Re: Does Guacamole support PKI/Smartcard authentication for RDP (instead of username/password)?

2021-07-03 Thread Nick Couchman
On Sat, Jul 3, 2021 at 2:37 PM Angal, Rajeev wrote:

> Thanks for your reply, Nick.
> On #2:
> User workstation —> Guacamole intermediate server —> Target RDP or SSH
> server
>
> After the initial authentication to Guacamole with SAML/smartcard/etc.,
> if the intermediate server could get an ephemeral certificate (on behalf
> of the authenticated user) from a CA and allow auto login over SSH and RDP
> to the target server.
> This post describes the concept:
>
>
> https://informationsecuritybuzz.com/articles/why-ephemeral-certificates-are-the-ideal-option-for-secure-it-access/
>
>
>
Ah, okay, so you're not so much concerned with support for authenticating
to Guacamole via certificate, you're wanting to pass the certificate
through to the remote desktop system?

Guacamole doesn't support that, either, currently, but I'm sure it is
doable.

-Nick
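
The flow asked about in this message, sketched for the SSH leg only with OpenSSH's own certificate support. This is an added example, not part of the thread and not a Guacamole feature. The local demo CA key (standing in for the CA the message mentions), the principal `rajeev`, the temporary paths and the 5-minute lifetime are all constructed assumptions.

```shell
#!/bin/sh
# Added example: gateway-side issuance of a short-lived SSH user certificate.
# Paths, the principal "rajeev" and the 5-minute lifetime are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT   # session keys and the demo CA key are discarded

# One-time setup. Target servers would trust ca.pub through the sshd_config
# option TrustedUserCAKeys; the private half stays with the issuing service.
make_ca() {
    [ -f "$WORK/ca" ] ||
        ssh-keygen -q -t ed25519 -N '' -C 'demo-user-ca' -f "$WORK/ca"
}

# Per session: a fresh key pair and a certificate for exactly one principal.
# $1 = user already authenticated at the gateway, $2 = lifetime (e.g. 5m).
# "-O clear -O permit-pty" drops forwarding extensions the session never needs.
issue_ephemeral_cert() {
    key="$WORK/session-$1"
    rm -f "$key" "$key.pub" "$key-cert.pub"
    ssh-keygen -q -t ed25519 -N '' -C "ephemeral-$1" -f "$key" >/dev/null &&
    ssh-keygen -q -s "$WORK/ca" -I "gateway-$1-$(date +%s)" -n "$1" \
        -V "+$2" -O clear -O permit-pty "$key.pub" >/dev/null &&
    echo "$key-cert.pub"
}

# Fields worth checking on every issued certificate.
cert_principal()  { ssh-keygen -L -f "$1" | awk '/Principals:/ {getline; print $1}'; }
cert_type()       { ssh-keygen -L -f "$1" | awk '/Type:/ {print $3, $4}'; }
cert_has_expiry() { ssh-keygen -L -f "$1" | grep -q 'Valid: from .* to '; }

make_ca
cert=$(issue_ephemeral_cert rajeev 5m)
ssh-keygen -L -f "$cert"
```

On the target, sshd accepts such a certificate only inside its validity window and, by default, only when a listed principal matches the account being logged in to.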



Re: Does Guacamole support PKI/Smartcard authentication for RDP (instead of username/password)?

2021-07-03 Thread Angal, Rajeev
Thanks for your reply, Nick.
On #2:
User workstation —> Guacamole intermediate server —> Target RDP or SSH server

After the initial authentication to Guacamole with SAML/smartcard/etc.,
if the intermediate server could get an ephemeral certificate (on behalf of the
authenticated user) from a CA and allow auto login over SSH and RDP to the
target server.
This post describes the concept:

https://informationsecuritybuzz.com/articles/why-ephemeral-certificates-are-the-ideal-option-for-secure-it-access/




From: Nick Couchman 
Sent: Saturday, July 3, 2021 10:16:35 AM
To: user@guacamole.apache.org 
Subject: Re: Does Guacamole support PKI/Smartcard authentication for RDP 
(instead of username/password)?

On Sat, Jul 3, 2021 at 12:06 PM Angal, Rajeev  wrote:

Love Guacamole so far!



For remote Windows servers that support only smartcard authentication,  would 
like the following capabilities:

  1.  Smartcard redirection
  2.  Generation of ephemeral certs on the “gateway” for seamless “SSO”



Are these features available or on the roadmap?

The first one is definitely not implemented, yet, and I don't think there's a 
JIRA feature issue for it, either.

For the second one, I'm not entirely sure what you mean. Several SSO platforms 
are supported in Guacamole - CAS, OpenID, and SAML - and within those some of 
them have support for validating logins using various means, including 
certificates between Guacamole and the SSO IdP. I know there was a recent 
e-mail on the list regarding getting SAML to work with certificate validation, 
so there may be some issues with that, and it's worth testing out further.

In the end, doing certificate-based authentication to Guacamole shouldn't 
require too much work - the guacamole-ext framework provides relatively simple 
ways for supporting new authentication mechanisms, and SmartCards are really 
just x509 certificates, so really anything that supports certificate-based 
authentication should work. I know CAS supports x509 authentication, so it 
would probably be reasonably easy to get CAS x509 -> Guacamole authentication 
working without having to modify any code at all.

-Nick


Re: Does Guacamole support PKI/Smartcard authentication for RDP (instead of username/password)?

2021-07-03 Thread Nick Couchman
On Sat, Jul 3, 2021 at 12:06 PM Angal, Rajeev wrote:

> Love Guacamole so far!
>
>
>
> For remote Windows servers that support only smartcard authentication,
> would like the following capabilities:
>
>    1. Smartcard redirection
>    2. Generation of ephemeral certs on the “gateway” for seamless “SSO”
>
>
>
> Are these features available or on the roadmap?
>
>
The first one is definitely not implemented, yet, and I don't think there's
a JIRA feature issue for it, either.

For the second one, I'm not entirely sure what you mean. Several SSO
platforms are supported in Guacamole - CAS, OpenID, and SAML - and within
those some of them have support for validating logins using various means,
including certificates between Guacamole and the SSO IdP. I know there was
a recent e-mail on the list regarding getting SAML to work with certificate
validation, so there may be some issues with that, and it's worth testing
out further.

In the end, doing certificate-based authentication to Guacamole shouldn't
require too much work - the guacamole-ext framework provides relatively
simple ways for supporting new authentication mechanisms, and SmartCards
are really just x509 certificates, so really anything that supports
certificate-based authentication should work. I know CAS supports x509
authentication, so it would probably be reasonably easy to get CAS x509 ->
Guacamole authentication working without having to modify any code at all.

-Nick



Does Guacamole support PKI/Smartcard authentication for RDP (instead of username/password)?

2021-07-03 Thread Angal, Rajeev
Love Guacamole so far!

For remote Windows servers that support only smartcard authentication,  would 
like the following capabilities:

  1.  Smartcard redirection
  2.  Generation of ephemeral certs on the “gateway” for seamless “SSO”

Are these features available or on the roadmap?

Thanks,
-rajeev


I am overwhelmed by the sheer number of open source remote desktop software in the world

2021-07-03 Thread Turritopsis Dohrnii Teo En Ming

Good day from Singapore,

I am overwhelmed by the sheer number of open source remote desktop 
software in the world. How many open source remote desktop software 
projects are there in the world? There are simply too many choices! I 
don't know how to choose!


Could you recommend some of the best open source remote desktop 
software?


Thank you very much for your kind assistance.

Mr. Turritopsis Dohrnii Teo En Ming, 43 years old as of 3rd July 2021, 
is a TARGETED INDIVIDUAL living in Singapore. He is an IT consultant 
with a System Integrator (SI)/computer firm in Singapore. He is an IT 
enthusiast.
