We're developing a lightweight, cost-effective PAM solution that utilizes passwordless technology, such as the Microsoft auth app and FIDO2 security keys, to create temporary privileged user accounts in Active Directory. Our aim is to eliminate outdated AD credentials, even if they're time-based.
As we also required a browser-based remote access solution that supported most modern IdP solutions (since we didn't want to reinvent the wheel), we found Kasm to be the best fit, feature- and budget-wise, compared to others. We were also thrilled to discover that Kasm's API allowed you to create users and credentials, but unfortunately, it lacked a feature that could make it an ideal fit for us and perhaps many others.
Kasm is currently agnostic towards IdPs and remote endpoints or containers to run, allowing authentication from almost any IdP to any remote system. Therefore, why not extend this philosophy to Privileged Access Management? Kasm need not reinvent the wheel, as many PAM and password vaulting players already exist. Instead, a PAM solution could use Kasm by linking accounts from an IdP to local accounts/creds.
The following flow could occur:
1. The user requests access to a resource on a third-party PAM solution.
2. The user undergoes validation and an approval process.
3. The PAM solution provisions the user's credentials on the desired systems or retrieves credentials from a vault.
4. The PAM then calls the Kasm API and links these credentials to a user email, for instance.
5. When the user logs onto Kasm using their IdP SSO, Kasm recognizes the email and knows there are credentials linked to the account.
6. When the user creates a session to a server, either the linked credential or a list of credentials is offered to choose from.
7. The credential could also have the option to choose whether to expose it to the user, allowing it to be used on legacy systems that prompt for username/password.
8. Optionally: as these secrets can be made to expire by the PAM system, the Kasm API could also leverage this and make the credentials linked to a user time-based before completely removing them.
By doing so, Kasm would not have to deal with the complexity and overhead of implementing a full-blown PAM and/or secret management on top of it. All Kasm would care about is which credentials are linked to which user and for how long. The credentials are only exposed at the point of usage and don’t have to cross an insecure intermediary. It could allow Kasm to expand to a much larger use case than its current implementation of shared passwords per server or SSO for local users (or LDAP) only.
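To make the proposed link-and-expire semantics concrete, here is an added sketch of the data model the flow above implies: credentials linked to an SSO email with a TTL, an expose flag that decides whether the user ever sees the secret, and expiry that hides and then removes them. This is example code written for this post, not Kasm's API; every class, method and field name is an assumption, and times are plain Unix epoch seconds.

```python
import time
from dataclasses import dataclass
from typing import Optional
# Hypothetical model of the linked-credential feature proposed above. It is not
# Kasm's API; every name here is an assumption, and times are Unix epoch seconds.

@dataclass(frozen=True)
class LinkedCredential:
    target: str                  # server/container the credential is for
    username: str
    secret: str
    expires_at: Optional[float]  # None: lives until the PAM unlinks it
    expose: bool                 # may the user see the secret (legacy prompts)?

class CredentialLinks:
    """Maps an IdP identity (email) to credentials provisioned by the PAM."""
    def __init__(self):
        self._links = {}
    @staticmethod
    def _key(email):
        return email.strip().lower()  # match the SSO email case-insensitively
    def link(self, email, target, username, secret, ttl=None, expose=False, now=None):
        """Called by the PAM after provisioning; ttl mirrors the PAM's own expiry."""
        now = time.time() if now is None else now
        cred = LinkedCredential(target, username, secret,
                                None if ttl is None else now + ttl, expose)
        self._links.setdefault(self._key(email), []).append(cred)
        return cred
    def for_session(self, email, target, now=None):
        """Credentials offered when the SSO user opens a session to `target`; the
        secret is only returned if exposable, otherwise the broker injects it."""
        now = time.time() if now is None else now
        offered = []
        for c in self._links.get(self._key(email), []):
            if c.target != target or (c.expires_at is not None and c.expires_at <= now):
                continue  # wrong target or already expired: never offered
            offered.append({"username": c.username,
                            "secret": c.secret if c.expose else "<injected>"})
        return offered

    def purge_expired(self, now=None):
        """Drop expired links entirely, as the post proposes; returns the count."""
        now = time.time() if now is None else now
        removed = 0
        for email, creds in self._links.items():
            live = [c for c in creds if c.expires_at is None or c.expires_at > now]
            removed += len(creds) - len(live)
            self._links[email] = live
        return removed
```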
This simple addition would allow us to bring true passwordless access to any legacy system such as Active Directory and make Kasm highly attractive as a remote access solution that competes with bigger players out there.
TL;DR: Allow the Kasm API to link (ephemeral) credentials to any user type, with or without the option of exposing these credentials to the user.