On Fri, May 8, 2020 at 7:08 AM Dave Kempe <[email protected]> wrote:
> > > On Fri, May 8, 2020, 8:52 PM Joachim Lindenberg <[email protected]> > wrote: > >> Hi Dave, >> >> I am trying to understand what it does and what it is good for. My take >> is: the user has to authenticate first to salsa, with LDAP credentials, >> which whitelists the IP used, and then authenticate again to Guacamole, >> likely using with LDAP credentials again? >> >> Which causes me to ask: do you think the Guacamole login screen is less >> secure then the one of Salsa? >> >> Or what am I missing? >> >> Thanks, Joachim >> >> > Hi Joachim > You have it about right. You should run Salsa on seperate machine btw. We > connect them together with spiped. > This simply increases the barrier to entry by one more step. Like any > security control it's only part of the picture. Allowing direct access to > guacamole felt open to more risk than we felt comfortable with. It really > depends on your practices and authentication sources as well. You can mix > and match as you see fit. > > > Thanks for taking the time to check it out. > > Thanks for sharing it with the community! -Nick
