At Teleport we had a lot of requests to support Windows / RDP. We ended up building our own Go/Rust client into our server/web client. This gave more control over the RDP protocol and authentication.
OP here, thanks for posting! Happy to answer any questions. I have to give a shoutout to Alan at Teleport for all his work on Passwordless and his work to make Passwordless / TouchID work with the macOS CLI https://github.com/gravitational/teleport/blob/master/rfd/00...
If you set up SSH keys a while ago, you might want to run the below command to discover the type / key strength. If you're reading HackerNews comments, this might be a good time to run an audit. Also, before going all in on Ed25519, native support from some cloud providers is limited.
$ for key in ~/.ssh/id_*; do ssh-keygen -l -f "${key}"; done | uniq
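An added example (not part of the thread) that extends the one-liner above into a small audit: it parses each `ssh-keygen -l` line and reports whether the key type and size are fine, worth a review, or legacy. The thresholds (RSA under 2048 weak, 2048 worth a review, DSA legacy) and the choice to read `*.pub` files are my own assumptions.

```shell
#!/bin/sh
# Added example: audit SSH key strength from `ssh-keygen -l` output.
# Thresholds are my own choice: RSA < 2048 weak, 2048 review, DSA legacy.

# Classify one `ssh-keygen -l` line: "<bits> <fingerprint> <comment> (<TYPE>)".
# Prints "<verdict> <TYPE> <bits>"; verdict is ok, review, weak, legacy or unknown.
classify_key_line() {
    line="$1"
    bits="${line%% *}"                       # first whitespace-separated field
    type=$(printf '%s\n' "$line" | sed -n 's/.*(\([A-Za-z0-9-]*\))$/\1/p')
    case "$bits" in
        ''|*[!0-9]*) printf 'unknown %s %s\n' "$type" "$bits"; return 0 ;;
    esac
    case "$type" in
        ED25519|ED25519-SK|ECDSA|ECDSA-SK) verdict=ok ;;   # curve keys, incl. FIDO (-SK)
        RSA)
            if [ "$bits" -lt 2048 ]; then verdict=weak
            elif [ "$bits" -lt 3072 ]; then verdict=review
            else verdict=ok; fi ;;
        DSA) verdict=legacy ;;   # 1024-bit only; disabled by default in current OpenSSH
        *) verdict=unknown ;;
    esac
    printf '%s %s %s\n' "$verdict" "$type" "$bits"
}

# Walk the *.pub files in a directory (default ~/.ssh). Reading the public
# halves avoids the passphrase prompts that `ssh-keygen -l` on an encrypted
# private key can trigger, and needs no `uniq` to drop duplicate lines.
audit_ssh_dir() {
    dir="${1:-$HOME/.ssh}"
    for pub in "$dir"/id_*.pub; do
        [ -e "$pub" ] || continue
        printf '%s: ' "$pub"
        classify_key_line "$(ssh-keygen -l -f "$pub")"
    done
}

audit_ssh_dir "$@"
```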
More if it did what? If you're avoiding the Yubikey's onboard ECDSA because you're worried ECDSA is weaker than EdDSA that's definitely crazy. The main thing the Yubikey is doing for you is protecting that private key from just straight up getting stolen, whereupon it could be some future quantum-proof magic and you're still screwed because now the adversary has it.
The OpenSSH FIDO implementation offers ECDSA because it makes sense to use ECDSA on older authenticators that don't offer anything better rather than go without. If there were any stand alone authenticators (as opposed to hybrid software like Microsoft Hello) that only offered RSA then I suspect OpenSSH would sigh and allow that too. For all that Safer Curves makes out it's the end of the world, bad guys really do steal SSH private key files and they don't actually perform crazy timing attacks on ECDSA because it's very hard.
This can only get you so far. We invested a lot of time into getting more from system access events using eBPF to take an unstructured SSH session and output a stream of structured events. https://gravitational.com/blog/enhanced-session-recording/
I was (naturally) skeptical at first as well, but this looks great.
I saw on another page that audit logs are sent off server, presumably append-only, but can Teleport pause execution until after log replication is verified?
For plain logs this would be straightforward, but for enhanced logging I suppose it'd be a matter of deciding when to pause execution, e.g. after downloading a file.
https://goteleport.com/blog/desktop-access/ https://goteleport.com/blog/secure-rdp-client/