I'll just stick my oar into this thread to remind people there are many ways to skin this feline.

I use mod_auth_mellon behind an Apache reverse proxy to protect guacamole. More precisely, we use Apache as a bastion host to protect a variety of backend applications such as guacamole - and focus the "authentication security risks" within an apache module instead of a wide range of backend options. And of course our SAML IdP requires MFA - thus making everything MFA-ed without extra effort.

There is also a mod_auth_openidc module that makes an Apache reverse proxy able to use OpenID Connect for authentication, but I found that the websocket stuff guacamole does didn't play nicely with its Cookie requirements - so we stuck to SAML.

BTW, if you implement any of these "MFA auth" bastion-host based solutions, you can tell your boss you're "implementing ZeroTrust technologies" - gotta get those keywords in your performance reviews ;-)

PS: ironically back in the early 90s I implemented my first firewall before "firewalls" was a thing - it was a bastion host (FWTK?). All that was old is new again...

On Fri, May 8, 2020 at 11:36 PM Peter De Tender <[email protected]> wrote:

> Hi all,
>
> Interesting to think having multiple accounts with different passwords is more secure than SSO.
>
> I would try to go for an SSO solution like OpenID connect and extend with multi factor authentication.
>
> Thanks Peter
>
> Get Outlook for Android <https://aka.ms/ghei36>
>
> ------------------------------
> *From:* Dave Kempe <[email protected]>
> *Sent:* Friday, May 8, 2020 1:32:05 PM
> *To:* [email protected] <[email protected]>
> *Cc:* [email protected] <[email protected]>
> *Subject:* Re: Want some Salsa with your guacamole?
>
>
>
> On Fri, May 8, 2020, 9:25 PM Sven Specker <[email protected]> wrote:
>
> On
>
> Your setup with salsa:
>
> haproxy(auth)->guacamole-appserver(maybe cas/shib,mfa)->guacd
>
> So..3 factor authentication? /If/ you can pull that off with your users and force them to use different passwords and disable sso, yes. That would increase security.
>
>
> That's the idea. We have used an older version of salsa in production for years and it has worked well. The support model suited the particular environment, for example where you have vendors who need to support legacy devices, and have internal staff hold their second factor.
>
> Thanks
>
> Dave
>
>
>

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
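A sketch of the bastion pattern Jason describes, added here as an example and not his actual configuration: an Apache vhost where mod_auth_mellon gates /guacamole/ with a SAML session (so the IdP's MFA is inherited) and the websocket tunnel is proxied separately. Hostnames, TLS files and the mellon key/metadata paths are placeholders, and passing the asserted identity to Guacamole in a header assumes Guacamole's header authentication extension is installed.

```apache
# Apache bastion in front of Guacamole, SAML via mod_auth_mellon.
# Assumes mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_wstunnel, mod_headers
# and mod_auth_mellon are loaded, and that Guacamole on 127.0.0.1:8080 is
# reachable ONLY from this host; otherwise the proxy's auth can be bypassed.
<VirtualHost *:443>
    # placeholder hostname and TLS material
    ServerName guac.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/guac.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/guac.example.com.key

    # Mellon endpoints (SP metadata, ACS, logout) live under /mellon and
    # must sit inside a location where mellon is at least in "info" mode.
    # Key and metadata paths are placeholders.
    <Location />
        MellonEnable "info"
        MellonEndpointPath "/mellon"
        MellonSPPrivateKeyFile /etc/apache2/mellon/sp.key
        MellonSPCertFile       /etc/apache2/mellon/sp.cert
        MellonSPMetadataFile   /etc/apache2/mellon/sp.xml
        MellonIdPMetadataFile  /etc/apache2/mellon/idp.xml
        MellonSecureCookie On
    </Location>

    # Everything under /guacamole/ needs a valid SAML session. Because the
    # IdP enforces MFA, Guacamole inherits MFA without any change on its side.
    <Location /guacamole/>
        AuthType Mellon
        MellonEnable "auth"
        Require valid-user
        ProxyPass        http://127.0.0.1:8080/guacamole/ flushpackets=on
        ProxyPassReverse http://127.0.0.1:8080/guacamole/
        # Hand the asserted identity to Guacamole (assumes its header
        # authentication extension). "set" always overwrites, so a
        # client-supplied REMOTE_USER can never reach the backend.
        RequestHeader set REMOTE_USER "%{MELLON_NAME_ID}e"
    </Location>

    # The websocket tunnel is an Upgrade request and must be proxied as
    # ws://; it inherits the mellon session check from /guacamole/ above.
    <Location /guacamole/websocket-tunnel>
        ProxyPass        ws://127.0.0.1:8080/guacamole/websocket-tunnel
        ProxyPassReverse ws://127.0.0.1:8080/guacamole/websocket-tunnel
    </Location>
</VirtualHost>
```

Verify the gate from the outside: an unauthenticated request to /guacamole/ should be redirected to the IdP, and the Guacamole port itself should not answer from any host other than the proxy.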
