Good morning,
Is there a way to use PAM to retrieve in a secure way the LAPS password of a computer without having to use the LAPS script in RDM that uses the current user's rights?
This is quite important for us to make the process secure.
I know you've added the possibility to add a local user in PAM, but in a large environment it's not usable.
Thank you in advance.
Sylvain
Hello,
Not at this time, but walk me through this, I'd like to have your thoughts on the workflow.
Putting a PAM module on top of LAPS does offer a lot of value, even for secret management offerings like Azure KeyVault and Amazon Key Management Service for that matter... In the context of persons using secrets, it allows for checkout workflows to prevent others from using them at the same time, and we could add a layer for rotation as well (to harmonize password rotation across all of your secrets management systems...)
The issue with LAPS is that it runs in the context of an authenticated session against that domain, meaning that there is an identity needed to query the directory. Since our Devolutions Server platform is composed of multiple components that can be distributed on various servers, this means that the query must be capable of being performed using ANOTHER identity, running on ANOTHER server.
This means that the credentials used for reading the password from the directory, ideally would be in the PAM system in order to transit securely. It also means that it would increase security by using "service" accounts to read the directory, rather than using user identities (starting a process on a server under a user identity does increase the surface area subject to attacks...)
Does this make sense?
We are designing a "generic" provider architecture that would allow us to deliver a Minimal Viable Feature for our next release (June).
Maurice
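The workflow Maurice describes above, as an added illustration that is not Devolutions' code: the LAPS attribute is read from the directory under an explicit "service" identity rather than the interactive user's own session. It assumes the RSAT ActiveDirectory module, the legacy LAPS schema attributes `ms-Mcs-AdmPwd` / `ms-Mcs-AdmPwdExpirationTime`, and a constructed computer name `WS-FINANCE-01`; the function name and parameters are hypothetical.

```powershell
# Added example (not Devolutions' code): read a computer's LAPS-managed local admin
# password from Active Directory under an explicit service identity, instead of the
# calling user's own rights. Assumes the RSAT ActiveDirectory module and the legacy
# LAPS schema attributes (ms-Mcs-AdmPwd / ms-Mcs-AdmPwdExpirationTime).
Import-Module ActiveDirectory

function Get-LapsPasswordAsServiceAccount {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [pscredential] $ServiceCredential,  # reader identity, ideally checked out of PAM
        [string] $DomainController                                   # optional: pin the DC to query
    )

    $params = @{
        Identity   = $ComputerName
        Properties = 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'
        Credential = $ServiceCredential   # the query runs as the service account, not the caller
    }
    if ($DomainController) { $params.Server = $DomainController }

    $computer = Get-ADComputer @params

    # ms-Mcs-AdmPwd is a confidential attribute: it comes back empty unless the service
    # account holds the "Read ms-Mcs-AdmPwd" extended right on the computer's OU.
    if (-not $computer.'ms-Mcs-AdmPwd') {
        throw "No LAPS password readable for '$ComputerName' as $($ServiceCredential.UserName); check the extended right on the OU."
    }

    # Expiration is stored as a Windows FILETIME (100-ns ticks since 1601-01-01 UTC).
    $expires = [DateTime]::FromFileTimeUtc([int64]$computer.'ms-Mcs-AdmPwdExpirationTime')

    [pscustomobject]@{
        ComputerName = $computer.Name
        Password     = ConvertTo-SecureString -String $computer.'ms-Mcs-AdmPwd' -AsPlainText -Force
        ExpiresUtc   = $expires
        Expired      = $expires -lt (Get-Date).ToUniversalTime()
    }
}

# Usage: in production the service account credential would come from PAM, never be
# typed interactively; Get-Credential is used here only for illustration.
$svc = Get-Credential -Message 'LAPS reader service account'
$entry = Get-LapsPasswordAsServiceAccount -ComputerName 'WS-FINANCE-01' -ServiceCredential $svc  # constructed name
$entry | Select-Object ComputerName, ExpiresUtc, Expired
```

The password is returned as a SecureString and never written to the console; only the expiry metadata is displayed, which is the information a rotation layer would key on.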
Hello Maurice,
Yes, it's exactly this; it would be perfect as you describe it!
Thank you!!
Sylvain