Having just implemented OAuth into a Go app this week, I can assure you that it's surprisingly easy to do so without making your entire application a website.
When it's in a browser you don't need to install anything on the local machine. I used to use Apache Guacamole to access my machine at home from work when I was stuck in a cube all day.
Browsers are sandboxes; your native client often isn't. There is definitely a huge advantage, portability and embeddability as well. It's also simpler to sniff traffic (and MITM it).
If you have factual observations to make that's fine but can we stop with the "smells like vibe coding" attacks? It's like an AI version of an ad-hominem attack.
...a test suite, and security audits, and most importantly benchmarks.
What it does have is a license, which is GPLv3. So if anyone adds all those changes, they have to make the source code available under the same software license.
In this era though, licenses (I don't agree with this, but this is what it is) are a matter of "tokens". I can say for a fact, knowing multiple relatively big companies, that they are just gobbling up GPLv3 projects and rewriting them entirely; some do publish them as well.
To be honest, three nested RDPs sound like a terrible hack. In an ideal world, this would be two port forwardings and one RDP (thinking about SSH, which is still underrepresented in the Windows world). In an even more ideal world, this would be IPv6 direct access ;-)
There are legit reasons, at least for two nested sessions. A production network that’s airgapped except for a bastion host that acts as a gateway. It’s better than port forwarding because you have to auth to the bastion host before the RDP chaining, and it often takes separate credentials for the second RDP session.
It's a semi-common setup for higher security environments, and when you have a network of stuff that has known vulnerabilities you can't patch for whatever reason. Traffic in and out is super carefully firewalled. It's not great, but it's better than a 25-year-old MySQL with a direct public IP.
> airgapped except for a bastion host that acts as a gateway
First time I've heard of an airgapped system you could access remotely. Doesn't that kind of defeat the label "airgapped"? I think I'd just call that "isolated" at that point instead.
Air gapped means... there is nothing except air in the gap between systems.
A physical tether would defeat it.
Now, a pedant could start talking about wifi, but air-gapping is a concept older than the internet. (It stems from plumbing, where there's air that prevents back leakage of contamination.)
This concept is related to PAM.
You often have to do ops on infra and need some DMZ to do the ops. In regulated industries you have to record every operation done by the person and have to follow the principle of least privilege. This is what should happen in an ideal world.
> You often have to do ops on infra and need some DMZ to do the ops.
This makes sense; "bastion" hosts and similar things are fairly common too. What's not common is calling those "airgapped", because they're clearly not.
It's probably there not as a way to connect networks, but as a way to keep them separate, only allowing RDP between specific computers on different networks.
This is cool. If it adds session recording and SSO auth support, it can be used as an RDP jumphost.
I've used Azure Bastion to do just this: you auth to the Azure portal using whatever authentication regime is configured for your tenant, then you RDP into virtual machines from your browser using the local VM login. It handles things like files and clipboards great. But it also supports console sessions in the browser.
I haven't used it with Windows/RDP (if it even is supported), but in GCP, their in-browser SSH is the best I've seen so far.
Even for Linux, I've found xrdp to be better than the alternatives at times.
The main problem I see this solving (one of many) is the decoupling of the management interface for virtual machines and servers from their service interfaces. Not having your web server's management services on the same IP/domain/interface as the HTTP server is a big improvement. Lots of security screw-ups happen because of this entanglement.
That tracks, that's all Azure is there to do in the end. If it was easy to manage it myself, I'd do it, and I'd still need to pay them for a VM to host it on, along with traffic costs. But bastion isn't cheap, so something to consider for sure.
With HP shutting down Anyware / Teradici / PCoIP there are quite a few people looking for alternatives that support high resolution multi-monitor with 60fps high bit depth playback, and things like Wacom tablet support, on all three OSes. Parsec and DCV are out there on the spend-money side. I'm excited about the open source efforts, things like rustdesk, kyber, and teraguchi. The community needs an open source high performance option.
A few months back I ended up building an RDC server in Golang (i.e. no Windows required!) entirely with Claude, which was a fun experiment.
I ended up fronting that with GitHub Auth (purely for rate limiting purposes, since it's bandwidth intensive), but I've built it in such a way that it surfaces/renders any arbitrary binary on the RDC side. In my case, I ended up just fronting it with a Snake binary, but it's been fun to experiment and push the bounds somewhat.
I should really think about open sourcing it - in my case it was an experiment to see how far I could push Claude that turned out pretty great tbh
jqpabc123 | a day ago
boredishBoi | a day ago
hnlmorg | 20 hours ago
boredishBoi | 14 hours ago
le-mark | 23 hours ago
https://guacamole.apache.org/
pixel_popping | 22 hours ago
jqpabc123 | 20 hours ago
pixel_popping | 18 hours ago
stephbook | 21 hours ago
zcw100 | 17 hours ago
tom_alexander | 20 hours ago
solarkraft | a day ago
d3Xt3r | a day ago
rvz | 23 hours ago
pixel_popping | 22 hours ago
wcrossbow | a day ago
ktpsns | 23 hours ago
everforward | 22 hours ago
embedding-shape | 22 hours ago
rzzzt | 21 hours ago
SigmundA | 21 hours ago
https://docs.aws.amazon.com/aws-backup/latest/devguide/logic...
dijit | 18 hours ago
https://en.wikipedia.org/wiki/Air_gap_(networking)
debarshri | 21 hours ago
embedding-shape | 21 hours ago
debarshri | 21 hours ago
embedding-shape | an hour ago
hnlmorg | 20 hours ago
zcw100 | 17 hours ago
hnlmorg | 6 hours ago
Which is what we are specifically discussing.
orisho | 22 hours ago
debarshri | 21 hours ago
hypercube33 | 20 hours ago
debarshri | 21 hours ago
Clipboard sharing, and uploading and downloading via a shared drive, are FreeRDP features that should be readily available.
We also have sessions recording which is non-negotiable in PAM.
[1] https://adaptive.live
yamapikarya | 21 hours ago
igtztorrero | 18 hours ago
That was the main problem in guacamole rdp in browser.
notepad0x90 | 17 hours ago
hdgvhicv | 16 hours ago
notepad0x90 | 13 hours ago
MaKey | 10 hours ago
notepad0x90 | 9 hours ago
mcoliver | 15 hours ago
https://github.com/rustdesk/rustdesk
https://github.com/thedepartmentofexternalservices/teraguchi
https://kyber.tech/
miniman1337 | 13 hours ago
tombuildsstuff | 54 minutes ago