Forum / Remote Desktop Manager - Feature Request

Interface for externally polling data from RDM

Hi!

Is it possible (through some API) to poll data from RDM for use in 3rd party applications?

We are currently establishing a new software for documenting (CMDB) and it would be really handy to access the credential entries in RDM from there.
So for our case we'd need a Web/JavaScript based interface to browse credential entries and store the GUID in the documentation. Clicking on a "reveal password" link would then poll RDM and show the password on the page.

Would something like this be possible at all?

Thanks! Daniel

6 yrs

It is possible to access the database directly and read the password if you enable the "external system" feature:

http://help.remotedesktopmanager.com/administration_connectingexternalsystem.htm

David Hervieux

6 yrs

Cool, thanks!

Still we'd like to keep the password decryption on RDM's side, so there is no way someone can read the passwords even when one has access to the documentation.
Only with a valid opened RDM datasource, this should be possible. The problem is that each user must have a separate encryption key for this to work...

Anyway, a database-based solution is something to start with, we just have to do the decryption (of the database key) in a safe way ourselves...

Basically what we need to build is an interface between the web browser and SQL database that somehow grabs the database decryption key, pulls the password from the database and decrypts it.

But how to do it in Offline mode? I can't connect to the DB, but it should still be possible to obtain the password through RDM's offline mode?

Thank you!

6 yrs

Hi,
There is no solution for the offline mode. We need to be careful when we expose the password. We don't want to compromise the security.

David Hervieux

6 yrs

Indeed :)

I don't quite understand how the offline data is secured anyway. It's not encrypted using the data source password, right?

It is encrypted using NTFS encryption, so it's tied to the Windows user account/password.
But can other programs access and decrypt the offline mode data? I think they can.

So there could be 3rd party programs that use the offline mode data as well...

I see there's an .off and a .sec file, which are both encrypted on the filesystem and probably using a different method. So only RDM can decrypt it. But where does RDM get the key for this?
I don't quite see how it all connects, but I'd like to understand. I also understand if you don't explain the internal security model publicly on the forum, but I'd be interested because I cannot know it's safe if I don't know how it works.

Thanks David!

6 yrs

Hi,
The offline mode is double encrypted. The first encryption uses our own private key mixed with some information from the computer to make sure that it's not possible to copy on another machine. After that it's encrypted with the Windows NTFS encryption. There is no key saved anywhere.

David Hervieux

6 yrs

"our own private key mixed with some information from the computer"

Is the private key fixed in the program? (The same for everyone?)
If so, it should be possible to reverse engineer it (read it off memory, decompile, brute force, etc.).
Also, the algorithm to mix the local computer information should be hackable.

If a private key (that is technically free to download with the software) and a secret algorithm (that is executed on customers' computers) is the only encryption, it is security by obscurity, and not the right thing to do.

I'm sure there are better ways to do this... but I'm not really too fond of encryption, so can't really tell you what the ideal solution would be.

It would probably involve some kind of public/private key encryption, system TPM module or at least a user password included in the key.

Cheers
Daniel

6 yrs

Hi Daniel,
We already have a todo on our list to allow users to specify their own encryption key.

David Hervieux

6 yrs
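
Added example, not part of the thread and not RDM's actual scheme: a Python contrast between the two key designs discussed above, a key built only from an embedded constant plus machine information, and a key that also requires a user-supplied secret (the "own encryption key" idea in the last two posts). The constant, machine identifier, header layout and PBKDF2 work factor are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a constant shipped inside an application binary.
EMBEDDED_KEY = b"constructed-demo-constant"
PBKDF2_ROUNDS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def machine_bound_key(machine_id: bytes) -> bytes:
    """Embedded constant + machine info only: no input is secret from local code."""
    return hashlib.sha256(EMBEDDED_KEY + b"|" + machine_id).digest()


def user_bound_keys(machine_id: bytes, passphrase: str, salt: bytes):
    """Also require a user passphrase; returns (encryption_key, check_key)."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                                   salt + machine_id, PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]


def create_header(machine_id: bytes, passphrase: str) -> dict:
    """Header stored beside the encrypted file: random salt + verifier tag."""
    salt = os.urandom(16)
    _, check_key = user_bound_keys(machine_id, passphrase, salt)
    tag = hmac.new(check_key, b"offline-store-v1", hashlib.sha256).digest()
    return {"salt": salt, "tag": tag}


def unlock(header: dict, machine_id: bytes, passphrase: str):
    """Return the encryption key, or None if passphrase or machine is wrong."""
    enc_key, check_key = user_bound_keys(machine_id, passphrase, header["salt"])
    tag = hmac.new(check_key, b"offline-store-v1", hashlib.sha256).digest()
    return enc_key if hmac.compare_digest(tag, header["tag"]) else None


if __name__ == "__main__":
    machine = b"constructed-machine-id"
    # Any local program that knows the constant and algorithm gets the same key.
    print(machine_bound_key(machine) == machine_bound_key(machine))
    header = create_header(machine, "correct horse battery staple")
    print(unlock(header, machine, "correct horse battery staple") is not None)
    print(unlock(header, machine, "wrong guess"))
```

The header contains nothing secret, so copying it together with the encrypted file still leaves the passphrase as the missing input; the strength of the second design therefore rests on the passphrase and the work factor.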