Configure Consent banner before login to web GUI.
- Thread starter rfrIII
- Start date
Large company/Law enforcement/DoD policy, I implement solutions for mostly DoD and Banks. Proxmox has features they want and support is priced right, but security policies like consent banners, session timeouts, smart card support, etc are causing Proxmox to lose competitive evaluations with other tools even though it would win otherwise.
I'm looking at puting it behind a proxy that could provide some of this, but security guys want native support.
-Rob
I'm looking at puting it behind a proxy that could provide some of this, but security guys want native support.
-Rob
Okay, in that case please open a feature request at https://bugzilla.proxmox.com/ including a description of requirements for such a banner, then we can evaluate. Thanks!
Hi, about smartcard, session timeout
you have oidc authentification, so I think you already have an sso infrastructure you could reuse ?
Personnaly, I'm using a keycloak server for oidc, and if current sso don't support oidc (maybe saml only for example), I'm using keycloak between them to forward/transale oidc to saml.
you have oidc authentification, so I think you already have an sso infrastructure you could reuse ?
Personnaly, I'm using a keycloak server for oidc, and if current sso don't support oidc (maybe saml only for example), I'm using keycloak between them to forward/transale oidc to saml.
Some sites have SSO and some don't, I am currently using Proxmox in a Ceph deployment for the Navy and we are using an SSO (keycloak) for Smartcard/session timeout support, but it was still a tough sell to DoD security. Unfortunately a lot of security/IA types assess a set of checkboxes and either they align to the standard or not, they tend to be light on the technical side. Across the street at a different Navy command they won't touch Proxmox because it won't meet security requirements.
The big guys like VMWare just get the DoD STIG and the law enforcement/medical/intel equivalents and natively support all the findings. Smaller groups like Proxmox have to pick and choose. I think the banner (pre login) and Session timeout are low hanging fruit that for some reason get the Security guys all excited.
What I love to use Proxmox for is small deployments and exercises that require a fast turnaround, it so superior to VMWare/RHEV/etc for that use case, but without an SSO infrastructure it gets slammed by security sometimes. We can get VM management, containers, and storage from one tool and it is easy enough to use and document that people with limited IT skills can manage it where as straight KVM + Docker would require an extra person(s) to be deployed.
The big guys like VMWare just get the DoD STIG and the law enforcement/medical/intel equivalents and natively support all the findings. Smaller groups like Proxmox have to pick and choose. I think the banner (pre login) and Session timeout are low hanging fruit that for some reason get the Security guys all excited.
What I love to use Proxmox for is small deployments and exercises that require a fast turnaround, it so superior to VMWare/RHEV/etc for that use case, but without an SSO infrastructure it gets slammed by security sometimes. We can get VM management, containers, and storage from one tool and it is easy enough to use and document that people with limited IT skills can manage it where as straight KVM + Docker would require an extra person(s) to be deployed.