On 2020-05-08 13:07, Dave Kempe wrote:

You have it about right. You should run Salsa on separate machine btw. We
connect them together with spiped.
This simply increases the barrier to entry by one more step. Like any
security control it's only part of the picture. Allowing direct access to
guacamole felt open to more risk than we felt comfortable with. It really
depends on your practices and authentication sources as well. You can mix
and match as you see fit.


Ah...so you are using that tool as a simple second factor too? Ok.

Actually, you are making it more complex but not necessarily more secure by adding a layer of authentication/authorization that adds little to the actual security of the system since you do not add a true second layer, but make the first layer a two-tiered one.

Your setup in this case without salsa would be:

haproxy->guacamole-appserver(sso/other,mfa)->guacd

Each of those can sit in separate networks, completely encapsulated.

Your setup with salsa:

haproxy(auth)->guacamole-appserver(maybe cas/shib,mfa)->guacd

So..3 factor authentication? /If/ you can pull that off with your users and force them to use different passwords and disable sso, yes. That would increase security.


In most other cases, it will be a layer of complexity that will increase support on your side.

I would rather give haproxy a client-certificate check on the frontend, and that will prevent anyone without one of those in their browser from connecting. Instead of username/password.

Internally, you can route to different guacamoles by using the CN of the certificate. They could even be self-signed since only you use them.

Best regards,

Sven Specker
--
__________________________________________________________________
*** Sven Specker -- University of Frankfurt Computing Center   ***
*********** UNIX System Administration (Auth/IDM) ****************
***** [email protected] [Phone (+49)-69-798-15188] *****
******************************************************************
__________________________________________________________________              
                Johann Wolfgang Goethe Universitaet
                   - Hochschulrechenzentrum -
                 Theodor W. Adorno-Platz 1 (PA-1P16)

                   D-60323 Frankfurt/Main
__________________________________________________________________
______________ TeX-users do it in {groups}________________________
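The mTLS frontend Sven describes above, written out as an HAProxy configuration. This is an added example, not configuration from either poster: the certificate paths, the CN values `team-a` / `team-b`, the backend addresses and the `X-Client-CN` header name are all assumptions for illustration. The frontend refuses any TLS handshake that does not present a client certificate chaining to `client-ca.pem`, then picks a Guacamole backend from the certificate's CN; anything with an unknown CN gets a 403 instead of a default backend.

```haproxy
# Added example (not from the original thread). Paths, CNs and addresses are assumptions.
global
    log stdout format raw local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s
    # Guacamole uses WebSockets; keep established tunnels open longer than plain HTTP.
    timeout tunnel  1h

frontend guac_fe
    # server.pem = server cert + key. client-ca.pem = the CA (or self-signed certs,
    # concatenated) that issued the client certificates.
    # 'verify required' fails the handshake when no valid client cert is presented.
    bind :443 ssl crt /etc/haproxy/certs/server.pem ca-file /etc/haproxy/certs/client-ca.pem verify required

    # Expose the authenticated CN to the backend for logging (assumed header name).
    http-request set-header X-Client-CN %{+Q}[ssl_c_s_dn(cn)]

    # Route by the client certificate's CN (exact match).
    acl cn_team_a ssl_c_s_dn(cn) -m str team-a
    acl cn_team_b ssl_c_s_dn(cn) -m str team-b
    use_backend guac_team_a if cn_team_a
    use_backend guac_team_b if cn_team_b
    # A valid cert with an unrecognised CN is still denied, not sent to a default.
    default_backend no_match

backend guac_team_a
    server guac1 10.0.1.10:8080 check

backend guac_team_b
    server guac2 10.0.2.10:8080 check

backend no_match
    http-request deny deny_status 403
```

Two practical notes. If the client certificates really are self-signed rather than issued by a private CA, each one has to be present in `client-ca.pem` for `verify required` to accept it, and revoking a user means removing their cert from that file and reloading; with a private CA you can instead add `crl-file` to the `bind` line and revoke centrally. Routing on `ssl_c_s_dn(cn)` alone is only as strong as your control over who gets a certificate with that CN, so the CA issuing them must be the one in `client-ca.pem` and nothing else.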
