RE: Does Guacamole support PKI/Smartcard authentication for RDP (instead of username/password)?

2021-10-29 Thread Angal, Rajeev
Thanks, Nick. Makes total sense. Yes, I agree open source projects need 
developers who have interest and time.
I will check the developer forum to get a feel of the component it goes to and 
the scope of the effort.
I have filed a Jira ticket here:
https://jira.glyptodon.com/browse/GUAC-1694

-rajeev



From: Nick Couchman 
Sent: Friday, October 29, 2021 9:10 AM
To: user@guacamole.apache.org
Subject: Re: Does Guacamole support PKI/Smartcard authentication for RDP 
(instead of username/password)?

On Thu, Oct 28, 2021 at 10:25 PM Angal, Rajeev <ran...@visa.com.invalid> wrote:
Hello -
Want to request a poll to the community if this feature would be useful?

If you think this feature would be useful, the best thing to do is 1) ensure 
that there's a Jira issue for it, 2) vote for the Jira issue, and 3) contribute.

https://issues.apache.org/jira/projects/GUACAMOLE/issues

If there is enough interest, please advise the best way to implement it in the 
near future.

While you're welcome to lend your voice to the issue by posting here or 
submitting and/or voting on the Jira issue, if you want to get it implemented 
then you need to either wait for one of the developers to have the time, 
expertise, and inclination to do it, or jump in and contribute yourself. This 
is an open source, community project, and, while enough people asking for a 
feature can help raise it to a level that an existing developer would jump in 
and do it, the reality is that many features get implemented when someone who 
has a vested interest in the feature is able to contribute to its getting 
done. I recognize that not everyone is a developer - I'm not a very good one, 
and it isn't what I spend most of my time doing - I'm a systems engineer/admin 
and IT Manager by day. My contributions are pretty limited as compared to some 
of the other folks who spend their time on the project, but I wrote the RADIUS 
extension when I needed it enough in my #DayJob that I was willing to invest 
time in brushing up on my Java skills and working with the other developers to 
get the code to the point where it could be included in the project.

-Nick


RE: Does Guacamole support PKI/Smartcard authentication for RDP (instead of username/password)?

2021-10-28 Thread Angal, Rajeev
Hello -
Want to request a poll to the community if this feature would be useful?
If there is enough interest, please advise the best way to implement it in the 
near future.

Thanks,
-rajeev

From: Angal, Rajeev 
Sent: Saturday, July 3, 2021 11:37 AM
To: user@guacamole.apache.org
Subject: Re: Does Guacamole support PKI/Smartcard authentication for RDP 
(instead of username/password)?

Thanks for your reply, Nick.
On #2:
User workstation -> Guacamole intermediate server -> Target RDP or SSH server

After the initial authentication to Guacamole with SAML/smartcard/etc.,
if the intermediate server could get an ephemeral certificate (on behalf of the 
authenticated user) from a CA and allow auto login over SSH and RDP to the 
target server.
This post describes the concept:

https://informationsecuritybuzz.com/articles/why-ephemeral-certificates-are-the-ideal-option-for-secure-it-access/




From: Nick Couchman <vn...@apache.org>
Sent: Saturday, July 3, 2021 10:16:35 AM
To: user@guacamole.apache.org
Subject: Re: Does Guacamole support PKI/Smartcard authentication for RDP 
(instead of username/password)?

On Sat, Jul 3, 2021 at 12:06 PM Angal, Rajeev <ran...@visa.com.invalid> wrote:

Love Guacamole so far!



For remote Windows servers that support only smartcard authentication, would 
like the following capabilities:

  1.  Smartcard redirection
  2.  Generation of ephemeral certs on the "gateway" for seamless "SSO"



Are these features available or on the roadmap?

The first one is definitely not implemented, yet, and I don't think there's a 
JIRA feature issue for it, either.

For the second one, I'm not entirely sure what you mean. Several SSO platforms 
are supported in Guacamole - CAS, OpenID, and SAML - and within those some of 
them have support for validating logins using various means, including 
certificates between Guacamole and the SSO IdP. I know there was a recent 
e-mail on the list regarding getting SAML to work with certificate validation, 
so there may be some issues with that, and it's worth testing out further.

In the end, doing certificate-based authentication to Guacamole shouldn't 
require too much work - the guacamole-ext framework provides relatively simple 
ways for supporting new authentication mechanisms, and SmartCards are really 
just x509 certificates, so really anything that supports certificate-based 
authentication should work. I know CAS supports x509 authentication, so it 
would probably be reasonably easy to get CAS x509 -> Guacamole authentication 
working without having to modify any code at all.

-Nick


Re: Does Guacamole support PKI/Smartcard authentication for RDP (instead of username/password)?

2021-07-03 Thread Angal, Rajeev
Thanks for your reply, Nick.
On #2:
User workstation —> Guacamole intermediate server —> Target RDP or SSH server

After the initial authentication to Guacamole with SAML/smartcard/etc.,
if the intermediate server could get an ephemeral certificate (on behalf of the 
authenticated user) from a CA and allow auto login over SSH and RDP to the 
target server.
This post describes the concept:

https://informationsecuritybuzz.com/articles/why-ephemeral-certificates-are-the-ideal-option-for-secure-it-access/




From: Nick Couchman 
Sent: Saturday, July 3, 2021 10:16:35 AM
To: user@guacamole.apache.org 
Subject: Re: Does Guacamole support PKI/Smartcard authentication for RDP 
(instead of username/password)?

On Sat, Jul 3, 2021 at 12:06 PM Angal, Rajeev wrote:

Love Guacamole so far!



For remote Windows servers that support only smartcard authentication, would 
like the following capabilities:

  1.  Smartcard redirection
  2.  Generation of ephemeral certs on the “gateway” for seamless “SSO”



Are these features available or on the roadmap?

The first one is definitely not implemented, yet, and I don't think there's a 
JIRA feature issue for it, either.

For the second one, I'm not entirely sure what you mean. Several SSO platforms 
are supported in Guacamole - CAS, OpenID, and SAML - and within those some of 
them have support for validating logins using various means, including 
certificates between Guacamole and the SSO IdP. I know there was a recent 
e-mail on the list regarding getting SAML to work with certificate validation, 
so there may be some issues with that, and it's worth testing out further.

In the end, doing certificate-based authentication to Guacamole shouldn't 
require too much work - the guacamole-ext framework provides relatively simple 
ways for supporting new authentication mechanisms, and SmartCards are really 
just x509 certificates, so really anything that supports certificate-based 
authentication should work. I know CAS supports x509 authentication, so it 
would probably be reasonably easy to get CAS x509 -> Guacamole authentication 
working without having to modify any code at all.

-Nick


Does Guacamole support PKI/Smartcard authentication for RDP (instead of username/password)?

2021-07-03 Thread Angal, Rajeev
Love Guacamole so far!

For remote Windows servers that support only smartcard authentication, would 
like the following capabilities:

  1.  Smartcard redirection
  2.  Generation of ephemeral certs on the “gateway” for seamless “SSO”

Are these features available or on the roadmap?

Thanks,
-rajeev