gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0

Allow for configuration of a Set-Cookie header in the first response from a proxied web application #8447

Open MarkJaroski opened 3 years ago

MarkJaroski commented 3 years ago

What

An important use case for PAM tools like Teleport is to allow for individually named-user, logged access by middle-tier administrators to applications which normally must be accessed as an all-powerful superuser (root, sysadm, weblogic), and for which it is not possible to configure named-user access in app either due to technical limitations or organizational reasons.

The idea here is this: a user authenticates to teleport, and teleport opens a session in the target web application as the superuser, without divulging the superuser credentials.

How

Web applications usually establish a session for an authenticated user by means of a session cookie.

It is usually possible to construct a script, based on cURL or similar, to create a session, and obtain a current, valid session cookie for the proxied application.

I propose to add a configuration option to call such a script to obtain a session cookie and to add that cookie to a Set-Cookie header sent with the first response from the hosted or proxied application back to the user-agent.

Why

I have an application to which I must permit access to a team of mid-level administrators, to whom I must not divulge the application password. For organizational or technical limitations, I do not have the possibility of changing the application password.

EDIT: I was drinking beer after a long day and got the request and response part backwards.

MarkJaroski commented 3 years ago

I'm happy to work on this myself, but I'll need guidance, since I'm new to Golang and to this codebase.

benarent commented 3 years ago

Hi @MarkJaroski Thanks for creating the issue. We added support for pass-through headers rewrite https://github.com/gravitational/teleport/pull/6601 earlier this year. Does this work for you? Also, would adding JWT to the application be something you would consider?

MarkJaroski commented 3 years ago

Hi @benarent I realized in the middle of the night that I had written this incorrectly. Where I wrote "the first request to the hosted or proxied application" I should have written "the first response to the user-agent".

So, the solution is very similar to #6601, but the reverse.

It's probably more complex than just adding the call to rewriteHeaders() in rewriteResponse() but that's the general idea.

What do you think?
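The flow from the How section above, with the correction that the cookie goes out on the first response to the user-agent rather than on the first request, as an added example: this is not Teleport's code and does not touch its rewriteHeaders()/rewriteResponse(), it is a small stand-alone reverse proxy built on Go's net/http/httputil. The CookieSource stands in for the cURL-style login script (assumption: a plain Go function here so the example runs offline); the cookie name JSESSIONID, the session value "constructed-session-42" and the upstream that merely echoes the session it received are constructed for the demo. A request that arrives without the application's session cookie is treated as the first one: the proxy obtains a cookie, authenticates that upstream request with it, and re-issues it to the user-agent in a Set-Cookie header with Secure, HttpOnly and SameSite set; if the login script fails, the request is refused with 502 instead of being passed upstream unauthenticated.

```go
package main

import (
	"context"
	"io"
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// CookieSource yields a current, valid session cookie for the upstream app (in the proposal, a cURL-style login script).
type CookieSource func() (*http.Cookie, error)

// sessionProxy fronts the application. A request arriving without the app's session
// cookie is the "first" one: obtain a cookie, send it upstream, return it via Set-Cookie.
type sessionProxy struct {
	proxy      *httputil.ReverseProxy
	cookieName string
	source     CookieSource
}

// ctxKey carries the fresh cookie to modifyResponse; ReverseProxy keeps the request context.
type ctxKey struct{}

func newSessionProxy(upstream *url.URL, cookieName string, src CookieSource) *sessionProxy {
	s := &sessionProxy{cookieName: cookieName, source: src}
	s.proxy = httputil.NewSingleHostReverseProxy(upstream)
	s.proxy.ModifyResponse = s.modifyResponse
	return s
}

func (s *sessionProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if _, err := r.Cookie(s.cookieName); err == nil {
		s.proxy.ServeHTTP(w, r) // later request: the user-agent already holds the session
		return
	}
	c, err := s.source()
	if err != nil || c == nil || c.Name != s.cookieName {
		// Fail closed: never pass the request upstream unauthenticated.
		http.Error(w, "upstream session unavailable", http.StatusBadGateway)
		return
	}
	first := r.Clone(context.WithValue(r.Context(), ctxKey{}, c))
	first.AddCookie(c) // the first upstream request is itself authenticated
	s.proxy.ServeHTTP(w, first)
}

func (s *sessionProxy) modifyResponse(resp *http.Response) error {
	c, ok := resp.Request.Context().Value(ctxKey{}).(*http.Cookie)
	if !ok {
		return nil // not a first response: headers stay untouched
	}
	out := *c // re-issue with hardened attributes, whatever the app's login flow set
	out.Path, out.Secure, out.HttpOnly, out.SameSite = "/", true, true, http.SameSiteLaxMode
	resp.Header.Add("Set-Cookie", out.String())
	return nil
}

type Exchange struct {
	Status      int
	SetCookie   string // Set-Cookie header the user-agent received ("" if none)
	UpstreamSaw string // session id the constructed upstream observed, or "anonymous"
}

// Demo: request 1 with an empty cookie jar (the first response), request 2 with the jar replaying the cookie.
func Demo() (first, second Exchange, err error) {
	const sid = "constructed-session-42"
	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie("JSESSIONID"); err == nil {
			io.WriteString(w, c.Value) // constructed app: echo the session it was given
			return
		}
		io.WriteString(w, "anonymous")
	}))
	defer upstream.Close()
	u, _ := url.Parse(upstream.URL) // httptest URLs are always well-formed
	login := func() (*http.Cookie, error) { return &http.Cookie{Name: "JSESSIONID", Value: sid}, nil }
	front := httptest.NewTLSServer(newSessionProxy(u, "JSESSIONID", login)) // TLS so the Secure cookie replays
	defer front.Close()
	browser := front.Client() // trusts the test certificate; its jar plays the user-agent's cookie store
	browser.Jar, _ = cookiejar.New(nil)
	if first, err = get(browser, front.URL); err != nil {
		return
	}
	second, err = get(browser, front.URL)
	return
}

func get(client *http.Client, rawURL string) (Exchange, error) {
	resp, err := client.Get(rawURL)
	if err != nil {
		return Exchange{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return Exchange{resp.StatusCode, resp.Header.Get("Set-Cookie"), string(body)}, err
}
```

Demo() returns the two exchanges: the first response carries `JSESSIONID=constructed-session-42; Path=/; HttpOnly; Secure; SameSite=Lax` and the upstream already saw the session on that request; the second response carries no Set-Cookie because the user-agent replayed the cookie. The "first response only" behaviour comes from checking whether the incoming request already carries the application's cookie, so the login script is re-run whenever a browser turns up without it, which also covers expiry. Once the cookie reaches the user-agent, that browser holds the shared superuser session, and revoking its access means invalidating the session on the application side; where the application tolerates it, keeping the cookie on the proxy and attaching it to every upstream request (the #6601 direction) avoids handing the shared session to the user-agent at all.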

MarkJaroski commented 3 years ago

Ah, I didn't answer the question about JWTs and OAuth2 etc.

While that would be a much better solution, obviously, the kind of application I'm talking about is unlikely to support modern authentication in the near or even middle term. My target is a range of appliance-based things (network switches or audio-visual consoles for example), as well as things that should support one of SAML or JWT but are held by and administrated by vendors.

Jumping through the political hoops required to do reasonable AuthN on these things can delay PAM implementation by months or even years. I see tools like Teleport and similar, as a way to provide PAM now, while we wait for big vendors and their ecosystems to catch up.

SolarisEclipse commented 2 years ago

Are there any plans to implement this? I wanted to use Teleport as a middleware much in the same way Mark mentioned:

An important use case for PAM tools like Teleport is to allow for individually named-user, logged access by middle-tier administrators to applications which normally must be accessed as an all-powerful superuser (root, sysadm, weblogic), and for which it is not possible to configure named-user access in app either due to technical limitations or organizational reasons.

At this time it's really not looking like it's capable.