used by Xterm and consist of a semicolon-separated series of name-value pairs. Each name-value pair is separated by a colon and assigns a value to a color in the terminal emulator palette.

For example, to use blue text on white background by default, and change the red color to a purple shade, you would specify:

Legal color names are:

  • "foreground" - the default foreground color.

  • "background" - the default background color.

  • "colorN" - the color at index N within the Xterm 256-color palette. For example, "color9" refers to the color at palette index 9, normally red.

Legal color values are:

  • "rgb:RR/GG/BB" - a color in RGB format, with each component in hexadecimal. For example, "rgb:ff/00/00" specifies the color red. Each hexadecimal component may be one to four digits, but the effective values are always zero-extended or truncated to two digits; for example, "rgb:f/8/0", "rgb:f0/80/00", and "rgb:f0f/808/00f" all refer to the same effective color.

  • "colorN" - the color currently assigned to index N within the Xterm 256-color palette. For example, "color9" specifies the color currently assigned to palette index 9. Note that the current color value is used rather than a reference to that color. If the referenced color is changed later in the color scheme configuration, that new color value will not be reflected in this assignment.

  • "NAME" - the color with human-readable name "NAME", where "NAME" is one of the standard color names supported by X11. These names generally correspond to the names standardized by the W3C for CSS.
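The following is an added example, not Guacamole's or Keeper's own code: it parses and validates a custom color scheme string by the rules listed above (the same rules apply to the MySQL section's custom color schemes), including the two-digit normalization of hex components and the copy-not-reference semantics of "colorN" values. The default palette and the X11 name table are constructed stand-ins.

```python
"""Added example, not Keeper's or Guacamole's own code: a parser for the
custom terminal color-scheme format (semicolon-separated name:value pairs;
rgb:RR/GG/BB with 1-4 hex digits per component; "colorN" copies the current
palette entry; X11 color names). Validating a scheme string this way catches
a malformed value before it is stored in a connection's configuration.
"""
import re


def _default_palette():
    """Constructed stand-in for the Xterm 256-color palette: 16 standard
    colors, the 6x6x6 color cube and the 24-step gray ramp."""
    base = [(0, 0, 0), (205, 0, 0), (0, 205, 0), (205, 205, 0),
            (0, 0, 238), (205, 0, 205), (0, 205, 205), (229, 229, 229),
            (127, 127, 127), (255, 0, 0), (0, 255, 0), (255, 255, 0),
            (92, 92, 255), (255, 0, 255), (0, 255, 255), (255, 255, 255)]
    levels = (0, 95, 135, 175, 215, 255)
    cube = [(r, g, b) for r in levels for g in levels for b in levels]
    grays = [(v, v, v) for v in range(8, 248, 10)]
    return base + cube + grays


# Small constructed subset of the X11 color names (the real list is far longer).
X11_NAMES = {"black": (0, 0, 0), "white": (255, 255, 255), "red": (255, 0, 0),
             "green": (0, 255, 0), "blue": (0, 0, 255), "purple": (160, 32, 240)}

_RGB = re.compile(r"rgb:([0-9a-f]{1,4})/([0-9a-f]{1,4})/([0-9a-f]{1,4})$", re.I)
_INDEX = re.compile(r"color(\d{1,3})$")


def parse_rgb(value):
    """rgb:RR/GG/BB -> (r, g, b). Each component is zero-extended or
    truncated to two hex digits, so rgb:f/8/0 == rgb:f0/80/00 == rgb:f0f/808/00f."""
    m = _RGB.match(value)
    if not m:
        return None
    return tuple(int((c + "0")[:2], 16) for c in m.groups())


def _palette_index(name):
    """Index N for a "colorN" token within 0..255, else None."""
    m = _INDEX.match(name)
    if m and int(m.group(1)) < 256:
        return int(m.group(1))
    return None


def resolve_value(value, palette):
    """Turn a color value into an (r, g, b) tuple, or raise ValueError."""
    rgb = parse_rgb(value)
    if rgb is not None:
        return rgb
    idx = _palette_index(value)
    if idx is not None:
        return palette[idx]  # the entry's current value, not a live reference
    if value.lower() in X11_NAMES:
        return X11_NAMES[value.lower()]
    raise ValueError("unrecognised color value: %r" % value)


def parse_color_scheme(scheme):
    """Apply a scheme string in order; return foreground, background and the
    resulting 256-entry palette. Raises ValueError on any malformed pair."""
    palette = _default_palette()
    result = {"foreground": palette[7], "background": palette[0]}  # gray on black
    for pair in scheme.split(";"):
        pair = pair.strip()
        if not pair:
            continue  # tolerate a trailing semicolon
        if ":" not in pair:
            raise ValueError("expected name:value, got %r" % pair)
        name, value = (s.strip() for s in pair.split(":", 1))
        rgb = resolve_value(value, palette)
        if name in ("foreground", "background"):
            result[name] = rgb
        else:
            idx = _palette_index(name)
            if idx is None:
                raise ValueError("unrecognised color name: %r" % name)
            palette[idx] = rgb
    result["palette"] = palette
    return result
```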

Clipboard parameters

Guacamole provides bidirectional access to the clipboard by default for PostgreSQL connections. This behavior can be overridden on a per-connection basis, restricting access to the clipboard.

Disable copying from terminal (disable-copy)

If set to "true", text copied within the PostgreSQL session will not be accessible by the user at the browser side of the Guacamole session, and will be usable only within the remote desktop. By default, the user will be given access to the copied text.

Disable pasting from client (disable-paste)

If set to "true", text copied at the browser side of the Guacamole session will not be accessible within the PostgreSQL session. By default, the user will be able to paste data from outside the browser within the PostgreSQL session.

Text session recording (typescripts)

The full, raw text content of PostgreSQL sessions, including timing information, can be recorded automatically to a specified directory. This recording, also known as a "typescript", will be written to two files within the directory specified: one file contains the raw text data, and the other contains timing information. Where "NAME" is the value provided for the typescript name, these files will be named "NAME" and "NAME.timing" respectively.

This format is compatible with the format used by the standard UNIX script command, and can be replayed using scriptreplay (if installed). For example, to replay a typescript called "NAME", you would run:

Typescript path (typescript-path)

The directory in which typescript files should be created. If a typescript needs to be recorded, then this parameter is required. Specifying this parameter enables typescript recording. If this parameter is omitted, no typescript will be recorded.

Typescript name (typescript-name)

The base filename to use for any created recordings. If omitted, the base filename "typescript" will be used.

Guacamole will never overwrite an existing typescript. If necessary, a numeric suffix like ".1", ".2", ".3", etc. will be appended to the base filename to avoid overwriting an existing recording. If even appending a numeric suffix does not help, the typescript will not be recorded, and an error will be logged.

This parameter only has an effect if typescript recording is enabled, which is controlled by specifying a typescript path. If the typescript path is not specified, recording of typescripts will not be enabled, and this parameter will be ignored.

Automatically create typescript path (create-typescript-path)

If set to "true", the final directory within the specified typescript path will automatically be created if it does not yet exist. By default, no part of the typescript path will be automatically created, and any attempt to use a non-existent directory will result in the typescript not being recorded and an error being logged.

Only the final directory in the path will be automatically created. If other directories earlier in the path do not exist, the typescript will not be recorded, and an error will be logged.

This parameter only has an effect if typescript recording is enabled, which is controlled by specifying a typescript path. If the typescript path is not specified, recording of typescripts will not be enabled, and this parameter will be ignored.
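As an added example (not from the Keeper documentation), the following Python reads a typescript pair ("NAME" and "NAME.timing") in the script-compatible layout described above, for both the MySQL and PostgreSQL typescript sections, and reconstructs the timed output for offline review without scriptreplay. It assumes the classic timing layout of one "<delay in seconds> <byte count>" line per chunk, and the sample session is constructed.

```python
"""Added example, not from the Keeper Connection Manager documentation.

Reads a typescript pair (NAME and NAME.timing) in the script(1)/scriptreplay
layout: NAME holds the raw terminal bytes and each line of NAME.timing is
"<delay in seconds> <byte count>", giving the pause before the next chunk of
that many bytes. Reconstructing the chunks this way lets an analyst review a
recorded session, with timestamps, without scriptreplay.
"""


def parse_timing(timing_text):
    """Yield (delay_seconds, byte_count) pairs from NAME.timing."""
    for lineno, raw in enumerate(timing_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError("timing line %d malformed: %r" % (lineno, raw))
        yield float(fields[0]), int(fields[1])


def replay(typescript_bytes, timing_text):
    """Return [(seconds_since_start, chunk_bytes)] for each timed chunk.

    The byte counts must exactly cover the typescript data; a mismatch
    usually means one file is truncated or the pair is from different sessions.
    """
    events, offset, clock = [], 0, 0.0
    for delay, count in parse_timing(timing_text):
        clock += delay
        chunk = typescript_bytes[offset:offset + count]
        if len(chunk) != count:
            raise ValueError("typescript shorter than timing file at offset %d" % offset)
        events.append((round(clock, 6), chunk))
        offset += count
    if offset != len(typescript_bytes):
        raise ValueError("%d trailing bytes not covered by timing file"
                         % (len(typescript_bytes) - offset))
    return events


def session_text(typescript_bytes, timing_text):
    """The session's output as text (terminal escape sequences left in place)."""
    chunks = b"".join(chunk for _, chunk in replay(typescript_bytes, timing_text))
    return chunks.decode("utf-8", "replace")


# Constructed sample: a short psql-style session as it would be written to
# NAME and NAME.timing. The timing file is generated from the chunk sizes so
# the two stay consistent.
_PIECES = [b"db=> ", b"select 1;\r\n", b" ?column? \r\n", b"----------\r\n",
           b"        1\r\n", b"(1 row)\r\n\r\n", b"db=> "]
_DELAYS = (0.0, 2.31, 0.05, 0.001, 0.001, 0.002, 0.0005)
SAMPLE_TYPESCRIPT = b"".join(_PIECES)
SAMPLE_TIMING = "".join("%0.6f %d\n" % (d, len(p)) for d, p in zip(_DELAYS, _PIECES))

if __name__ == "__main__":
    for seconds, chunk in replay(SAMPLE_TYPESCRIPT, SAMPLE_TIMING):
        print("%9.4f  %r" % (seconds, chunk))
```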

    Screen recording parameters

    PostgreSQL sessions can be recorded graphically. These recordings take the form of Guacamole protocol dumps and are recorded automatically to a specified directory. Recordings can be subsequently played back using the Glyptodon Enterprise Session Recording Player application hosted at player.glyptodon.com (or using a local deployment of this application).

    The player is a static web application, using only JavaScript to play back provided recordings. This functionality is implemented strictly locally; the recordings are not uploaded to a remote service for processing. If you would prefer to use your own deployment of this application, or would like to investigate the source, the full source of the Glyptodon Enterprise Session Recording Player can be found on GitHub, along with instructions for local deployment: https://github.com/glyptodon/glyptodon-enterprise-player

    The latest version of Keeper Connection Manager supports on-screen playback of recorded sessions. See the Session Recording documentation page.

    Field header (web interface)
    Parameter name
    Description

    Recording path

    recording-path

    The directory in which screen recording files should be created. If a graphical recording needs to be created, then this parameter is required. Specifying this parameter enables graphical screen recording. If this parameter is omitted, no graphical recording will be created.

    Recording name

    recording-name

    The filename to use for any created recordings. If omitted, the filename of each recording will simply be "recording".

    Guacamole will never overwrite an existing recording. If necessary, a numeric suffix like ".1", ".2", ".3", etc. will be appended to the filename to avoid overwriting an existing recording. If even appending a numeric suffix does not help, the session will not be recorded, and an error will be logged.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

    Exclude graphics/streams

    recording-exclude-output

    If set to "true", graphical output and other data normally streamed from server to client will be excluded from the recording, producing a recording which contains only user input events. By default, graphical output will be included in the recording.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

  • Keeper Secrets Manager parameters

  • Network parameters

  • Authentication parameters

  • Database parameters

  • Display settings

    • Custom color schemes

  • Clipboard parameters

  • Terminal behavior parameters

  • Text session recording (typescripts)

  • Screen recording parameters

  • Keeper Secrets Manager parameters

    Field header
    Parameter name
    Description

    Allow user-provided KSM configuration:

    ksm-user-config-enabled

    If set to "true", each Keeper Connection Manager user profile can be assigned to a Keeper Secrets Manager configuration for any connection. See the Multiple Vaults Integration screen for more information.

    Network parameters

    SQL Server connections are established over TCP to a specific port and a specific hostname or IP address. The hostname/address must be specified for all connections, but you only need to specify a port if you are not using the standard port (1433).

    Field header (web interface)
    Parameter name
    Description

    Hostname

    hostname

    REQUIRED: The hostname or IP address of the SQL Server Guacamole should connect to.

    Port

    port

    The port the SQL Server is listening on. By default, the standard port of 1433 will be used.

    Authentication parameters

    Keeper Connection Manager supports SQL Server authentication through username and password parameters. Both fields are required to establish a connection.

    Authentication Parameters
    Field header (web interface)
    Parameter name
    Description

    Username

    username

    REQUIRED: The username to authenticate as when connecting to the specified SQL Server.

    Password

    password

    REQUIRED: The password to use when authenticating with the specified SQL Server.

    Database parameters

    The default database can be specified when establishing the connection. You can also disable the ability to perform CSV import and export of data.

    Field header (web interface)
    Parameter name
    Description

    Default Database

    database

    The database schema selected when connecting to the specified SQL server.

    Disable CSV Export

    disable-csv-export

    Set this value to "true" to disable CSV export of data when using the SQL statement "SELECT INTO LOCAL OUTFILE".

    Disable CSV Import

    disable-csv-import

    Set this value to "true" to disable CSV import of data when using the SQL statement "BULK INSERT...".

    Display settings

    Guacamole's SQL Server support provides a display, but not in the same sense as a remote desktop protocol like VNC or RDP. The display is a terminal emulator, and thus provides options for configuring the font used and its size.

    If selecting a different font for a SQL Server connection, the chosen font must be installed on the server running guacd. It is the server that will handle rendering of characters to the terminal display, not the client.

    Display settings
    Field header (web interface)
    Parameter name
    Description

    Theme

    color-scheme

    The color scheme to use for the terminal emulator used by SQL Server connections. Each color scheme dictates the default foreground and background color for the terminal. Programs which specify colors when printing text will override these defaults. Legal values are:

    • "black-white" - Black text over a white background

    • "gray-black" - Gray text over a black background (the default)

    Font name

    font-name

    The name of the font to use. If not specified, the default of "monospace" will be used instead. This must be the name of a font installed on the server running guacd, and should be a monospaced font. If a non-monospaced font is used, individual glyphs may render incorrectly.

    Font size

    font-size

    The size of the font to use, in points. By default, the size of rendered text will be 12 point.

    Custom color schemes

    Custom color schemes may be provided for the terminal emulator used by SQL Server connections. Custom schemes mimic the format used by Xterm and consist of a semicolon-separated series of name-value pairs. Each name-value pair is separated by a colon and assigns a value to a color in the terminal emulator palette.

    For example, to use blue text on white background by default, and change the red color to a purple shade, you would specify:

        foreground: rgb:00/00/ff;
        background: rgb:ff/ff/ff;
        color9: rgb:80/00/80

    Legal color names are:

    • "foreground" - the default foreground color.

    • "background" - the default background color.

    • "colorN" - the color at index N within the Xterm 256-color palette. For example, "color9" refers to the color at palette index 9, normally red.

    Legal color values are:

    • "rgb:RR/GG/BB" - a color in RGB format, with each component in hexadecimal. For example, "rgb:ff/00/00" specifies the color red. Each hexadecimal component may be one to four digits, but the effective values are always zero-extended or truncated to two digits; for example, "rgb:f/8/0", "rgb:f0/80/00", and "rgb:f0f/808/00f" all refer to the same effective color.

    • "colorN" - the color currently assigned to index N within the Xterm 256-color palette. For example, "color9" specifies the color currently assigned to palette index 9. Note that the current color value is used rather than a reference to that color. If the referenced color is changed later in the color scheme configuration, that new color value will not be reflected in this assignment.

    • "NAME" - the color with human-readable name "NAME", where "NAME" is one of the standard color names supported by X11. These names generally correspond to the names standardized by the W3C for CSS.

    Clipboard parameters

    Guacamole provides bidirectional access to the clipboard by default for SQL Server connections. This behavior can be overridden on a per-connection basis, restricting access to the clipboard.

    Clipboard parameters
    Field header (web interface)
    Parameter name
    Description

    Disable copying from terminal:

    disable-copy

    If set to "true", text copied within the SQL Server session will not be accessible by the user at the browser side of the Guacamole session, and will be usable only within the remote desktop. By default, the user will be given access to the copied text.

    Disable pasting from client:

    disable-paste

    If set to "true", text copied at the browser side of the Guacamole session will not be accessible within the session. By default, the user will be able to paste data from outside the browser within the SQL Server session.

    Text session recording (typescripts)

    The full, raw text content of SQL Server sessions, including timing information, can be recorded automatically to a specified directory. This recording, also known as a "typescript", will be written to two files within the directory specified: one file contains the raw text data, and the other contains timing information. Where "NAME" is the value provided for the typescript name, these files will be named "NAME" and "NAME.timing" respectively.

    This format is compatible with the format used by the standard UNIX script command, and can be replayed using scriptreplay (if installed). For example, to replay a typescript called "NAME", you would run:

        $ scriptreplay NAME.timing NAME

    Typescript settings
    Field header (web interface)
    Parameter name
    Description

    Typescript path

    typescript-path

    The directory in which typescript files should be created. If a typescript needs to be recorded, then this parameter is required. Specifying this parameter enables typescript recording. If this parameter is omitted, no typescript will be recorded.

    Typescript name

    typescript-name

    The base filename to use for any created recordings. If omitted, the base filename "typescript" will be used.

    Guacamole will never overwrite an existing typescript. If necessary, a numeric suffix like ".1", ".2", ".3", etc. will be appended to the base filename to avoid overwriting an existing recording. If even appending a numeric suffix does not help, the typescript will not be recorded, and an error will be logged.

    This parameter only has an effect if typescript recording is enabled, which is controlled by specifying a typescript path. If the typescript path is not specified, recording of typescripts will not be enabled, and this parameter will be ignored.

    Automatically create typescript path

    create-typescript-path

    If set to "true", the final directory within the specified typescript path will automatically be created if it does not yet exist. By default, no part of the typescript path will be automatically created, and any attempt to use a non-existent directory will result in the typescript not being recorded and an error being logged.

    Only the final directory in the path will be automatically created. If other directories earlier in the path do not exist, the typescript will not be recorded, and an error will be logged.

    This parameter only has an effect if typescript recording is enabled, which is controlled by specifying a typescript path. If the typescript path is not specified, recording of typescripts will not be enabled, and this parameter will be ignored.

    Screen recording parameters

    SQL Server sessions can be recorded graphically. These recordings take the form of Guacamole protocol dumps and are recorded automatically to a specified directory. Recordings can be subsequently played back using the Glyptodon Enterprise Session Recording Player application hosted at player.glyptodon.com (or using a local deployment of this application).

    The player is a static web application, using only JavaScript to play back provided recordings. This functionality is implemented strictly locally; the recordings are not uploaded to a remote service for processing. If you would prefer to use your own deployment of this application, or would like to investigate the source, the full source of the Glyptodon Enterprise Session Recording Player can be found on GitHub, along with instructions for local deployment: https://github.com/glyptodon/glyptodon-enterprise-player

    The latest version of Keeper Connection Manager supports on-screen playback of recorded sessions. See the Session Recording documentation page.

    Field header (web interface)
    Parameter name
    Description

    Recording path

    recording-path

    The directory in which screen recording files should be created. If a graphical recording needs to be created, then this parameter is required. Specifying this parameter enables graphical screen recording. If this parameter is omitted, no graphical recording will be created.

    Recording name

    recording-name

    The filename to use for any created recordings. If omitted, the filename of each recording will simply be "recording".

    Guacamole will never overwrite an existing recording. If necessary, a numeric suffix like ".1", ".2", ".3", etc. will be appended to the filename to avoid overwriting an existing recording. If even appending a numeric suffix does not help, the session will not be recorded, and an error will be logged.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

    Exclude graphics/streams

    recording-exclude-output

    If set to "true", graphical output and other data normally streamed from server to client will be excluded from the recording, producing a recording which contains only user input events. By default, graphical output will be included in the recording.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

    Kubernetes

    This document is intended to cover all supported parameters, grouped in the same way they are grouped within the web interface. The field headings which would appear in the web interface are provided for each parameter, along with each parameter's internal name and a thorough description of the behavior and legal values for that parameter.

  • Keeper Secrets Manager parameters

  • Network parameters

  • Container parameters

  • Authentication parameters

  • Display settings

    • Custom color schemes

  • Terminal behavior parameters

  • Text session recording (typescripts)

  • Screen recording parameters

    Keeper Secrets Manager parameters

    Field header
    Parameter name
    Description

    Allow user-provided KSM configuration:

    ksm-user-config-enabled

    If set to "true", each Keeper Connection Manager user profile can be assigned to a Keeper Secrets Manager configuration for any connection. See the Multiple Vaults Integration screen for more information.

    Network parameters

    Connecting to a Kubernetes server in order to attach to a container involves establishing a WebSocket connection with that server, and requires the server's hostname or IP address. Depending on the Kubernetes server, SSL/TLS may also be required for the connection.

    Field header (web interface)
    Parameter name
    Description

    Hostname:

    hostname

    REQUIRED: The hostname or IP address of the Kubernetes server Guacamole should connect to.

    Port:

    port

    The port the Kubernetes server is listening on. By default, port 8080 will be used.

    Use SSL/TLS:

    use-ssl

    If set to "true", SSL/TLS will be used to connect to the Kubernetes server. By default, SSL/TLS will not be used.

    Container parameters

    Attaching to a particular Kubernetes container naturally requires the name of the pod containing the container in question. By default, Guacamole will attach to the first container in the pod. If there are multiple containers in the pod, you may wish to also specify the container name.

    Field header (web interface)
    Parameter name
    Description

    Namespace:

    namespace

    The name of the Kubernetes namespace of the pod containing the container being attached to. If omitted, the namespace "default" will be used.

    Pod name:

    pod

    REQUIRED: The name of the Kubernetes pod with the container being attached to.

    Container name:

    container

    The name of the container to attach to. If omitted, the first container in the pod will be used.

    Authentication parameters

    If enabled, Kubernetes uses SSL/TLS for both encryption and authentication. Standard SSL/TLS client authentication requires both a client certificate and client key, which Guacamole will use to identify itself to the Kubernetes server.

    Field header (web interface)
    Parameter name
    Description

    Client certificate:

    client-cert

    The certificate to use if performing SSL/TLS client authentication to authenticate with the Kubernetes server, in PEM format. If omitted, SSL client authentication will not be performed.

    Client key:

    client-key

    The key to use if performing SSL/TLS client authentication to authenticate with the Kubernetes server, in PEM format. If omitted, SSL client authentication will not be performed.

    Display settings

    Keeper Connection Manager's Kubernetes support provides a display, but not in the same sense as a remote desktop protocol like VNC or RDP. The display is a terminal emulator, and thus provides options for configuring the font used and its size.

    If selecting a different font for a Kubernetes connection, the chosen font must be installed on the server running guacd. It is the server that will handle rendering of characters to the terminal display, not the client.

    Field header (web interface)
    Parameter name
    Description

    Color scheme:

    color-scheme

    The color scheme to use for the terminal emulator used by Kubernetes connections. Each color scheme dictates the default foreground and background color for the terminal. Programs which specify colors when printing text will override these defaults. Legal values are:

    • "black-white" - Black text over a white background

    • "gray-black" - Gray text over a black background (the default)

    Font name:

    font-name

    The name of the font to use. If not specified, the default of "monospace" will be used instead. This must be the name of a font installed on the server running guacd, and should be a monospaced font. If a non-monospaced font is used, individual glyphs may render incorrectly.

    Font size:

    font-size

    The size of the font to use, in points. By default, the size of rendered text will be 12 point.

    Custom color schemes

    Custom color schemes may be provided for the terminal emulator used by Kubernetes connections. Custom schemes mimic the format used by Xterm and consist of a semicolon-separated series of name-value pairs. Each name-value pair is separated by a colon and assigns a value to a color in the terminal emulator palette.

    For example, to use blue text on white background by default, and change the red color to a purple shade, you would specify:

        foreground: rgb:00/00/ff;
        background: rgb:ff/ff/ff;
        color9: rgb:80/00/80

    Legal color names are:

    • "foreground" - the default foreground color.

    • "background" - the default background color.

    • "colorN" - the color at index N within the Xterm 256-color palette. For example, "color9" refers to the color at palette index 9, normally red.

    Legal color values are:

    • "rgb:RR/GG/BB" - a color in RGB format, with each component in hexadecimal. For example, "rgb:ff/00/00" specifies the color red. Each hexadecimal component may be one to four digits, but the effective values are always zero-extended or truncated to two digits; for example, "rgb:f/8/0", "rgb:f0/80/00", and "rgb:f0f/808/00f" all refer to the same effective color.

    • "colorN" - the color currently assigned to index N within the Xterm 256-color palette. For example, "color9" specifies the color currently assigned to palette index 9. Note that the current color value is used rather than a reference to that color. If the referenced color is changed later in the color scheme configuration, that new color value will not be reflected in this assignment.

    • "NAME" - the color with human-readable name "NAME", where "NAME" is one of the standard color names supported by X11. These names generally correspond to the names standardized by the W3C for CSS.
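
    The color scheme format described in this section, and identically in the SQL Server "Custom color schemes" section above, can be exercised with the following parser. It is an added example written for this page, not Guacamole's or Keeper Connection Manager's own implementation; the X11 name table and default palette it carries are constructed subsets, and the function names are its own. It implements the three rules the text states: one-to-four-digit hex components are zero-extended or truncated to two digits, a "colorN" on the right-hand side copies the value that index holds at that moment, and assignments are applied in order.

```python
"""Parser for the Xterm-style custom color scheme string accepted by the
terminal-based Keeper Connection Manager / Apache Guacamole connection types.

Added example for this page; NOT Guacamole's own implementation. Rules applied:
  * "name: value" pairs separated by semicolons (whitespace and a trailing
    semicolon are tolerated);
  * names are "foreground", "background" or "colorN";
  * values are "rgb:RR/GG/BB" (1-4 hex digits per component, zero-extended
    or truncated to two), "colorN" (the value colorN holds at that moment,
    not a live reference) or an X11 color name.
"""
import re

# Constructed subset of the X11 color names (assumption: the real table is larger).
X11_NAMES = {
    "black": (0, 0, 0), "white": (255, 255, 255), "red": (255, 0, 0),
    "green": (0, 255, 0), "blue": (0, 0, 255), "purple": (160, 32, 240),
    "gray": (190, 190, 190), "yellow": (255, 255, 0),
}

# Constructed default palette: gray on black plus 16 ANSI colors, so that
# "colorN" references have something to resolve against.
_ANSI16 = [
    (0, 0, 0), (205, 0, 0), (0, 205, 0), (205, 205, 0),
    (0, 0, 238), (205, 0, 205), (0, 205, 205), (229, 229, 229),
    (127, 127, 127), (255, 0, 0), (0, 255, 0), (255, 255, 0),
    (92, 92, 255), (255, 0, 255), (0, 255, 255), (255, 255, 255),
]


def default_palette():
    """Return a fresh copy of the "gray-black" default palette."""
    palette = {"foreground": (190, 190, 190), "background": (0, 0, 0)}
    for index, rgb in enumerate(_ANSI16):
        palette[f"color{index}"] = rgb
    return palette


_RGB = re.compile(r"^rgb:([0-9a-f]{1,4})/([0-9a-f]{1,4})/([0-9a-f]{1,4})$", re.I)
_INDEX = re.compile(r"^color(\d+)$")


def _component(hexdigits):
    """Normalize a 1-4 digit hex component to two digits: zero-extend short
    values ("f" -> "f0") and keep the leading two digits of long ones
    ("f0f" -> "f0"), as the page describes."""
    return int(hexdigits.ljust(2, "0")[:2], 16)


def _canonical_name(name):
    """Lowercase the name and strip leading zeros from a colorN index."""
    name = name.strip().lower()
    match = _INDEX.match(name)
    if match:
        return f"color{int(match.group(1))}"
    if name in ("foreground", "background"):
        return name
    raise ValueError(f"unrecognised color name {name!r}")


def parse_color_value(value, palette):
    """Resolve one color value to an (r, g, b) tuple against `palette`."""
    value = value.strip()
    match = _RGB.match(value)
    if match:
        return tuple(_component(component) for component in match.groups())
    if _INDEX.match(value.lower()):
        key = _canonical_name(value)
        if key not in palette:
            raise ValueError(f"{value!r} refers to an unassigned palette index")
        return palette[key]  # a copy of the current value, not a reference
    if value.lower() in X11_NAMES:
        return X11_NAMES[value.lower()]
    raise ValueError(f"unrecognised color value {value!r}")


def parse_color_scheme(scheme, palette=None):
    """Apply a custom scheme on top of a palette and return the new palette.
    Pairs are applied in order, which is what makes "colorN" on the
    right-hand side take the value assigned so far rather than a later one."""
    result = dict(palette if palette is not None else default_palette())
    for pair in scheme.split(";"):
        if not pair.strip():
            continue
        if ":" not in pair:
            raise ValueError(f"missing ':' in {pair.strip()!r}")
        # Split on the first colon only: the value itself may be "rgb:...".
        name, value = pair.split(":", 1)
        result[_canonical_name(name)] = parse_color_value(value, result)
    return result


# The page's own example: blue on white, with palette index 9 (red) turned purple.
PAGE_EXAMPLE = "foreground: rgb:00/00/ff;\nbackground: rgb:ff/ff/ff;\ncolor9: rgb:80/00/80"

if __name__ == "__main__":
    for name, rgb in sorted(parse_color_scheme(PAGE_EXAMPLE).items()):
        print(f"{name:12s} #{rgb[0]:02x}{rgb[1]:02x}{rgb[2]:02x}")
```

    Running the module prints the palette produced by the page's example. The reference semantics matter when a scheme both reads and rewrites the same index: "color1: color9; color9: rgb:ff/ff/00" leaves color1 at the red that color9 held before the second assignment.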

    Terminal behavior parameters

    In most cases, the default behavior of the Guacamole terminal emulator works without modification. However, when connecting to certain systems, the terminal behavior may need to be tweaked to allow it to operate properly. Guacamole's Kubernetes support provides parameters for controlling the control code sent for backspace.

    Field header (web interface)
    Parameter name
    Description

    Backspace key sends:

    backspace

    The integer value of the terminal control code that should be sent when backspace is pressed. Under most circumstances this should not need to be adjusted; however, if, when pressing the backspace key, you see control characters (often either ^? or ^H) instead of seeing the text erased, you may need to adjust this parameter. By default, the control code 127 (Delete) is sent.

    Text session recording (typescripts)

    The full, raw text content of Kubernetes sessions, including timing information, can be recorded automatically to a specified directory. This recording, also known as a "typescript", will be written to two files within the directory specified: one file contains the raw text data, and the other contains timing information. Where "NAME" is the value provided for the typescript name, these files will be named "NAME" and "NAME.timing" respectively.

    This format is compatible with the format used by the standard UNIX script command, and can be replayed using scriptreplay (if installed). For example, to replay a typescript called "NAME", you would run:

        $ scriptreplay NAME.timing NAME
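
    The NAME and NAME.timing pair described above (the SQL Server and PostgreSQL sections earlier on this page record the same format) can also be read without scriptreplay, which is useful when reviewing an archived session on a machine where installing it is not an option. The following Python is an added example, not Keeper's or Guacamole's own code: the sample file contents are constructed, it assumes the classic script(1) timing format of one "delay bytes" pair per line, and, as scriptreplay does, it treats the first line of the data file as a header and skips it (pass skip_header=False if the file has none).

```python
"""Offline reader for Guacamole text session recordings ("typescripts").

Added example for this page, not Keeper's or Guacamole's own code. A
typescript is written as two files, NAME and NAME.timing, in the format of
the UNIX script(1) command; scriptreplay(1) replays them. This module reads
the same pair without scriptreplay and reports the session timeline, its
total duration and its longest idle period.

Assumptions: each timing line is "<delay-in-seconds> <byte-count>" (the
classic script(1) timing format) and, as scriptreplay does, the first line
of the data file is a header to be skipped. The sample files are constructed.
"""

# Constructed sample data file: a header line followed by 25 bytes of terminal data.
SAMPLE_TYPESCRIPT = (
    b"Script started (constructed sample)\n"
    b"$ whoami\r\nadmin\r\n$ exit\r\n"
)

# Constructed timing file: four chunks, the last after a five second pause.
SAMPLE_TIMING = "0.000 2\n1.250 8\n0.300 7\n5.000 8\n"


def parse_timing(text):
    """Parse timing lines into a list of (delay_seconds, byte_count)."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"timing line {lineno}: expected 2 fields, got {len(fields)}")
        delay, count = float(fields[0]), int(fields[1])
        if delay < 0 or count < 0:
            raise ValueError(f"timing line {lineno}: negative value")
        events.append((delay, count))
    return events


def split_typescript(data, timing, skip_header=True):
    """Cut the raw data into the chunks the timing file describes.
    Returns a list of (seconds_since_start, chunk_bytes)."""
    body = data
    if skip_header:
        newline = data.find(b"\n")
        body = data[newline + 1:] if newline >= 0 else data
    chunks, offset, elapsed = [], 0, 0.0
    for delay, count in timing:
        elapsed += delay
        chunk = body[offset:offset + count]
        if len(chunk) != count:
            raise ValueError("typescript data ends before the timing file does")
        chunks.append((round(elapsed, 6), chunk))
        offset += count
    return chunks


def summarize(data, timing_text, skip_header=True):
    """Describe a recording: duration, byte count, longest idle gap and text."""
    timing = parse_timing(timing_text)
    chunks = split_typescript(data, timing, skip_header)
    return {
        "duration": chunks[-1][0] if chunks else 0.0,
        "bytes": sum(count for _, count in timing),
        "longest_idle": max((delay for delay, _ in timing), default=0.0),
        "text": b"".join(chunk for _, chunk in chunks).decode("utf-8", "replace"),
        "chunks": chunks,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_TYPESCRIPT, SAMPLE_TIMING)
    for seconds, chunk in report["chunks"]:
        print(f"{seconds:8.3f}s  {chunk!r}")
    print(f"duration {report['duration']:.2f}s, longest idle {report['longest_idle']:.2f}s")
```

    A mismatch between the two files (timing describing more bytes than the data file holds) is reported as an error rather than silently truncated, since a truncated pair is the first thing to check when a recording was cut short by a full disk or a failed create-typescript-path.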

    Field header (web interface)
    Parameter name
    Description

    Typescript path:

    typescript-path

    The directory in which typescript files should be created. If a typescript needs to be recorded, then this parameter is required. Specifying this parameter enables typescript recording. If this parameter is omitted, no typescript will be recorded.

    Typescript name:

    typescript-name

    The base filename to use for any created recordings. If omitted, the base filename "typescript" will be used.

    Guacamole will never overwrite an existing typescript. If necessary, a numeric suffix like ".1", ".2", ".3", etc. will be appended to the base filename to avoid overwriting an existing recording. If even appending a numeric suffix does not help, the typescript will not be recorded, and an error will be logged.

    This parameter only has an effect if typescript recording is enabled, which is controlled by specifying a typescript path. If the typescript path is not specified, recording of typescripts will not be enabled, and this parameter will be ignored.

    Automatically create typescript path:

    create-typescript-path

    If set to "true", the final directory within the specified typescript path will automatically be created if it does not yet exist. By default, no part of the typescript path will be automatically created, and any attempt to use a non-existent directory will result in the typescript not being recorded and an error being logged.

    Only the final directory in the path will be automatically created. If other directories earlier in the path do not exist, the typescript will not be recorded, and an error will be logged.

    This parameter only has an effect if typescript recording is enabled, which is controlled by specifying a typescript path. If the typescript path is not specified, recording of typescripts will not be enabled, and this parameter will be ignored.

    Screen recording parameters

    Kubernetes sessions can be recorded graphically. These recordings take the form of Apache Guacamole protocol dumps and are recorded automatically to a specified directory. Recordings can be subsequently played back using the Glyptodon Enterprise Session Recording Player application hosted at player.glyptodon.com (or using a local deployment of this application).

    The player is a static web application, using only JavaScript to play back provided recordings. This functionality is implemented strictly locally; the recordings are not uploaded to a remote service for processing. If you would prefer to use your own deployment of this application, or would like to investigate the source, the full source of the Glyptodon Enterprise Session Recording Player can be found on GitHub, along with instructions for local deployment: https://github.com/glyptodon/glyptodon-enterprise-player

    The latest version of Keeper Connection Manager supports on-screen playback of recorded sessions. See the Session Recording documentation page.

    Field header (web interface)
    Parameter name
    Description

    Recording path:

    recording-path

    The directory in which screen recording files should be created. If a graphical recording needs to be created, then this parameter is required. Specifying this parameter enables graphical screen recording. If this parameter is omitted, no graphical recording will be created.

    Recording name:

    recording-name

    The filename to use for any created recordings. If omitted, the filename of each recording will simply be "recording".

    Guacamole will never overwrite an existing recording. If necessary, a numeric suffix like ".1", ".2", ".3", etc. will be appended to the filename to avoid overwriting an existing recording. If even appending a numeric suffix does not help, the session will not be recorded, and an error will be logged.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

    Exclude graphics/streams:

    recording-exclude-output

    If set to "true", graphical output and other data normally streamed from server to client will be excluded from the recording, producing a recording which contains only user input events. By default, graphical output will be included in the recording.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.
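
    Graphical recordings are dumps of Guacamole protocol instructions, so their contents can be checked against the recording policy configured with recording-exclude-output and the other recording parameters (the same parameters appear in the SQL Server and PostgreSQL screen recording sections above). The following Python is an added example, not Keeper's or Guacamole's own tooling (guaclog and the Session Recording Player are the project's tools): it parses the protocol's length-prefixed instruction format from a constructed sample recording and reports which instruction types are present. The opcode groupings used for the verdicts are assumptions made for the example, not an exhaustive list.

```python
"""Inspector for Guacamole graphical session recordings.

Added example for this page, not Keeper's or Guacamole's own tooling. A
recording is a dump of Guacamole protocol instructions. Each instruction is
a comma-separated list of elements terminated by ";", and each element is
"<length>.<value>" where <length> counts Unicode characters of <value>.
The audit answers policy questions an operator cares about: a recording made
with recording-exclude-output should contain only input instructions, and a
recording made without recording-include-keys should contain no "key"
instructions. The sample recording and opcode groups are constructed.
"""
from collections import Counter

# Constructed sample recording (the text form of what guacd writes).
SAMPLE_RECORDING = (
    "4.size,1.0,4.1024,3.768;"      # server output: default layer resized
    "4.name,5.héllo;"               # length counts 5 characters, not 6 bytes
    "5.mouse,3.100,3.200,1.0;"      # user moved the mouse, no buttons held
    "3.key,5.65507,1.1;"            # key press (keysym 65507 = Control_L)
    "3.key,5.65507,1.0;"            # key release
    "4.sync,2.42;"
)

# Constructed opcode groups for the audit (assumption: not exhaustive).
INPUT_OPCODES = {"key", "mouse"}
OUTPUT_OPCODES = {
    "size", "sync", "cursor", "img", "blob", "end", "png", "jpeg", "webp",
    "rect", "cfill", "copy", "transfer", "dispose", "move", "shade", "clip",
    "push", "pop", "reset", "set", "identity", "transform", "start", "line",
    "arc", "curve", "close", "cstroke", "lstroke", "lfill",
}


def parse_instructions(text):
    """Yield (opcode, [args, ...]) for each instruction in `text`.
    Raises ValueError on a malformed or truncated stream."""
    position, elements = 0, []
    while position < len(text):
        dot = text.find(".", position)
        if dot < 0:
            raise ValueError(f"no length prefix at offset {position}")
        length = int(text[position:dot])  # ValueError if not all digits
        start, end = dot + 1, dot + 1 + length
        if end > len(text):
            raise ValueError(f"element at offset {start} runs past end of data")
        elements.append(text[start:end])
        terminator = text[end:end + 1]
        if terminator == ",":
            position = end + 1
        elif terminator == ";":
            yield elements[0], elements[1:]
            elements, position = [], end + 1
        else:
            raise ValueError(f"expected ',' or ';' at offset {end}, got {terminator!r}")
    if elements:
        raise ValueError("recording ends inside an instruction")


def audit_recording(text):
    """Count instruction types and flag what the recording contains."""
    counts = Counter(opcode for opcode, _ in parse_instructions(text))
    known = INPUT_OPCODES | OUTPUT_OPCODES
    return {
        "counts": counts,
        "includes_key_events": counts["key"] > 0,
        "includes_mouse_events": counts["mouse"] > 0,
        "includes_output": any(opcode in OUTPUT_OPCODES for opcode in counts),
        "unknown_opcodes": sorted(opcode for opcode in counts if opcode not in known),
    }


if __name__ == "__main__":
    report = audit_recording(SAMPLE_RECORDING)
    for opcode, n in sorted(report["counts"].items()):
        print(f"{opcode:8s} {n}")
    print("key events present:", report["includes_key_events"])
    print("graphical output present:", report["includes_output"])
```

    Feed the text of a real recording file to audit_recording after decoding it as UTF-8; the unknown_opcodes list is the place to look when a recording produced by a newer guacd carries instructions the constructed groups do not know about.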


    Telnet

    Advanced configuration of Telnet connection type

    Overview

    Telnet is a text protocol and provides similar functionality to. By nature, it is not encrypted, and does not provide support for file transfer. As far as graphics are concerned, Guacamole's telnet support works in the same manner as : it emulates a terminal on the server side which renders to the Guacamole client's display.

    Keeper's support for the telnet protocol is controlled through the use of several parameters. When a database like or is used, these parameters are presented in a convenient web interface. If defining connections through another mechanism, such as through

    Custom color scheme example (the scheme referenced in the "Custom color schemes" sections):

        foreground: rgb:00/00/ff;
        background: rgb:ff/ff/ff;
        color9: rgb:80/00/80

    Replaying a typescript called "NAME" with scriptreplay:

        $ scriptreplay NAME.timing NAME
    Additional display and screen recording parameters

    The following parameters supplement the "Display settings" and "Screen recording parameters" tables of the terminal-based connection types above.

    Further legal values for the color-scheme parameter:

  • "green-black" - Green text over a black background

  • "white-black" - White text over a black background

  • A custom color scheme (as described under "Custom color schemes")

    By default, Guacamole will render text as gray over a black background.

    Field header (web interface)
    Parameter name
    Description

    Maximum scrollback size:

    scrollback

    The maximum number of rows to allow within the terminal scrollback buffer. By default, the scrollback buffer will be limited to a maximum of 1000 rows.

    Read-only:

    read-only

    Whether this connection should be read-only. If set to "true", no input will be accepted on the connection at all. Users will be able to see the terminal (or the application running within the terminal) but will be unable to interact.

    Exclude mouse:

    recording-exclude-mouse

    If set to "true", user mouse events will be excluded from the recording, producing a recording which lacks a visible mouse cursor. By default, mouse events will be included in the recording.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

    Include key events:

    recording-include-keys

    If set to "true", user key events will be included in the recording. The recording can subsequently be passed through the guaclog utility to produce a human-readable interpretation of the keys pressed during the session. By default, for privacy's sake, key events will NOT be included in the recording.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

    Automatically create recording path:

    create-recording-path

    If set to "true", the final directory within the specified recording path will automatically be created if it does not yet exist. By default, no part of the recording path will be automatically created, and any attempt to use a non-existent directory will result in the session not being recorded and an error being logged.

    Only the final directory in the path will be automatically created. If other directories earlier in the path do not exist, the session will not be recorded, and an error will be logged.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.
    Multiple Vaults Integration
    "green-black" - Green text over a black background
  • "white-black" - White text over a black background

  • A custom color scheme (as described below)

  • By default, Guacamole will render text as gray over a black background.

    Maximum scrollback size:

    scrollback

    The maximum number of rows to allow within the terminal scrollback buffer. By default, the scrollback buffer will be limited to a maximum of 1000 rows.

    Read-only:

    read-only

    Whether this connection should be read-only. If set to "true", no input will be accepted on the connection at all. Users will be able to see the terminal (or the application running within the terminal) but will be unable to interact.

    Exclude mouse

    recording-exclude-mouse

    If set to "true", user mouse events will be excluded from the recording, producing a recording which lacks a visible mouse cursor. By default, mouse events will be included in the recording.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

    Include key events:

    recording-include-keys

    If set to "true", user key events will be included in the recording. The recording can subsequently be passed through the guaclog utility to produce a human-readable interpretation of the keys pressed during the session. By default, for privacy's sake, key events will NOT be included in the recording.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

    Automatically create recording path:

    create-recording-path

    If set to "true", the final directory within the specified recording path will automatically be created if it does not yet exist. By default, no part of the recording path will be automatically created, and any attempt to use a non-existent directory will result in the session not being recorded and an error being logged.

    Only the final directory in the path will be automatically created. If other directories earlier in the path do not exist, the session will not be recorded, and an error will be logged.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.


    Ignore server certificate:

    ignore-cert

    If set to "true", the validity of the SSL/TLS certificate used by the Kubernetes server will be ignored if it cannot be validated. By default, SSL/TLS certificates are validated.

    Certificate authority certificate:

    ca-cert

    The certificate of the certificate authority that signed the certificate of the Kubernetes server, in PEM format. If omitted, verification of the Kubernetes server certificate will use only system-wide certificate authorities.

    Command (exec):

    command

    The "exec" command passed to the container, for example /bin/sh.

    Maximum scrollback size:

    scrollback

    The maximum number of rows to allow within the terminal scrollback buffer. By default, the scrollback buffer will be limited to a maximum of 1000 rows.

    Read-only:

    read-only

    Whether this connection should be read-only. If set to "true", no input will be accepted on the connection at all. Users will be able to see the terminal (or the application running within the terminal) but will be unable to interact.

    Exclude mouse:

    recording-exclude-mouse

    If set to "true", user mouse events will be excluded from the recording, producing a recording which lacks a visible mouse cursor. By default, mouse events will be included in the recording.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

    Include key events:

    recording-include-keys

    If set to "true", user key events will be included in the recording. The recording can subsequently be passed through the guaclog utility to produce a human-readable interpretation of the keys pressed during the session. By default, for privacy's sake, key events will NOT be included in the recording.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

    Automatically create recording path:

    create-recording-path

    If set to "true", the final directory within the specified recording path will automatically be created if it does not yet exist. By default, no part of the recording path will be automatically created, and any attempt to use a non-existent directory will result in the session not being recorded and an error being logged.

    Only the final directory in the path will be automatically created. If other directories earlier in the path do not exist, the session will not be recorded, and an error will be logged.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

    Telnet

    Overview

    If defining connections through another mechanism, such as through encrypted JSON or LDAP schema modifications, parameters are specified using their internal parameter names.

    This document is intended to cover all supported parameters, grouped in the same way they are grouped within the web interface. The field headings which would appear in the web interface are provided for each parameter, along with each parameter's internal name and a thorough description of the behavior and legal values for that parameter.


    Keeper Secrets Manager parameters

    Field header
    Parameter name
    Description

    Allow user-provided KSM configuration:

    ksm-user-config-enabled

    If set to "true", each Keeper Connection Manager user profile can be assigned to a Keeper Secrets Manager configuration for any connection. See the Multiple Vaults Integration screen for more information.

    Network parameters

    Telnet connections are established over TCP to a specific port and a specific hostname or IP address. The hostname/address must be specified for all telnet connections, but you only need to specify a port if you are not using the standard telnet port (23).

    Field header (web interface)
    Parameter name
    Description

    Hostname:

    hostname

    REQUIRED: The hostname or IP address of the telnet server Guacamole should connect to.

    Port:

    port

    The port the telnet server is listening on. By default, the standard telnet port of 23 will be used.

    Authentication parameters

    Telnet does not actually provide any standard means of authentication. Authentication over telnet depends entirely on the login process running on the server and is interactive. To cope with this, Guacamole provides non-standard mechanisms for automatically passing the username and entering the password. Whether these mechanisms work depends on the specific login process used by your telnet server.

    The de facto method for passing the username automatically via telnet is to submit it via the USER environment variable, sent using telnet's "NEW-ENVIRON" option. This is the mechanism used by most telnet clients, typically by specifying -l on the command line.

    Passwords cannot typically be sent automatically - at least not as reliably as the username. There is no PASSWORD environment variable, nor any similar mechanism for passing the password to the telnet login process, and most telnet clients provide no built-in support for automatically entering the password. The best that can be done is to heuristically detect the password prompt and type the password on behalf of the user if/when the prompt appears. The prescribed method for doing this with a traditional command-line telnet is to use a utility like expect. Guacamole provides similar functionality by searching for the password prompt with a regular expression. This same regular expression mechanism is also implemented as an option for handling the username prompt (if "NEW-ENVIRON" is unavailable), as well as for detecting login success/failure.

    Field header (web interface)
    Parameter name
    Description

    Username:

    username

    The username to use to authenticate, if any. If not specified, or not supported by the telnet server, the login process on the telnet server will prompt you for your credentials. For this to work, your telnet server must either support the "NEW-ENVIRON" option (and pay attention to the USER environment variable) or provide a prompt which can be matched against a regular expression. Most telnet servers satisfy these criteria.

    Password:

    password

    The password to use when attempting authentication, if any. If specified, your password will be typed on your behalf when the password prompt is detected.

    Username regular expression:

    username-regex

    The regular expression to use to detect the username prompt when the username cannot be provided using "NEW-ENVIRON". If not specified, a reasonable default built into Guacamole will be used. Any regular expression provided must be written in the standard POSIX ERE dialect (the dialect used by egrep).
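    The "NEW-ENVIRON" exchange described above, as an added example that is not Keeper's or Guacamole's own code: the server's SEND request asking for USER, the client's IS reply carrying it (the same thing a command-line telnet client does for -l), and a server-side decoder for that reply. The command and type codes (IAC/SB/SE, NEW-ENVIRON option 39, IS/SEND, VAR/VALUE/ESC/USERVAR) are taken from RFC 1572, not from this page, and the sample username is constructed.

```python
"""Telnet NEW-ENVIRON (RFC 1572) exchange carrying the USER variable.

Added example, not Keeper's or Guacamole's code. The constants below are the
RFC's codes, assumed here rather than taken from the page; the username used
in the usage section is constructed.
"""
from typing import Dict, List, Optional, Tuple

IAC, SB, SE = 255, 250, 240             # "interpret as command", subnegotiation begin/end
NEW_ENVIRON = 39                        # option code (RFC 1572)
IS, SEND = 0, 1                         # subnegotiation commands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3   # type codes inside the subnegotiation
_CODEC = "latin-1"                      # byte-preserving codec for names and values


def _escape(data: bytes) -> bytes:
    """Escape bytes that would be read as type codes (prefix ESC) or as IAC (double it)."""
    out = bytearray()
    for b in data:
        if b in (VAR, VALUE, ESC, USERVAR):
            out += bytes([ESC, b])
        elif b == IAC:
            out += bytes([IAC, IAC])
        else:
            out.append(b)
    return bytes(out)


def build_new_environ_send(names: List[str]) -> bytes:
    """Server -> client: IAC SB NEW-ENVIRON SEND [VAR name]... IAC SE (no names = send all)."""
    pkt = bytearray([IAC, SB, NEW_ENVIRON, SEND])
    for name in names:
        pkt += bytes([VAR]) + _escape(name.encode(_CODEC))
    pkt += bytes([IAC, SE])
    return bytes(pkt)


def build_new_environ_is(variables: Dict[str, str]) -> bytes:
    """Client -> server: IAC SB NEW-ENVIRON IS (VAR name VALUE value)... IAC SE.

    This is how a telnet client's -l option, and Guacamole's username parameter,
    hand USER to the login process on the server."""
    pkt = bytearray([IAC, SB, NEW_ENVIRON, IS])
    for name, value in variables.items():
        pkt += bytes([VAR]) + _escape(name.encode(_CODEC))
        pkt += bytes([VALUE]) + _escape(value.encode(_CODEC))
    pkt += bytes([IAC, SE])
    return bytes(pkt)


def parse_new_environ_is(packet: bytes) -> Dict[str, str]:
    """Server side: decode an IS reply into {name: value}, undoing the escaping."""
    header = bytes([IAC, SB, NEW_ENVIRON, IS])
    if not packet.startswith(header) or not packet.endswith(bytes([IAC, SE])):
        raise ValueError("not a NEW-ENVIRON IS subnegotiation")
    payload = packet[len(header):-2]
    segments: List[Tuple[int, bytearray]] = []   # (type code, unescaped data)
    i = 0
    while i < len(payload):
        b = payload[i]
        if b in (VAR, USERVAR, VALUE):
            segments.append((b, bytearray()))
            i += 1
            continue
        if not segments:
            raise ValueError("data before the first type code")
        if b in (ESC, IAC):
            # ESC x -> x; an IAC inside a subnegotiation must be doubled
            if i + 1 >= len(payload) or (b == IAC and payload[i + 1] != IAC):
                raise ValueError("malformed escape sequence")
            segments[-1][1].append(payload[i + 1])
            i += 2
        else:
            segments[-1][1].append(b)
            i += 1
    result: Dict[str, str] = {}
    pending: Optional[str] = None
    for code, data in segments:
        if code in (VAR, USERVAR):
            # a VAR not followed by a VALUE means "undefined" (RFC 1572) and is skipped
            pending = data.decode(_CODEC)
        elif code == VALUE:
            if pending is None:
                raise ValueError("VALUE without a preceding VAR")
            result[pending] = data.decode(_CODEC)
            pending = None
    return result


if __name__ == "__main__":
    request = build_new_environ_send(["USER"])          # what the server asks for
    reply = build_new_environ_is({"USER": "alice"})     # constructed username
    print("server SEND:", request.hex(" "))
    print("client IS:  ", reply.hex(" "))
    print("server sees:", parse_new_environ_is(reply))
```

    Whether the server's login process then uses USER (rather than prompting again) is up to that login process, which is exactly why the page also offers the regular-expression prompt matching as a fallback.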

    Display settings

    Guacamole's telnet support provides a display, but not in the same sense as a remote desktop protocol like VNC or RDP. The display is a terminal emulator, and thus provides options for configuring the font used and its size.

    If selecting a different font for a telnet connection, the chosen font must be installed on the server running guacd. It is the server that will handle rendering of characters to the terminal display, not the client.

    Field header (web interface)
    Parameter name
    Description

    Color scheme:

    color-scheme

    The color scheme to use for the terminal emulator used by telnet connections. Each color scheme dictates the default foreground and background color for the terminal. Programs which specify colors when printing text will override these defaults. Legal values are:

    • "black-white" - Black text over a white background

    • "gray-black" - Gray text over a black background (the default)

    • "green-black" - Green text over a black background

    • "white-black" - White text over a black background

    • A custom color scheme (as described below)

    By default, Guacamole will render text as gray over a black background.

    Font name:

    font-name

    The name of the font to use. If not specified, the default of "monospace" will be used instead. This must be the name of a font installed on the server running guacd, and should be a monospaced font. If a non-monospaced font is used, individual glyphs may render incorrectly.

    Font size:

    font-size

    The size of the font to use, in points. By default, the size of rendered text will be 12 point.

    Custom color schemes

    Custom color schemes may be provided for the terminal emulator used by telnet connections. Custom schemes mimic the format used by Xterm and consist of a semicolon-separated series of name-value pairs. Each name-value pair is separated by a colon and assigns a value to a color in the terminal emulator palette.

    For example, to use blue text on white background by default, and change the red color to a purple shade, you would specify:

    foreground: rgb:00/00/ff;
    background: rgb:ff/ff/ff;
    color9: rgb:80/00/80

    Legal color names are:

    • "foreground" - the default foreground color.

    • "background" - the default background color.

    • "colorN" - the color at index N within the Xterm 256-color palette. For example, "color9" refers to the color at palette index 9, normally red.

    Legal color values are:

    • "rgb:RR/GG/BB" - a color in RGB format, with each component in hexadecimal. For example, "rgb:ff/00/00" specifies the color red. Each hexadecimal component may be one to four digits, but the effective values are always zero-extended or truncated to two digits; for example, "rgb:f/8/0", "rgb:f0/80/00", and "rgb:f0f/808/00f" all refer to the same effective color.

    • "colorN" - the color currently assigned to index N within the Xterm 256-color palette. For example, "color9" specifies the color currently assigned to palette index 9. Note that the current color value is used rather than a reference to that color. If the referenced color is changed later in the color scheme configuration, that new color value will not be reflected in this assignment.

    • "NAME" - the color with human-readable name "NAME", where "NAME" is one of the standard color names supported by X11. These names generally correspond to the names standardized by the W3C for CSS.
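    The scheme format just described, as an added example that is not Keeper's or Guacamole's code: a Python parser that applies a scheme string to a copy of the palette, normalizes one-to-four-digit hexadecimal components the way the page describes (zero-extend or truncate to two digits), and takes a snapshot of a "colorN" value at assignment time rather than keeping a reference to it. The palette entries, the handful of X11 names, and the starting foreground/background values are constructed assumptions (the page names the gray-over-black default but not its RGB values).

```python
"""Parse a custom terminal color scheme in the Xterm-like format the page describes.

Added example, not Keeper's or Guacamole's code. The palette, the X11 name subset
and the starting foreground/background values are assumptions for the demo.
"""
import re
from typing import Dict, Optional, Tuple

RGB = Tuple[int, int, int]

# Constructed subset of the X11 color names (only what the demonstration needs).
X11_NAMES: Dict[str, RGB] = {
    "black": (0, 0, 0),
    "white": (255, 255, 255),
    "red": (255, 0, 0),
    "blue": (0, 0, 255),
    "purple": (160, 32, 240),
}

# Constructed Xterm palette for indexes 0-15; index 9 is the red the page's
# example overrides. Indexes 16-255 are omitted to keep the example short.
DEFAULT_PALETTE: Dict[int, RGB] = {
    0: (0, 0, 0), 1: (205, 0, 0), 2: (0, 205, 0), 3: (205, 205, 0),
    4: (0, 0, 238), 5: (205, 0, 205), 6: (0, 205, 205), 7: (229, 229, 229),
    8: (127, 127, 127), 9: (255, 0, 0), 10: (0, 255, 0), 11: (255, 255, 0),
    12: (92, 92, 255), 13: (255, 0, 255), 14: (0, 255, 255), 15: (255, 255, 255),
}

_RGB_RE = re.compile(r"^rgb:([0-9a-f]{1,4})/([0-9a-f]{1,4})/([0-9a-f]{1,4})$", re.I)
_INDEX_RE = re.compile(r"^color(\d{1,3})$", re.I)


def _component(digits: str) -> int:
    """Normalize a 1-4 digit hex component to two digits: short values are
    zero-extended on the right, long ones truncated, as the page describes."""
    return int((digits + "00")[:2], 16)


def resolve_color(value: str, palette: Dict[int, RGB]) -> RGB:
    """Turn one color value into an RGB triple using the palette as it is right now."""
    value = value.strip()
    m = _RGB_RE.match(value)
    if m:
        r, g, b = (_component(d) for d in m.groups())
        return (r, g, b)
    m = _INDEX_RE.match(value)
    if m:
        index = int(m.group(1))
        if index not in palette:
            raise ValueError(f"palette index {index} is not defined")
        return palette[index]   # a snapshot of the current value, not a reference
    if value.lower() in X11_NAMES:
        return X11_NAMES[value.lower()]
    raise ValueError(f"unrecognized color value: {value!r}")


def parse_color_scheme(scheme: str,
                       palette: Optional[Dict[int, RGB]] = None) -> Dict[str, object]:
    """Apply a semicolon-separated scheme to a copy of the palette.

    Returns {"foreground": RGB, "background": RGB, "palette": {index: RGB}}.
    """
    pal = dict(DEFAULT_PALETTE if palette is None else palette)   # never mutate the caller's palette
    fg: RGB = pal[7]   # assumed: the default "gray" foreground is palette index 7
    bg: RGB = pal[0]   # assumed: the default "black" background is palette index 0
    for pair in scheme.split(";"):
        if not pair.strip():
            continue                                 # tolerate a trailing ";" or blank entries
        name, sep, value = pair.partition(":")       # split on the FIRST colon only,
        if not sep:                                  # because "rgb:..." values contain one
            raise ValueError(f"missing ':' in {pair!r}")
        name = name.strip().lower()
        rgb = resolve_color(value, pal)
        if name == "foreground":
            fg = rgb
        elif name == "background":
            bg = rgb
        else:
            m = _INDEX_RE.match(name)
            if not m:
                raise ValueError(f"unrecognized color name: {name!r}")
            pal[int(m.group(1))] = rgb
    return {"foreground": fg, "background": bg, "palette": pal}


if __name__ == "__main__":
    # The page's own example: blue on white, and palette index 9 turned purple.
    print(parse_color_scheme("foreground: rgb:00/00/ff; background: rgb:ff/ff/ff; color9: rgb:80/00/80"))
```

    The second test case below is the subtle point from the "colorN" value description: assigning the foreground from color9 and then changing color9 leaves the foreground at the old red, because the value was copied at assignment time.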

    Clipboard parameters

    Guacamole provides bidirectional access to the clipboard by default for telnet connections. This behavior can be overridden on a per-connection basis, restricting access to the clipboard.

    Field header (web interface)
    Parameter name
    Description

    Disable copying from terminal:

    disable-copy

    If set to "true", text copied within the telnet session will not be accessible by the user at the browser side of the Guacamole session, and will be usable only within the remote desktop. By default, the user will be given access to the copied text.

    Disable pasting from client:

    disable-paste

    If set to "true", text copied at the browser side of the Guacamole session will not be accessible within the telnet session. By default, the user will be able to paste data from outside the browser within the telnet session.

    Terminal behavior parameters

    In most cases, the default behavior of the Guacamole terminal emulator works without modification. However, when connecting to certain systems (particularly operating systems other than Linux), the terminal behavior may need to be tweaked to allow it to operate properly. Guacamole's telnet support provides parameters for controlling the control code sent for backspace, as well as the terminal type claimed via the TERM environment variable.

    Field header (web interface)
    Parameter name
    Description

    Backspace key sends:

    backspace

    The integer value of the terminal control code that should be sent when backspace is pressed. Under most circumstances this should not need to be adjusted; however, if, when pressing the backspace key, you see control characters (often either ^? or ^H) instead of seeing the text erased, you may need to adjust this parameter. By default, the control code 127 (Delete) is sent.

    Terminal type:

    terminal-type

    The terminal type string that should be passed to the telnet server. This value will typically be exposed within the telnet session as the TERM environment variable and will affect the control characters sent by applications. By default, the terminal type string "linux" is used.

    Text session recording (typescripts)

    The full, raw text content of telnet sessions, including timing information, can be recorded automatically to a specified directory. This recording, also known as a "typescript", will be written to two files within the directory specified: one file contains the raw text data, and the other contains timing information. Where "NAME" is the value provided for the typescript name, these files will be named "NAME" and "NAME.timing" respectively.

    This format is compatible with the format used by the standard UNIX script command, and can be replayed using scriptreplay (if installed). For example, to replay a typescript called "NAME", you would run:

    $ scriptreplay NAME.timing NAME

    Field header (web interface)
    Parameter name
    Description

    Typescript path:

    typescript-path

    The directory in which typescript files should be created. If a typescript needs to be recorded, then this parameter is required. Specifying this parameter enables typescript recording. If this parameter is omitted, no typescript will be recorded.

    Typescript name:

    typescript-name

    The base filename to use for any created recordings. If omitted, the base filename "typescript" will be used.

    Guacamole will never overwrite an existing typescript. If necessary, a numeric suffix like ".1", ".2", ".3", etc. will be appended to the base filename to avoid overwriting an existing recording. If even appending a numeric suffix does not help, the typescript will not be recorded, and an error will be logged.

    This parameter only has an effect if typescript recording is enabled, which is controlled by specifying a typescript path. If the typescript path is not specified, recording of typescripts will not be enabled, and this parameter will be ignored.

    Automatically create typescript path:

    create-typescript-path

    If set to "true", the final directory within the specified typescript path will automatically be created if it does not yet exist. By default, no part of the typescript path will be automatically created, and any attempt to use a non-existent directory will result in the typescript not being recorded and an error being logged.

    Only the final directory in the path will be automatically created. If other directories earlier in the path do not exist, the typescript will not be recorded, and an error will be logged.

    This parameter only has an effect if typescript recording is enabled, which is controlled by specifying a typescript path. If the typescript path is not specified, recording of typescripts will not be enabled, and this parameter will be ignored.

    Screen recording parameters

    Telnet sessions can be recorded graphically. These recordings take the form of Guacamole protocol dumps and are recorded automatically to a specified directory. Recordings can be subsequently played back using the Keeper Connection Manager Session Recording Player application hosted at player.glyptodon.com (or using a local deployment of this application).

    The player is a static web application, using only JavaScript to play back provided recordings. This functionality is implemented strictly locally; the recordings are not uploaded to a remote service for processing. If you would prefer to use your own deployment of this application, or would like to investigate the source, the full source of the Keeper Connection Manager Session Recording Player can be found on GitHub, along with instructions for local deployment: https://github.com/glyptodon/glyptodon-enterprise-player

    The latest version of Keeper Connection Manager supports on-screen playback of recorded sessions. See the Session Recording documentation page.

    Field header (web interface)
    Parameter name
    Description

    Recording path:

    recording-path

    The directory in which screen recording files should be created. If a graphical recording needs to be created, then this parameter is required. Specifying this parameter enables graphical screen recording. If this parameter is omitted, no graphical recording will be created.

    Recording name:

    recording-name

    The filename to use for any created recordings. If omitted, the filename of each recording will simply be "recording".

    Guacamole will never overwrite an existing recording. If necessary, a numeric suffix like ".1", ".2", ".3", etc. will be appended to the filename to avoid overwriting an existing recording. If even appending a numeric suffix does not help, the session will not be recorded, and an error will be logged.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

    Exclude graphics/streams:

    recording-exclude-output

    If set to "true", graphical output and other data normally streamed from server to client will be excluded from the recording, producing a recording which contains only user input events. By default, graphical output will be included in the recording.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.


    VNC

    Advanced configuration of VNC Protocol connection type

    Overview

    Keeper's support for the VNC protocol is controlled through the use of several parameters. When a database like MySQL or PostgreSQL is used, these parameters are presented in a convenient web interface. If defining connections through another mechanism, such as through encrypted JSON or LDAP schema modifications, parameters are specified using their internal parameter names.

    This document is intended to cover all supported parameters, grouped in the same way they are grouped within the web interface. The field headings which would appear in the web interface are provided for each parameter, along with each parameter's internal name and a thorough description of the behavior and legal values for that parameter.

    Some features provided by Keeper's VNC support are implemented through additional protocols like SFTP and PulseAudio. This is done transparently. While additional network connections may be used between guacd and the remote desktop servers, everything between the user and Keeper will still use only a single connection.

    Keeper Secrets Manager parameters

    Field header
    Parameter name
    Description

    Network parameters

    VNC connections are established over TCP to a specific port and a specific hostname or IP address. In general, each VNC server is associated with a display number, from which the appropriate port number is derived, though most VNC servers provide a means of overriding this default behavior. Both the hostname and port are required parameters for all VNC connections.

    Field header (web interface)
    Parameter name
    Description

    Authentication parameters

    The VNC standard defines only password based authentication, with other authentication mechanisms being non-standard or proprietary. Keeper Connection Manager currently supports only the password method.

    Field header (web interface)
    Parameter name
    Description

    Display settings

    VNC servers do not allow the client to request particular display sizes, so you are at the mercy of your VNC server with respect to display width and height. However, to reduce bandwidth usage, you may request that the VNC server reduce its color depth. Keeper will automatically detect 256-color images, but this can be guaranteed for absolutely all graphics sent over the connection by forcing the color depth to 8-bit. Color depth is otherwise dictated by the VNC server.

    If you are noticing problems with your VNC display, such as the lack of a mouse cursor, the presence of multiple mouse cursors, or strange colors (such as blue colors appearing more like orange or red), these are typically the result of bugs or limitations within the VNC server, and additional parameters are available to work around such issues.

    Field header (web interface)
    Parameter name
    Description

    Clipboard parameters

    Keeper Connection Manager provides bidirectional access to the clipboard by default for VNC connections, and will automatically translate clipboard data from its native UTF-8 format into the ISO 8859-1 encoding required by the VNC standard. This behavior can be overridden on a per-connection basis, restricting access to the clipboard and/or forcing Keeper to assume that the VNC server uses a non-standard encoding.

    The only clipboard encoding guaranteed to be supported by VNC servers is ISO 8859-1. You should only override the clipboard encoding if you are absolutely positive that the VNC server supports and expects a different encoding.

    Field header (web interface)
    Parameter name
    Description

    VNC repeater parameters

    There exist VNC repeaters, such as UltraVNC Repeater, which act as intermediaries or proxies, providing a single logical VNC connection which is then routed to another VNC server elsewhere. Additional parameters are required to select which VNC host behind the repeater will receive the connection.

    Field header (web interface)
    Parameter name
    Description

    Screen recording parameters

    VNC sessions can be recorded graphically. These recordings take the form of Apache Guacamole protocol dumps and are recorded automatically to a specified directory. Recordings can be subsequently played back using the web interface or the Enterprise Session Recording Player application hosted at player.glyptodon.com (or using a local deployment of this application).

    The player is a static web application, using only JavaScript to play back provided recordings. This functionality is implemented strictly locally; the recordings are not uploaded to a remote service for processing. If you would prefer to use your own deployment of this application, or would like to investigate the source, the full source of the Glyptodon Enterprise Session Recording Player can be found on GitHub, along with instructions for local deployment: https://github.com/glyptodon/glyptodon-enterprise-player

    The latest version of Keeper Connection Manager supports on-screen playback of recorded sessions. See the Session Recording documentation page.

    Field header (web interface)
    Parameter name
    Description

    SFTP parameters (file transfer)

    VNC does not normally support file transfer, but Keeper Connection Manager can provide file transfer over SFTP even when the remote desktop is otherwise being accessed through VNC and not SSH.

    Field header (web interface)
    Parameter name
    Description

    Audio parameters (PulseAudio)

    VNC does not provide its own support for audio, but Keeper Connection Manager's VNC support can obtain audio through a secondary network connection to a PulseAudio server running on the same machine as the VNC server.

    Most Linux systems provide audio through a service called PulseAudio. This service is capable of communicating over the network, and if PulseAudio is configured to allow TCP connections, Keeper can connect to your PulseAudio server and combine its audio with the graphics coming over VNC.

    The following parameters are available for configuring the audio support for VNC:

    Field header (web interface)
    Parameter name
    Description

    Configuring PulseAudio to accept TCP connections

    For PulseAudio to accept network connections, its TCP module must be loaded. The TCP module is not typically loaded by default, and must be manually loaded through an additional line within the PulseAudio configuration file (usually /etc/pulse/default.pa). The options specified for the module dictate exactly where these connections are allowed from, providing a degree of security. For example, to allow connections from only the 10.0.0.0/8 subnet:

    It is also possible to allow connections from absolutely anywhere, but beware that you should only do so if the nature of your network prevents unauthorized access:

    Once the PulseAudio configuration file has been modified appropriately, restart the PulseAudio service. PulseAudio should then begin listening on port 4713 (the default PulseAudio port) for incoming TCP connections. You can verify this using a utility like netstat:

    In all cases, the auth-anonymous=1 parameter is strictly required. Keeper Connection Manager does not currently support the cookie-based authentication used by PulseAudio for non-anonymous connections. If this parameter is omitted, Keeper will not be able to connect to PulseAudio.
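    The two properties this section calls out for the TCP module line, auth-anonymous=1 being mandatory and the ACL deciding who may connect, as an added example that is not Keeper's or PulseAudio's code: a small audit of the module-native-protocol-tcp lines in a default.pa file. The module and option names (module-native-protocol-tcp, auth-ip-acl, auth-anonymous, port) are PulseAudio's own and are not spelled out on this page; the configuration text in the block is constructed for the demonstration.

```python
"""Audit the module-native-protocol-tcp lines of a PulseAudio default.pa.

Added example, not Keeper's or PulseAudio's code. The module and option names
are PulseAudio's; the configuration text below is constructed for the demo.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed /etc/pulse/default.pa fragment: one restricted line, one open
# line, and one that uses cookie authentication instead of anonymous access.
SAMPLE_DEFAULT_PA = """\
### Automatically load driver modules depending on the hardware available
.ifexists module-udev-detect.so
load-module module-udev-detect
.endif

# Restricted: only the 10.0.0.0/8 subnet may connect, anonymously (what Keeper needs)
load-module module-native-protocol-tcp auth-ip-acl=10.0.0.0/8 auth-anonymous=1

# Open to the world: anonymous and no ACL at all
load-module module-native-protocol-tcp auth-anonymous=1

# Cookie-authenticated only: Keeper cannot connect to this one
load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1 port=4714
"""

_TCP_MODULE_RE = re.compile(r"^\s*load-module\s+module-native-protocol-tcp\b(.*)$")

Finding = Tuple[int, str, str]   # (line number, severity, message)


def parse_module_args(arg_text: str) -> Dict[str, str]:
    """Split 'key=value key2=value2' module arguments into a dict."""
    args: Dict[str, str] = {}
    for token in arg_text.split():
        key, _, value = token.partition("=")
        args[key] = value
    return args


def acl_is_unrestricted(acl: str) -> bool:
    """True when any entry of the ';'-separated ACL matches every address (prefix length 0)."""
    for entry in acl.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        try:
            network = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue   # malformed entries are left for PulseAudio itself to reject
        if network.prefixlen == 0:
            return True
    return False


def audit_default_pa(text: str) -> List[Finding]:
    """Check every TCP-module line for the two properties the page calls out:
    auth-anonymous=1 (required for Keeper to connect at all) and an auth-ip-acl
    that actually restricts where connections may come from."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = _TCP_MODULE_RE.match(line)
        if not m:
            continue
        args = parse_module_args(m.group(1))
        if args.get("auth-anonymous") != "1":
            findings.append((lineno, "error",
                             "auth-anonymous=1 is missing; Keeper Connection Manager "
                             "does not support PulseAudio cookie authentication"))
        acl = args.get("auth-ip-acl")
        if acl is None:
            findings.append((lineno, "warning",
                             "no auth-ip-acl: anonymous clients from any address may connect"))
        elif acl_is_unrestricted(acl):
            findings.append((lineno, "warning", f"auth-ip-acl={acl} allows every address"))
    return findings


def listening_ports(text: str) -> List[int]:
    """Ports the TCP-module lines listen on (4713 unless port= overrides it),
    i.e. what to look for in netstat after restarting PulseAudio."""
    ports: List[int] = []
    for line in text.splitlines():
        m = _TCP_MODULE_RE.match(line)
        if m:
            ports.append(int(parse_module_args(m.group(1)).get("port", "4713")))
    return ports


if __name__ == "__main__":
    for lineno, severity, message in audit_default_pa(SAMPLE_DEFAULT_PA):
        print(f"line {lineno}: {severity}: {message}")
    print("expected listening ports:", listening_ports(SAMPLE_DEFAULT_PA))
```

    Run against a real file with audit_default_pa(open("/etc/pulse/default.pa").read()); the restricted line in the sample produces no finding, the open line a warning, and the cookie-only line an error, which matches the page's guidance on which configurations Keeper can use safely.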



    The parameter details for the VNC sections above follow, in the same order as those sections.

    Allow user-provided KSM configuration:

    ksm-user-config-enabled

    If set to "true", each Keeper Connection Manager user profile can be assigned to a Keeper Secrets Manager configuration for any connection. See the Multiple Vaults Integration screen for more information.

    Hostname:

    hostname

    REQUIRED: The hostname or IP address of the VNC server that Keeper should connect to.

    Port:

    port

    REQUIRED: The TCP port that the VNC server is listening on.

    This value is typically 5900 or 5900 + display number. For example, if your VNC server is serving display number 1 (sometimes written as ":1"), your port number here would be 5901.

    Password:

    password

    The password to use when attempting authentication, if any.

    Read-only:

    read-only

    Whether this connection should be read-only. If set to "true", no input will be accepted on the connection at all. Users will only see the desktop and whatever other users using that same desktop are doing.

    Swap red/blue components:

    swap-red-blue

    If the colors of your display appear wrong (blues appear orange or red, etc.), it may be that your VNC server is sending image data incorrectly, and the red and blue components of each color are swapped. If this is the case, set this parameter to "true" to work around the problem.

    Cursor:

    cursor

    If set to "remote", the mouse pointer will be rendered remotely, and the local position of the mouse pointer will be indicated by a small dot. A remote mouse cursor will feel slower than a local cursor, but may be necessary if the VNC server does not support sending the cursor image to the client.

    Color depth:

    color-depth

    The color depth to request, in bits per pixel. Legal values are 8, 16, 24, or 32. Note that, regardless of what value is chosen here, Keeper will always attempt to optimize image transmission, automatically using fewer bits per pixel if doing so will not visibly alter image quality.

    Force lossless compression:

    force-lossless

    Whether this connection should use lossless compression only. If set to "true", all graphical updates will use lossless compression algorithms. By default, lossy compression will automatically be used when Keeper detects that doing so would likely outperform lossless compression.

    Exclude mouse:

    recording-exclude-mouse

    If set to "true", user mouse events will be excluded from the recording, producing a recording which lacks a visible mouse cursor. By default, mouse events will be included in the recording.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

    Include key events:

    recording-include-keys

    If set to "true", user key events will be included in the recording. The recording can subsequently be passed through the guaclog utility to produce a human-readable interpretation of the keys pressed during the session. By default, for privacy's sake, key events will NOT be included in the recording.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

    Automatically create recording path:

    create-recording-path

    If set to "true", the final directory within the specified recording path will automatically be created if it does not yet exist. By default, no part of the recording path will be automatically created, and any attempt to use a non-existent directory will result in the session not being recorded and an error being logged.

    Only the final directory in the path will be automatically created. If other directories earlier in the path do not exist, the session will not be recorded, and an error will be logged.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

    sftp-host-key

    The known hosts entry for the SSH server providing SFTP, in the same format as would be specified within an OpenSSH known_hosts file. If not provided, no verification of host identity will be performed.

    Username:

    sftp-username

    The username to authenticate as when connecting to the specified SSH server for SFTP. This parameter is required if SFTP is enabled.

    Password:

    sftp-password

    The password to use when authenticating with the specified SSH server for SFTP.

    Private key:

    sftp-private-key

    The entire contents of the private key to use for public key authentication. If this parameter is not specified, public key authentication will not be used. The private key must be in OpenSSH format, as would be generated by the OpenSSH ssh-keygen utility.

    Passphrase:

    sftp-passphrase

    The passphrase to use to decrypt the private key for use in public key authentication. This parameter is not needed if the private key does not require a passphrase.

    File browser root directory:

    sftp-root-directory

    The directory to expose to connected users via Guacamole's file browser. If omitted, the root directory will be used by default.

    Default upload directory:

    sftp-directory

    The directory to upload files to if they are simply dragged and dropped, and thus otherwise lack a specific upload location. If omitted, the default upload location of the SSH server providing SFTP will be used.

    SFTP keepalive interval:

    sftp-server-alive-interval

    The interval in seconds between which keepalive packets should be sent to the SSH server for the SFTP connection, where "0" indicates that no keepalive packets should be sent at all (the default behavior). The minimum legal value is "2".

    Encoding:

    clipboard-encoding

    The encoding to assume for the VNC clipboard. By default, the standard encoding ISO 8859-1 will be used. Only use this parameter if you are sure your VNC server expects a different, non-standard encoding.

    Possible values are:

    • "ISO8859-1" - The clipboard encoding mandated by the VNC standard.

    • "UTF-8"

    • "UTF-16"

    • "CP1252" - Code page 1252, a Windows-specific encoding for Latin characters which is mostly a superset of ISO 8859-1.

    Disable copying from remote desktop:

    disable-copy

    If set to "true", text copied within the VNC session will not be accessible by the user at the browser side of the session, and will be usable only within the remote desktop. By default, the user will be given access to the copied text.

    Disable pasting from client:

    disable-paste

    If set to "true", text copied at the browser side of the session will not be accessible within the VNC session. By default, the user will be able to paste data from outside the browser within the VNC session.

    Destination host:

    dest-host

    The destination host to request when connecting to a VNC proxy such as UltraVNC Repeater. This is only necessary if the VNC proxy in use requires the connecting user to specify which VNC server to connect to. If the VNC proxy automatically connects to a specific server, this parameter is not necessary.

    Destination port:

    dest-port

    The destination port to request when connecting to a VNC proxy such as UltraVNC Repeater. This is only necessary if the VNC proxy in use requires the connecting user to specify which VNC server to connect to. If the VNC proxy automatically connects to a specific server, this parameter is not necessary.

    Recording path:

    recording-path

    The directory in which screen recording files should be created. If a graphical recording needs to be created, then this parameter is required. Specifying this parameter enables graphical screen recording. If this parameter is omitted, no graphical recording will be created.

    Recording name:

    recording-name

    The filename to use for any created recordings. If omitted, the filename of each recording will simply be "recording".

    Keeper will never overwrite an existing recording. If necessary, a numeric suffix like ".1", ".2", ".3", etc. will be appended to the filename to avoid overwriting an existing recording. If even appending a numeric suffix does not help, the session will not be recorded, and an error will be logged.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

    Exclude graphics/streams:

    recording-exclude-output

    If set to "true", graphical output and other data normally streamed from server to client will be excluded from the recording, producing a recording which contains only user input events. By default, graphical output will be included in the recording.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

    Enable SFTP:

    enable-sftp

    Whether file transfer should be enabled. If set to "true", the user will be allowed to upload or download files from the specified server using SFTP. If omitted, SFTP will be disabled.

    Hostname:

    sftp-hostname

    The hostname or IP address of the server hosting SFTP. If omitted, the specified hostname or address of the VNC server will be used.

    Port:

    sftp-port

    The port the SSH server providing SFTP is listening on, usually 22. If omitted, the standard port of 22 will be used.

    Enable audio:

    enable-audio

    If set to "true", audio support will be enabled, and a second connection for PulseAudio will be made in addition to the VNC connection. By default, audio support within VNC is disabled.

    Audio server name:

    audio-servername

    The name of the PulseAudio server to connect to. This will be the hostname or address of the computer providing audio for your connection via PulseAudio, most likely the same as the hostname/address of the VNC server.

    If this parameter is omitted, the default PulseAudio device will be used, which will be the PulseAudio server running on the same machine as guacd.


    • "green-black" - Green text over a black background

    • "white-black" - White text over a black background

    • A custom color scheme (as described below)

    By default, Guacamole will render text as gray over a black background.

    Password regular expression:

    password-regex

    The regular expression to use to detect the password prompt. If not specified, a reasonable default built into Guacamole will be used. Any regular expression provided must be written in the standard POSIX ERE dialect (the dialect used by egrep).

    Login success regular expression:

    login-success-regex

    The regular expression to use when detecting that the login attempt has succeeded. If specified, the terminal display will not be shown to the user until text matching this regular expression has been received from the telnet server. Any regular expression provided must be written in the standard POSIX ERE dialect (the dialect used by egrep).

    Login failure regular expression:

    login-failure-regex

    The regular expression to use when detecting that the login attempt has failed. If specified, the connection will be closed with an explicit login failure error if text matching this regular expression has been received from the telnet server. Any regular expression provided must be written in the standard POSIX ERE dialect (the dialect used by egrep).

    Maximum scrollback size:

    scrollback

    The maximum number of rows to allow within the terminal scrollback buffer. By default, the scrollback buffer will be limited to a maximum of 1000 rows.

    Read-only:

    read-only

    Whether this connection should be read-only. If set to "true", no input will be accepted on the connection at all. Users will be able to see the terminal (or the application running within the terminal) but will be unable to interact.

    Exclude mouse:

    recording-exclude-mouse

    If set to "true", user mouse events will be excluded from the recording, producing a recording which lacks a visible mouse cursor. By default, mouse events will be included in the recording.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

    Include key events:

    recording-include-keys

    If set to "true", user key events will be included in the recording. The recording can subsequently be passed through the guaclog utility to produce a human-readable interpretation of the keys pressed during the session. By default, for privacy's sake, key events will NOT be included in the recording.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

    Automatically create recording path:

    create-recording-path

    If set to "true", the final directory within the specified recording path will automatically be created if it does not yet exist. By default, no part of the recording path will be automatically created, and any attempt to use a non-existent directory will result in the session not being recorded and an error being logged.

    Only the final directory in the path will be automatically created. If other directories earlier in the path do not exist, the session will not be recorded, and an error will be logged.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.


    SSH

    Advanced configuration of SSH Protocol connection type

    Overview

    Unlike VNC or RDP, SSH is a text protocol. Its implementation in Keeper Connection Manager is a combination of a terminal emulator and an SSH client, because the SSH protocol isn't inherently graphical. Keeper's SSH support emulates a terminal on the server side and draws the screen of this terminal remotely on the client.

    Keeper's support for the SSH protocol is controlled through the use of several parameters. When a database like MySQL or PostgreSQL is used, these parameters are presented in a convenient web interface. If defining connections through another mechanism, such as through encrypted JSON or LDAP schema modifications, parameters are specified using their internal parameter names.

    Remote Browser Isolation

    Advanced configuration of HTTP/HTTPS Remote Browser Isolation connection type

    This feature requires Keeper Connection Manager version 2.19.0 or newer

    Keeper Remote Browser Isolation

    The Remote Browser Isolation connection type provides secure access to web-based applications through a rendered, isolated browser experience. The website's code and DOM never execute locally on the user's device, so the user is insulated from many types of attack. Because the browser session does not run on the local device, this technology also protects the asset from attacks originating on that device.

    load-module module-native-protocol-tcp auth-ip-acl=10.0.0.0/8 auth-anonymous=1
    load-module module-native-protocol-tcp auth-anonymous=1
    $ netstat -ln | grep 4713
    tcp        0      0 0.0.0.0:4713            0.0.0.0:*                LISTEN
    tcp6       0      0 :::4713                 :::*                     LISTEN
    $

    This document is intended to cover all supported parameters, grouped in the same way they are grouped within the web interface. The field headings which would appear in the web interface are provided for each parameter, along with each parameter's internal name and a thorough description of the behavior and legal values for that parameter.

    • Keeper Secrets Manager parameters

    • Network parameters

    • Authentication parameters

    • Display settings

    Keeper Secrets Manager parameters

    Field header
    Parameter name
    Description

    Allow user-provided KSM configuration:

    ksm-user-config-enabled

    If set to "true", each Keeper Connection Manager user profile can be assigned to a Keeper Secrets Manager configuration for any connection. See the Multiple Vaults Integration screen for more information.

    Network parameters

    SSH connections are established over TCP to a specific port and a specific hostname or IP address. The hostname/address must be specified for all SSH connections, but you only need to specify a port if you are not using the standard SSH port (22).

    Field header (web interface)
    Parameter name
    Description

    Hostname:

    hostname

    REQUIRED: The hostname or IP address of the SSH server Keeper should connect to.

    Port:

    port

    The port the SSH server is listening on. By default, the standard SSH port of 22 will be used.

    Public host key (Base64):

    host-key

    The known hosts entry for the SSH server, in the same format as would be specified within an OpenSSH known_hosts file. If not provided, no verification of host identity will be performed.
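    The host-key value (and the sftp-host-key value described earlier) is a single known_hosts-format line, and leaving it empty means the connection accepts whatever key the server presents. The following added example, which is not Keeper or Guacamole code, parses such a line, checks that the declared key type matches the encoded key blob, and derives the OpenSSH-style SHA256 fingerprint so it can be compared with the fingerprint the server's owner published before the connection is saved; the hostname and key bytes are constructed placeholders.

```python
import base64
import binascii
import hashlib
from typing import Optional


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


# Constructed sample, NOT a real server key: 32 bytes of a fixed pattern wrapped
# in the ssh-ed25519 wire format, then a known_hosts line for a placeholder host.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_HOST_KEY = "ssh.example.internal ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()


def parse_known_hosts_entry(line: str) -> dict:
    """Split one OpenSSH known_hosts entry: [@marker] hosts keytype base64 [comment]."""
    fields = line.strip().split()
    marker = fields.pop(0) if fields and fields[0].startswith("@") else None
    if len(fields) < 3:
        raise ValueError("entry needs hostnames, key type and base64 key")
    hosts, keytype, key_b64 = fields[0], fields[1], fields[2]
    try:
        blob = base64.b64decode(key_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"key is not valid base64: {exc}") from exc
    # The blob embeds its own type string; it must agree with the declared type,
    # otherwise the pasted line was mangled (e.g. wrong prefix, truncated key).
    if len(blob) < 4:
        raise ValueError("key blob too short")
    type_len = int.from_bytes(blob[:4], "big")
    embedded = blob[4:4 + type_len].decode("ascii", errors="replace")
    if embedded != keytype:
        raise ValueError(f"declared type {keytype!r} but blob says {embedded!r}")
    return {"marker": marker, "hosts": hosts.split(","), "keytype": keytype, "blob": blob}


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' plus unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def check_host_key_parameter(value: Optional[str],
                             expected_fingerprint: Optional[str] = None) -> dict:
    """Classify a candidate host-key value before saving it to a connection.

    'unverified': parameter empty, so no host identity check will happen.
    'match' / 'mismatch': compared against a fingerprint the server owner published.
    'parsed': well-formed but not compared against anything.
    """
    if value is None or not value.strip():
        return {"verdict": "unverified", "fingerprint": None}
    entry = parse_known_hosts_entry(value)
    fingerprint = sha256_fingerprint(entry["blob"])
    if expected_fingerprint is None:
        verdict = "parsed"
    else:
        verdict = "match" if fingerprint == expected_fingerprint.strip() else "mismatch"
    return {"verdict": verdict, "fingerprint": fingerprint,
            "hosts": entry["hosts"], "keytype": entry["keytype"]}
```

    The fingerprint produced here is the same form printed by ssh-keygen -l, so it can be compared directly with a value obtained out of band from the server administrator.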

    Authentication parameters

    Keeper Connection Manager supports keyboard-interactive, password, and public key authentication with SSH servers. To use public key authentication, it must have access to the private key and, if applicable, its passphrase. If the private key requires a passphrase, but no passphrase is provided, the user will be prompted for the passphrase upon connecting.

    Field header (web interface)
    Parameter name
    Description

    Username:

    username

    The username to authenticate as when connecting to the specified SSH server. If not provided, the user will be prompted to provide a username upon connecting.

    Password:

    password

    The password to use when authenticating with the specified SSH server. If not provided, and no private key is used, the user will be prompted to provide a password upon connecting.

    Private key:

    private-key

    The entire contents of the private key to use for public key authentication. If this parameter is not specified, public key authentication will not be used. The private key must be in OpenSSH format, as would be generated by the OpenSSH ssh-keygen utility.

    Display settings

    Keeper's SSH support provides a display, but not in the same sense as a remote desktop protocol like VNC or RDP. The display is a terminal emulator, and thus provides options for configuring the font used and its size.

    If selecting a different font for an SSH connection, the chosen font must be installed on the server running guacd. It is the server that will handle rendering of characters to the terminal display, not the client.

    Field header (web interface)
    Parameter name
    Description

    Color scheme:

    color-scheme

    The color scheme to use for the terminal emulator used by SSH connections. Each color scheme dictates the default foreground and background color for the terminal. Programs which specify colors when printing text will override these defaults. Legal values are:

    • "black-white" - Black text over a white background

    • "gray-black" - Gray text over a black background (the default)

    • "green-black" - Green text over a black background

    • "white-black" - White text over a black background

    • A custom color scheme (as described below)

    Font name:

    font-name

    The name of the font to use. If not specified, the default of "monospace" will be used instead. This must be the name of a font installed on the server running guacd, and should be a monospaced font. If a non-monospaced font is used, individual glyphs may render incorrectly.

    Font size:

    font-size

    The size of the font to use, in points. By default, the size of rendered text will be 12 point.

    Custom color schemes

    Custom color schemes may be provided for the terminal emulator used by SSH connections. Custom schemes mimic the format used by Xterm and consist of a semicolon-separated series of name-value pairs. Each name-value pair is separated by a colon and assigns a value to a color in the terminal emulator palette.

    For example, to use blue text on white background by default, and change the red color to a purple shade, you would specify:

    Legal color names are:

    • "foreground" - the default foreground color.

    • "background" - the default background color.

    • "colorN" - the color at index N within the Xterm 256-color palette. For example, "color9" refers to the color at palette index 9, normally red.

    Legal color values are:

    • "rgb:RR/GG/BB" - a color in RGB format, with each component in hexadecimal. For example, "rgb:ff/00/00" specifies the color red. Each hexadecimal component may be one to four digits, but the effective values are always zero-extended or truncated to two digits; for example, "rgb:f/8/0", "rgb:f0/80/00", and "rgb:f0f/808/00f" all refer to the same effective color.

    • "colorN" - the color currently assigned to index N within the Xterm 256-color palette. For example, "color9" specifies the color currently assigned to palette index 9. Note that the current color value is used rather than a reference to that color. If the referenced color is changed later in the color scheme configuration, that new color value will not be reflected in this assignment.

    • "NAME" - the color with human-readable name "NAME", where "NAME" is one of the standard color names supported by X11. These names generally correspond to the names standardized by the W3C for CSS.
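    To make the rules above concrete, the following added example (not guacd's own parser) reads a custom color scheme string into an RGB palette, applying the zero-extend/truncate rule for hex components and the snapshot semantics of "colorN" values. The xterm default palette and the handful of X11 color names it contains are assumptions for illustration; guacd's defaults may differ and the real X11 name list is much longer.

```python
import re

# Xterm's default 16 ANSI colors (indices 0-15), assumed here for illustration;
# guacd's own defaults may differ. Indices 16-255 follow the standard 6x6x6
# color cube and 24-step gray ramp shared by xterm-compatible terminals.
XTERM_ANSI_16 = [
    (0x00, 0x00, 0x00), (0xcd, 0x00, 0x00), (0x00, 0xcd, 0x00), (0xcd, 0xcd, 0x00),
    (0x00, 0x00, 0xee), (0xcd, 0x00, 0xcd), (0x00, 0xcd, 0xcd), (0xe5, 0xe5, 0xe5),
    (0x7f, 0x7f, 0x7f), (0xff, 0x00, 0x00), (0x00, 0xff, 0x00), (0xff, 0xff, 0x00),
    (0x5c, 0x5c, 0xff), (0xff, 0x00, 0xff), (0x00, 0xff, 0xff), (0xff, 0xff, 0xff),
]
# A small subset of the X11 color names (rgb.txt); the real list is much longer.
X11_NAMES = {
    "black": (0, 0, 0), "white": (255, 255, 255), "red": (255, 0, 0),
    "green": (0, 255, 0), "blue": (0, 0, 255), "gray": (190, 190, 190),
}
_RGB = re.compile(r"^rgb:([0-9a-fA-F]{1,4})/([0-9a-fA-F]{1,4})/([0-9a-fA-F]{1,4})$")
_COLOR_N = re.compile(r"^color(\d+)$")


def default_palette_color(index: int) -> tuple:
    """Return the assumed default RGB for palette index 0-255."""
    if not 0 <= index <= 255:
        raise ValueError(f"palette index {index} out of range 0-255")
    if index < 16:
        return XTERM_ANSI_16[index]
    if index < 232:  # 6x6x6 color cube
        i, levels = index - 16, (0, 95, 135, 175, 215, 255)
        return (levels[i // 36], levels[(i // 6) % 6], levels[i % 6])
    v = 8 + 10 * (index - 232)  # gray ramp, indices 232-255
    return (v, v, v)


def parse_rgb(value: str) -> tuple:
    """Parse 'rgb:RR/GG/BB' with 1-4 hex digits per component. Each component is
    right-padded with zeros or truncated to exactly two digits, so 'f', 'f0' and
    'f0f' all become 0xf0, matching the page's equivalence examples."""
    m = _RGB.match(value)
    if not m:
        raise ValueError(f"not an rgb:RR/GG/BB value: {value!r}")
    return tuple(int(c.ljust(2, "0")[:2], 16) for c in m.groups())


def _canonical_name(name: str) -> str:
    """Validate a color name: foreground, background, or colorN with 0 <= N <= 255."""
    if name in ("foreground", "background"):
        return name
    m = _COLOR_N.match(name)
    if not m or int(m.group(1)) > 255:
        raise ValueError(f"unknown color name {name!r}")
    return f"color{int(m.group(1))}"  # normalizes e.g. color09 -> color9


def _resolve_value(value: str, palette: dict) -> tuple:
    """Turn a color value into RGB. A 'colorN' value copies the CURRENT color at
    that index: a snapshot, not a live reference to the palette entry."""
    if value.startswith("rgb:"):
        return parse_rgb(value)
    m = _COLOR_N.match(value)
    if m:
        n = int(m.group(1))
        return palette.get(f"color{n}", default_palette_color(n))
    if value.lower() in X11_NAMES:
        return X11_NAMES[value.lower()]
    raise ValueError(f"unknown color value {value!r}")


def parse_color_scheme(scheme: str) -> dict:
    """Parse a semicolon-separated 'name: value' scheme into {name: (r, g, b)}.
    The page's default, gray text over black, seeds the palette; X11 'gray' is
    assumed for the exact shade."""
    palette = {"foreground": X11_NAMES["gray"], "background": X11_NAMES["black"]}
    for pair in scheme.split(";"):
        pair = pair.strip()
        if not pair:
            continue  # tolerate a trailing semicolon
        if ":" not in pair:
            raise ValueError(f"missing ':' in {pair!r}")
        name, value = (part.strip() for part in pair.split(":", 1))
        palette[_canonical_name(name)] = _resolve_value(value, palette)
    return palette
```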

    Clipboard parameters

    Keeper Connection Manager provides bidirectional access to the clipboard by default for SSH connections. This behavior can be overridden on a per-connection basis, restricting access to the clipboard.

    Field header (web interface)
    Parameter name
    Description

    Disable copying from terminal:

    disable-copy

    If set to "true", text copied within the SSH session will not be accessible by the user at the browser side of the session, and will be usable only within the remote session. By default, the user will be given access to the copied text.

    Disable pasting from client:

    disable-paste

    If set to "true", text copied at the browser side of the session will not be accessible within the SSH session. By default, the user will be able to paste data from outside the browser within the SSH session.

    Session / Environment parameters

    By default, SSH sessions will start an interactive shell. The shell which will be used is determined by the SSH server, normally by reading the user's default shell previously set with chsh or within /etc/passwd. If you wish to override this and instead run a specific command, you can do so by specifying that command in the configuration of the SSH connection.

    Field header (web interface)
    Parameter name
    Description

    Execute command:

    command

    The command to execute over the SSH session, if any. If not specified, the SSH session will use the user's default shell.

    Language/Locale ($LANG):

    locale

    The specific locale to request for the SSH session. This may be any value accepted by the LANG environment variable of the SSH server. If not specified, the SSH server's default locale will be used.

    As this parameter is sent to the SSH server using the LANG environment variable, the parameter will only have an effect if the SSH server allows the LANG environment variable to be set by SSH clients.

    Time zone ($TZ):

    timezone

    The time zone to request for the SSH session. This may be any value accepted by the TZ environment variable of the SSH server, typically the standard names defined by the IANA time zone database. If not specified, the SSH server's default time zone will be used.

    As this parameter is sent to the SSH server using the TZ environment variable, the parameter will only have an effect if the SSH server allows the TZ environment variable to be set by SSH clients.

    Terminal behavior parameters

    In most cases, the default behavior of the Keeper Connection Manager terminal emulator works without modification. However, when connecting to certain systems (particularly operating systems other than Linux), the terminal behavior may need to be tweaked to allow it to operate properly. Keeper's SSH support provides parameters for controlling the control code sent for backspace, as well as the terminal type claimed via the TERM environment variable.

    Field header (web interface)
    Parameter name
    Description

    Backspace key sends:

    backspace

    The integer value of the terminal control code that should be sent when backspace is pressed. Under most circumstances this should not need to be adjusted; however, if, when pressing the backspace key, you see control characters (often either ^? or ^H) instead of seeing the text erased, you may need to adjust this parameter. By default, the control code 127 (Delete) is sent.

    Terminal type:

    terminal-type

    The terminal type string that should be passed to the SSH server. This value will typically be exposed within the SSH session as the TERM environment variable and will affect the control characters sent by applications. By default, the terminal type string "linux" is used.

    Text session recording (typescripts)

    The full, raw text content of SSH sessions, including timing information, can be recorded automatically to a specified directory. This recording, also known as a "typescript", will be written to two files within the directory specified: one file contains the raw text data, and the other contains timing information. Where "NAME" is the value provided for the typescript name, these files will be named "NAME" and "NAME.timing" respectively.

    This format is compatible with the format used by the standard UNIX script command, and can be replayed using scriptreplay (if installed). For example, to replay a typescript called "NAME", you would run:

    Field header (web interface)
    Parameter name
    Description

    Typescript path:

    typescript-path

    The directory in which typescript files should be created. If a typescript needs to be recorded, then this parameter is required. Specifying this parameter enables typescript recording. If this parameter is omitted, no typescript will be recorded.

    Typescript name:

    typescript-name

    The base filename to use for any created recordings. If omitted, the base filename "typescript" will be used.

    Keeper will never overwrite an existing typescript. If necessary, a numeric suffix like ".1", ".2", ".3", etc. will be appended to the base filename to avoid overwriting an existing recording. If even appending a numeric suffix does not help, the typescript will not be recorded, and an error will be logged.

    This parameter only has an effect if typescript recording is enabled, which is controlled by specifying a typescript path. If the typescript path is not specified, recording of typescripts will not be enabled, and this parameter will be ignored.

    Automatically create typescript path:

    create-typescript-path

    If set to "true", the final directory within the specified typescript path will automatically be created if it does not yet exist. By default, no part of the typescript path will be automatically created, and any attempt to use a non-existent directory will result in the typescript not being recorded and an error being logged.

    Only the final directory in the path will be automatically created. If other directories earlier in the path do not exist, the typescript will not be recorded, and an error will be logged.

    This parameter only has an effect if typescript recording is enabled, which is controlled by specifying a typescript path. If the typescript path is not specified, recording of typescripts will not be enabled, and this parameter will be ignored.

    Screen recording parameters

    SSH sessions can be recorded graphically. These recordings take the form of Apache Guacamole protocol dumps and are recorded automatically to a specified directory. Recordings can be subsequently played back using the Glyptodon Enterprise Session Recording Player application hosted at player.glyptodon.com (or using a local deployment of this application).

    The player is a static web application, using only JavaScript to play back provided recordings. This functionality is implemented strictly locally; the recordings are not uploaded to a remote service for processing. If you would prefer to use your own deployment of this application, or would like to investigate the source, the full source of the Glyptodon Enterprise Session Recording Player can be found on GitHub, along with instructions for local deployment: https://github.com/glyptodon/glyptodon-enterprise-player

    The latest version of Keeper Connection Manager supports on-screen playback of recorded sessions. See the Session Recording documentation page.

    Field header (web interface)
    Parameter name
    Description

    Recording path:

    recording-path

    The directory in which screen recording files should be created. If a graphical recording needs to be created, then this parameter is required. Specifying this parameter enables graphical screen recording. If this parameter is omitted, no graphical recording will be created.

    Recording name:

    recording-name

    The filename to use for any created recordings. If omitted, the filename of each recording will simply be "recording".

    Keeper will never overwrite an existing recording. If necessary, a numeric suffix like ".1", ".2", ".3", etc. will be appended to the filename to avoid overwriting an existing recording. If even appending a numeric suffix does not help, the session will not be recorded, and an error will be logged.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

    Exclude graphics/streams:

    recording-exclude-output

    If set to "true", graphical output and other data normally streamed from server to client will be excluded from the recording, producing a recording which contains only user input events. By default, graphical output will be included in the recording.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.
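    The naming rules described for recordings on this page (an existing file is never overwritten, numeric suffixes are appended, and only the final directory of the path is ever auto-created) determine what a recording directory ends up containing. The following added example, which is a model of that documented behavior and not guacd's code, exercises those rules against a scratch temporary directory.

```python
import tempfile
from pathlib import Path


def pick_recording_file(recording_path, recording_name="recording",
                        create_recording_path=False, max_suffix=10_000):
    """Model of the documented rules for where a new recording is written.

    - The directory must exist, unless create_recording_path is set AND only the
      final path component is missing (a missing parent is never created).
    - An existing file is never overwritten: ".1", ".2", ... are appended until a
      free name is found; after max_suffix attempts the page says the session is
      not recorded and an error is logged.
    The chosen name is reserved by creating an empty file, as a session would.
    """
    directory = Path(recording_path)
    if not directory.is_dir():
        if create_recording_path and directory.parent.is_dir():
            directory.mkdir()  # only the final directory is ever created
        else:
            raise FileNotFoundError(f"{directory} does not exist; session would not be recorded")
    candidate = directory / recording_name
    suffix = 0
    while candidate.exists():
        suffix += 1
        if suffix > max_suffix:
            raise FileExistsError(f"no free name for {recording_name!r}; session would not be recorded")
        candidate = directory / f"{recording_name}.{suffix}"
    candidate.touch(exist_ok=False)
    return candidate


def demo_sequence():
    """Exercise the rules in a constructed scratch directory; returns what was observed."""
    outcomes = {}
    with tempfile.TemporaryDirectory() as scratch:
        base = Path(scratch) / "recordings"  # constructed path, removed afterwards
        # 1. Final directory absent and auto-creation off (the default): not recorded.
        try:
            pick_recording_file(base)
            outcomes["missing_dir_default"] = "recorded"
        except FileNotFoundError:
            outcomes["missing_dir_default"] = "not recorded"
        # 2. Auto-creation on, but the parent is also missing: still not recorded.
        try:
            pick_recording_file(base / "deeper", create_recording_path=True)
            outcomes["missing_parent"] = "recorded"
        except FileNotFoundError:
            outcomes["missing_parent"] = "not recorded"
        # 3. Auto-creation on with an existing parent, then three sessions in a row.
        outcomes["names"] = [pick_recording_file(base, create_recording_path=True).name
                             for _ in range(3)]
    return outcomes
```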

    SFTP parameters (file transfer)

    Keeper Connection Manager provides support for file transfer over SSH using SFTP, the file transfer protocol built into most SSH servers. If SFTP is enabled on a Guacamole SSH connection, users will be able to upload and download files through that connection.

    While it is always possible to download/upload files using the Keeper menu accessed using Ctrl+Alt+Shift, it can be more convenient to use the guacctl utility. The guacctl utility is a shell script which sends control codes specific to the Keeper terminal emulator. If placed within the PATH on the SSH server(s) being accessed, it can be used by users to initiate file downloads directly within the SSH session.

    Field header (web interface)
    Parameter name
    Description

    Enable SFTP:

    enable-sftp

    Whether file transfer should be enabled. If set to "true", the user will be allowed to upload or download files from the SSH server using SFTP.

    File browser root directory:

    sftp-root-directory

    The directory to expose to connected users via Guacamole's file browser. If omitted, the root directory will be used by default.


    Replaces the need for VPNs, ZTNAs or other ad-hoc networking solutions

    By simply publishing a Keeper Connection Manager container to any target environment, access to web-based resources can be restricted, monitored and controlled.

    Zero Knowledge Architecture

    The customer is in full control of all network communications between the user's device and the target websites and applications.

    Powered by the Chromium Engine

    Keeper Remote Browser Isolation projects a virtualized instance of the latest version of the Chromium browser from the Keeper Connection Manager container to the user's device, without transmitting any confidential or sensitive data.

    Session Recording

    Just like other Keeper Connection Manager protocols, browser isolation sessions can be shared, recorded and monitored for compliance and security reasons.

    Credential Autofill

    Keeper's remote browser isolation protocol can automatically inject credentials, submit forms and control the target web application without ever sending the credentials to the user's device.

    Parameters

    Keeper's support for Remote Browser Isolation is controlled through the use of several parameters. When a database like MySQL or PostgreSQL is used in the deployment of the container, these parameters are stored in the database and presented in the web interface. If defining connections through another mechanism, such as through encrypted JSON or LDAP schema modifications, parameters are specified using their internal parameter names.

    This document is intended to cover all supported parameters, grouped in the same way they are grouped within the web interface. The field headings which would appear in the web interface are provided for each parameter, along with each parameter's internal name and a thorough description of the behavior and legal values for that parameter.

    • Keeper Secrets Manager parameters

    • Browser Setting parameters

    • URL Patterns

    • Browser Autofill parameters

    Keeper Secrets Manager parameters

    This setting allows users to integrate their own Keeper Secrets Manager application for credential autofill.

    Field header
    Parameter name
    Description

    Allow user-provided KSM configuration:

    ksm-user-config-enabled

    If set to "true", each Keeper Connection Manager user profile can be assigned to a Keeper Secrets Manager configuration for any connection. See the Multiple Vaults Integration screen for more information.

    Browser Setting parameters

    Remote Browser Isolation connections are established through a rendered Chromium browser experience. In general, each connection is associated with a specific web app, but it can be configured to allow broad web browsing as well.

    Browser Settings

    Session Retention

    By default, every new Remote Browser Isolation session is the equivalent of an "incognito" window: local storage is cleared when the session ends. This lets many concurrent users run RBI sessions without any session data being retained.

    If you provide a "Browser Profile Storage Directory" value, the browser session data is retained within the KCM guacamole container. As an example, a path constructed like the one below retains the browser session on a per-user basis:

    In this example, the connection profiles are stored in the this-site folder, in a subfolder named after the logged-in user.

    Note: The same browser profile storage directory cannot be used concurrently from multiple sessions.

    Field header
    Parameter name
    Description

    Allow navigation via direct URL manipulation

    allow-url-manipulation

    Whether the user should be allowed to edit the current URL, navigate backward and forward, etc., as they would in a traditional browser. If checked (set to true), the user is presented with a navigation bar when they open the connection.

    By default, users are not allowed to manually edit the current URL, and can navigate only through interacting with the current page.

    URL

    url

    The URL of the page that should be initially loaded when a user connects.

    Allowed URL Patterns

    allowed-url-patterns

    The patterns of all URLs that the user should be allowed to visit, whether reached via manual navigation (URL bar) or by interacting with the current page. Multiple patterns may be specified, separated by newlines.

    If specified, only pages matching patterns in the list are permitted.

    By default, all URLs are permitted.

    Allowed Resource URL Patterns

    URL Patterns

    The URL patterns accepted by the “Allowed URL Patterns” and “Allowed Resource URL Patterns” parameters have the same form as an ordinary URL and determine exactly which URLs may be used. They are enforced according to the following criteria:

    • Any aspect of the URL that is omitted from the pattern is ignored (not enforced as a requirement), except that standard port numbers are considered to have been specified if a scheme is specified.

    • A *. wildcard prefix may be used for domain names to indicate "any subdomain of a particular domain".

    • A * wildcard may be used in place of a path to more visibly and explicitly note that any value is allowed.

    • A * wildcard may be used at the end of a path to indicate that any subpath of that path is allowed.

    • A * wildcard may be used in place of a port number to indicate that any port is allowed.

    For example:

    Pattern

    Meaning

    accounts.google.com

    Allow requests to the domain accounts.google.com involving any protocol and any path. Requests must be made to the standard port for whatever protocol is involved.

    *.youtube.com

    Allow requests to any subdomain of youtube.com involving any protocol and any path. Requests must be made to the standard port for whatever protocol is involved.

    http://10.10.10.10:8080

    Allow requests to 10.10.10.10 on port 8080 using strictly HTTP (not HTTPS) and any path.

    10.10.10.10:*

    Allow requests to 10.10.10.10 on any port using any protocol and any path.

    https://example.net/foo

    Allow requests to example.net using strictly HTTPS (not HTTP) and the path “/foo”. Requests must be made to the standard port for HTTPS.

    https://example.net/foo/*

    Allow requests to example.net using strictly HTTPS (not HTTP) and any path beneath “/foo”. Requests must be made to the standard port for HTTPS.
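    To make the matching criteria above concrete, the following Python script is an added example and is not code from the KCM documentation or product. It encodes the listed rules as a small matcher and evaluates the patterns from the table against constructed request URLs, which is useful when reviewing an allow-list before rolling it out. Where the rules leave a choice open (whether `*.youtube.com` also matches the bare `youtube.com`, whether `/foo/*` matches `/foo` itself, and which ports count as standard), the code picks an interpretation and marks it as an assumption in a comment; KCM's own enforcement may differ on those points.

```python
from urllib.parse import urlsplit

# Ports implied when a scheme is present but no port is given. Assumption: only the two
# web schemes matter for an isolated browser session.
STANDARD_PORTS = {"http": 80, "https": 443}


def _split_host_port(netloc):
    """Split 'host', 'host:8080' or 'host:*' into (host, port text or None)."""
    host, sep, port = netloc.rpartition(":")
    if sep and (port == "*" or port.isdigit()):
        return host.lower(), port
    return netloc.lower(), None


def parse_pattern(pattern):
    """Break one allowed-URL pattern into its constraints; None means 'not enforced'."""
    pattern = pattern.strip()
    if "://" in pattern:
        scheme, rest = pattern.split("://", 1)
        scheme = scheme.lower()
    else:
        scheme, rest = None, pattern
    netloc, slash, path = rest.partition("/")
    host, port = _split_host_port(netloc)
    return {"scheme": scheme, "host": host, "port": port, "path": slash + path}


def parse_url(url):
    """Normalise a full request URL; the port defaults to the scheme's standard port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return {
        "scheme": scheme,
        "host": (parts.hostname or "").lower(),
        "port": parts.port or STANDARD_PORTS.get(scheme),
        "path": parts.path or "/",
    }


def _path_matches(pattern_path, path):
    if pattern_path in ("", "/*"):          # omitted, or a bare '*': any path
        return True
    if pattern_path.endswith("/*"):         # trailing '*': that path and anything beneath it
        base = pattern_path[:-2]            # (assumption: '/foo/*' also covers '/foo' itself)
        return path == base or path.startswith(base + "/")
    return path == pattern_path


def matches(pattern, url):
    """True when `url` satisfies a single pattern under the documented criteria."""
    p, u = parse_pattern(pattern), parse_url(url)
    if p["scheme"] is not None and p["scheme"] != u["scheme"]:
        return False
    if p["host"].startswith("*."):
        # '*.example.com' covers subdomains only (assumption: not the bare apex domain)
        if not u["host"].endswith(p["host"][1:]):
            return False
    elif p["host"] != u["host"]:
        return False
    if p["port"] == "*":
        pass                                # any port is allowed
    elif p["port"] is None:
        # No port in the pattern: the request must use the standard port for its scheme.
        if u["port"] is None or u["port"] != STANDARD_PORTS.get(u["scheme"]):
            return False
    elif int(p["port"]) != u["port"]:
        return False
    return _path_matches(p["path"], u["path"])


def is_allowed(url, allowed_url_patterns):
    """Apply the 'Allowed URL Patterns' parameter: one pattern per line, empty = allow all."""
    patterns = [line for line in allowed_url_patterns.splitlines() if line.strip()]
    return not patterns or any(matches(pat, url) for pat in patterns)


if __name__ == "__main__":
    # The patterns from the table above, tried against a few constructed request URLs.
    table = ("accounts.google.com\n*.youtube.com\nhttp://10.10.10.10:8080\n"
             "10.10.10.10:*\nhttps://example.net/foo\nhttps://example.net/foo/*\n")
    for url in ("https://accounts.google.com/signin", "https://accounts.google.com:8443/",
                "https://www.youtube.com/watch", "http://10.10.10.10:8080/app",
                "https://example.net/foo/bar", "https://example.net/foobar"):
        print(f"{url:45} {'allowed' if is_allowed(url, table) else 'blocked'}")
```

    Note that an empty parameter allows everything, exactly as the text states, so an allow-list that is accidentally blanked out silently widens access rather than closing it; a pre-deployment check such as `is_allowed` run over a handful of URLs that must be blocked catches that.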

    Browser Autofill parameters

    Keeper Connection Manager can autofill a username and password into a target website's login screen. The username and password can be supplied directly in the user interface, or they can be provided as references to a record in the Keeper vault.

    Browser Autofill Parameters

    Secrets Autofill Configuration

    The autofill rules used by KCM are a JSON/YAML array of objects, where each object specifies at least the following property:

    • page - The URL pattern of the page that the autofill rule applies to. The patterns accepted here are identical to the patterns accepted by the navigation/resource rules.

    and one or more of the following properties:

    • username-field - A CSS selector that matches the field that should receive the filled username. The value filled will be the value of the username parameter for the connection.

    • password-field - A CSS selector that matches the field that should receive the filled password. The value filled will be the value of the password parameter for the connection.

    • totp-code-field - A CSS selector or XPath expression that matches the unique DOM element of the input field that should receive the current TOTP code. If using XPath, the expression must start with a leading slash to clearly differentiate XPath from CSS.

    • submit - A CSS selector for an element that should be clicked once all applicable username/password fields have been populated. This should only be specified if necessary (i.e., if the login page in question does not actually use a proper HTML <form>). When omitted, KCM will attempt to submit the login form as if the user pressed "Enter".

    • cannot-submit - A CSS selector that tells KCM not to submit the form automatically as long as any matching element is present.

    Basic Example: A single page web application with a Login and Password field:

    Basic Autofill Parameters Example

    Some login flows require multiple rules; the Microsoft Azure Portal login flow is one example.

    Here's a YAML example of the autofill rules that would be necessary for Microsoft Azure:

    Here's the equivalent, formatted as JSON:

    A common example where you would not want Keeper automatically submitting is when there's a captcha on the page. An example of this is below:

    For unusually complex pages where CSS is not sufficient, XPath expressions may be used instead. Any such XPath expression must be constructed with a leading /.

    Field Identification

    Remote Browser Isolation will fill credentials based on the specific field elements defined in the JSON or YAML code. Form field selectors can be found by inspecting the content of the page and locating the specific field element.

    1. Inspect the Page: Open the developer tools by right-clicking on the webpage and selecting "Inspect."

    2. Select the Field: Use the element selector tool to click on the form field you want to identify.

    3. Read the Attributes: Look at the highlighted HTML code to find attributes like autocomplete, type, name, id, or other identifiers.

    Example 1: Using autocomplete

    • HTML Code: <input type="password" autocomplete="current-password" ...>

    • Explanation: The password field can be identified by the autocomplete attribute set to current-password.

    Example 2: Using type

    • HTML Code: <input type="password" ...>

    • Explanation: The password field can be identified by the type attribute set to password.

    Example 3: Using name

    • HTML Code: <input type="password" name="some_name_xyz" ...>

    • Explanation: The password field can be identified by the name attribute set to some_name_xyz.

    Example 4: Using id

    • HTML Code: <input type="password" id="some_id_1234" ...>

    • Explanation: The password field can be identified by the id attribute set to some_id_1234.

    Testing Field Identification

    From your Chrome browser, open the developer tools and visit the Console tab.

    To test the form field identification, use the document.querySelector() JavaScript function.

    For example, type the line below and press Enter:

    If the field is found, the DOM element will be displayed. Otherwise, an error will be displayed.
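    The rule properties described under Secrets Autofill Configuration and the four field-identification examples above can also be exercised offline, before a rule is pasted into a connection. The Python script below is an added example and not KCM code: it parses a constructed login page with the standard-library HTML parser, derives `input[attr='value']` selectors in the same attribute order as Examples 1 to 4 (autocomplete, then type, name, id), drafts an autofill rule in the JSON form shown on this page, and checks rules against the documented property set, including the leading-slash requirement for an XPath `totp-code-field`. The property list, the role inference from type/autocomplete, and the XPath heuristic are my reading of this page, not a schema published by Keeper.

```python
import json
from html.parser import HTMLParser

# Properties this page documents for one autofill rule (assumption: the complete set).
REQUIRED = {"page"}
FIELD_KEYS = {"username-field", "password-field", "totp-code-field"}
OPTIONAL = {"submit", "cannot-submit"}
# Attributes consulted, in the order of Examples 1 to 4 above.
SELECTOR_ATTRS = ("autocomplete", "type", "name", "id")


class InputCollector(HTMLParser):
    """Collect the attributes of every <input> element on a page."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append({k: (v or "") for k, v in attrs})


def candidate_selectors(attrs):
    """CSS selectors that single out one <input>, most specific attribute first."""
    return [f"input[{key}='{attrs[key]}']" for key in SELECTOR_ATTRS if attrs.get(key)]


def suggest_rule(page_pattern, html):
    """Draft an autofill rule for a login page from its HTML. The field role is inferred
    from type/autocomplete (a heuristic of this example, not something the page specifies)."""
    collector = InputCollector()
    collector.feed(html)
    rule = {"page": page_pattern}
    for attrs in collector.inputs:
        selectors = candidate_selectors(attrs)
        kind = attrs.get("type", "text").lower()
        autocomplete = attrs.get("autocomplete", "").lower()
        if not selectors:
            continue
        if kind == "password":
            key = "password-field"
        elif "one-time-code" in autocomplete:
            key = "totp-code-field"
        elif "username" in autocomplete or kind in ("text", "email"):
            key = "username-field"
        else:
            continue                      # buttons, hidden CSRF tokens, checkboxes, ...
        rule.setdefault(key, selectors[0])
    return rule


def validate_rule(rule):
    """Problems with one rule under the documented property set; an empty list is valid."""
    problems = []
    keys = set(rule)
    problems += [f"missing required property '{k}'" for k in sorted(REQUIRED - keys)]
    if not FIELD_KEYS & keys:
        problems.append("at least one of " + ", ".join(sorted(FIELD_KEYS)) + " is required")
    problems += [f"unknown property '{k}'" for k in sorted(keys - REQUIRED - FIELD_KEYS - OPTIONAL)]
    totp = rule.get("totp-code-field", "")
    # Heuristic: '@' is XPath attribute syntax, and an XPath expression must begin with '/'.
    if "@" in totp and not totp.startswith("/"):
        problems.append("totp-code-field looks like XPath but lacks the required leading '/'")
    return problems


def check_rules_json(text):
    """Validate a JSON autofill-rules array (the JSON form shown on this page).
    Returns {index: problems} for the rules that fail; {} means every rule is valid."""
    rules = json.loads(text)
    if not isinstance(rules, list) or not all(isinstance(r, dict) for r in rules):
        raise ValueError("autofill rules must be a JSON array of objects")
    return {i: p for i, r in enumerate(rules) if (p := validate_rule(r))}


# Constructed sample login page for the demo; not a real site.
SAMPLE_LOGIN_HTML = """
<form action="/login" method="post">
  <input type="hidden" name="csrf" value="constructed-token">
  <input type="email" name="login" id="login" autocomplete="username">
  <input type="password" name="pw" id="pw" autocomplete="current-password">
  <input type="submit" value="Sign in">
</form>
"""

if __name__ == "__main__":
    rule = suggest_rule("https://app.example.test/login", SAMPLE_LOGIN_HTML)
    print(json.dumps([rule], indent=4))
    print("problems:", validate_rule(rule))
```

    The drafted selector still needs the browser-console check described above against the live page, because a page can contain several inputs that share an attribute value; the script only reports the first candidate per role.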

    TOTP Code Autofill

    For RBI to be able to generate TOTP codes, the TOTP secret must be provided ahead of time, along with any required details like the hash algorithm and the number of digits in each generated code:

    TOTP Code Autofill in Remote Browser Isolation

    Below is the detailed parameter information related to TOTP Autofill.

    Field header
    Parameter name
    Default Value
    Description

    Two-Factor Code Algorithm

    totp-algorithm

    SHA1

    The hash algorithm that should be used to generate TOTP codes. Possible values are SHA1, SHA256, and SHA512.

    Digits in Two-Factor Code

    totp-digits

    6

    The number of digits which should be included in each generated TOTP code. Legal values are 6, 7, or 8.

    Two-Factor Code Period (Seconds)

    totp-period

    30
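    As an added illustration of how the three parameters above shape the generated code (this is example code, not KCM's implementation), the following Python implements RFC 6238 TOTP with `totp-algorithm`, `totp-digits` and `totp-period` as arguments, with the same defaults as the table, and checks itself against the RFC 6238 reference vectors. Running it also shows that a secret configured with an algorithm or digit count different from what the target site uses produces a code the site will reject, so these values must match the site's enrolment. The Base32 decoding assumes the secret is stored in the form authenticator apps use; the vault record format itself is not specified on this page.

```python
import base64
import hashlib
import hmac
import struct
import time

# Digest constructors for the documented totp-algorithm values.
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def decode_base32_secret(secret):
    """Decode a Base32 TOTP secret (the form authenticator apps use; assumption that the
    vault stores the same form). Spaces, lower case and missing '=' padding are tolerated."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(key, counter, algorithm="SHA1", digits=6):
    """RFC 4226 HOTP: HMAC the 8-byte counter, dynamically truncate, keep `digits` digits."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"totp-algorithm must be one of {sorted(ALGORITHMS)}")
    if digits not in (6, 7, 8):
        raise ValueError("totp-digits must be 6, 7 or 8")
    mac = hmac.new(key, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key, algorithm="SHA1", digits=6, period=30, at=None):
    """RFC 6238 TOTP for the given parameters; the defaults are the KCM defaults above."""
    if period <= 0:
        raise ValueError("totp-period must be a positive number of seconds")
    now = time.time() if at is None else at
    return hotp(key, int(now // period), algorithm, digits)


def verify(code, key, algorithm="SHA1", digits=6, period=30, at=None, window=1):
    """Constant-time check of a submitted code against the current step and its neighbours,
    the way a relying party tolerates small clock drift."""
    now = time.time() if at is None else at
    step = int(now // period)
    return any(
        hmac.compare_digest(code, hotp(key, step + drift, algorithm, digits))
        for drift in range(-window, window + 1)
    )


# RFC 6238 Appendix B reference seeds (ASCII, one per algorithm), used for self-checks.
RFC_SEEDS = {
    "SHA1": b"12345678901234567890",
    "SHA256": b"12345678901234567890123456789012",
    "SHA512": b"1234567890123456789012345678901234567890123456789012345678901234",
}

if __name__ == "__main__":
    for alg, seed in RFC_SEEDS.items():
        print(alg, "8 digits at T=59 ->", totp(seed, alg, digits=8, at=59))
    # The same seed with mismatched settings yields a code the site will not accept.
    print("SHA1, 6 digits at T=59   ->", totp(RFC_SEEDS["SHA1"], "SHA1", at=59))
    print("SHA256 seed run as SHA1  ->", totp(RFC_SEEDS["SHA256"], "SHA1", digits=8, at=59))
```

    The `verify` function is included only to show the relying-party side of the exchange; in an RBI connection KCM is the generating side, and the only values it needs to get right are the ones in the table above.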

    Additional ${*_TOTP_SECRET} tokens are provided so that the TOTP secret can be retrieved dynamically from the Keeper Vault using KSM. For example, to generate TOTP codes for the user account associated with an RBI connection from the secret stored in that account's vault record, use the ${KEEPER_USER_TOTP_SECRET} parameter token.

    Parameter Token

    Description

    ${KEEPER_SERVER_TOTP_SECRET}

    Retrieves: The TOTP secret associated with the record.

    Matches: Record with hostname / IP address matching the value of the hostname / IP address in the “url” connection parameter.

    ${KEEPER_USER_TOTP_SECRET}

    Retrieves: The TOTP secret associated with the record.

    Matches: Record with login matching the “username” connection parameter

    The following tokens are technically also defined, but do not currently have any practical use (there is no TOTP code generation needed for RDP):

    Parameter Token

    Description

    ${KEEPER_GATEWAY_TOTP_SECRET}

    Retrieves: The TOTP secret associated with the record.

    Matches: Record with hostname / IP address matching the value of the “gateway-hostname” connection parameter.

    ${KEEPER_GATEWAY_USER_TOTP_SECRET}

    Retrieves: The TOTP secret associated with the record.

    Matches: Record with login matching the “gateway-username” connection parameter.

    Bulk Loading of Global Autofill Rules

    The guacd container can be modified to include a file that contains autofill rules. With this file, you do not need to repeat the same rules in every connection; the rules in the file are appended to any rules defined for a specific connection.

    • Modify your docker-compose.yml file to include a mapping of autofill-rules.yml as shown below:

    Example autofill-rules.yml file:

    Integration with Keeper Secrets Manager

    The Username and Password information can also be retrieved directly from the Keeper Vault using the Keeper Secrets Manager integration. For example, logging into Jenkins with a Username and Password from the Keeper Vault will perform a lookup based on a custom field called "Hostname".

    Browser Autofill Parameters with Keeper Secrets Manager integration

    The Keeper Vault record is stored with a format as seen below:

    Keeper Vault Configuration

    Audio Setting Parameters

    Audio Settings

    Field header (web interface)

    Parameter name

    Default Value

    Description

    Disable Audio

    disable-audio

    false

    If checked (set to true), audio will not be forwarded within the RBI session. Pages will still be able to attempt to play audio; the audio will simply be ignored.

    Channels

    audio-channels

    2

    The number of separate audio channels that should be used for audio data sent through KCM. Valid values are:

    • 1 (monaural audio with only a single, center channel, more commonly called "mono")

    • 2 (stereophonic audio with left and right channels, more commonly called "stereo").

    Bit Depth

    audio-bps

    16

    Valid values are:

    • 8 (8-bit audio, a relatively low quality)

    • 16 (16-bit audio, a standard level of quality)

    Screen Recording Parameters

    Remote Browser Isolation sessions can be recorded graphically. These recordings take the form of Guacamole protocol dumps and are recorded automatically to a specified directory. Recordings can be played back in the Connection Manager user interface or the files can be played in the open source player.

    The player is a static web application, using only JavaScript to play back provided recordings. This functionality is implemented strictly locally; the recordings are not uploaded to a remote service for processing. If you would prefer to use your own deployment of this application, or would like to investigate the source, the full source of the Keeper Connection Manager Session Recording Player can be found on GitHub, along with instructions for local deployment: https://github.com/glyptodon/glyptodon-enterprise-player

    The latest version of Keeper Connection Manager supports on-screen playback of recorded sessions. See the Session Recording documentation page.

    Field header (web interface)
    Parameter name
    Description

    Recording path:

    recording-path

    The directory in which screen recording files should be created. If a graphical recording needs to be created, then this parameter is required. Specifying this parameter enables graphical screen recording. If this parameter is omitted, no graphical recording will be created.

    Recording name:

    recording-name

    The filename to use for any created recordings. If omitted, the filename of each recording will simply be "recording".

    Guacamole will never overwrite an existing recording. If necessary, a numeric suffix like ".1", ".2", ".3", etc. will be appended to the filename to avoid overwriting an existing recording. If even appending a numeric suffix does not help, the session will not be recorded, and an error will be logged.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

    Exclude graphics/streams:

    recording-exclude-output

    If set to "true", graphical output and other data normally streamed from server to client will be excluded from the recording, producing a recording which contains only user input events. By default, graphical output will be included in the recording.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

    SFTP parameters (file transfer)

    Self-signed or custom CA certificates

    If your target web application uses self-signed or custom CA certificates, populate the CA_CERTIFICATES environment variable in the Docker Compose file so that those certificates are trusted. See the guacd parameter documentation at this link for an example.

    The next version of Keeper Connection Manager will provide an option to ignore self-signed certificates.

    Browser Isolation FAQ

    Is this feature only for Keeper Connection Manager?

    Yes, Remote Browser Isolation is an add-on for Keeper Connection Manager.

    Being part of Keeper Connection Manager, does this imply that the Remote Browser Isolation functionality is not targeted for the general user population?

    No, Remote Browser Isolation has been created with a range of use cases in mind. End users can now be given access to internal web-based applications without requiring a VPN or ZTNA product, and without installing a local agent on their device.

    Is this only for Linux?

    No, Remote Browser Isolation works across Windows, Mac, Linux, Android and iOS.

    Does this only work through Docker containerization or will it work through Kubernetes as well?

    Keeper Connection Manager is deployed as Docker containers, which can be used as the runtime in a Kubernetes deployment.

    Is the RDP limited to a single screen?

    Keeper Connection Manager can be stretched across multiple screens and, if users would prefer a separate window for each monitor, additional browser windows with KCM open can be used.

    Can this work with a PAM solution like Centrify?

    Yes, users can log into any web application or website through Remote Browser Isolation for secure, recorded sessions.

    Can you copy and paste from local to the browser connection?

    Yes, as long as it is not disabled by the admin. Some browsers do not support that level of clipboard integration.

    Does this replace the need for a VPN for remote team members outside of the US?

    Yes, Remote Browser Isolation with Keeper Connection Manager can replace the need for VPNs to access an internal web application or specific cloud-based apps.

    Can Connection Manager access local USB devices like scanners?

    Not currently. We are researching this capability to potentially add it to the roadmap.

    Does this prevent phishing or malicious websites inserting something on my local device?

    Yes, all activity happens in the RBI sandbox, preventing phishing or malicious actors from attacking your local device.

    Is it possible to route traffic through proxy?

    Remote Browser Isolation sessions require that the machine hosting the KCM container can resolve DNS and make web requests to the target websites and applications. If the targets are not reachable from your KCM instance, please contact support to review your configuration.

    How much storage do recordings typically take up and are there storage costs associated with the recordings?

    Recordings are stored in the KCM container, so Keeper does not charge for them. The size of a recording depends on the length of the session and the volume of UI interaction.

    How does this impact downloading to the local machine?

    Currently, downloading and uploading files is blocked. In a future update of KCM, the ability to control both file upload and file download will be available in the connection settings.

    Could this be a replacement for CyberArk?

    Yes, KeeperPAM provides password and passkey management, secrets management and connections management to provide a full zero-trust approach to privileged access management. To learn how Keeper compares to CyberArk and many other competitors please visit: https://www.keepersecurity.com/vs/competitors/

    Does this have FIPS certification so you can access CUI?

    Keeper utilizes FIPS 140-2 validated encryption modules to address rigorous government and public sector security requirements. Keeper’s encryption has been certified by NIST Cryptographic Module Validation Program (CMVP) and validated to the FIPS 140 standard by accredited third-party laboratories. Keeper has been issued certificate #3976 under the NIST CMVP. To learn more about Keeper’s security, encryption and compliance, please visit: https://www.keepersecurity.com/security

    RDP

    Advanced configuration of Remote Desktop Protocol connection type

    Overview

    Keeper's support for the RDP protocol is controlled through the use of several parameters. When a database like MySQL or PostgreSQL is used, these parameters are presented through the web interface. If defining connections through another mechanism, such as through or parameters are specified using their internal parameter names.

    This document is intended to cover all supported parameters, grouped in the same way they are grouped within the web interface. The field headings which would appear in the web interface are provided for each parameter, along with each parameter's internal name and a thorough description of the behavior and legal values for that parameter.

    foreground: rgb:00/00/ff;
    background: rgb:ff/ff/ff;
    color9: rgb:80/00/80

    $ scriptreplay NAME.timing NAME

    Browser Profile Storage Directory example (Session Retention, per-user profile):

    /var/lib/guacamole/rbi-profiles/this-site/${GUAC_USERNAME}

    Basic Autofill Parameters Example (single page with a login and password field):

    - page: "http://172.31.8.134:8080/login"
      username-field: "input[name='j_username']"
      password-field: "input[name='j_password']"

    Autofill rules for Microsoft Azure (YAML):

    - page: "login.microsoftonline.com"
      username-field: "input[autocomplete='username webauthn']"
    - page: "login.live.com"
      password-field: "input[autocomplete='current-password']"

    The equivalent, formatted as JSON:

    [
        {
            "page": "login.microsoftonline.com",
            "username-field": "input[autocomplete='username webauthn']"
        },
        {
            "page": "login.live.com",
            "password-field": "input[autocomplete='current-password']"
        }
    ]

    Page with a captcha, where KCM should not submit automatically (cannot-submit):

    - page: "https://dash.cloudflare.com/login"
      username-field: "input[id='email']"
      password-field: "input[id='password']"
      cannot-submit: "div[data-testid=challenge-widget-container]"

    Testing field identification in the browser console:

    document.querySelector("input[type='password']")

    docker-compose.yml mapping of autofill-rules.yml (Bulk Loading of Global Autofill Rules):

        guacd:
            image: keeper/guacd:2
            restart: unless-stopped
            shm_size: 2000822k
            security_opt:
                - "seccomp:/etc/kcm-setup/guacd-docker-seccomp.json"
            environment:
                ACCEPT_EULA: "Y"
            volumes:
                - "common-storage:/var/lib/guacamole:rw"
                - "/etc/kcm-setup/autofill-rules.yml:/etc/guacamole/autofill-rules.yml:ro"

    Example autofill-rules.yml file:

    - page: "https://dash.cloudflare.com/login"
      username-field: "input[id='email']"
      password-field: "input[id='password']"
      cannot-submit: "div[data-testid=challenge-widget-container]"
    - page: "login.microsoftonline.com"
      username-field: "input[autocomplete='username']"
    - page: "login.live.com"
      password-field: "input[autocomplete='current-password']"
    - page: "http://172.31.8.134:8080/login"
      username-field: "input[name='j_username']"
      password-field: "input[name='j_password']"

    • "green-black" - Green text over a black background

    • "white-black" - White text over a black background

    • A custom color scheme (as described below)

    By default, Keeper Connection Manager will render text as gray over a black background.

    Passphrase:

    passphrase

    The passphrase to use to decrypt the private key for use in public key authentication. This parameter is not needed if the private key does not require a passphrase.

    Maximum scrollback size:

    scrollback

    The maximum number of rows to allow within the terminal scrollback buffer. By default, the scrollback buffer will be limited to a maximum of 1000 rows.

    Read-only:

    read-only

    Whether this connection should be read-only. If set to "true", no input will be accepted on the connection at all. Users will be able to see the terminal (or the application running within the terminal) but will be unable to interact.

    Server keepalive interval:

    server-alive-interval

    The interval, in seconds, at which keepalive packets should be sent to the SSH server, where "0" indicates that no keepalive packets should be sent at all (the default behavior). The minimum legal value is "2".

    Exclude mouse:

    recording-exclude-mouse

    If set to "true", user mouse events will be excluded from the recording, producing a recording which lacks a visible mouse cursor. By default, mouse events will be included in the recording.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

    Include key events:

    recording-include-keys

    If set to "true", user key events will be included in the recording. The recording can subsequently be passed through the guaclog utility to produce a human-readable interpretation of the keys pressed during the session. By default, for privacy's sake, key events will NOT be included in the recording.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

    Automatically create recording path:

    create-recording-path

    If set to "true", the final directory within the specified recording path will automatically be created if it does not yet exist. By default, no part of the recording path will be automatically created, and any attempt to use a non-existent directory will result in the session not being recorded and an error being logged.

    Only the final directory in the path will be automatically created. If other directories earlier in the path do not exist, the session will not be recorded, and an error will be logged.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

    • Keeper Secrets Manager parameters

    • Network parameters

    • Authentication/security parameters

    • Remote desktop gateway parameters

    Keeper Secrets Manager parameters

    Field header
    Parameter name
    Description

    Allow user-provided KSM configuration:

    ksm-user-config-enabled

    If set to "true", each Keeper Connection Manager user profile can be assigned to a Keeper Secrets Manager configuration for any connection. See the screen for more information.

    Network parameters

    RDP connections are established over TCP to a specific port and a specific hostname or IP address. The hostname/address must be specified for all RDP connections, but you only need to specify a port if you are not using the standard RDP port (3389).

    Field header (web interface)
    Parameter name
    Description

    Hostname:

    hostname

    REQUIRED: The hostname or IP address of the RDP server Keeper Connection Manager should connect to.

    Port:

    port

    The port the RDP server is listening on. If this is not specified, the standard port for RDP (3389) or Hyper-V's default port for VMConnect (2179) will be used, depending on the security mode selected.

    Authentication/security parameters

    RDP provides authentication through the use of a username, password, and optional domain. All RDP connections are encrypted, with higher-grade encryption available in the form of TLS.

    If the necessary username and password will be the same as the username and password used to log into Keeper (due to integrating Keeper with Active Directory using LDAP, for example), the Keeper username and password can be passed through by specifying the ${GUAC_USERNAME} and ${GUAC_PASSWORD} tokens respectively.

    Field header (web interface)
    Parameter name
    Description

    Username:

    username

    The username to use to authenticate, if any.

    Password:

    password

    The password to use when attempting authentication, if any.

    Domain:

    domain

    The domain to use when attempting authentication, if any.

    If your RDP servers present certificates issued by an internal (corporate) CA, add that CA's root certificate through the CA_CERTIFICATES environment variable of the keeper/guacd image so that it is trusted.

    Remote desktop gateway parameters

    Microsoft's remote desktop server provides an additional gateway service which allows external connections to be forwarded to internal RDP servers which are otherwise not accessible. If you will be using Guacamole to connect through such a gateway, you will need to provide additional parameters describing the connection to that gateway, as well as any required credentials.

    Field header (web interface)
    Parameter name
    Description

    Hostname:

    gateway-hostname

    The hostname of the remote desktop gateway that should be used as an intermediary for the remote desktop connection. If omitted, a gateway will not be used.

    Port:

    gateway-port

    The port of the remote desktop gateway that should be used as an intermediary for the remote desktop connection. By default, port 443 will be used.

    Username:

    gateway-username

    The username of the user authenticating with the remote desktop gateway, if a gateway is being used. This is not necessarily the same as the user actually using the remote desktop connection.

    Basic settings

    RDP sessions will typically involve the full desktop environment of a normal user. Alternatively, you can manually specify a program to use instead of the RDP server's default shell, or connect to the administrative console.

    Although Guacamole is independent of keyboard layout, RDP is not. This is because Guacamole represents keys based on their identity ("press the Enter key"), while RDP uses identifiers based on the key's location ("press the rightmost key in the second row"). To translate between a Guacamole key event and an RDP key event, Guacamole must know ahead of time the keyboard layout of the RDP server.

    By default, the US English qwerty keyboard will be used. If this does not match the keyboard layout of your RDP server, keys will not be properly translated, and you will need to explicitly choose a different layout in your connection settings. If your keyboard layout is not supported, please notify us by opening a support ticket through your account.

    Field header (web interface)
    Parameter name
    Description

    Initial program:

    initial-program

    The full path to the program to run immediately upon connecting.

    Client name:

    client-name

    When connecting to the RDP server, Guacamole will normally provide its own hostname as the name of the client. If this parameter is specified, Guacamole will use its value instead.

    On Windows RDP servers, this value is exposed within the session as the CLIENTNAME environment variable.

    Keyboard layout:

    server-layout

    The keyboard layout that the RDP server will be using. Legal values are:

    • "da-dk-qwerty" - Danish

    • "de-ch-qwertz" - Swiss German

    • "de-de-qwertz

    Display parameters

    Guacamole will automatically choose an appropriate display size for RDP connections based on the size of the browser window and the DPI of the device. The size of the display can be forced by specifying explicit width or height values. To reduce bandwidth usage, you may also request that the server reduce its color depth.

    Field header (web interface)
    Parameter name
    Description

    Width:

    width

    The width of the display to request, in pixels. If this value is not specified, the width of the connecting client display will be used instead.

    Height:

    height

    The height of the display to request, in pixels. If this value is not specified, the height of the connecting client display will be used instead.

    Resolution (DPI):

    dpi

    The desired effective resolution of the client display, in DPI. If this value is not specified, the resolution and size of the client display will be used together to determine, heuristically, an appropriate resolution for the RDP session.

    Clipboard parameters

    Guacamole provides bidirectional access to the clipboard by default for RDP connections. This behavior can be overridden on a per-connection basis, restricting access to the clipboard.

    Field header (web interface)
    Parameter name
    Description

    Disable copying from remote desktop:

    disable-copy

    If set to "true", text copied within the RDP session will not be accessible by the user at the browser side of the Guacamole session, and will be usable only within the remote desktop. By default, the user will be given access to the copied text.

    Disable pasting from client:

    disable-paste

    If set to "true", text copied at the browser side of the Guacamole session will not be accessible within the RDP session. By default, the user will be able to paste data from outside the browser within the RDP session.

    Device redirection parameters

    Device redirection refers to the use of non-display devices over RDP. Guacamole's RDP support currently allows redirection of audio (both output and input), printing, and disk access, some of which require additional configuration in order to function properly:

    • Audio output is always enabled by default. Configuration changes for audio output need only be made if this should be disabled.

    • Audio input, if enabled, allows users to make use of their local microphone within the remote desktop session. Enabling this typically also requires additional configuration within Windows, as group policy is often configured to disable this. Older versions of Windows may lack support for audio input via remote desktop entirely.

    • Printing, if enabled, allows users to print arbitrary documents directly to PDF. When documents are printed to the redirected printer, the user will receive a PDF download of that document within their web browser.

    • File transfer, if enabled, is provided by emulating a virtual disk drive. This drive will persist on the Guacamole server, confined within the drive path specified.

    Field header (web interface)
    Parameter name
    Description

    Support audio in console:

    console-audio

    If set to "true", audio will be explicitly enabled in the console (admin) session of the RDP server. Setting this option to "true" only makes sense if the console parameter is also set to "true".

    Disable audio:

    disable-audio

    Audio output is always enabled by default. If you are concerned about bandwidth usage, or audio is causing problems, you can explicitly disable audio output by setting this parameter to "true".

    Enable audio input (microphone):

    enable-audio-input

    If set to "true", audio input support (microphone) will be enabled, leveraging the standard "AUDIO_INPUT" channel of RDP. By default, audio input support within RDP is disabled.

    Performance parameters / flags

    RDP provides several flags which control the availability of features that decrease performance and increase bandwidth for the sake of aesthetics, such as wallpaper, window theming, menu effects, and smooth fonts. These features are all disabled by default within Guacamole such that bandwidth usage is minimized, but you can manually re-enable them on a per-connection basis if desired.

    Field header (web interface)
    Parameter name
    Description

    Enable wallpaper:

    enable-wallpaper

    If set to "true", enables rendering of the desktop wallpaper. By default, wallpaper will be disabled, such that unnecessary bandwidth need not be spent redrawing the desktop.

    Enable theming:

    enable-theming

    If set to "true", enables use of theming of windows and controls. By default, theming within RDP sessions is disabled.

    Enable font smoothing (ClearType):

    enable-font-smoothing

    If set to "true", text will be rendered with smooth edges. Text over RDP is rendered with rough edges by default, as this reduces the number of colors used by text, and thus reduces the bandwidth required for the connection.

    RemoteApp Parameters

    Windows Server provides a feature called RemoteApp, part of the Remote Desktop Services (RDS) role, which allows individual applications to be used over RDP without exposing the full desktop environment. If RemoteApp is enabled and configured on your Windows Server, or you have RemoteApp configured and enabled through some other means, you can configure Keeper Connection Manager to launch those individual applications.

    Key benefits of using KCM On-Prem to access RemoteApps:

    • Centralized management: Admins control apps, updates and permissions from a single pane.

    • Seamless user experience: RemoteApps run in the browser and feel native to users.

    • Cost efficiency: No per-endpoint installs or plugins, which reduces the desktop software deployment and maintenance burden.

    • Enhanced security: Data/apps stay on the secured server; supports RBAC, MFA and session recording.

    • Cross-platform access: Users on macOS, Linux and mobile can access Windows-only apps and other systems via RDP/SSH/VNC/DB.

    1. Program:

      This is the remote application to start on the RDS host or other target system configured for RemoteApp. This application, and only this application, will be available to the user upon launching the connection. Typically, for an application to be available, it must first be published as a "RemoteApp" program in an existing or newly created collection. You can specify the alias you assigned to the RemoteApp, such as "||cmd", or use a full path to launch a program instead of an alias, such as "C:\Windows\system32\cmd.exe" or "%windir%\system32\cmd.exe". More information about Remote Desktop Services collections for RemoteApp programs can be found in Microsoft's official documentation.

    2. Working Directory:

      This will be the working directory of the remote application, if any and if the application supports one. Not all applications support a working directory; Notepad, for example, does not.

      In the context of Microsoft's RemoteApp, the working directory is the default folder that a remote application uses to open and save files. It is the starting location for file operations and is particularly important for legacy applications that expect to find specific files in a certain place to function correctly such as data or configurations.

      To specify "Working Directory" simply add the directory path such as "C:\remoteworkingdir\"

    3. Parameters:

      This is where you would put "command-line arguments" to pass to the remote application, if any. Not all applications have command-line arguments. Please refer to the command line documentation for your application's "command-line arguments" and usage.

      For example, if you wanted the "cmd.exe" RemoteApp to enable command extensions, change the background and foreground colors, and list the contents of your working directory upon launching the RemoteApp connection, you would add the command-line arguments "/e:on /t:06 /k dir", which are specific to "cmd.exe", to this field. More examples of command-line arguments for "cmd.exe" can be found in Microsoft's documentation for the cmd command, should you want others for testing.

    Below is a screenshot of the resulting "C:\Windows\system32\cmd.exe" RemoteApp launched with those RemoteApp parameters, showing the "/e:on /t:06 /k dir" command-line arguments being executed automatically upon launching the RemoteApp connection.

    Load balancing parameters (connection broker)

    If your remote desktop servers are behind a load balancer, sometimes referred to as a "connection broker" or "TS session broker", that balancer may require additional information during the connection process to determine how the incoming connection should be routed. RDP does not dictate the format of this information; it is specific to the balancer in use.

    If you are using a load balancer and are unsure whether such information is required, you will need to check the documentation for your balancer. If your balancer provides .rdp files for convenience, look through the contents of those files for a string field called "loadbalanceinfo", as that field is where the required information/cookie would be specified.

    Field header (web interface)
    Parameter name
    Description

    Load balance info/cookie:

    load-balance-info

    The load balancing information or cookie which should be provided to the connection broker. If no connection broker is being used, this should be left blank.

    Preconnection PDU (Hyper-V)

    Some RDP servers host multiple logical RDP connections behind a single server listening on a single TCP port. To select between these logical connections, an RDP client must send the "preconnection PDU" - a message which contains values that uniquely identify the destination, referred to as the "RDP source". This mechanism is defined by the "Session Selection Extension" for the RDP protocol, and is implemented by Microsoft's Hyper-V hypervisor.

    If you are using Hyper-V, you will need to specify the ID of the destination virtual machine as the "preconnection BLOB". This value can be determined using PowerShell:

    The preconnection PDU is intentionally generic. While its primary use is as a means for selecting virtual machines behind Hyper-V, other RDP servers may use it as well. It is up to the RDP server itself to determine whether the preconnection ID, BLOB, or both will be used, and what their values mean.

    If you do intend to use Hyper-V, beware that its built-in RDP server uses slightly different parameters for both authentication and the port number, and Guacamole's defaults will not work. In most cases, you will need to do the following when connecting to Hyper-V:

    1. Specify both the username and password appropriately, and set the security mode to "vmconnect". Selecting the "vmconnect" security mode will configure Guacamole to automatically negotiate security modes known to be supported by Hyper-V, and will automatically select Hyper-V's default RDP port (2179).

    2. If necessary, ignore the TLS certificate used by Hyper-V, which may be self-signed.

    Field header (web interface)
    Parameter name
    Description

    RDP source ID:

    preconnection-id

    The numeric ID of the RDP source. This is a non-negative integer value dictating which of potentially several logical RDP connections should be used. This parameter is only required if the RDP server is documented as requiring it. If using Hyper-V, this should be left blank.

    Preconnection BLOB (VM ID):

    preconnection-blob

    An arbitrary string which identifies the RDP source - one of potentially several logical RDP connections hosted by the same RDP server. This parameter is only required if the RDP server is documented as requiring it, such as Hyper-V. In all cases, the meaning of this parameter is opaque to the RDP protocol itself and is dictated by the RDP server. For Hyper-V, this will be the ID of the destination virtual machine.

    Screen recording parameters

    RDP sessions can be recorded graphically. These recordings take the form of Guacamole protocol dumps and are recorded automatically to a specified directory. Recordings can be subsequently played back using the Keeper Connection Manager Session Recording Player application hosted at player.glyptodon.com (or using a local deployment of this application).

    The player is a static web application, using only JavaScript to play back provided recordings. This functionality is implemented strictly locally; the recordings are not uploaded to a remote service for processing. If you would prefer to use your own deployment of this application, or would like to investigate the source, the full source of the Keeper Connection Manager Session Recording Player can be found on GitHub, along with instructions for local deployment: https://github.com/glyptodon/glyptodon-enterprise-player

    The latest version of Keeper Connection Manager supports on-screen playback of recorded sessions. See the Session Recording documentation page.

    Field header (web interface)
    Parameter name
    Description

    Recording path:

    recording-path

    The directory in which screen recording files should be created. If a graphical recording needs to be created, then this parameter is required. Specifying this parameter enables graphical screen recording. If this parameter is omitted, no graphical recording will be created.

    Recording name:

    recording-name

    The filename to use for any created recordings. If omitted, the filename of each recording will simply be "recording".

    Guacamole will never overwrite an existing recording. If necessary, a numeric suffix like ".1", ".2", ".3", etc. will be appended to the filename to avoid overwriting an existing recording. If even appending a numeric suffix does not help, the session will not be recorded, and an error will be logged.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

    Exclude graphics/streams:

    recording-exclude-output

    If set to "true", graphical output and other data normally streamed from server to client will be excluded from the recording, producing a recording which contains only user input events. By default, graphical output will be included in the recording.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

    SFTP parameters (file transfer)

    Guacamole can provide file transfer over SFTP even when the remote desktop is otherwise being accessed through RDP and not SSH. This support is independent of the file transfer implemented through RDP's own "drive redirection" (RDPDR), and is particularly useful for RDP servers which do not support RDPDR. The SFTP server does not need to be the same server as the RDP server.

    Field header (web interface)
    Parameter name
    Description

    Enable SFTP:

    enable-sftp

    Whether file transfer should be enabled. If set to "true", the user will be allowed to upload files to, and download files from, the specified server using SFTP. If omitted, SFTP will be disabled.

    Hostname:

    sftp-hostname

    The hostname or IP address of the server hosting SFTP. If omitted, the specified hostname or address of the RDP server will be used.

    Port:

    sftp-port

    The port the SSH server providing SFTP is listening on, usually 22. If omitted, the standard port of 22 will be used.

    Exclude mouse:

    recording-exclude-mouse

    If set to "true", user mouse events will be excluded from the recording, producing a recording which lacks a visible mouse cursor. By default, mouse events will be included in the recording.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

    Exclude touch events:

    recording-exclude-touch

    If set to "true", user touch events will be excluded from the recording, producing a recording which lacks the exact details of touch interactions. This will not necessarily prevent touch events from being visible, as the remote desktop server may still choose to render touch interaction on its own. By default, touch events will be included in the recording.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

    Include key events:

    recording-include-keys

    If set to "true", user key events will be included in the recording. The recording can subsequently be passed through the guaclog utility to produce a human-readable interpretation of the keys pressed during the session. By default, for privacy's sake, key events will be NOT included in the recording.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.

    Automatically create recording path:

    create-recording-path

    If set to "true", the final directory within the specified recording path will automatically be created if it does not yet exist. By default, no part of the recording path will be automatically created, and any attempt to use a non-existent directory will result in the session not being recorded and an error being logged.

    Only the final directory in the path will be automatically created. If other directories earlier in the path do not exist, the session will not be recorded, and an error will be logged.

    This parameter only has an effect if graphical recording is enabled, which is controlled by specifying a recording path. If the recording path is not specified, graphical session recording will not be enabled, and this parameter will be ignored.
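    A recording is a plain Guacamole protocol stream, so whether it holds keystrokes can be checked directly rather than taken on trust. The following Python is an added example, not code from Keeper Connection Manager, Apache Guacamole or the guaclog utility: it parses the instruction stream, counts the key, mouse and touch events a recording stores, and reconstructs printable keystrokes from "key" instructions, which is exactly the exposure that "recording-include-keys" controls. The dump it runs on is constructed for the example (a user typing "pass" and Return). The instruction layout ("<length>.<value>" elements joined by commas, with ";" terminating each instruction) is the standard Guacamole wire format, and the keysym-to-character mapping assumes the X11 keysyms that Guacamole uses for "key" events.

```python
"""Inspect a Guacamole protocol dump written by guacd session recording.

Added example, not code from Keeper Connection Manager, Apache Guacamole
or guaclog. Splits the recorded instruction stream, counts stored input
events and reconstructs printable keystrokes from "key" instructions.
The dump below is constructed for the example; real recordings are
written by guacd to the configured recording-path.
"""

# Constructed sample: a size instruction, key press/release pairs for
# p, a, s, s and Return (X11 keysym 0xff0d = 65293), one mouse event and
# a sync. Element lengths count characters, e.g. "3.key" and "2.97".
SAMPLE_DUMP = (
    "4.size,1.0,4.1024,3.768;"
    "3.key,3.112,1.1;3.key,3.112,1.0;"
    "3.key,2.97,1.1;3.key,2.97,1.0;"
    "3.key,3.115,1.1;3.key,3.115,1.0;"
    "3.key,3.115,1.1;3.key,3.115,1.0;"
    "3.key,5.65293,1.1;3.key,5.65293,1.0;"
    "5.mouse,3.100,3.200,1.1;"
    "4.sync,8.12345678;"
)


def parse_instructions(dump):
    """Split a Guacamole protocol stream into (opcode, [args]) tuples.

    Each element is "<length>.<value>", elements are joined by "," and an
    instruction ends with ";". Because lengths are explicit, a value may
    itself contain "," or ";" and must not be split on those characters.
    """
    instructions = []
    pos, end_of_stream = 0, len(dump)
    while pos < end_of_stream:
        if dump[pos] in " \r\n\t":          # tolerate stray whitespace
            pos += 1
            continue
        elements = []
        while True:
            dot = dump.index(".", pos)
            length = int(dump[pos:dot])
            start, stop = dot + 1, dot + 1 + length
            if stop >= end_of_stream:
                raise ValueError(f"truncated instruction at offset {pos}")
            elements.append(dump[start:stop])
            terminator = dump[stop]
            pos = stop + 1
            if terminator == ";":
                break
            if terminator != ",":
                raise ValueError(f"malformed instruction at offset {stop}")
        instructions.append((elements[0], elements[1:]))
    return instructions


# Input opcodes and the connection parameter that decides whether guacd
# stores them (see the screen recording parameters above).
INPUT_OPCODES = {"key": "recording-include-keys",
                 "mouse": "recording-exclude-mouse",
                 "touch": "recording-exclude-touch"}


def audit_input_events(dump):
    """Return {opcode: count} for the input events found in the dump."""
    counts = {}
    for opcode, _ in parse_instructions(dump):
        if opcode in INPUT_OPCODES:
            counts[opcode] = counts.get(opcode, 0) + 1
    return counts


def typed_text(dump):
    """Reconstruct printable text from recorded key presses.

    X11 keysyms 0x20-0x7e equal the ASCII code of the character; Return
    (0xff0d) is rendered as a newline. Releases and other keys are
    skipped, which is enough to show what a stored recording reveals.
    """
    out = []
    for opcode, args in parse_instructions(dump):
        if opcode != "key" or len(args) != 2 or args[1] != "1":
            continue
        keysym = int(args[0])
        if 0x20 <= keysym <= 0x7E:
            out.append(chr(keysym))
        elif keysym == 0xFF0D:
            out.append("\n")
    return "".join(out)


if __name__ == "__main__":
    for opcode, count in audit_input_events(SAMPLE_DUMP).items():
        print(f"{count} {opcode} events stored (controlled by {INPUT_OPCODES[opcode]})")
    print("keystrokes recoverable:", repr(typed_text(SAMPLE_DUMP)))
```

    Running it on the sample reports ten key events and one mouse event and recovers the text "pass" followed by a newline, which is what anyone with read access to a recording made with "recording-include-keys" set to "true" can also recover. Pointing typed_text() at a real recording file is a quick way to confirm that a recording directory contains no keystrokes before its retention or access policy is relaxed.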

    The VM ID used as the preconnection BLOB for a Hyper-V virtual machine (see "Preconnection PDU (Hyper-V)" above) is the output of the following PowerShell command, run on the Hyper-V host:

    PS C:\> Get-VM VirtualMachineName | Select-Object Id

    Id
    --
    ed272546-87bd-4db9-acba-e36e1a9ca20a


    PS C:\>

    Security mode:

    security

    The security mode to use for the RDP connection. This mode dictates how data will be encrypted and what type of authentication will be performed, if any. By default, security mode negotiation is performed.

    Legal values are:

    • "any" - Negotiate with the server, allowing the RDP server to choose its preferred security mode (the default).

    • "nla" - Network Level Authentication, sometimes also referred to as "hybrid" or CredSSP (the protocol that drives NLA). NLA authenticates the user before the remote desktop session is established and uses TLS encryption.

    • "nla-ext" - Extended Network Level Authentication. This mode is identical to NLA except that an additional "Early User Authorization Result" is required to be sent from the server to the client immediately after the NLA handshake is completed.

    • "tls" - Transport Layer Security.

    • "vmconnect" - Automatically select the security mode based on the security protocols supported by both the client and the server, limiting that negotiation to only the protocols known to be supported by Hyper-V / VMConnect. This security mode must be selected if connecting to the console of a Hyper-V virtual machine.

    • "rdp" - Standard RDP encryption. Newer Windows servers generally have this mode disabled by default, and instead require NLA. This legacy mode provides no meaningful server authentication, so it should only be chosen for servers that support nothing else.

    Disable authentication:

    disable-auth

    If set to "true", authentication will be disabled. Note that this refers to authentication that takes place while connecting. Any authentication enforced by the server over the remote desktop session (such as a login dialog) will still take place. By default, authentication is enabled and only used when requested by the server.

    If you are using NLA, authentication must be enabled by definition.

    Ignore server certificate:

    ignore-cert

    If set to "true", the certificate returned by the server will be ignored, even if that certificate cannot be validated. This is useful if you universally trust the server and your connection to the server, and you know that the server's certificate cannot be validated (for example, if it is self-signed). Because this removes the only check that the RDP server is the one you intended to reach, it leaves the connection open to interception by anyone who can impersonate the server; wherever possible, trust the server's certificate or its issuing CA instead (see the "Self-signed or custom CA certificates" page).

    Password:

    gateway-password

    The password to provide when authenticating with the remote desktop gateway, if a gateway is being used.

    Domain:

    gateway-domain

    The domain of the user authenticating with the remote desktop gateway, if a gateway is being used. This is not necessarily the same domain as the user actually using the remote desktop connection.

    Time zone:

    timezone

    The timezone that the client should send to the server for configuring the local time display of that server. The format of the timezone is in the standard IANA key zone format, which is the format used in UNIX/Linux. This will be converted by RDP into the correct format for Windows.

    Support for forwarding the client timezone varies by RDP server implementation. For example, with Windows, support for forwarding timezones is only present in Windows Server with Remote Desktop Services (RDS, formerly known as Terminal Services) installed. Windows Server installations in admin mode, along with Windows workstation versions, do not allow the timezone to be forwarded. Other server implementations, such as XRDP, may not implement this feature at all. Consult the documentation for the RDP server to determine whether or not this feature is supported.

    Enable multi-touch:

    enable-touch

    "true" if multi-touch support should be enabled for the RDP connection. Enabling RDP support for multi-touch allows touch events to be passed through to the remote desktop, and requires that the RDP server support the RDPEI channel.

    This parameter does not control whether Guacamole itself supports touch events. Guacamole always supports touch events and will use any touch events to emulate a mouse by default. This parameter controls only whether touch events should be passed directly through to the RDP server instead of emulating a mouse.

    Administrator console:

    console

    If set to "true", you will be connected to the console (admin) session of the RDP server.

    Color depth:

    color-depth

    The color depth to request, in bits per pixel. Legal values are 8, 16, or 24. Note that, regardless of what value is chosen here, Guacamole will always attempt to optimize image transmission, automatically using fewer bits per pixel if doing so will not visibly alter image quality.

    Force lossless compression:

    force-lossless

    Whether this connection should use lossless compression only. If set to "true", all graphical updates will use lossless compression algorithms. By default, lossy compression will automatically be used when Guacamole detects that doing so would likely outperform lossless compression.

    Resize method:

    resize-method

    The method to use to update the RDP server when the width or height of the client display changes. If this value is not specified, no action will be taken when the client display changes size.

    Normally, the display size of an RDP session is constant and can only be changed when initially connecting. As of RDP 8.1, the "Display Update" channel can be used to request that the server change the display size. For older RDP servers, the only option is to disconnect and reconnect with the new size.

    Legal values are:

    • "display-update" - Use the "Display Update" channel (added in RDP 8.1) to signal the server when display size has changed

    • "reconnect" - Automatically disconnect and reconnect the RDP session when the client display size has changed

    Read-only:

    read-only

    Whether this connection should be read-only. If set to "true", no input will be accepted on the connection at all. Users will be able to see the desktop or application but will be unable to interact.

    Enable printing:

    enable-printing

    If set to "true", a redirected printer will be made available within the RDP session that users can use to print to a PDF. The PDF is received and automatically downloaded by the user's browser. By default, printing is disabled.

    Redirected printer name:

    printer-name

    The name of the redirected printer device that is passed through to the RDP session. This is the name that the user will see in their applications and within the Devices and Printers control panel. If printer redirection is not enabled, this parameter has no effect.

    Enable drive:

    enable-drive

    If set to "true", a redirected drive will be made available within the RDP session that users can use to transfer files. The contents of the virtual drive are persisted on the Guacamole server in the directory specified by the "drive-path" parameter. By default, drive redirection is disabled.

    Drive name:

    drive-name

    The name of the filesystem used when passed through to the RDP session. This is the name that users will see in their Computer/My Computer area along with client name, and is also the name of the share when accessing the special \\tsclient network location.

    If drive redirection is not enabled, this parameter is ignored.

    Drive path:

    drive-path

    The directory on the Guacamole server in which transferred files should be stored. This directory must be accessible by the guacd service user or group.

    If drive redirection is not enabled, this parameter is ignored.

    Automatically create drive:

    create-drive-path

    If set to "true", the final directory within the specified drive path will automatically be created if it does not yet exist. By default, no part of the drive path will be automatically created, and any attempt to use a non-existent directory will result in an error.

    Only the final directory in the path will be automatically created. If other directories earlier in the path do not exist, the connection will fail with an error.

    If drive redirection is not enabled, this parameter is ignored.

    Static channel names:

    static-channels

    A comma-separated list of static channel names to open and expose as pipes. If you wish to communicate between an application running on the remote desktop and JavaScript, this is the best way to do it. Guacamole will open an outbound pipe with the name of the static channel. If JavaScript needs to communicate back in the other direction, it should respond by opening another pipe with the same name.

    Guacamole allows any number of static channels to be opened, but protocol restrictions of RDP limit the size of each channel name to 7 characters.

    Enable full-window drag:

    enable-full-window-drag

    If set to "true", the contents of windows will be displayed as windows are moved. By default, the RDP server will only draw the window border while windows are being dragged.

    Enable desktop composition (Aero):

    enable-desktop-composition

    If set to "true", graphical effects such as transparent windows and shadows will be allowed. By default, such effects, if available, are disabled.

    Enable menu animations:

    enable-menu-animations

    If set to "true", menu open and close animations will be allowed. Menu animations are disabled by default.

    Disable bitmap caching:

    disable-bitmap-caching

    If set to "true", the RDP bitmap cache will not be used. By default, caching of bitmaps is enabled.

    This is generally only useful when dealing with an RDP server that has known bugs in its implementation of bitmap caching, and should remain enabled in most circumstances.

    Disable off-screen caching:

    disable-offscreen-caching

    If set to "true," caching of regions of the screen that are not currently visible will be disabled. By default, caching of off-screen regions is enabled.

    This is generally only useful when dealing with an RDP server that has known bugs in its implementation of off-screen caching, and should remain enabled in most circumstances.

    Disable glyph caching:

    disable-glyph-caching

    If set to "true", the RDP glyph cache will not be used. By default, caching of glyphs is enabled.

    This is generally only useful when dealing with an RDP server that has known bugs in its implementation of glyph caching, and should remain enabled in most circumstances.

    Public host key (Base64):

    sftp-host-key

    The known hosts entry for the SSH server providing SFTP, in the same format as would be specified within an OpenSSH known_hosts file (hostname, key type and Base64-encoded public key, as printed by ssh-keyscan). If not provided, no verification of host identity will be performed, so an attacker able to redirect the connection could impersonate the SFTP server and capture the credentials and any files transferred.

    Username:

    sftp-username

    The username to authenticate as when connecting to the specified SSH server for SFTP. This parameter is required if SFTP is enabled.

    Password:

    sftp-password

    The password to use when authenticating with the specified SSH server for SFTP.

    Private key:

    sftp-private-key

    The entire contents of the private key to use for public key authentication. If this parameter is not specified, public key authentication will not be used. The private key must be in OpenSSH format, as would be generated by the OpenSSH ssh-keygen utility.

    Passphrase:

    sftp-passphrase

    The passphrase to use to decrypt the private key for use in public key authentication. This parameter is not needed if the private key does not require a passphrase.

    File browser root directory:

    sftp-root-directory

    The directory to expose to connected users via Guacamole's file browser. If omitted, the root directory will be used by default.

    Default upload directory:

    sftp-directory

    The directory to upload files to if they are simply dragged and dropped, and thus otherwise lack a specific upload location. If omitted, the default upload location of the SSH server providing SFTP will be used.

    SFTP keepalive interval:

    sftp-server-alive-interval

    The interval, in seconds, at which keepalive packets should be sent to the SSH server for the SFTP connection, where "0" indicates that no keepalive packets should be sent at all (the default behavior). The minimum legal value other than "0" is "2".
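The rules in the screen recording and SFTP parameter descriptions above can be checked mechanically before a connection is saved. The following is an added example, not code from Keeper Connection Manager or Apache Guacamole: it lints a connection's parameter map against the documented behaviour (recording parameters ignored without recording-path, the privacy cost of recording-include-keys, create-recording-path creating only the final directory, sftp-username required, sftp-host-key missing or malformed, sftp-server-alive-interval of 0 or at least 2). Parameter names are the documented ones; enable-sftp is the parameter that switches SFTP on for a connection and is not among those listed above. The key-type set, the messages, the ed25519 known_hosts builder and the two sample configurations are this example's own constructions; in a real deployment the sftp-host-key value comes from ssh-keyscan.

```python
"""Lint the recording and SFTP parameters of a Guacamole / KCM connection.
Added example, not product code. Parameter names are the documented ones;
checks, messages and sample data are this example's own."""
import base64
import binascii
import os
import struct

# Assumption: the key types normally seen in OpenSSH known_hosts entries.
KNOWN_HOST_KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                        "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def is_true(params, name):
    """Guacamole boolean parameters are enabled by the string "true"."""
    return str(params.get(name, "")).strip().lower() == "true"


def valid_known_hosts_entry(entry):
    """True if entry has the known_hosts shape "[marker] host key-type base64"
    and the decoded blob starts with the same key-type string."""
    fields = entry.split()
    if fields and fields[0].startswith("@"):      # e.g. @cert-authority
        fields = fields[1:]
    if len(fields) < 3 or fields[1] not in KNOWN_HOST_KEY_TYPES:
        return False
    key_type = fields[1]
    try:
        blob = base64.b64decode(fields[2], validate=True)
    except (ValueError, binascii.Error):
        return False
    return blob[4:4 + len(key_type)] == key_type.encode()


def lint_recording(params, path_exists=os.path.isdir):
    """Findings for the recording parameters; path_exists is injectable so the
    check can run against a configuration without touching the disk."""
    findings = []
    recording_path = params.get("recording-path")
    if not recording_path:
        # Without recording-path nothing is recorded and the rest is ignored.
        for name in ("recording-exclude-touch", "recording-include-keys",
                     "create-recording-path"):
            if name in params:
                findings.append(f"{name} has no effect: recording-path is not set")
        return findings
    if is_true(params, "recording-include-keys"):
        findings.append("recording-include-keys=true: keystrokes, including any "
                        "passwords typed in the session, are stored in the recording")
    if not path_exists(recording_path):
        parent = os.path.dirname(recording_path.rstrip("/"))
        if not is_true(params, "create-recording-path"):
            findings.append(f"recording-path {recording_path!r} does not exist and "
                            "create-recording-path is not set; sessions will not be recorded")
        elif parent and not path_exists(parent):
            findings.append("create-recording-path only creates the final directory; "
                            f"{parent!r} is missing, so sessions will not be recorded")
    return findings


def lint_sftp(params):
    """Findings for the SFTP parameters (only when enable-sftp is "true")."""
    findings = []
    if not is_true(params, "enable-sftp"):
        return findings
    if not params.get("sftp-username"):
        findings.append("sftp-username is required when SFTP is enabled")
    key = params.get("sftp-private-key") or None
    if key is None and not params.get("sftp-password"):
        findings.append("neither sftp-password nor sftp-private-key is set")
    if key is not None and ("-----BEGIN " not in key or "PRIVATE KEY-----" not in key):
        findings.append("sftp-private-key must hold the key itself (ssh-keygen output), not a path")
    if params.get("sftp-passphrase") and key is None:
        findings.append("sftp-passphrase has no effect without sftp-private-key")
    host_key = params.get("sftp-host-key")
    if not host_key:
        findings.append("sftp-host-key is not set: the SFTP server's identity is not verified, "
                        "so an impersonating server can capture credentials and transferred files")
    elif not valid_known_hosts_entry(host_key):
        findings.append("sftp-host-key is not a known_hosts entry (host, key type, base64 key)")
    interval = params.get("sftp-server-alive-interval")
    if interval is not None:
        try:
            value = int(interval)
        except ValueError:
            value = -1
        if value != 0 and value < 2:
            findings.append("sftp-server-alive-interval must be 0 (off) or at least 2")
    return findings


def ed25519_known_hosts_entry(host, key_bytes):
    """Build a known_hosts line from a raw 32-byte ed25519 public key. Used only
    to construct the sample below; real entries come from ssh-keyscan."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", len(key_bytes)) + key_bytes
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


# Constructed sample configurations, not taken from any real deployment.
SAMPLE_HOST_KEY = ed25519_known_hosts_entry("files.example.internal", bytes(range(32)))
WEAK = {"enable-sftp": "true", "sftp-password": "hunter2", "sftp-server-alive-interval": "1",
        "recording-path": "/var/lib/guacd/recordings", "recording-include-keys": "true",
        "create-recording-path": "true"}
HARDENED = {"enable-sftp": "true", "sftp-username": "svc-transfer",
            "sftp-host-key": SAMPLE_HOST_KEY, "sftp-server-alive-interval": "30",
            "sftp-private-key": "-----BEGIN OPENSSH PRIVATE KEY-----\n(key material)\n"
                                "-----END OPENSSH PRIVATE KEY-----\n",
            "recording-path": "/var/lib/guacd/recordings", "create-recording-path": "true"}

if __name__ == "__main__":
    exists = lambda p: p == "/var/lib/guacd"   # pretend only the parent directory exists
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, lint_recording(cfg, exists) + lint_sftp(cfg))
```

Run as a script it reports the three SFTP findings and the keystroke warning for the weak configuration and nothing for the hardened one. The path_exists argument exists so the create-recording-path rule can be evaluated on a machine other than the guacd host; leave it at the default when running on the guacd server itself.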
