Remove OpenSSL dependency from the rust RDP client

This commit is contained in:
Łukasz Kozłowski 2022-04-21 15:11:13 +02:00 committed by Łukasz Kozłowski
parent 130aefd33e
commit 59004b2334
7 changed files with 254 additions and 213 deletions

371
Cargo.lock generated

@ -43,15 +43,6 @@ dependencies = [
"winapi",
]
[[package]]
name = "autocfg"
version = "0.1.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0dde43e75fd43e8a1bf86103336bc699aa8d17ad1be60c76c0bdfd4828e19b78"
dependencies = [
"autocfg 1.1.0",
]
[[package]]
name = "autocfg"
version = "1.1.0"
@ -130,6 +121,12 @@ version = "0.1.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "40e38929add23cdf8a366df9b0e088953150724bcbe5fc330b0d8eb3b328eec8"
[[package]]
name = "bumpalo"
version = "3.9.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a4a45a46ab1f2412e53d3a0ade76ffad2025804294569aae387231a0cd6e0899"
[[package]]
name = "byte-tools"
version = "0.3.1"
@ -162,25 +159,9 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
[[package]]
name = "const-oid"
version = "0.6.2"
version = "0.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9d6f2aa4d0537bcc1c74df8755072bd31c1ef1a3a1b85a68e8404a8c353b7b8b"
[[package]]
name = "core-foundation"
version = "0.9.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "194a7a9e6de53fa55116934067c844d9d749312f75c6f6d0980e8c252f8c2146"
dependencies = [
"core-foundation-sys",
"libc",
]
[[package]]
name = "core-foundation-sys"
version = "0.8.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5827cebf4670468b8772dd191856768aedcb1b0278a04f989f7766351917b9dc"
checksum = "e4c78c047431fee22c1a7bb92e00ad095a02a983affe4d8a72e2a2c62c1b94f3"
[[package]]
name = "cortex-m"
@ -221,15 +202,24 @@ dependencies = [
[[package]]
name = "crypto-bigint"
version = "0.2.11"
version = "0.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f83bd3bb4314701c568e340cd8cf78c975aa0ca79e03d3f6d1677d5b0c9c0c03"
checksum = "03c6a1d5fa1de37e071642dfa44ec552ca5b299adb128fab16138e24b548fd21"
dependencies = [
"generic-array 0.14.5",
"rand_core 0.6.3",
"subtle 2.4.1",
]
[[package]]
name = "crypto-common"
version = "0.1.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "57952ca27b5e3606ff4dd79b0020231aaf9d6aa76dc05fd30137538c50bd3ce8"
dependencies = [
"generic-array 0.14.5",
"typenum",
]
[[package]]
name = "crypto-mac"
version = "0.7.0"
@ -251,12 +241,13 @@ dependencies = [
[[package]]
name = "der"
version = "0.4.5"
version = "0.5.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "79b71cca7d95d7681a4b3b9cdf63c8dbc3730d0584c2c74e31416d64a90493f4"
checksum = "6919815d73839e7ad218de758883aae3a257ba6759ce7a9992501efbb53d705c"
dependencies = [
"const-oid",
"crypto-bigint",
"pem-rfc7468",
]
[[package]]
@ -292,11 +283,11 @@ dependencies = [
[[package]]
name = "digest"
version = "0.9.0"
version = "0.10.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d3dd60d1080a57a05ab032377049e0591415d2b31afd7028356dbf3cc6dcb066"
checksum = "f2fb860ca6fafa5552fb6d0e816a69c8e49f0908bf524e30a90d97c85892d506"
dependencies = [
"generic-array 0.14.5",
"crypto-common",
]
[[package]]
@ -355,21 +346,6 @@ version = "0.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "279fb028e20b3c4c320317955b77c5e0c9701f05a1d309905d6fc702cdc5053e"
[[package]]
name = "foreign-types"
version = "0.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1"
dependencies = [
"foreign-types-shared",
]
[[package]]
name = "foreign-types-shared"
version = "0.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
[[package]]
name = "generic-array"
version = "0.12.4"
@ -478,7 +454,7 @@ version = "1.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "282a6247722caba404c065016bbfa522806e51714c34f5dfc3e4a3a46fcb4223"
dependencies = [
"autocfg 1.1.0",
"autocfg",
"hashbrown",
]
@ -507,7 +483,7 @@ version = "0.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "395d8e0ae63eb5016fbcf4a72864155880e34bce0158206fcfa7218efdd52e82"
dependencies = [
"untrusted",
"untrusted 0.9.0",
]
[[package]]
@ -519,6 +495,15 @@ dependencies = [
"either",
]
[[package]]
name = "js-sys"
version = "0.3.57"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "671a26f820db17c2a2750743f1dd03bafd15b98c9f30c7c2628c024c05d73397"
dependencies = [
"wasm-bindgen",
]
[[package]]
name = "lazy_static"
version = "1.4.0"
@ -606,24 +591,6 @@ version = "0.8.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e5ce46fe64a9d73be07dcbe690a38ce1b293be448fd8ce1e6c1b8062c9f72c6a"
[[package]]
name = "native-tls"
version = "0.2.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "48ba9f7719b5a0f42f338907614285fb5fd70e53858141f69898a1fb7203b24d"
dependencies = [
"lazy_static",
"libc",
"log",
"openssl",
"openssl-probe",
"openssl-sys",
"schannel",
"security-framework",
"security-framework-sys",
"tempfile",
]
[[package]]
name = "nb"
version = "0.1.3"
@ -656,18 +623,17 @@ version = "0.2.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "090c7f9998ee0ff65aa5b723e4009f7b217707f1fb5ea551329cc4d6231fb304"
dependencies = [
"autocfg 1.1.0",
"autocfg",
"num-integer",
"num-traits",
]
[[package]]
name = "num-bigint-dig"
version = "0.7.0"
version = "0.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4547ee5541c18742396ae2c895d0717d0f886d8823b8399cdaf7b07d63ad0480"
checksum = "566d173b2f9406afbc5510a90925d5a2cd80cae4605631f1212303df265de011"
dependencies = [
"autocfg 0.1.8",
"byteorder",
"lazy_static",
"libm",
@ -696,7 +662,7 @@ version = "0.1.44"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d2cc698a63b549a70bc047073d2949cce27cd1c7b0a4a862d08a8031bc2801db"
dependencies = [
"autocfg 1.1.0",
"autocfg",
"num-traits",
]
@ -706,7 +672,7 @@ version = "0.1.42"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b2021c8337a54d21aca0d59a92577a029af9431cb59b909b03252b9c164fad59"
dependencies = [
"autocfg 1.1.0",
"autocfg",
"num-integer",
"num-traits",
]
@ -717,7 +683,7 @@ version = "0.2.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9a64b1ec5cda2586e284722486d802acf1f7dbdc623e2bfc57e65ca1cd099290"
dependencies = [
"autocfg 1.1.0",
"autocfg",
"libm",
]
@ -755,44 +721,11 @@ version = "0.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2839e79665f131bdb5782e51f2c6c9599c133c6098982a54c794358bf432529c"
[[package]]
name = "openssl"
version = "0.10.38"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0c7ae222234c30df141154f159066c5093ff73b63204dcda7121eb082fc56a95"
dependencies = [
"bitflags",
"cfg-if",
"foreign-types",
"libc",
"once_cell",
"openssl-sys",
]
[[package]]
name = "openssl-probe"
version = "0.1.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf"
[[package]]
name = "openssl-sys"
version = "0.9.72"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7e46109c383602735fa0a2e48dd2b7c892b048e1bf69e5c3b1d804b7d9c203cb"
dependencies = [
"autocfg 1.1.0",
"cc",
"libc",
"pkg-config",
"vcpkg",
]
[[package]]
name = "pem-rfc7468"
version = "0.2.4"
version = "0.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "84e93a3b1cc0510b03020f33f21e62acdde3dcaef432edc95bea377fbd4c2cd4"
checksum = "01de5d978f34aa4b2296576379fcc416034702fd94117c56ffd8a1a767cefb30"
dependencies = [
"base64ct",
]
@ -819,34 +752,26 @@ dependencies = [
[[package]]
name = "pkcs1"
version = "0.2.4"
version = "0.3.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "116bee8279d783c0cf370efa1a94632f2108e5ef0bb32df31f051647810a4e2c"
checksum = "a78f66c04ccc83dd4486fd46c33896f4e17b24a7a3a6400dedc48ed0ddd72320"
dependencies = [
"der",
"pem-rfc7468",
"pkcs8",
"zeroize",
]
[[package]]
name = "pkcs8"
version = "0.7.6"
version = "0.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ee3ef9b64d26bad0536099c816c6734379e45bbd5f14798def6809e5cc350447"
checksum = "7cabda3fb821068a9a4fab19a683eac3af12edf0f34b94a8be53c4972b8149d0"
dependencies = [
"der",
"pem-rfc7468",
"pkcs1",
"spki",
"zeroize",
]
[[package]]
name = "pkg-config"
version = "0.3.24"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "58893f751c9b0412871a09abd62ecd2a00298c6c83befa223ef98c52aef40cbe"
[[package]]
name = "ppv-lite86"
version = "0.2.16"
@ -1051,7 +976,7 @@ dependencies = [
[[package]]
name = "rdp-rs"
version = "0.1.0"
source = "git+https://github.com/gravitational/rdp-rs?rev=f51222e7edeaf2954e2c02db3506aa36e02304ca#f51222e7edeaf2954e2c02db3506aa36e02304ca"
source = "git+https://github.com/gravitational/rdp-rs?rev=17ec446ecb73c58b77ac47c6fc8598153f673076#17ec446ecb73c58b77ac47c6fc8598153f673076"
dependencies = [
"bufstream",
"byteorder",
@ -1059,10 +984,10 @@ dependencies = [
"indexmap",
"md-5",
"md4",
"native-tls",
"num-bigint",
"num_enum",
"rand 0.7.3",
"rustls",
"x509-parser",
"yasna",
]
@ -1102,6 +1027,21 @@ dependencies = [
"winapi",
]
[[package]]
name = "ring"
version = "0.16.20"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3053cf52e236a3ed746dfc745aa9cacf1b791d846bdaf412f60a8d7d6e17c8fc"
dependencies = [
"cc",
"libc",
"once_cell",
"spin 0.5.2",
"untrusted 0.7.1",
"web-sys",
"winapi",
]
[[package]]
name = "riscv"
version = "0.7.0"
@ -1136,20 +1076,20 @@ dependencies = [
[[package]]
name = "rsa"
version = "0.5.0"
version = "0.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e05c2603e2823634ab331437001b411b9ed11660fbc4066f3908c84a9439260d"
checksum = "4cf22754c49613d2b3b119f0e5d46e34a2c628a937e3024b8762de4e7d8c710b"
dependencies = [
"byteorder",
"digest 0.9.0",
"lazy_static",
"digest 0.10.3",
"num-bigint-dig",
"num-integer",
"num-iter",
"num-traits",
"pkcs1",
"pkcs8",
"rand 0.8.5",
"rand_core 0.6.3",
"smallvec",
"subtle 2.4.1",
"zeroize",
]
@ -1172,22 +1112,24 @@ dependencies = [
"nom",
]
[[package]]
name = "rustls"
version = "0.20.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4fbfeb8d0ddb84706bc597a5574ab8912817c52a397f819e5b614e2265206921"
dependencies = [
"log",
"ring",
"sct",
"webpki",
]
[[package]]
name = "ryu"
version = "1.0.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "73b4b750c782965c211b42f022f59af1fbceabdd026623714f104152f1ec149f"
[[package]]
name = "schannel"
version = "0.1.19"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8f05ba609c234e60bee0d547fe94a4c7e9da733d1c962cf6e59efa4cd9c8bc75"
dependencies = [
"lazy_static",
"winapi",
]
[[package]]
name = "scopeguard"
version = "1.1.0"
@ -1195,26 +1137,13 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d29ab0c6d3fc0ee92fe66e2d99f700eab17a8d57d1c1d3b748380fb20baa78cd"
[[package]]
name = "security-framework"
version = "2.6.1"
name = "sct"
version = "0.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2dc14f172faf8a0194a3aded622712b0de276821addc574fa54fc0a1167e10dc"
checksum = "d53dcdb7c9f8158937a7981b48accfd39a43af418591a5d008c7b22b5e1b7ca4"
dependencies = [
"bitflags",
"core-foundation",
"core-foundation-sys",
"libc",
"security-framework-sys",
]
[[package]]
name = "security-framework-sys"
version = "2.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0160a13a177a45bfb43ce71c01580998474f556ad854dcbca936dd2841a5c556"
dependencies = [
"core-foundation-sys",
"libc",
"ring",
"untrusted 0.7.1",
]
[[package]]
@ -1261,10 +1190,11 @@ dependencies = [
[[package]]
name = "spki"
version = "0.4.1"
version = "0.5.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5c01a0c15da1b0b0e1494112e7af814a678fec9bd157881b49beac661e9b6f32"
checksum = "44d01ac02a6ccf3e07db148d2be087da624fea0221a16152ed01f0496a6b0a27"
dependencies = [
"base64ct",
"der",
]
@ -1303,18 +1233,6 @@ dependencies = [
"unicode-xid",
]
[[package]]
name = "synstructure"
version = "0.12.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f36bdaa60a83aca3921b5259d5400cbf5e90fc51931376a9bd4a0eb79aa7210f"
dependencies = [
"proc-macro2",
"quote",
"syn",
"unicode-xid",
]
[[package]]
name = "tempfile"
version = "3.3.0"
@ -1375,6 +1293,12 @@ version = "0.2.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8ccb82d61f80a663efe1f787a51b16b5a51e3314d6ac365b08639f52387b33f3"
[[package]]
name = "untrusted"
version = "0.7.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
[[package]]
name = "untrusted"
version = "0.9.0"
@ -1396,12 +1320,6 @@ version = "0.1.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "77439c1b53d2303b20d9459b1ade71a83c716e3f9c34f3228c00e6f185d6c002"
[[package]]
name = "vcpkg"
version = "0.2.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426"
[[package]]
name = "version_check"
version = "0.9.4"
@ -1435,6 +1353,80 @@ version = "0.10.2+wasi-snapshot-preview1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fd6fbd9a79829dd1ad0cc20627bf1ed606756a7f77edff7b66b7064f9cb327c6"
[[package]]
name = "wasm-bindgen"
version = "0.2.80"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "27370197c907c55e3f1a9fbe26f44e937fe6451368324e009cba39e139dc08ad"
dependencies = [
"cfg-if",
"wasm-bindgen-macro",
]
[[package]]
name = "wasm-bindgen-backend"
version = "0.2.80"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "53e04185bfa3a779273da532f5025e33398409573f348985af9a1cbf3774d3f4"
dependencies = [
"bumpalo",
"lazy_static",
"log",
"proc-macro2",
"quote",
"syn",
"wasm-bindgen-shared",
]
[[package]]
name = "wasm-bindgen-macro"
version = "0.2.80"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "17cae7ff784d7e83a2fe7611cfe766ecf034111b49deb850a3dc7699c08251f5"
dependencies = [
"quote",
"wasm-bindgen-macro-support",
]
[[package]]
name = "wasm-bindgen-macro-support"
version = "0.2.80"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "99ec0dc7a4756fffc231aab1b9f2f578d23cd391390ab27f952ae0c9b3ece20b"
dependencies = [
"proc-macro2",
"quote",
"syn",
"wasm-bindgen-backend",
"wasm-bindgen-shared",
]
[[package]]
name = "wasm-bindgen-shared"
version = "0.2.80"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d554b7f530dee5964d9a9468d95c1f8b8acae4f282807e7d27d4b03099a46744"
[[package]]
name = "web-sys"
version = "0.3.57"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7b17e741662c70c8bd24ac5c5b18de314a2c26c32bf8346ee1e6f53de919c283"
dependencies = [
"js-sys",
"wasm-bindgen",
]
[[package]]
name = "webpki"
version = "0.22.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f095d78192e208183081cc07bc5515ef55216397af48b873e5edcd72637fa1bd"
dependencies = [
"ring",
"untrusted 0.7.1",
]
[[package]]
name = "which"
version = "4.2.5"
@ -1499,21 +1491,6 @@ checksum = "0de7bff972b4f2a06c85f6d8454b09df153af7e3a4ec2aac81db1b105b684ddb"
[[package]]
name = "zeroize"
version = "1.4.3"
version = "1.5.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d68d9dcec5f9b43a30d38c49f91dfedfaac384cb8f085faca366c26207dd1619"
dependencies = [
"zeroize_derive",
]
[[package]]
name = "zeroize_derive"
version = "1.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3f8f187641dad4f680d25c4bfc4225b418165984179f26ca76ec4fb6441d3a17"
dependencies = [
"proc-macro2",
"quote",
"syn",
"synstructure",
]
checksum = "94693807d016b2f2d2e14420eb3bfcca689311ff775dcf113d74ea624b7cdf07"

Binary file not shown.



@ -30,7 +30,7 @@ This guide requires you to have:
You can reuse an existing server running any other Teleport instance.
## Step 1/6. Create a restrictive service account
## Step 1/7. Create a restrictive service account
Teleport requires a service account to connect to your Active Directory domain.
We recommend creating a dedicated service account with restrictive permissions
@ -86,7 +86,7 @@ dsacls "CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuratio
```
## Step 2/6. Prevent the service account from performing interactive logins
## Step 2/7. Prevent the service account from performing interactive logins
<Admonition type="note" title="gpupdate.exe">
Throughout this step and the next one, you will be modifying GPOs, and
@ -140,7 +140,7 @@ Computer Configuration > Policies > Windows Settings > Security Settings > Local
![Deny Interactive Login](../../img/desktop-access/deny-interactive-login.png)
</Figure>
## Step 3/6: Configure a GPO to allow Teleport connections
## Step 3/7. Configure a GPO to allow Teleport connections
Next, we need to configure a GPO to allow Teleport desktop sessions. This
includes telling your computers to trust Teleport's CA, allowing the
@ -322,7 +322,71 @@ If you have not done so already, ensure your GPO is updated by opening a PowerSh
gpupdate.exe /force
```
## Step 4/6. Export your LDAP CA certificate
## Step 4/7. Configure a certificate for RDP connections
<Admonition type="note" title="Secure Cipher Suites">
Teleport's RDP client supports only secure algorithms
for making TLS connections, so we have to configure our Domain Controller
to support those cipher suites as well.
This step is only *necessary* for Windows Server 2012 R2 Domain Controller as it does not support
secure algorithms by default. If it does not apply to you, you can skip this step and go to the [next step](#step-57-export-your-ldap-ca-certificate).
</Admonition>
In this step we'll create a new certificate template that uses elliptic curve cryptography, and then configure our GPO
to use the newly created template to issue certificates used for Remote Desktop connections.
### Create a certificate template
In this section, we will create a certificate template that uses elliptic curve P-384 and uses SHA384 as the signature algorithm.
1. Open the Microsoft Management Console (MMC)
```text
Start > Control Panel > Administrative Tools > Certificate Authority
```
2. Open your CA computer and right-click on `Certificate Templates`, then select `Manage`.
3. Find the `Computer` template on the list, right-click on it, then select `Duplicate Template`.
4. In the `Compatibility` tab change `Certification Authority` to `Windows Server 2012 R2` and click `OK`.
5. In the same tab change `Certificate recipient` to `Windows Server 2012 R2` and click `OK`.
6. Go to the `General` tab and change `Template display name` to `RemoteDesktopAccess`. Make sure `Template name` is also `RemoteDesktopAccess`.
7. In the `Cryptography` tab change `Provider Category` to `Key Storage Provider`, then `Algorithm name` to `ECDH_P384`. Also, change `Request hash` to `SHA384`.
8. Next, in the `Extensions` tab select `Application Polices` and click the `Edit` button.
9. Remove all entries from the list.
10. Go to the `Security` tab, select `Domain Controllers` and give the group `Read` and `Enroll` permissions.
11. Finally, create a template by clicking `OK`.
12. Go back to the Certificate Authority window and right-click on `Certificate Templates`. Then:
```text
New > Certificate Template to Issue
```
Select `RemoteDesktopAccess` and click `OK`.
### Update GPO to use a new certificate template
In the group policy editor for `Teleport Access Policy`, select:
```
Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
```
Right-click on `Server authentication certificate template`, `Edit`, then select `Enabled` and fill `Certificate Template Name` with `RemoteDesktopAccess`.
<Figure align="left" bordered caption="RDP Certificate Template">
![RDP Certificate Template](../../img/desktop-access/rdp-certificate-template.png)
</Figure>
### Ensure your GPO is updated
If you have not done so already, ensure your GPO is updated by opening a PowerShell prompt and running:
```powershell
gpupdate.exe /force
```
## Step 5/7. Export your LDAP CA certificate
Teleport connects to your Domain Controller via LDAPS. This means that you must
let Teleport know that the certificate sent by your Domain Controller during the
@ -351,7 +415,7 @@ Now transfer the exported file to the system where you're running Teleport. You
can either add this certificate to your system's trusted repository or provide
the filepath to the `der_ca_file` configuration variable.
## Step 5/6. Configure Teleport
## Step 6/7. Configure Teleport
<Admonition type="note" title="Teleport CA">
Prior to v8.0, the Teleport CA was not compatible with Windows logins. If
@ -414,7 +478,7 @@ windows_desktop_service:
After updating `teleport.yaml`, start Teleport as usual using `teleport start`.
## Step 6/6. Log in using Teleport
## Step 7/7. Log in using Teleport
### Create a Teleport user/role for Windows Desktop Access


@ -862,9 +862,9 @@ func NewTeleport(cfg *Config) (*TeleportProcess, error) {
if cfg.WindowsDesktop.Enabled {
// FedRAMP/FIPS is not supported for Desktop Access. Desktop Access uses
// Rust for the underlying RDP protocol implementation and smart card
// authnentication. Return an error if the user attempts to start Desktop
// Access in FedRAMP/RIPS mode for now until we can ensure that the crypto
// used by this feature is compliant.
// authentication. Returns an error if the user attempts to start Desktop
// Access in FedRAMP/RIPS mode for now until we can ensure that the crypto
// used by this feature is compliant.
if cfg.FIPS {
return nil, trace.BadParameter("FedRAMP/FIPS 140-2 compliant configuration for Desktop Access not supported in Teleport %v", teleport.Version)
}
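Review bot: The rewritten comment still reads `FedRAMP/RIPS mode` on its third line even though the first line was corrected from `authnentication`; both typos should go together, and the original imperative `Return an error` read better than `Returns an error`. Suggested lines: `// authentication. Return an error if the user attempts to start Desktop` / `// Access in FedRAMP/FIPS mode for now until we can ensure that the crypto`. The Cargo.lock in this same commit shows the RDP TLS stack moving from `native-tls`/OpenSSL to `rustls`/`ring`, which is also not a FIPS 140-2 validated module, so the guard stays correct; it is worth a clause in the comment (e.g. `// (the rustls/ring stack used since the OpenSSL removal is not FIPS-validated either)`) so nobody drops the check on the assumption that OpenSSL was the only blocker. NewTeleport begins and ends outside the hunk.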


@ -55,7 +55,7 @@ Save the following file as `certificate-services.ps1`
$ErrorActionPreference = "Stop"
Add-WindowsFeature Adcs-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -Force
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -HashAlgorithmName SHA384 -Force
Restart-Computer -Force
```


@ -19,6 +19,6 @@ num-derive = "0.3.3"
num-traits = "0.2.14"
rand = { version = "0.8.5", features = ["getrandom"] }
rand_chacha = "0.3.1"
rsa = { version = "0.5.0", features = ["alloc"] }
rdp-rs = { git = "https://github.com/gravitational/rdp-rs", rev = "f51222e7edeaf2954e2c02db3506aa36e02304ca" }
rsa = { version = "0.6.1" }
rdp-rs = { git = "https://github.com/gravitational/rdp-rs", rev = "17ec446ecb73c58b77ac47c6fc8598153f673076" }
uuid = { version = "0.8.2", features = ["v4"] }
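Review bot: The `rdp-rs` rev bump is the line that actually removes OpenSSL (the Cargo.lock in this commit swaps `native-tls` for `rustls` under `rdp-rs`), yet nothing here records how the server certificate is verified under the new stack; RDP hosts routinely present self-signed or domain-CA certificates that `webpki`'s default verifier would reject, so the pinned rev presumably installs a custom `ServerCertVerifier` — confirm this and state the policy in a comment so it is reviewable from this file, e.g. `# pinned to a rustls-based rev (no OpenSSL); see rdp-rs for the TLS server-certificate verification policy`. Pinning the git dependency to a full commit hash rather than a branch is the right supply-chain choice and should be kept on future bumps.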


@ -19,7 +19,7 @@ use iso7816::command::Command;
use iso7816::response::Status;
use iso7816_tlv::ber::{Tag, Tlv, Value};
use rdp::model::error::*;
use rsa::pkcs1::FromRsaPrivateKey;
use rsa::pkcs1::DecodeRsaPrivateKey;
use rsa::{BigUint, PublicKeyParts, RsaPrivateKey};
use std::convert::TryFrom;
use std::io::{Cursor, Read};
@ -209,8 +209,8 @@ impl<const S: usize> Card<S> {
/// to decrypt. Most crypto libraries don't directly expose RSA decryption without padding, as
/// it's easy to build insecure crypto systems. Thankfully for us, this decryption is just a single
/// modpow operation which is suppored by RustCrypto.
fn sign_auth_challenge(&self, challenge: &Vec<u8>) -> Vec<u8> {
let c = BigUint::from_bytes_be(challenge.as_slice());
fn sign_auth_challenge(&self, challenge: &[u8]) -> Vec<u8> {
let c = BigUint::from_bytes_be(challenge);
let plain_text = c
.modpow(self.piv_auth_key.d(), self.piv_auth_key.n())
.to_bytes_be();
@ -414,7 +414,7 @@ fn tlv_tag(val: u8) -> RdpResult<Tag> {
}
fn hex_data<const S: usize>(cmd: &Command<S>) -> String {
to_hex(&cmd.data().to_vec())
to_hex(cmd.data())
}
fn to_hex(bytes: &[u8]) -> String {
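Review bot: `sign_auth_challenge` returns `BigUint::to_bytes_be()` of the modpow result, and that method strips leading zero bytes, so about one result in 256 would be a byte shorter than the modulus unless the remainder of the function (which runs past the hunk) left-pads `plain_text` to the key size; if it does not, add `let mut out = vec![0u8; self.piv_auth_key.size()];` followed by `out[out.len() - plain_text.len()..].copy_from_slice(&plain_text);` and return `out`. Separately, the raw `modpow(d, n)` is neither blinded nor constant-time and the `challenge` it operates on arrives from the remote host, which the doc comment above should say rather than only explaining why the padded `rsa` API is unusable: `/// NOTE: the raw modpow is not blinded; the challenge is supplied by the remote host.` While touching that comment, fix `suppored` to `supported`.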