xrdp
Feature Request: Support PAM based MFA
This is related to issue #676, but I'd like to formally request that XRDP support PAM based MFA in Linux (or other supported Unixes that use PAM).
I realize this is a major code change due to how XRDP currently authenticates.
I think this would mean full authentication would need to occur within "xrdp", instead of credentials being gathered in "xrdp" and passed to "sesman".
The current code can authenticate users with google-authenticator.
Hi @MrPippin66
Yes, this is a major code change but it's starting to look like it's a necessary one.
There's a number of issues which are coming together here, like password change (see #600) and a big issue caused by systemd (#1684). There are other features like automatic session reconnection which has been asked for which I think are related.
As regards your last point, the systemd PAM module introduces an architectural dependency. A process which starts a PAM session must be the same process that was used to authenticate the user (i.e. must have the same PID). At the moment we don't do that, but many other programs which log a user in (e.g. lightdm, openssh) do. We authenticate in sesman, and then call session create (if necessary) in a sub-process. We do it that way as unlike lightdm and openssh we have to support users connecting to existing sessions.
The limitation prevents the authentication being done in xrdp. It must be done as a sub-process of sesman.
To support this, I think the following changes are necessary:-
1. Enhance the middleware between sesman and xrdp to support an exchange of authentication messages, rather than a one-way username/password call.
2. Move the comms between xrdp and sesman to use Unix Domain Sockets rather than TCP. This is a disruptive change, but I think it is necessary for step 3.
3. Enhance the middleware between xrdp and sesman to allow file descriptors to be passed around.
4. Create an authentication process which can use the new features above to authenticate the user using a generic PAM conversation.
Once we get to step 4, we can provide password-change, MFA, session reconnect and (I think) NLA support in a clear and supportable manner.
The big downside is it's a lot of work, and step 2 is going to inconvenience some users.
Feel free to challenge my reasoning above. I'd love to find a less disruptive way to move all of these related issues forward.
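As an added illustration of step 3 in the list above (passing file descriptors between sesman and an authentication sub-process over a Unix domain socket), here is a minimal SCM_RIGHTS send/receive pair, exercised over a socketpair with a pipe's read end as the passed descriptor. This is example code, not xrdp's own middleware; the names send_fd, recv_fd and pass_fd_roundtrip are my own.

```c
#define _POSIX_C_SOURCE 200809L
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/uio.h>

/* Hand fd to the peer on a connected AF_UNIX socket; returns 0 on success.
 * One dummy payload byte travels with the control message because Linux
 * requires at least one byte of real data alongside ancillary data. */
int send_fd(int sock, int fd)
{
    char byte = 0, ctrl[CMSG_SPACE(sizeof(int))] = { 0 };
    struct iovec iov = { &byte, 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = ctrl, .msg_controllen = sizeof(ctrl) };
    struct cmsghdr *cm = CMSG_FIRSTHDR(&m);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &m, 0) == 1 ? 0 : -1;
}

/* Receive the descriptor sent by send_fd(); returns the new (duplicated)
 * fd, or -1 if the message carried no SCM_RIGHTS control data. */
int recv_fd(int sock)
{
    char byte = 0, ctrl[CMSG_SPACE(sizeof(int))] = { 0 };
    struct iovec iov = { &byte, 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1,
                        .msg_control = ctrl, .msg_controllen = sizeof(ctrl) };
    struct cmsghdr *cm; int fd = -1;
    if (recvmsg(sock, &m, 0) != 1) return -1;
    cm = CMSG_FIRSTHDR(&m);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Round trip over a socketpair: pass a pipe's read end, write text into the
 * pipe, then read it back through the received fd. Returns bytes read or -1. */
ssize_t pass_fd_roundtrip(const char *text, char *out, size_t outlen)
{
    int sv[2], pfd[2], got; ssize_t n = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || pipe(pfd) < 0) return -1;
    if (send_fd(sv[0], pfd[0]) == 0 && (got = recv_fd(sv[1])) >= 0) {
        if (write(pfd[1], text, strlen(text)) == (ssize_t)strlen(text))
            n = read(got, out, outlen);
        close(got);
    }
    close(sv[0]); close(sv[1]); close(pfd[0]); close(pfd[1]);
    return n;
}
```

In a real design the socket would connect two separate processes (e.g. sesman and its authentication child) and the passed descriptor would be the client connection, but the SCM_RIGHTS mechanics are identical.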
Hello Dear @matt335672
Can you help me to configure XRDP on Ubuntu 20.04 with Google Authenticator? I already did these changes.
xrdp configuration:
```
root@xrdp:/etc/pam.d# cat xrdp-sesman
#%PAM-1.0
#@include common-auth
#@include common-account
#@include common-session
#@include common-password
#auth required pam_google_authenticator.so
auth required pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass
```
Restart the sshd service or restart the docker container and try to log in (I tried Ubuntu in a docker container).
For login to xrdp: please provide the username and then, in the password box, provide password+otp together. The password should come first, then the otp from the Google Authenticator app, together without any space or extra character.
But it is not working.
Can you help me?
@Alvaro1316 - great you've decided to look at this as a way to make your system more secure.
I cannot emphasise enough that you really need to understand how this all works. If you don't, you can't have any confidence in the security of your system, particularly not if you've been changing the PAM configuration.
Your file above suggests to me that you could do with improving your knowledge of PAM. A good place to start is The Linux-PAM System Administrators' Guide, although there are other tutorials. Once you've read that, the files in /etc/pam.d should make a lot more sense to you.
@matt335672 Has there been any progress on this? I realize it's a complicated endeavor, but just curious where this stands.
@MrPippin66 - no actual functionality yet I'm afraid. I've been looking at other things.
In my list above the first two items are completed. We've also fleshed out a design. So it's getting there, but progress is pretty slow.