bolkedebruin / rdpgw

Remote Desktop Gateway in Go for deploying on Linux/BSD/Kubernetes
Apache License 2.0

[QUESTION] disallow TLS disabled + basic auth #46

Closed pierre42100 closed 1 year ago

pierre42100 commented 1 year ago

Hello,

First, I would like to thank you for this great project. It's always good to have FOSS alternatives to Windows-only, closed-source software.

I have a question about these lines of code (in configuration.go):

if Conf.Server.Authentication == "local" && Conf.Server.DisableTLS {
    log.Fatalf("basicauth=local and disabletls are mutually exclusive")
}

Is there a technical limitation that prevents using rdpgw behind a reverse proxy with local authentication, or did you do this to enforce end-to-end credentials encryption?

Thank you

bolkedebruin commented 1 year ago

This is due to the latter. If you are terminating TLS at a proxy and have turned on basic authentication (as opposed to oauth) you are passing credentials in the clear over the network.

What I probably will do is allow "REMOTE_USER" to be set by a trusted proxy, so that authentication can happen at the proxy instead, so there is no need to deal with credentials.
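
One way a gateway could accept a proxy-asserted identity such as the REMOTE_USER idea above, as an added example that is not rdpgw's code: the user value is honored only when the TCP peer is on an allow-list of proxy addresses. The function names, the header name mentioned in the comment, and the CIDR list are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"strings"
)

var (
	errUntrusted = errors.New("identity header from untrusted peer")
	errNoUser    = errors.New("trusted proxy sent no user")
)

// parsePrefixes turns CIDR strings into prefixes; it panics on a bad entry,
// so a broken allow-list stops the service at startup.
func parsePrefixes(cidrs ...string) (out []netip.Prefix) {
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}

// remoteUser accepts the proxy-asserted user only when peerAddr is a trusted
// proxy. peerAddr must be the TCP peer (r.RemoteAddr in net/http), never a
// client-controllable header such as X-Forwarded-For. In a handler the call
// would be remoteUser(r.RemoteAddr, r.Header.Get("X-Remote-User"), trusted),
// where the header name is hypothetical.
func remoteUser(peerAddr, headerValue string, trusted []netip.Prefix) (string, error) {
	ap, err := netip.ParseAddrPort(peerAddr)
	if err != nil {
		return "", fmt.Errorf("bad peer address: %w", err)
	}
	ip := ap.Addr().Unmap() // treat ::ffff:127.0.0.1 as 127.0.0.1
	for _, p := range trusted {
		if p.Contains(ip) {
			if user := strings.TrimSpace(headerValue); user != "" {
				return user, nil
			}
			return "", errNoUser
		}
	}
	return "", errUntrusted
}

func main() {
	trusted := parsePrefixes("127.0.0.1/32", "::1/128") // constructed allow-list
	for _, peer := range []string{"127.0.0.1:40000", "203.0.113.7:40000"} {
		fmt.Println(remoteUser(peer, "alice", trusted))
	}
}
```

The proxy has to overwrite any copy of the identity header sent by the client. With a loopback allow-list, every local process counts as the proxy, so the gateway's listener should be reachable only by the proxy.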

pierre42100 commented 1 year ago

OK, thank you for your quick response.

But I have a question: if the reverse proxy and the gateway are on the same machine, it is not really a security issue to have a cleartext connection between the two: an attacker would need to gain privileged access on the machine to capture traffic, so he would be able to access these credentials by other means anyway. In this case, wouldn't it be easier to just print a warning instead of a fatal error?

bolkedebruin commented 1 year ago

That's not entirely true. With perfect forward secrecy (PFS) an attacker would need to reconfigure the server to capture the traffic and decrypt it (we are also protecting the user here, not just the backend RDP service). Obviously this can be done, but it is another layer. Basically, I don't want people to shoot themselves in the foot by accidentally having an insecure config, because who reads warnings anyway, especially in the type of home/SME setup you mentioned?

I intend to add ACME support (letsencrypt etc) to make obtaining certificates easier.

bolkedebruin commented 1 year ago

@pierre42100 ACME / Letsencrypt is now in.

pierre42100 commented 1 year ago

Great, that's a good compromise, if the gateway can request a certificate itself. Thank you, I will close the issue then.