benarent's comments

At Teleport we had a lot of requests to support Windows / RDP. We ended up building our own Go/Rust client into our server/web client. This gave more control over the RDP protocol and authentication.

https://goteleport.com/blog/desktop-access/
https://goteleport.com/blog/secure-rdp-client/


Guacamole has supported Windows RDP for at least eight years now. (Probably longer; I started using it in 2016 and it had support already.)


Congrats on the launch. This is a solid team, exciting use of eBPF and an important problem to solve.


Adding a second factor is more of a UX glitch that we're working on. https://github.com/gravitational/teleport/issues/19314
https://www.passkeys.io/ provides a better flow and we'll likely see more sites moving in this direction.


OP here, thanks for posting! Happy to answer any questions. I have to give a shoutout to Alan at Teleport for all his work on Passwordless and his work to make Passwordless / TouchID work with the macOS CLI https://github.com/gravitational/teleport/blob/master/rfd/00...


Thanks for posting gmemstr. I'm on the DevRel team at Teleport. I'm happy to answer any questions about Teleport.


OP here: We are cooking up something cool at Teleport, drop me an email ben@goteleport.com and I'll invite you to the preview.


Oh, I didn't make it to the bottom of the article lol, I see that is what this is about.... cool!


If you set up SSH keys a while ago, you might want to run the below command to discover the type / key strength. If you're reading HackerNews comments, this might be a good time to run an audit. Also, before going all in on Ed25519, native support from some cloud providers is limited.

$ for key in ~/.ssh/id_*; do ssh-keygen -l -f "${key}"; done | uniq
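Building on the loop above, here is an added shell example (mine, not the commenter's) that classifies each `ssh-keygen -l` line against a simple policy. The RSA_MIN_BITS threshold of 3072 and the ok/weak/unknown labels are assumptions for illustration, not something the comment states.

```shell
#!/bin/sh
# Added example, not from the original comment: extend the one-liner into a
# small audit that classifies each key against an assumed policy.
# RSA_MIN_BITS=3072 is an assumed threshold; adjust to your own policy.
RSA_MIN_BITS=3072

# classify_key "<line>": takes one line of `ssh-keygen -l -f <key>` output,
# e.g. "2048 SHA256:... user@host (RSA)", and prints ok, weak or unknown.
classify_key() {
    line=$1
    bits=${line%% *}                    # first field: key size in bits
    type=${line##*\(}; type=${type%\)}  # last parenthesised field: key type
    case "$bits" in ''|*[!0-9]*) echo unknown; return ;; esac
    case "$type" in
        # EdDSA and ECDSA (including the FIDO -SK variants): the size is
        # fixed by the curve, so there is nothing to compare against.
        ED25519|ED25519-SK|ECDSA|ECDSA-SK) echo ok ;;
        # RSA is only as strong as its modulus; flag anything under the threshold.
        RSA) if [ "$bits" -ge "$RSA_MIN_BITS" ]; then echo ok; else echo weak; fi ;;
        # ssh-dss is disabled by default in current OpenSSH; treat as weak.
        DSA) echo weak ;;
        *) echo unknown ;;
    esac
}

# audit_ssh_keys: the loop from the comment, skipping .pub files (they report
# the same fingerprint as the private key) and prefixing each line with a verdict.
audit_ssh_keys() {
    for key in "${HOME}/.ssh"/id_*; do
        case "$key" in *.pub) continue ;; esac
        [ -f "$key" ] || continue
        line=$(ssh-keygen -l -f "$key" 2>/dev/null) || continue
        printf '%s\t%s\t%s\n' "$(classify_key "$line")" "$key" "$line"
    done
}

# Run the audit only when invoked as: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then audit_ssh_keys; fi
```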


There's support in hardware tokens to consider too.


I'd use my Yubikey 4 more if it did.


More if it did what? If you're avoiding the Yubikey's onboard ECDSA because you're worried ECDSA is weaker than EdDSA that's definitely crazy. The main thing the Yubikey is doing for you is protecting that private key from just straight up getting stolen, whereupon it could be some future quantum-proof magic and you're still screwed because now the adversary has it.

The OpenSSH FIDO implementation offers ECDSA because it makes sense to use ECDSA on older authenticators that don't offer anything better rather than go without. If there were any stand-alone authenticators (as opposed to hybrid software like Microsoft Hello) that only offered RSA then I suspect OpenSSH would sigh and allow that too. For all that SafeCurves makes out it's the end of the world, bad guys really do steal SSH private key files and they don't actually perform crazy timing attacks on ECDSA because it's very hard.


Is 2048/SHA256 long enough?



Interesting. Thanks!


Hey Rob, we are considering this. Send me mail; it would be good to get more feedback: ben@gravitational.com


This can only get you so far. We invested a lot of time into getting more from system access events, using eBPF to take an unstructured SSH session and output a stream of structured events. https://gravitational.com/blog/enhanced-session-recording/


I was (naturally) skeptical at first as well, but this looks great.

I saw on another page that audit logs are sent off server, presumably append-only, but can Teleport pause execution until after log replication is verified?

For plain logs this would be straightforward, but for enhanced logging I suppose it'd be a matter of deciding when to pause execution, e.g. after downloading a file.

