[Local check] Detect if vnc and teamviewer process(es) have incoming connections

Open mcdope opened this issue 3 years ago • 7 comments

    Sorry for the delay. Kinda as suspected, neither xvnc nor TeamViewer sessions will show any sign of a remote connection. They pretty much just capture the screen and inject keyboard/mouse events, simulating a local user. On the other hand I think it exposed an error in a script somewhere:
[src/local.c:344]       Trying to get tty by loginctl
sh: 1: Syntax error: "(" unexpected

As far as TeamViewer and VNC go, there doesn't seem to be any way to detect an active incoming TeamViewer or VNC connection short of checking active. ss -tnp for example will show a line users:(("TeamViewer_Desk",pid=406339,fd=14)) when there is an active incoming connection.

Full output from Konsole via an established TeamViewer console (looks the same on xvnc):

username@testvm:~$ pamusb-check --debug username
* Authentication request for user "username" (pamusb-check)
[src/local.c:227] Checking whether the caller (pamusb-check) is local or not...
[src/local.c:238]       Checking pid 405205 (pamusb-check)...
[src/local.c:238]       Checking pid 405177 (/bin/bash)...
[src/local.c:238]       Checking pid 405156 (konsole)...
[src/local.c:238]       Checking pid   1555 (/lib/systemd/systemd)...
[src/local.c:238]       Checking pid      1 (/sbin/init)...
[src/local.c:296]       Using DISPLAY :0 for utmp search
[src/local.c:050]       No utmp entry found for tty ":0"
[src/local.c:312]       Trying to get tty from display server
[src/local.c:322]               Failed, no result while trying to get TTY from display server
[src/local.c:327]       Trying to get tty by DISPLAY
[src/local.c:335]               Failed, no result while searching utmp for display :0 owned by user username
[src/local.c:344]       Trying to get tty by loginctl
sh: 1: Syntax error: "(" unexpected
[src/local.c:214]               'loginctl' returned nothing.'
[src/local.c:355]               Failed, no result while searching utmp for tty (null)
[src/local.c:367]       Fallback: Using TTY /dev/pts/1 from ttyname() for search
[src/local.c:053]               utmp entry for tty "pts/1" found
[src/local.c:054]                       utmp->ut_pid: 405177
[src/local.c:055]                       utmp->ut_user: username
[src/local.c:071]               Checking utmp->ut_addr_v6[0]
[src/local.c:071]               Checking utmp->ut_addr_v6[1]
[src/local.c:071]               Checking utmp->ut_addr_v6[2]
[src/local.c:071]               Checking utmp->ut_addr_v6[3]
[src/local.c:075]       utmp check successful, request originates from a local source!
[src/local.c:374] No remote access detected, seems to be local request - allowing.
[src/device.c:038] Searching for "KeychainDrive" in the hardware database...
* Authentication device "KeychainDrive" is connected.
[src/device.c:100] One time pad is disabled, no more verifications to do.
* Access granted.

...and output from w (also the same for Teamviewer and VNC):

USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
username tty1     :0               17:54    6:00  16.87s  0.26s /usr/bin/startplasma-x11
username pts/0    :0               17:54    6:00   0.00s  1.67s /usr/bin/kded5
username pts/1    :0               17:55    0.00s  0.02s  0.01s w
username tty2     -                17:54    6:00   0.05s  0.03s -bash

Originally posted by @steelsnake in https://github.com/mcdope/pam_usb/discussions/124#discussioncomment-5434844

mcdope Mar 27 '23 15:03

TeamViewer does not provide a way to check for active connections, except in the GUI which is obv not an option.

So for TV we are left with either parsing logs, or checking for active connections to the process - both not reliable enough.

mcdope Jul 04 '24 15:07

xrdp can be detected via envvars

mcdope Jul 04 '24 15:07

For gnome-remote-desktop it seems there is also no way to check for incoming connection

For VNC: too many different servers

Maybe really the best to build a list of process names, check if they run, and if they run: check them for incoming connection. Could lead to some FPs though I guess.

mcdope Jul 04 '24 15:07

For gnome-remote-desktop it seems there is also no way to check for incoming connection

For VNC: too many different servers

Maybe really the best to build a list of process names, check if they run, and if they run: check them for incoming connection. Could lead to some FPs though I guess.

To check via proc:

  • https://gist.github.com/jkstill/5095725
  • https://unix.stackexchange.com/a/497913

mcdope Jul 04 '24 15:07

An active TeamViewer connection results in a process that does not exist without an established connection

ss -ntp | grep TeamViewer
ESTAB 0      0          127.0.0.1:47192       127.0.0.1:5939  users:(("TeamViewer",pid=93958,fd=44))      
ESTAB 0      0          127.0.0.1:50652       127.0.0.1:5939  users:(("TeamViewer_Desk",pid=103648,fd=14))

mcdope Jul 06 '24 11:07

gnome-remote-desktop in VNC mode can also be detected that way, doesn't work in RDP though

ESTAB 0 21128 [::ffff:192.168.1.101]:5900 [::ffff:192.168.1.103]:46328 users:(("gnome-remote-de",pid=38390,fd=58))

mcdope Jul 09 '24 16:07
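
The check discussed in this thread (a list of process names, then a test for established connections owned by them), as an added example that is not pam_usb code and not part of any comment. The function names, the watchlist and the LISTEN sample line are assumptions; the other sample lines are the `ss -ntp` lines quoted above. Names are matched exactly and in the truncated form ss prints, so the plain "TeamViewer" line is not counted.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical watchlist: names exactly as ss prints them on this page. */
static const char *WATCHED[] = { "TeamViewer_Desk", "gnome-remote-de", NULL };

/* Sample input: `ss -ntp` lines quoted in the thread; the LISTEN line is constructed. */
static const char SAMPLE[] =
    "ESTAB 0 0 127.0.0.1:47192 127.0.0.1:5939 users:((\"TeamViewer\",pid=93958,fd=44))\n"
    "ESTAB 0 0 127.0.0.1:50652 127.0.0.1:5939 users:((\"TeamViewer_Desk\",pid=103648,fd=14))\n"
    "ESTAB 0 21128 [::ffff:192.168.1.101]:5900 [::ffff:192.168.1.103]:46328 "
    "users:((\"gnome-remote-de\",pid=38390,fd=58))\n"
    "LISTEN 0 5 0.0.0.0:5900 0.0.0.0:* users:((\"gnome-remote-de\",pid=38390,fd=57))\n";

/* Returns 1 and copies the owner name into `who` if `line` is an
 * established socket owned by a watched process, else returns 0. */
int remote_session_in_line(const char *line, char *who, size_t wholen)
{
    char name[64];
    const char *p = strstr(line, "users:((\"");
    if (strncmp(line, "ESTAB", 5) != 0 || p == NULL)
        return 0;                       /* not established, or no owner shown */
    if (sscanf(p, "users:((\"%63[^\"]", name) != 1)
        return 0;
    for (int i = 0; WATCHED[i] != NULL; i++) {
        if (strcmp(name, WATCHED[i]) == 0) {   /* exact match, not a prefix */
            snprintf(who, wholen, "%s", name);
            return 1;
        }
    }
    return 0;
}

/* Walks multi-line ss output and returns the number of matching sockets. */
int count_remote_sessions(const char *ss_output)
{
    char line[512], who[64];
    int hits = 0;
    while (*ss_output != '\0') {
        size_t n = strcspn(ss_output, "\n");
        snprintf(line, sizeof line, "%.*s", (int)n, ss_output);
        hits += remote_session_in_line(line, who, sizeof who);
        ss_output += n + (ss_output[n] == '\n');   /* skip the newline if present */
    }
    return hits;
}

int main(void) { printf("possible remote sessions: %d\n", count_remote_sessions(SAMPLE)); return 0; }
```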

Hmpf, I don't get x11vnc working to test it...

mcdope Jul 22 '24 16:07