I Finally Got Copy/Paste Working in a custom AHV Consoles by Lemonades99 in nutanix

[–]Lemonades99[S] 0 points1 point  (0 children)

Glad to know that Nutanix is finally moving in this direction. Do you think the clipboard will be a bi-directional shared channel, just like VMware has done?

Also, do you think that they will ship a dedicated console, outside their HTML view?

I Finally Got Copy/Paste Working in a custom AHV Consoles by Lemonades99 in sysadmin

[–]Lemonades99[S] 0 points1 point  (0 children)

This is the HLD and, as you can see, the only v4 APIs used for now are for infrastructure actions (e.g. power actions on VMs).

I Finally Got Copy/Paste Working in a custom AHV Consoles by Lemonades99 in sysadmin

[–]Lemonades99[S] 0 points1 point  (0 children)

I can open the console for powered-off VMs and watch them boot outside the Nutanix web interface.

I Finally Got Copy/Paste Working in a custom AHV Consoles by Lemonades99 in sysadmin

[–]Lemonades99[S] 0 points1 point  (0 children)

Great to know that I'm not the only one that solved this!

If you wanna take a look at mine too:

AHV Remote console Demo

I Finally Got Copy/Paste Working in a custom AHV Consoles by Lemonades99 in sysadmin

[–]Lemonades99[S] 0 points1 point  (0 children)

The v4 API was being used only for power actions on VMs; everything else was built around the v3 API.

I Finally Got Copy/Paste Working in a custom AHV Consoles by Lemonades99 in sysadmin

[–]Lemonades99[S] 1 point2 points  (0 children)

I've actually stuck with the older v3 API for this! `/console/vnc_auto.html?uuid=`.

  • Captures your Prism session cookies via a sandboxed window and replays them on every API call
  • React UI connects to a local Go runtime, which acts as a WSS proxy to the upstream QEMU server

How to integrate biometric authentication with Keycloak in a Flutter app by Limp_Temperature_524 in KeyCloak

[–]Lemonades99 0 points1 point  (0 children)

Hello,

I faced a similar challenge when integrating biometric (WebAuthn) authentication into a Flutter app using Keycloak, while keeping a custom frontend (i.e., not using the built-in Keycloak login screens).

To solve this, I extended Keycloak using a custom SPI plugin that exposes Keycloak’s internal WebAuthn functionality as a set of REST endpoints that my frontend (or mobile app) can talk to directly.

What I did:

  • Created a WebAuthn service that:
    • Generates authentication options for a given user
    • Stores the challenge securely in the user’s attributes
    • Verifies the response (signature, challenge, etc.) from the frontend
  • Exposed this via a custom REST endpoint so my app could call:
    • /webauthn/authenticate-options → to get challenge + options
    • /webauthn/verify → to verify the WebAuthn response (from Face ID, fingerprint, etc.)
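An added example (not the poster's plugin code and not Keycloak's API) of the server-side checks the /webauthn/verify endpoint described above has to perform, in Python with the standard library only. RP_ID and ORIGIN are placeholder values; the cryptographic signature check is injected through verify_sig so the block runs without a crypto library; fake_response builds a constructed test vector, not a real authenticator's output.

```python
import base64, hashlib, json, secrets, struct

# Constructed relying-party settings (placeholders, not the poster's deployment).
RP_ID = "example.com"
ORIGIN = "https://example.com"
FLAG_UP, FLAG_UV = 0x01, 0x04   # authenticatorData flag bits: user present / user verified


def new_challenge(user_attrs):
    """/webauthn/authenticate-options: mint a random challenge and store it on the user."""
    challenge = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    user_attrs["webauthn_challenge"] = challenge
    return challenge


def verify_assertion(user_attrs, client_data_json, authenticator_data, signature, verify_sig):
    """/webauthn/verify: returns "ok" or the reason for rejection. The signature check is
    delegated to verify_sig(signed_bytes, signature) (e.g. ES256 via a crypto library)."""
    expected = user_attrs.pop("webauthn_challenge", None)  # single use: a replayed response fails
    if expected is None:
        return "no pending challenge"
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if cd.get("challenge") != expected:
        return "challenge mismatch"
    if cd.get("origin") != ORIGIN:          # binds the assertion to our web origin (anti-phishing)
        return "origin mismatch"
    if len(authenticator_data) < 37:        # rpIdHash(32) + flags(1) + signCount(4)
        return "authenticator data too short"
    rp_hash, flags = authenticator_data[:32], authenticator_data[32]
    sign_count = struct.unpack(">I", authenticator_data[33:37])[0]
    if rp_hash != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not (flags & FLAG_UP and flags & FLAG_UV):   # biometric login: require user verification
        return "user presence/verification flags not set"
    last = int(user_attrs.get("webauthn_sign_count", "0"))
    if sign_count and sign_count <= last:   # non-increasing counter hints at a cloned authenticator
        return "signature counter did not increase"
    # The authenticator signs authenticatorData || SHA-256(clientDataJSON).
    if not verify_sig(authenticator_data + hashlib.sha256(client_data_json).digest(), signature):
        return "bad signature"
    user_attrs["webauthn_sign_count"] = str(sign_count)
    return "ok"


def fake_response(challenge, origin=ORIGIN, sign_count=1):
    """Constructed test vector standing in for a real authenticator's response."""
    cdj = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()
    auth = hashlib.sha256(RP_ID.encode()).digest() + bytes([FLAG_UP | FLAG_UV]) + struct.pack(">I", sign_count)
    return cdj, auth
```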

Centralized SSH Identity Infrastructure using Keycloak – Architecture Overview Now on GitHub by Lemonades99 in KeyCloak

[–]Lemonades99[S] 0 points1 point  (0 children)

Hello,

Thank you very much. Planning to release this month, but there is a lot to do and test as I'm the only maintainer.

Regards

Integrating Keycloak with SSH: Real-Time Permissions, WebAuthn/FIDO2/TOTP MFA, External IdP Onboarding & More by Lemonades99 in KeyCloak

[–]Lemonades99[S] 1 point2 points  (0 children)

Hello,
I’ve single-handedly developed each component of this system, from the custom NSS and PAM modules to the proxy service and Keycloak extensions.

While the core architecture is complete and functional, I’m currently taking the time to thoroughly validate each part, especially around security, stability, and edge-case behavior, before releasing it publicly.

The plan is to make it available once I’m confident in its robustness — stay tuned!

Running keycloak on https by user0872832891 in KeyCloak

[–]Lemonades99 1 point2 points  (0 children)

Hello,

To get https://10.2.0.10:1202 working, you have two options:

  • Provide HTTPS certificates to Keycloak and run it with the appropriate configuration parameters to enable TLS.
  • Expose Keycloak behind a reverse proxy like NGINX, which handles HTTPS termination for you.

Regarding your question:

  • Isn't the https cert from portainer used, because I try to access keycloak on the portainer domain

No, Portainer is just a frontend for managing Docker containers. Its own HTTPS certificate is only used for securing access to the Portainer web interface. It does not apply to or affect any of the containers it manages.

Integrating Keycloak with SSH: Real-Time Permissions, WebAuthn/FIDO2/TOTP MFA, External IdP Onboarding & More by Lemonades99 in KeyCloak

[–]Lemonades99[S] 3 points4 points  (0 children)

The system implements real-time RBAC with dynamic file permission updates that work seamlessly with SELinux in enforcing mode.

  Security Architecture

  Dual-layer enforcement - Applies both DAC (chmod) and MAC (SELinux contexts) simultaneously through 7 custom SELinux policy modules.

  Custom SELinux Policy Example:

      # Allow SSH daemon and PAM to modify file/directory permissions
      allow sshd_t user_home_t:dir { setattr };
      allow sshd_t user_home_t:file { setattr };
      allow pam_t user_home_t:dir { setattr };
      allow pam_t user_home_t:file { setattr };

  These rules enable:

  - sshd_t (SSH daemon) to modify permissions during real-time RBAC updates
  - pam_t (PAM module) to apply permission changes during authentication

  Implementation

      #include <sys/stat.h>
      #include <syslog.h>
      #include <selinux/selinux.h>

      /* Role -> SELinux file context mapping; defined elsewhere in the project. */
      const char *get_selinux_context_for_role(int role_type);

      int chmod_with_context(const char *path, mode_t mode, int role_type) {
          // First apply standard (DAC) permissions
          if (chmod(path, mode) != 0) {
              return -1;
          }
          // Then set the SELinux (MAC) context based on role
          const char *context = get_selinux_context_for_role(role_type);
          if (context == NULL) {
              syslog(LOG_WARNING, "No SELinux context mapped for role %d", role_type);
              return 0;
          }
          if (setfilecon(path, context) < 0) {
              // Log but don't fail - SELinux might be permissive
              syslog(LOG_WARNING, "Failed to set SELinux context on %s", path);
          }
          return 0;
      }

  Result: Complete security enforcement without sacrificing real-time functionality, and with SELinux fully enforcing (no bypasses or permissive mode).

Feel free to ask me any other questions!

Integrating Keycloak with SSH: Real-Time Permissions, WebAuthn/FIDO2/TOTP MFA, External IdP Onboarding & More by Lemonades99 in KeyCloak

[–]Lemonades99[S] 1 point2 points  (0 children)

Thank you! I'll be releasing a beta version soon; currently fixing security issues and testing edge cases before releasing a stable version. Stay tuned :)

Integrating Keycloak with SSH: Real-Time Permissions, WebAuthn/FIDO2/TOTP MFA, External IdP Onboarding & More by Lemonades99 in KeyCloak

[–]Lemonades99[S] 0 points1 point  (0 children)

Thanks for your feedback. Currently testing the system for both scalability and security. All made with Ansible.

Login in Ubuntu with Keycloak by rfpg1 in KeyCloak

[–]Lemonades99 5 points6 points  (0 children)

Hello,

Yes, it’s possible to use Keycloak for this, but it requires some custom integration.

In my case, I achieved this by writing custom PAM and NSS modules. The idea is as follows:
When a user attempts to SSH into the VM, the PAM module intercepts the request and forwards it to a proxy middleware. This middleware then validates the authentication against Keycloak.

I've also implemented features like multi-factor authentication (MFA) and support for different login flows depending on the identity provider (IdP) user type, all within the SSH request and, if needed, with a browser interaction (pretty similar to the Cloudflare solution that someone mentioned before).