rdesktop
Add support for NTLM authentication using CredSSP [$115]
Today the out-of-the-box experience is not that great when connecting to an RDS service, because the RDS service is by default configured to require NLA (CredSSP). rdesktop only supports CredSSP using Kerberos authentication and will therefore fail to connect to an RDS service which requires NLA, and configuration of Kerberos on the client side is required. Adding NTLM authentication would mean that no special client-side configuration is needed, with the result of a better out-of-the-box experience.
There is a $15 open bounty on this issue. Add to the bounty at Bountysource.
Every time I connect to a host rdesktop throws up a message that it's too broken to use CredSSP, and demands that it be given access to a non-existent domain controller. How do I make it STFU about that?
KRDC (KDE bundled GUI RDP/VNC client) has working code that solves this issue.
This works for me in rdesktop 1.6 and 1.7; perhaps it could be forward-ported to newer versions: rdesktop patch to add limited RDPv6 + CredSSP
@DesktopECHO if I recall correctly, the old patches required parts of samba and were a bit ugly. My intention was to do a pure NTLM implementation. However, over time I found this [1] project that I think suits rdesktop perfectly.
[1] https://github.com/simo5/gss-ntlmssp
+1 for https://github.com/simo5/gss-ntlmssp as this one was also on my list after checking how to proceed with this ticket sometime in the future.
Can anybody give information on how to configure CredSSP with rdesktop on Linux? Thanks
March 13th 2018 Windows updates kill Linux RDP. Now CredSSP is being enabled on all servers.
https://github.com/FreeRDP/Remmina/issues/1513
Wiki page added with information about CredSSP
https://github.com/rdesktop/rdesktop/wiki/Network-Level-Authentication-(NLA)
@trentasis @keirun @emk2203 @UnitedMarsupials @lszyba1
That does not help if there isn't a domain, or even if it's behind a firewall (like they all should be).
If you didn't want to set up Kerberos, how do you use this? https://github.com/simo5/gss-ntlmssp
The biggest issue is the error message. It should A) state that the server requires NTLM authentication, recommend contacting the administrator to disable it, and point to this ticket; B) tell you what you need to do if you are not on a domain but rather outside the firewall or on a VPN.
The way I see it, if the administrator will not lower the Windows server default security setting, this package can no longer be used? Unless I'm missing something. Thanks, Lucas
@lszyba1 NTLM is a way of securing username/password authentication much like HTTP 'digest' authentication. It supplies proof to the server that you have the password without telling the server what the password is.
With Kerberos, OTOH, the client logs into the DC providing the proof that it has the password to the DC (without sending the password itself) and gets a "ticket" to prove to the service that the DC knows who it is. The server can then check and use this "ticket" to prove to the client they are the server the client is expecting.
The Kerberos protocol was designed in the '80s and is still secure. Nevertheless, a modern design would use public/private keypairs as that protocol ends up much simpler, easier to understand and generally more robust. IME Windows often has to fall back (usually silently) to using NTLM; with RDP it usually gets you that self-signed certificate warning (unless a validatable certificate has been installed).
If you're connecting to a Workgroup server using NLA it uses CredSSP without using Kerberos.
Thanks. So what do we need to do to get NTLM working, if your home machine is not authorized to join the domain in order for you to access work servers?
kinit doesn't require joining the domain.
Here is a real-world situation where kinit won't work:
Deploy a Windows VM in Azure, typically it will have one randomized port opened for RDP. These VMs have NLA enabled/enforced. The only way I could get rdesktop to work in this situation was to use the patch I mentioned on Oct 27th.
FYI In January I added a few more dollars for this bug on Bountysource
@grawity of course it does; the Kerberos service is part of the domain controller, and to trust the DC the server must be joined to the domain. If there isn't a domain controller there isn't a Kerberos service.
If the server can't join a domain or the client isn't able to find a domain controller the client must use NTLM.
@DesktopECHO , how do you use the patch mentioned on Oct 27th? Is that something you simply make/install and then rdesktop works with NTLM? Or do I need to recompile rdesktop to use that package? Do I need to install/configure GSSAPI first?
In the interests of increasing the likelihood that this gets picked up, may I suggest someone with the appropriate permissions updates the bounty amount in the issue title?
(I don't have much use for this feature any more, but it's still useful for others needing to connect to Azure, and I don't want to see my admittedly small contribution to the bounty go unclaimed.)
I will work on this. I have previously written exactly this feature in C#, but that was for a former employer and I don't have the code or the rights to it. I am not a C programmer and it will probably be ugly non-idiomatic code, someone else will have to integrate it into the solution.
Hello! Any progress on NTLM support without setting up Kerberos? Thanks
@MarkLTZ Personally I've mostly switched to xfreerdp (Debian/Ubuntu package freerdp2-x11 2.0.0..).
It doesn't work very well with Windows XP (or Windows 7?) but if most things you're connecting to are Windows 2012 or later it works fine, including machines with NLA forced on.
PS: Of course I just tried a Windows XP machine with rdesktop ... it didn't work either ... seems I always use a windows terminal server or VNC to connect to that old build VM.
@rdebath xfreerdp has many issues with the keyboard layout that rdesktop doesn't have.
Interesting, the keyboard is completely trouble-free for me (no command line option needed).
Locale en_GB.utf8, UK and UKX keyboards on Windows. Even the AltGr stuff, for dead keys and diacritics, works with UKX.
I just installed a US locale too on Windows and it works perfectly (including the "incorrect" swapping of " and @ when US is selected).
The only problem I sometimes have is that Ctrl-Alt-2 is trapped by Xorg. But I don't want to change that.
PS: Rdesktop's keyboard works fine for me too.
@rdebath the issue with non-US keyboards happens because I run xfreerdp on a kiosked system. On rdesktop I don't have issues except for the NTLM support. The workaround of disabling it on the Windows target side is not acceptable :(