feat(dgw): proxy-based credentials injection support for RDP #1360

Open
wants to merge 4 commits into
base: master

CBenoit
Member

@CBenoit CBenoit commented May 24, 2025

Consumer side

  • Provide and associate the proxy-target credential mapping with the association token using a preflight API call.
  • Connect using the fake (proxy) credentials to the Devolutions Gateway as usual, with a PCB containing the association token.

How it works

  • Perform two-way forwarding between the client and the target until the TLS security upgrade.
  • Separately perform the TLS upgrade for both the client and the server, effectively acting as a man-in-the-middle.
    • The client must trust the TLS certificate configured in the Devolutions Gateway.
  • Separately perform CredSSP authentication as server with the client, and as client with the target.
    • The fake, proxy credentials are used with the client.
    • The real, target credentials are used with the target.
  • Proceed with the usual two-way forwarding (except we can actually see and inspect all the traffic).

Demo

proxy-based-credentials-injection-prototype.webm
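
The credential selection described above, as an added Rust example that is not code from this pull request or from Devolutions Gateway. All type and function names are hypothetical, and three behaviours are assumptions: sessions without a pushed mapping fall back to plain forwarding, a pushed mapping without TLS configured is rejected, and the CredSSP exchange is reduced to comparing the credentials the client presented.

```rust
use std::collections::HashMap;

// Hypothetical model; the gateway's real types and API are not shown on the page.
#[derive(Clone, Debug, PartialEq)]
pub struct Credential { pub user: String, pub pass: String }
pub struct Mapping { pub proxy: Credential, pub target: Credential }

#[derive(Debug, PartialEq)]
pub enum Decision {
    Forward,            // no mapping for this token: plain two-way forwarding (assumed)
    Inject(Credential), // proxy credentials matched: use these on the target leg
    Reject(&'static str),
}

#[derive(Default)]
pub struct Store { by_token: HashMap<String, Mapping> }

// Equality check whose running time does not depend on where the inputs differ.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    let mut diff = a.len() ^ b.len();
    for i in 0..a.len().max(b.len()) {
        diff |= (a.get(i).copied().unwrap_or(0) ^ b.get(i).copied().unwrap_or(0)) as usize;
    }
    diff == 0
}

impl Store {
    // Preflight step: bind one proxy-target mapping to one association token.
    pub fn push(&mut self, token: &str, m: Mapping) { self.by_token.insert(token.to_owned(), m); }

    // Session step: `presented` models the credentials the client used on the client leg.
    pub fn decide(&self, token: &str, presented: &Credential, tls_configured: bool) -> Decision {
        let Some(m) = self.by_token.get(token) else { return Decision::Forward };
        if !tls_configured { return Decision::Reject("TLS certificate and private key not configured"); }
        let ok = ct_eq(presented.user.as_bytes(), m.proxy.user.as_bytes())
            & ct_eq(presented.pass.as_bytes(), m.proxy.pass.as_bytes());
        if ok { Decision::Inject(m.target.clone()) } else { Decision::Reject("proxy credentials mismatch") }
    }
}

pub fn cred(u: &str, p: &str) -> Credential { Credential { user: u.into(), pass: p.into() } }

fn main() {
    // Constructed sample values.
    let mut s = Store::default();
    s.push("token-1", Mapping { proxy: cred("fake", "fake-pw"), target: cred("admin", "real-pw") });
    println!("{:?}", s.decide("token-1", &cred("fake", "wrong-pw"), true));
}
```

The target credentials leave the store only through `Decision::Inject`, so a mismatch on the client leg or a different association token never exposes them.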

@CBenoit CBenoit marked this pull request as draft May 24, 2025 20:30
@CBenoit CBenoit requested a review from pacmancoder May 24, 2025 20:30
CBenoit added 2 commits May 30, 2025 06:02
…tials are pushed

For instance, proxy-based credentials injection for RDP requires a TLS
certificate and private key to be configured.
@CBenoit CBenoit marked this pull request as ready for review May 29, 2025 21:11
@CBenoit CBenoit enabled auto-merge (rebase) May 29, 2025 21:12
Member Author

@TheBestTvarynka I updated the cookbook with instructions explaining how you can test the full thing using only curl and freerdp 🙂
