On Fri, May 8, 2020, 8:52 PM Joachim Lindenberg <[email protected]> wrote:
> Hi Dave,
>
> I am trying to understand what it does and what it is good for. My take
> is: the user has to authenticate first to Salsa, with LDAP credentials,
> which whitelists the IP used, and then authenticate again to Guacamole,
> likely using LDAP credentials again?
>
> Which causes me to ask: do you think the Guacamole login screen is less
> secure than the one of Salsa?
>
> Or what am I missing?
>
> Thanks, Joachim

Hi Joachim

You have it about right. You should run Salsa on a separate machine btw. We connect them together with spiped.

This simply increases the barrier to entry by one more step. Like any security control it's only part of the picture. Allowing direct access to Guacamole felt open to more risk than we felt comfortable with. It really depends on your practices and authentication sources as well. You can mix and match as you see fit.

Thanks for taking the time to check it out.

Dave
