Citrix

How to Mitigate Keyloggers with a Virtual Keyboard in Access Gateway Enterprise Edition

  • CTX118734
  • Created on Mar 26, 2014
  • Updated on Apr 11, 2014
Article Topic Authentication, Display
Download Virtual_Keyboard.zip

Objective

This article describes how to modify the Access Gateway Enterprise Edition logon page to incorporate a virtual keyboard that assists in mitigating the threat of keylogging software that might be present on client machines.

Background

Keyloggers are an increasing threat on the Internet and pose a risk to the security of corporate networks. They are applications that run silently on a computer or Internet kiosk and record the keystrokes entered by a user for later review. They pose a risk because they can capture the usernames and passwords entered, which can then be reviewed and used to obtain unauthorized access to the corporate network.

To help mitigate the threat of keyloggers recording credentials when logging in to the Access Gateway Enterprise Edition appliance, it is possible to customize the logon page to include a virtual on-screen keyboard. This allows users to enter their credentials without typing on the physical keyboard, so a keylogger has no keystrokes to capture.

The original article includes sample screen shots of the virtual keyboard in different Access Gateway User Interface themes.

Requirements

  • Access Gateway Enterprise Edition 8.0 or later

  • A secure shell (SSH) based file-transfer utility such as WinSCP

  • Knowledge of the UNIX-based text editor vi.

Note: Alternatively, use the file-transfer utility to download the relevant files, modify them locally in a Unicode-aware text editor, and then re-upload the modified files.

Instructions

To modify the Access Gateway Enterprise Edition logon page to incorporate a virtual keyboard, complete the following procedure:

  1. Download and extract the contents of the virtual_keyboard.zip file attached to this article.

  2. Upload the following files into the appropriate locations:
    keyboard.js: /netscaler/ns_gui/vpn/
    keyboard.css: /netscaler/ns_gui/vpn/css/
    keyboard.png: /netscaler/ns_gui/vpn/images/

  3. Modify the /netscaler/ns_gui/vpn/index.html file and make the following changes:
    Add the following lines to load the keyboard stylesheet and script:

    <link rel="stylesheet" type="text/css" href="css/keyboard.css">
    <script type="text/javascript" src="keyboard.js" charset="UTF-8"></script>

    Find and replace the class for the username input field. For example:

    <input class="CTXMSAM_ContentFont" style="font-size: 8pt" type="text" title="Enter user name" name="login" size="30" maxlength="127" onFocus="loginFieldCheck()"style="width:100%;" />

    Becomes:

    <input class="keyboardInput" style="font-size: 8pt" type="text" title="Enter user name" name="login" size="30" maxlength="127" onFocus="loginFieldCheck()"style="width:100%;" />

  4. Modify the /netscaler/ns_gui/vpn/login.js file and replace the class for both password input fields. For example:
    <input class="CTXMSAM_ContentFont" type="Password" title="Enter password" name="passwd" size="30" maxlength="32" style="width:100%;">

    Becomes:

    <input class="keyboardInput" type="Password" title="Enter password" name="passwd" size="30" maxlength="32" style="width:100%;">

  5. Ensure that the changes are retained after the appliance is restarted. For example, copy the five files involved in this process into the /var/modified_portal/ directory, and create (or append if the file already exists) the following lines into /nsconfig/nsafter.sh:
    cp /var/modified_portal/index.html /netscaler/ns_gui/vpn/index.html
    cp /var/modified_portal/login.js /netscaler/ns_gui/vpn/login.js
    cp /var/modified_portal/keyboard.js /netscaler/ns_gui/vpn/keyboard.js
    cp /var/modified_portal/keyboard.css /netscaler/ns_gui/vpn/css/keyboard.css
    cp /var/modified_portal/keyboard.png /netscaler/ns_gui/vpn/images/keyboard.png

  6. Run the following command to ensure that nsafter.sh has execute privileges:
    chmod 750 /nsconfig/nsafter.sh

  7. For changes to take effect, restart the appliance, or manually run the /nsconfig/nsafter.sh command.
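
One way to confirm the result of steps 2 through 7 after a restart, as an added example that is not part of the Citrix article or the attached download: the `verify_portal` function and its `PORTAL_FILES` list are hypothetical names, and the directory defaults are the ones used in the procedure above. It checks that each live file matches its saved copy, that index.html links a stylesheet path that actually exists, and that both pages still carry the keyboardInput class.

```shell
#!/bin/sh
# Added example (not Citrix code): check that the customized logon page
# survived a restart. Directory defaults are the ones used in the procedure.

# saved-file:path-relative-to-the-vpn-GUI-directory
PORTAL_FILES="index.html:index.html
login.js:login.js
keyboard.js:keyboard.js
keyboard.css:css/keyboard.css
keyboard.png:images/keyboard.png"

verify_portal() {
    src="${1:-/var/modified_portal}"
    gui="${2:-/netscaler/ns_gui/vpn}"
    rc=0

    # 1. Every live file must be byte-identical to its saved copy.
    for pair in $PORTAL_FILES; do
        name="${pair%%:*}"
        dest="${pair#*:}"
        if [ ! -f "$src/$name" ]; then
            echo "missing saved copy: $src/$name"; rc=1
        elif ! cmp -s "$src/$name" "$gui/$dest" 2>/dev/null; then
            echo "live file missing or changed: $gui/$dest"; rc=1
        fi
    done

    # 2. index.html must load keyboard.js and a stylesheet path that exists.
    grep -q 'src="keyboard.js"' "$gui/index.html" 2>/dev/null ||
        { echo "index.html does not load keyboard.js"; rc=1; }
    css=$(sed -n 's/.*href="\([^"]*keyboard\.css\)".*/\1/p' \
        "$gui/index.html" 2>/dev/null | head -n 1)
    if [ -z "$css" ] || [ ! -f "$gui/$css" ]; then
        echo "keyboard.css link missing or unresolved: ${css:-none}"; rc=1
    fi

    # 3. Both pages must still tag their input fields for the keyboard.
    for page in index.html login.js; do
        grep -q 'keyboardInput' "$gui/$page" 2>/dev/null ||
            { echo "$page has no keyboardInput field"; rc=1; }
    done
    return "$rc"
}
```

Source the file and call `verify_portal` with no arguments on the appliance; a non-zero return status means at least one of the printed checks failed.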

Forcing the Use of the Virtual Keyboard

It is possible to prevent the user entering credentials without using the virtual keyboard. To enable this, add the readonly="readonly" attribute to each input field that must have the virtual keyboard. For example, to force the use of the virtual keyboard on a password field, you must make the following changes to the login.js file:

<input class="keyboardInput" type="Password" title="Enter password" name="passwd" size="30" maxlength="32" style="width:100%;">

Becomes:

<input class="keyboardInput" readonly="readonly" type="Password" title="Enter password" name="passwd" size="30" maxlength="32" style="width:100%;">

Additional Resources

The components used in this article are based on the open source code provided by GreyWyvern and are free for commercial and non-commercial use under the BSD License.

You can find additional keyboard layouts and advanced customizations at http://www.greywyvern.com/code/javascript/keyboard.

Disclaimer

The above mentioned sample code is provided to you as is with no representations, warranties or conditions of any kind. You may use, modify and distribute it at your own risk. CITRIX DISCLAIMS ALL WARRANTIES WHATSOEVER, EXPRESS, IMPLIED, WRITTEN, ORAL OR STATUTORY, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. Without limiting the generality of the foregoing, you acknowledge and agree that (a) the sample code may exhibit errors, design flaws or other problems, possibly resulting in loss of data or damage to property; (b) it may not be possible to make the sample code fully functional; and (c) Citrix may, without notice or liability to you, cease to make available the current version and/or any future versions of the sample code. In no event should the code be used in support of ultra-hazardous activities, including but not limited to life support or blasting activities. NEITHER CITRIX NOR ITS AFFILIATES OR AGENTS WILL BE LIABLE, UNDER BREACH OF CONTRACT OR ANY OTHER THEORY OF LIABILITY, FOR ANY DAMAGES WHATSOEVER ARISING FROM USE OF THE SAMPLE CODE, INCLUDING WITHOUT LIMITATION DIRECT, SPECIAL, INCIDENTAL, PUNITIVE, CONSEQUENTIAL OR OTHER DAMAGES, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Although the copyright in the code belongs to Citrix, any distribution of the code should include only your own standard copyright attribution, and not that of Citrix. You agree to indemnify and defend Citrix against any and all claims arising from your use, modification or distribution of the code.
