
feat(dgw): proxy-based credentials injection support for RDP#1360

Merged
Benoît Cortier (CBenoit) merged 4 commits into master from ARC-277 on May 30, 2025

@CBenoit Benoît Cortier (CBenoit) commented May 24, 2025

Consumer side

  • Provide and associate the proxy-target credential mapping with the association token using a preflight API call.
  • Connect using the fake (proxy) credentials to the Devolutions Gateway as usual, with a PCB containing the association token.

How it works

  • Perform two-way forwarding between the client and the target until the TLS security upgrade.
  • Separately perform the TLS upgrade for both the client and the server, effectively acting as a man-in-the-middle.
    • The client must trust the TLS certificate configured in the Devolutions Gateway.
  • Separately perform CredSSP authentication as server with the client, and as client with the target.
    • The fake, proxy credentials are used with the client.
    • The real, target credentials are used with the target.
  • Proceed with the usual two-way forwarding (except we can actually see and inspect all the traffic).

Demo

proxy-based-credentials-injection-prototype.webm
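A sketch of the gateway-side lookup that the flow above implies, added here as an example and not taken from the Devolutions Gateway code base: the preflight call binds a proxy-target mapping to the association token, and the connection releases the target credentials only when the client authenticated with the matching proxy credentials. All type and function names, the TTL, the single-use rule and the direct comparison of presented credentials (a simplification of the CredSSP exchange) are assumptions.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

#[derive(Clone, Debug, PartialEq)]
pub struct Creds { pub user: String, pub pass: String }
#[derive(Debug, PartialEq)]
pub enum Denied { UnknownToken, Expired, ProxyMismatch }
struct Entry { proxy: Creds, target: Creds, expires: Instant }
/// Hypothetical in-memory store: association token -> (proxy, target) mapping.
#[derive(Default)]
pub struct Store { by_token: HashMap<String, Entry> }

/// Byte comparison without an early exit on the first differing byte.
fn ct_eq(a: &str, b: &str) -> bool {
    let (a, b) = (a.as_bytes(), b.as_bytes());
    a.len() == b.len() && a.iter().zip(b).fold(0u8, |d, (x, y)| d | (x ^ y)) == 0
}

impl Store {
    /// Preflight step: bind the proxy-target mapping to the association token.
    pub fn provision(&mut self, token: &str, proxy: Creds, target: Creds, ttl: Duration, now: Instant) {
        self.by_token.insert(token.to_owned(), Entry { proxy, target, expires: now + ttl });
    }

    /// Connection step: `token` arrives in the PCB, `presented` is what the client
    /// authenticated with. Success yields the credentials to use toward the target.
    pub fn resolve(&mut self, token: &str, presented: &Creds, now: Instant) -> Result<Creds, Denied> {
        let entry = self.by_token.get(token).ok_or(Denied::UnknownToken)?;
        let expired = now >= entry.expires;
        let ok = ct_eq(&entry.proxy.user, &presented.user) & ct_eq(&entry.proxy.pass, &presented.pass);
        if expired {
            self.by_token.remove(token); // assumption: stale mappings are purged
            return Err(Denied::Expired);
        }
        // On a mismatch the target credentials are never released.
        if !ok { return Err(Denied::ProxyMismatch); }
        // Assumption: single use, so a replayed token cannot fetch the mapping again.
        Ok(self.by_token.remove(token).map(|e| e.target).expect("entry checked above"))
    }
}

fn main() {
    // Constructed sample values.
    let (mut store, now) = (Store::default(), Instant::now());
    let proxy = Creds { user: "fake-user".into(), pass: "fake-pass".into() };
    let target = Creds { user: "CORP\\admin".into(), pass: "real-pass".into() };
    store.provision("token-1", proxy.clone(), target, Duration::from_secs(60), now);
    println!("{:?}", store.resolve("token-1", &proxy, now).map(|c| c.user));
}
```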

…tials are pushed

For instance, proxy-based credentials injection for RDP requires a TLS
certificate and private key to be configured.
Comment thread docs/COOKBOOK.md
Member Author


Pavlo Myroniuk (@TheBestTvarynka) I updated the cookbook with instructions explaining how you can test the full thing using only curl and freerdp 🙂

Collaborator


Thank you 🙏 !

Contributor


Looks good to me! The code is well-written and well-documented as always, nice work! 🥇

@CBenoit Benoît Cortier (CBenoit) merged commit e003be2 into master May 30, 2025
39 checks passed
@CBenoit Benoît Cortier (CBenoit) deleted the ARC-277 branch May 30, 2025 17:03