Previously I posted about provisioning secure remote access - a zero-trust access solution.
I've been asked a few times why I didn't just install Guacamole.
Apache Guacamole is an excellent tool - but it provides a rather different spin on the problem of remote access. It's really a sort of privileged access management tool - you authenticate to Guacamole and it then injects credentials into client applications. It can do TOTP with GoogleAuth.
I didn't want to provide access to privileged accounts - I wanted people to access their own accounts.
If Guacamole could integrate with a good secrets management system, or even just PAM it would make it so much better. If it used PAM for authentication this would open the door to so many more use-cases. It does have a few choices for how to authenticate but does the Java thing of constantly reinventing the wheel. And I want my security to be as solid as possible.
It wasn't really that hard to get my solution (which, unlike Guacamole, really leverages the existing security subsystems of Linux).