Does Guacamole support PKI/Smartcard authentication for RDP (instead of username/password)?

["Angal, Rajeev" <ra...@visa.com.INVALID>]

Love Guacamole so far!

For remote Windows servers that support only smartcard authentication,  would like the following capabilities:

  1.  Smartcard redirection
  2.  Generation of ephemeral certs on the “gateway” for seamless “SSO”

Are these features available or on the roadmap?

Thanks,
-rajeev

Re: Does Guacamole support PKI/Smartcard authentication for RDP (instead of username/password)?

[Nicolas Baudrand <nb...@lozere.fr>]

+1 

It would be great ! 

> De: "Angal, Rajeev" <ra...@visa.com.INVALID>
> À: user@guacamole.apache.org
> Envoyé: Samedi 3 Juillet 2021 18:06:11
> Objet: Does Guacamole support PKI/Smartcard authentication for RDP (instead of
> username/password)?

> Love Guacamole so far!

> For remote Windows servers that support only smartcard authentication, would
> like the following capabilities:

>     1. Smartcard redirection
>     2. Generation of ephemeral certs on the “gateway” for seamless “SSO”

> Are these features available or on the roadmap?

> Thanks,

> -rajeev

Re: Does Guacamole support PKI/Smartcard authentication for RDP (instead of username/password)?

[Mike Jumper <mj...@apache.org>]

On Fri, Nov 5, 2021, 00:10 Maram, Saber <sm...@posteo.net> wrote:

>
> Hello,
>
> it is definetly possible, you need 2-3 full time devs to write ~3k lines
> of C then a extension with native host communication for client side and
> some frontend coding and ~2 months time.
>
> i know that so well since we did it already, the next we are working on is
> usb device redirection as soon the test's for smartcard implementation are
> done.
>

If you have such support implemented and working, I really think the path
forward should be contributing those changes for the benefit of all.

- Mike

Re: Does Guacamole support PKI/Smartcard authentication for RDP (instead of username/password)?

["Maram, Saber" <sm...@posteo.net>]

    
Hello,

it is definetly possible, you need 2-3 full time devs to write ~3k
lines of C then a extension with native host communication for client
side and some frontend coding and ~2 months time.

i know that so well since we did it already, the next we are working
on is usb device redirection as soon the test's for smartcard
implementation are done.

video link
->https://www.dropbox.com/s/89ai9ikho2atsn4/smartcard_reader.mp4?dl=0








Am Freitag, den 05.11.2021 um 03:28 schrieb Jason Haar:


I would say this is better to solve within a proper IdP rather than an
end-node webapp like guacamole. ie set up guacamole to use SAML or
OpenID connect to a "proper" Identity provider and make that thing do
the high-security checks. eg we use Apache with mod_auth_mellon as a
reverse proxy frontend to guacamole (set to use http-auth-header). As
we are an "Okta shop", that means we can lean into all the MFA
offerings they have - guacamole doesn't have to worry it's pretty
little head about it ;-). But Google's OpenID-Connect would do just as
good a job. Or this, or that, etc :-)

On Sat, Oct 30, 2021 at 6:12 AM Craig Sawyer  wrote:



OK I'm all for short-lived auth certs, I'm a fan. But I'm confused as
to the use case/utility here.  The idea you have is:

A: User visits Guacamole and authenticates via some method and guac
returns a Guac Auth Cookie to the browser.
B: User clicks on host SSHA in Guac UI, and Guac then determines SSHA
needs a short lived auth token/cert and then does one of these:
  1: Guac impersonates the user, to generate a short lived auth
token/cert/OTP for SSHA
  2: Guac has the rights to generate such things for ALL users, no
impersonation needed
C: Guac connects to SSHA, sends the short lived cert to SSHA and then
returns a full connection to the user.

To alleviate all of this complexity in our infrastructure, for Guac,
our virtual desktop systems have a 65 character randomly generated
password, shared only with Guac. Since brute force attacks against a
64 char password is currently known to require more energy than the
entire known universe, we feel confident the possible leak of an
account can only happen from guac being compromised or the target host
leaking it somehow. Either way a short lived cert doesn't buy us
anything(especially since using the Guac SQL DB, we can update those
passwords at will whenever we want with some SQL queries).

I don't see how a short lived cert(above) buys anything over say my
solution.

The 1st option, passing through an MFA/token from the end user
client(i.e. web browser) all the way through to the target host
machine (SSHA in this example) is something I'd definitely be
interested in.  This would require transporting FIDO/U2F or X509
certs
through, neither of which are user-friendly or 100% supported yet(last
I checked).  Since browsers have mostly decided client X509 certs are
evil and should never be user-friendly, the only option is FIDO/U2F
pass-through (unless I'm missing something) which isn't yet fully
supported across the major browsers yet(right?).

-Craig

On Fri, Oct 29, 2021 at 9:39 AM Angal, Rajeev  wrote:
>
> Thanks. Nick. Makes total sense. Yes I agree opensource projects
need developers who have interest and time.
>
> I will check the developer forum to get a feel of the component it
goes to and the scope of the effort.
>
> I have filed a Jira ticket here:
>
> https://jira.glyptodon.com/browse/GUAC-1694
>
>
>
> -rajeev
>
>
>
>
>
>
>
> From: Nick Couchman 
> Sent: Friday, October 29, 2021 9:10 AM
> To: user@guacamole.apache.org
> Subject: Re: Does Guacamole support PKI/Smartcard authentication for
RDP (instead of username/password)?
>
>
>
> On Thu, Oct 28, 2021 at 10:25 PM Angal, Rajeev  wrote:
>
> Hello –
>
> Want to request a poll to the community if this feature would be
useful?
>
>
>
> If you think this feature would be useful, the best thing to do is
1) insure that there's a Jira issue for it, 2) vote for the Jira
issue, and 3) contribute.
>
>
>
> https://issues.apache.org/jira/projects/GUACAMOLE/issues
>
>
>
> If there is enough interest , please advise the best way to
implement it in the near future.
>
>
>
> While you're welcome to lend your voice to the issue by posting here
or submitting and/or voting on the Jira issue, if you want to get it
implemented then you need to either wait for one of the developers to
have the time, expertise, and inclination to do it, or jump in and
contribute yourself. This is an open source, community project, and,
while enough people asking for a feature can help raise it to a level
that an existing developer would jump in and do it, the reality is
that many features get implemented when someone who has a vested
interest in the feature is able to contribute to it's getting done. I
recognize that not everyone is a developer - I'm not a very good one,
and it isn't what I spend most of my time doing - I'm a systems
engineer/admin and IT Manager by day. My contributions are pretty
limited as compared to some of the other folks who spend their time on
the project, but I wrote the RADIUS extension when I needed it enough
in my #DayJob that I was willing to invest time in brushing up on my
Java skills and working with the other developers to get the code to
the point where it could be included in the project.
>
>
>
> -Nick

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org







-- 
Cheers


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: Does Guacamole support PKI/Smartcard authentication for RDP (instead of username/password)?

[Jason Haar <ja...@trimble.com>]

I would say this is better to solve within a proper IdP rather than an
end-node webapp like guacamole. ie set up guacamole to use SAML or OpenID
connect to a "proper" Identity provider and make that thing do the
high-security checks. eg we use Apache with mod_auth_mellon as a reverse
proxy frontend to guacamole (set to use http-auth-header). As we are an
"Okta shop", that means we can lean into all the MFA offerings they have -
guacamole doesn't have to worry it's pretty little head about it ;-). But
Google's OpenID-Connect would do just as good a job. Or this, or that, etc
:-)

On Sat, Oct 30, 2021 at 6:12 AM Craig Sawyer <cs...@yumaed.org> wrote:

> OK I'm all for short-lived auth certs, I'm a fan. But I'm confused as
> to the use case/utility here.  The idea you have is:
>
> A: User visits Guacamole and authenticates via some method and guac
> returns a Guac Auth Cookie to the browser.
> B: User clicks on host SSHA in Guac UI, and Guac then determines SSHA
> needs a short lived auth token/cert and then does one of these:
>   1: Guac impersonates the user, to generate a short lived auth
> token/cert/OTP for SSHA
>   2: Guac has the rights to generate such things for ALL users, no
> impersonation needed
> C: Guac connects to SSHA, sends the short lived cert to SSHA and then
> returns a full connection to the user.
>
> To alleviate all of this complexity in our infrastructure, for Guac,
> our virtual desktop systems have a 65 character randomly generated
> password, shared only with Guac. Since brute force attacks against a
> 64 char password is currently known to require more energy than the
> entire known universe, we feel confident the possible leak of an
> account can only happen from guac being compromised or the target host
> leaking it somehow. Either way a short lived cert doesn't buy us
> anything(especially since using the Guac SQL DB, we can update those
> passwords at will whenever we want with some SQL queries).
>
> I don't see how a short lived cert(above) buys anything over say my
> solution.
>
> The 1st option, passing through an MFA/token from the end user
> client(i.e. web browser) all the way through to the target host
> machine (SSHA in this example) is something I'd definitely be
> interested in.  This would require transporting FIDO/U2F or X509 certs
> through, neither of which are user-friendly or 100% supported yet(last
> I checked).  Since browsers have mostly decided client X509 certs are
> evil and should never be user-friendly, the only option is FIDO/U2F
> pass-through (unless I'm missing something) which isn't yet fully
> supported across the major browsers yet(right?).
>
> -Craig
>
> On Fri, Oct 29, 2021 at 9:39 AM Angal, Rajeev <ra...@visa.com.invalid>
> wrote:
> >
> > Thanks. Nick. Makes total sense. Yes I agree opensource projects need
> developers who have interest and time.
> >
> > I will check the developer forum to get a feel of the component it goes
> to and the scope of the effort.
> >
> > I have filed a Jira ticket here:
> >
> > https://jira.glyptodon.com/browse/GUAC-1694
> >
> >
> >
> > -rajeev
> >
> >
> >
> >
> >
> >
> >
> > From: Nick Couchman <vn...@apache.org>
> > Sent: Friday, October 29, 2021 9:10 AM
> > To: user@guacamole.apache.org
> > Subject: Re: Does Guacamole support PKI/Smartcard authentication for RDP
> (instead of username/password)?
> >
> >
> >
> > On Thu, Oct 28, 2021 at 10:25 PM Angal, Rajeev <ra...@visa.com.invalid>
> wrote:
> >
> > Hello –
> >
> > Want to request a poll to the community if this feature would be useful?
> >
> >
> >
> > If you think this feature would be useful, the best thing to do is 1)
> insure that there's a Jira issue for it, 2) vote for the Jira issue, and 3)
> contribute.
> >
> >
> >
> > https://issues.apache.org/jira/projects/GUACAMOLE/issues
> >
> >
> >
> > If there is enough interest , please advise the best way to implement it
> in the near future.
> >
> >
> >
> > While you're welcome to lend your voice to the issue by posting here or
> submitting and/or voting on the Jira issue, if you want to get it
> implemented then you need to either wait for one of the developers to have
> the time, expertise, and inclination to do it, or jump in and contribute
> yourself. This is an open source, community project, and, while enough
> people asking for a feature can help raise it to a level that an existing
> developer would jump in and do it, the reality is that many features get
> implemented when someone who has a vested interest in the feature is able
> to contribute to it's getting done. I recognize that not everyone is a
> developer - I'm not a very good one, and it isn't what I spend most of my
> time doing - I'm a systems engineer/admin and IT Manager by day. My
> contributions are pretty limited as compared to some of the other folks who
> spend their time on the project, but I wrote the RADIUS extension when I
> needed it enough in my #DayJob that I was willing to invest time in
> brushing up on my Java skills and working with the other developers to get
> the code to the point where it could be included in the project.
> >
> >
> >
> > -Nick
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
> For additional commands, e-mail: user-help@guacamole.apache.org
>
>

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Re: Does Guacamole support PKI/Smartcard authentication for RDP (instead of username/password)?

[Craig Sawyer <cs...@yumaed.org>]

OK I'm all for short-lived auth certs, I'm a fan. But I'm confused as
to the use case/utility here.  The idea you have is:

A: User visits Guacamole and authenticates via some method and guac
returns a Guac Auth Cookie to the browser.
B: User clicks on host SSHA in Guac UI, and Guac then determines SSHA
needs a short lived auth token/cert and then does one of these:
  1: Guac impersonates the user, to generate a short lived auth
token/cert/OTP for SSHA
  2: Guac has the rights to generate such things for ALL users, no
impersonation needed
C: Guac connects to SSHA, sends the short lived cert to SSHA and then
returns a full connection to the user.

To alleviate all of this complexity in our infrastructure, for Guac,
our virtual desktop systems have a 65 character randomly generated
password, shared only with Guac. Since brute force attacks against a
64 char password is currently known to require more energy than the
entire known universe, we feel confident the possible leak of an
account can only happen from guac being compromised or the target host
leaking it somehow. Either way a short lived cert doesn't buy us
anything(especially since using the Guac SQL DB, we can update those
passwords at will whenever we want with some SQL queries).

I don't see how a short lived cert(above) buys anything over say my solution.

The 1st option, passing through an MFA/token from the end user
client(i.e. web browser) all the way through to the target host
machine (SSHA in this example) is something I'd definitely be
interested in.  This would require transporting FIDO/U2F or X509 certs
through, neither of which are user-friendly or 100% supported yet(last
I checked).  Since browsers have mostly decided client X509 certs are
evil and should never be user-friendly, the only option is FIDO/U2F
pass-through (unless I'm missing something) which isn't yet fully
supported across the major browsers yet(right?).

-Craig

On Fri, Oct 29, 2021 at 9:39 AM Angal, Rajeev <ra...@visa.com.invalid> wrote:
>
> Thanks. Nick. Makes total sense. Yes I agree opensource projects need developers who have interest and time.
>
> I will check the developer forum to get a feel of the component it goes to and the scope of the effort.
>
> I have filed a Jira ticket here:
>
> https://jira.glyptodon.com/browse/GUAC-1694
>
>
>
> -rajeev
>
>
>
>
>
>
>
> From: Nick Couchman <vn...@apache.org>
> Sent: Friday, October 29, 2021 9:10 AM
> To: user@guacamole.apache.org
> Subject: Re: Does Guacamole support PKI/Smartcard authentication for RDP (instead of username/password)?
>
>
>
> On Thu, Oct 28, 2021 at 10:25 PM Angal, Rajeev <ra...@visa.com.invalid> wrote:
>
> Hello –
>
> Want to request a poll to the community if this feature would be useful?
>
>
>
> If you think this feature would be useful, the best thing to do is 1) insure that there's a Jira issue for it, 2) vote for the Jira issue, and 3) contribute.
>
>
>
> https://issues.apache.org/jira/projects/GUACAMOLE/issues
>
>
>
> If there is enough interest , please advise the best way to implement it in the near future.
>
>
>
> While you're welcome to lend your voice to the issue by posting here or submitting and/or voting on the Jira issue, if you want to get it implemented then you need to either wait for one of the developers to have the time, expertise, and inclination to do it, or jump in and contribute yourself. This is an open source, community project, and, while enough people asking for a feature can help raise it to a level that an existing developer would jump in and do it, the reality is that many features get implemented when someone who has a vested interest in the feature is able to contribute to it's getting done. I recognize that not everyone is a developer - I'm not a very good one, and it isn't what I spend most of my time doing - I'm a systems engineer/admin and IT Manager by day. My contributions are pretty limited as compared to some of the other folks who spend their time on the project, but I wrote the RADIUS extension when I needed it enough in my #DayJob that I was willing to invest time in brushing up on my Java skills and working with the other developers to get the code to the point where it could be included in the project.
>
>
>
> -Nick

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@guacamole.apache.org
For additional commands, e-mail: user-help@guacamole.apache.org

RE: Does Guacamole support PKI/Smartcard authentication for RDP (instead of username/password)?

["Angal, Rajeev" <ra...@visa.com.INVALID>]

Thanks. Nick. Makes total sense. Yes I agree opensource projects need developers who have interest and time.
I will check the developer forum to get a feel of the component it goes to and the scope of the effort.
I have filed a Jira ticket here:
https://jira.glyptodon.com/browse/GUAC-1694

-rajeev



From: Nick Couchman <vn...@apache.org>
Sent: Friday, October 29, 2021 9:10 AM
To: user@guacamole.apache.org
Subject: Re: Does Guacamole support PKI/Smartcard authentication for RDP (instead of username/password)?

On Thu, Oct 28, 2021 at 10:25 PM Angal, Rajeev <ra...@visa.com.invalid>> wrote:
Hello -
Want to request a poll to the community if this feature would be useful?

If you think this feature would be useful, the best thing to do is 1) insure that there's a Jira issue for it, 2) vote for the Jira issue, and 3) contribute.

https://issues.apache.org/jira/projects/GUACAMOLE/issues<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fissues.apache.org%2Fjira%2Fprojects%2FGUACAMOLE%2Fissues&data=04%7C01%7Crangal%40visa.com%7C8a3a06042359446d832e08d99af6b5dc%7C38305e12e15d4ee888b9c4db1c477d76%7C0%7C0%7C637711206667665739%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=7jXvRz0N8majgdYlCcDfOQ%2Fvx5opuyOWSz2gggJErVA%3D&reserved=0>

If there is enough interest , please advise the best way to implement it in the near future.

While you're welcome to lend your voice to the issue by posting here or submitting and/or voting on the Jira issue, if you want to get it implemented then you need to either wait for one of the developers to have the time, expertise, and inclination to do it, or jump in and contribute yourself. This is an open source, community project, and, while enough people asking for a feature can help raise it to a level that an existing developer would jump in and do it, the reality is that many features get implemented when someone who has a vested interest in the feature is able to contribute to it's getting done. I recognize that not everyone is a developer - I'm not a very good one, and it isn't what I spend most of my time doing - I'm a systems engineer/admin and IT Manager by day. My contributions are pretty limited as compared to some of the other folks who spend their time on the project, but I wrote the RADIUS extension when I needed it enough in my #DayJob that I was willing to invest time in brushing up on my Java skills and working with the other developers to get the code to the point where it could be included in the project.

-Nick

Re: Does Guacamole support PKI/Smartcard authentication for RDP (instead of username/password)?

[Nick Couchman <vn...@apache.org>]

On Thu, Oct 28, 2021 at 10:25 PM Angal, Rajeev <ra...@visa.com.invalid>
wrote:

> Hello –
>
> Want to request a poll to the community if this feature would be useful?
>

If you think this feature would be useful, the best thing to do is 1)
insure that there's a Jira issue for it, 2) vote for the Jira issue, and 3)
contribute.

https://issues.apache.org/jira/projects/GUACAMOLE/issues


> If there is enough interest , please advise the best way to implement it
> in the near future.
>

While you're welcome to lend your voice to the issue by posting here or
submitting and/or voting on the Jira issue, if you want to get it
implemented then you need to either wait for one of the developers to have
the time, expertise, and inclination to do it, or jump in and contribute
yourself. This is an open source, community project, and, while enough
people asking for a feature can help raise it to a level that an existing
developer would jump in and do it, the reality is that many features get
implemented when someone who has a vested interest in the feature is able
to contribute to it's getting done. I recognize that not everyone is a
developer - I'm not a very good one, and it isn't what I spend most of my
time doing - I'm a systems engineer/admin and IT Manager by day. My
contributions are pretty limited as compared to some of the other folks who
spend their time on the project, but I wrote the RADIUS extension when I
needed it enough in my #DayJob that I was willing to invest time in
brushing up on my Java skills and working with the other developers to get
the code to the point where it could be included in the project.

-Nick

>

RE: Does Guacamole support PKI/Smartcard authentication for RDP (instead of username/password)?

["Angal, Rajeev" <ra...@visa.com.INVALID>]

Hello -
Want to request a poll to the community if this feature would be useful?
If there is enough interest , please advise the best way to implement it in the near future.

Thanks,
-rajeev

From: Angal, Rajeev <ra...@visa.com.INVALID>
Sent: Saturday, July 3, 2021 11:37 AM
To: user@guacamole.apache.org
Subject: Re: Does Guacamole support PKI/Smartcard authentication for RDP (instead of username/password)?

Thanks for your reply, Nick.
On #2:
User workstation -> Guacamole intermediate server -> Target RDP or SSH server

After the initial authentication to Guacamole with SAML/ smartcard/etc,
If the intermediate  server could get a ephemeral certificate (on behalf of the authenticated user) from a CA and allow auto login over SSH snd RDP to the target server.
This post describes the conceot:

https://informationsecuritybuzz.com/articles/why-ephemeral-certificates-are-the-ideal-option-for-secure-it-access/<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Finformationsecuritybuzz.com%2Farticles%2Fwhy-ephemeral-certificates-are-the-ideal-option-for-secure-it-access%2F&data=04%7C01%7Crangal%40visa.com%7C8f04441e0ec241333a2608d93e519fea%7C38305e12e15d4ee888b9c4db1c477d76%7C0%7C0%7C637609343374789505%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=YqHXG4C9Pbjis%2BG8BC8Vqj8WDjv2ebgqMFjFohieIZw%3D&reserved=0>



Get Outlook for iOS<https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Faka.ms%2Fo0ukef&data=04%7C01%7Crangal%40visa.com%7C8f04441e0ec241333a2608d93e519fea%7C38305e12e15d4ee888b9c4db1c477d76%7C0%7C0%7C637609343374789505%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=XtK3mu%2FqjLDtmDO1WXUXs0r15GCDVAn1RLnWri%2F9T9Y%3D&reserved=0>
________________________________
From: Nick Couchman <vn...@apache.org>>
Sent: Saturday, July 3, 2021 10:16:35 AM
To: user@guacamole.apache.org<ma...@guacamole.apache.org> <us...@guacamole.apache.org>>
Subject: Re: Does Guacamole support PKI/Smartcard authentication for RDP (instead of username/password)?

On Sat, Jul 3, 2021 at 12:06 PM Angal, Rajeev <ra...@visa.com.invalid>> wrote:

Love Guacamole so far!



For remote Windows servers that support only smartcard authentication,  would like the following capabilities:

  1.  Smartcard redirection
  2.  Generation of ephemeral certs on the "gateway" for seamless "SSO"



Are these features available or on the roadmap?

The first one is definitely not implemented, yet, and I don't think there's a JIRA feature issue for it, either.

For the second one, I'm not entirely sure what you mean. Several SSO platforms are supported in Guacamole - CAS, OpenID, and SAML - and within those some of them have support for validating logins using various means, including certificates between Guacamole and the SSO IdP. I know there was a recent e-mail on the list regarding getting SAML to work with certificate validation, so there may be some issues with that, and it's worth testing out further.

In the end, doing certificate-based authentication to Guacamole shouldn't require too much work - the guacamole-ext framework provides relatively simple ways for supporting new authentication mechanisms, and SmartCards are really just x509 certificates, so really anything that supports certificate-based authentication should work. I know CAS supports x509 authentication, so it would probably be reasonably easy to get CAS x509 -> Guacamole authentication working without having to modify any code at all.

-Nick

Re: Does Guacamole support PKI/Smartcard authentication for RDP (instead of username/password)?

[Nick Couchman <vn...@apache.org>]

On Sat, Jul 3, 2021 at 2:37 PM Angal, Rajeev <ra...@visa.com.invalid>
wrote:

> Thanks for your reply, Nick.
> On #2:
> User workstation —> Guacamole intermediate server —> Target RDP or SSH
> server
>
> After the initial authentication to Guacamole with SAML/ smartcard/etc,
> If the intermediate  server could get a ephemeral certificate (on behalf
> of the authenticated user) from a CA and allow auto login over SSH snd RDP
> to the target server.
> This post describes the conceot:
>
>
> https://informationsecuritybuzz.com/articles/why-ephemeral-certificates-are-the-ideal-option-for-secure-it-access/
>
>
>
Ah, okay, so you're not so much concerned with support for authenticating
to Guacamole via certificate, you're wanting to pass the certificate
through to the remote desktop system?

Guacamole doesn't support that, either, currently, but I'm sure it is
doable.

-Nick

>

Re: Does Guacamole support PKI/Smartcard authentication for RDP (instead of username/password)?

["Angal, Rajeev" <ra...@visa.com.INVALID>]

Thanks for your reply, Nick.
On #2:
User workstation —> Guacamole intermediate server —> Target RDP or SSH server

After the initial authentication to Guacamole with SAML/ smartcard/etc,
If the intermediate  server could get a ephemeral certificate (on behalf of the authenticated user) from a CA and allow auto login over SSH snd RDP to the target server.
This post describes the conceot:

https://informationsecuritybuzz.com/articles/why-ephemeral-certificates-are-the-ideal-option-for-secure-it-access/



Get Outlook for iOS<https://aka.ms/o0ukef>
________________________________
From: Nick Couchman <vn...@apache.org>
Sent: Saturday, July 3, 2021 10:16:35 AM
To: user@guacamole.apache.org <us...@guacamole.apache.org>
Subject: Re: Does Guacamole support PKI/Smartcard authentication for RDP (instead of username/password)?

On Sat, Jul 3, 2021 at 12:06 PM Angal, Rajeev <ra...@visa.com.invalid> wrote:

Love Guacamole so far!



For remote Windows servers that support only smartcard authentication,  would like the following capabilities:

  1.  Smartcard redirection
  2.  Generation of ephemeral certs on the “gateway” for seamless “SSO”



Are these features available or on the roadmap?

The first one is definitely not implemented, yet, and I don't think there's a JIRA feature issue for it, either.

For the second one, I'm not entirely sure what you mean. Several SSO platforms are supported in Guacamole - CAS, OpenID, and SAML - and within those some of them have support for validating logins using various means, including certificates between Guacamole and the SSO IdP. I know there was a recent e-mail on the list regarding getting SAML to work with certificate validation, so there may be some issues with that, and it's worth testing out further.

In the end, doing certificate-based authentication to Guacamole shouldn't require too much work - the guacamole-ext framework provides relatively simple ways for supporting new authentication mechanisms, and SmartCards are really just x509 certificates, so really anything that supports certificate-based authentication should work. I know CAS supports x509 authentication, so it would probably be reasonably easy to get CAS x509 -> Guacamole authentication working without having to modify any code at all.

-Nick

Re: Does Guacamole support PKI/Smartcard authentication for RDP (instead of username/password)?

[Nick Couchman <vn...@apache.org>]

On Sat, Jul 3, 2021 at 12:06 PM Angal, Rajeev <ra...@visa.com.invalid>
wrote:

> Love Guacamole so far!
>
>
>
> For remote Windows servers that support only smartcard authentication,
>  would like the following capabilities:
>
>    1. Smartcard redirection
>    2. Generation of ephemeral certs on the “gateway” for seamless “SSO”
>
>
>
> Are these features available or on the roadmap?
>
>
The first one is definitely not implemented, yet, and I don't think there's
a JIRA feature issue for it, either.

For the second one, I'm not entirely sure what you mean. Several SSO
platforms are supported in Guacamole - CAS, OpenID, and SAML - and within
those some of them have support for validating logins using various means,
including certificates between Guacamole and the SSO IdP. I know there was
a recent e-mail on the list regarding getting SAML to work with certificate
validation, so there may be some issues with that, and it's worth testing
out further.

In the end, doing certificate-based authentication to Guacamole shouldn't
require too much work - the guacamole-ext framework provides relatively
simple ways for supporting new authentication mechanisms, and SmartCards
are really just x509 certificates, so really anything that supports
certificate-based authentication should work. I know CAS supports x509
authentication, so it would probably be reasonably easy to get CAS x509 ->
Guacamole authentication working without having to modify any code at all.

-Nick

>