Redesign of authentication architecture #1961
Replies: 20 comments 36 replies
-
I've done more sketching out of this with a few data flows in my wiki:- https://github.com/matt335672/xrdp/wiki/Authentication-architecture-redesign Does that make it clearer what's being proposed here? |
Beta Was this translation helpful? Give feedback.
-
I am not sure if this belongs to here, but somehow it touches this thing aswell: As we know, XRDP can't handle "password expired". But also, it can't handle if the user is logging in for the first time (no home directory existing). For the second part: If using directory service (freeIPA in my case) the user doesn't exist as local account, but exists via LDAP. I am not sure if this is relevant, since the login process is somewhat managed via PAM anyways, right? |
Beta Was this translation helpful? Give feedback.
-
Good point @Samoangtagey. As well as your own use-case I've seen race conditions with ancient xrdp versions using NFS mounted home directories. I've just had a dig around in the sources and Git. Here's my understanding of how it's supposed to work:- Home directory creation is handled by pam_mkhomedir.so or pam_oddjob_mkhomedir.so. The latter module is used on SELinux systems (i.e. Fedora/RHEL/CentOS/etc) to create the home directory with the correct SELinux permissions. This is done by passing a synchronous D-BUS request to the How does this relate to xrdp? Both of these PAM modules run in the session creation phase of the PAM stack. From sesman, this happens when So AFAICT, home directory creation should work, provided:-
I could well be missing something though, and if I am, now would be a good time to find it so we can make sure it's covered here. Could you investigate your setup and let me know how much my mental picture of what is happening diverges from reality?? |
Beta Was this translation helpful? Give feedback.
-
More dataflows are added to https://github.com/matt335672/xrdp/wiki/Authentication-architecture-redesign to cover the In a similar way to Later, when we move the xrdp <-> sesman connection to UDS, we can make explicit authentication optional for these utilities. The UID+GID of the caller will be simply passed over the socket. |
Beta Was this translation helpful? Give feedback.
-
Hi @matt335672 Good work documenting this design so far. Can you please clarify a few things for me:
|
Beta Was this translation helpful? Give feedback.
-
https://github.com/matt335672/xrdp/wiki/Authentication-architecture-redesign has been updated to address review comments from @aquesnel and incorporate separate connection / authentication phases into the SCP dialogues. |
Beta Was this translation helpful? Give feedback.
-
Hi @matt335672 , Thanks for updating the wiki page with the clarifications that I asked for. We seem to be fumbling with the name of the "xrdp process that is connected to the rdp client", so can we choose a name for this forked process. I suggest one of:
For this reply I'm going to use the From the For the In the same section, you mention that the "list sessions" command is exclusive to the sesadmin utility, but I think that the "list sessions" command is also useful for rdp user facing use cases like an interactive session selector feature. I suggest that the exclusivity of this command to sesadmin be removed. In the Once again, thanks for the design and the discussion. |
Beta Was this translation helpful? Give feedback.
-
Hello, I starting to dig into sesman because I gathered a bug and ended here, because I had several thought while looking at sesman. The first thought I get is that sesman and SCP seems to be superfluous and it can be integrated to xrdp using files or databases such as sqlite. The other thought I had is that we may redesign the user "workflow" to make it both more consistent and more compatible with how PAM is working. The workflow may be as follow:
If we remove sesman, we can manage the session list using combination of files or/and databases, we just need an extra care for concurrent access to the database and to check if the session still alive. Replacing sesman by files make xrdp more simplier, imo, and session are independent from a process that may crash or being restarted. I did not thought deep into security, but if the database is readable/writeable only by the root it should be fine. Side note: I considering to contribute code. |
Beta Was this translation helpful? Give feedback.
-
Hi @matt335672 Thank you with your feed back. I think I understand why we want to keep RDP protocol out of the root user (freerdp) and it look sane even if it make the code more complicated. I will investigate more to have a better understanding of the architecture of xrdp. Best regards |
Beta Was this translation helpful? Give feedback.
-
Thanks @matt335672 @aquesnel and others for pushing this ahead. Great stuff here. We've learned much since we created sesman way back. Both about what xrdp needs and how auth works. 1 - RAIL support in sesman. Basically this just means starting the back-end(Xorg) and chansrv, no window manager. chansrv then starts(forks) any applications as they are part of the rail channel protocol. Although we should have a list of allowed(Published) apps somewhere. Session cleanup is triggered by chansrv exiting. So in this case sesman is not waiting for the window manager to exit, it's waiting for chansrv to exit. chansrv actually registers with Xorg as the window manger when the rail channel opens. Maybe we can have a list of apps to start and have one set as "primary" or "sentinel"? The primary one triggers session cleanup when it exits. RAIL is a really nice way to get xrdp used more in enterprise as the users don't even know they are using xrdp or even Linux. 2 - Multiple types and multiple types of the same back-ends. Currently we have Xorg, Xvnc, X11rdp as set types. One command line parameters config for each and global environment variables config. It would be nice to have something like Xorg-GPU1, Xorg-GPU2 where these have separate command line parameters and environment variables. Also, looking down the read, possible future back-ends could be Wayland, Android or Wine. Basically my thoughts are about what processes we start and how we manage them. |
Beta Was this translation helpful? Give feedback.
-
Sorry about the delay - been squishing bugs this week. From what @jsorg71 says about RAIL support, it could look like this:- We still need sdriver in this configuration, as:-
Please let me know if I've got anything significant wrong there. As far as Jay's second point goes about the back-ends I think that's sdriver detail, or am I missing something? |
Beta Was this translation helpful? Give feedback.
-
Hello, Looking deeper in all of your comments, I have several suggestion that I hope may be useful:
|
Beta Was this translation helpful? Give feedback.
-
As a general note, the changes proposed in #1077 should be relatively easy to implement in the sdriver after implementation. See also #1302 regarding lastlog. |
Beta Was this translation helpful? Give feedback.
-
Related to #909, #1976 and discussions on file descripor, I tried to add blacklistd support to xrdp years ago but gave up at the time. blacklistd comes from NetBSD to FreeBSD. It is a fail2ban like daemon to reject packets from IP address with failed login attempts. I implemented it to postifx as FreeBSD local patch. It is quite simple code. if (authentication_failed)
{
pfilter_notify(1, fd);
}
void
pfilter_notify(int a, int fd)
{
if (blstate == NULL)
blstate = blacklist_open();
if (blstate == NULL)
return;
(void)blacklist_r(blstate, a, fd, "smtpd");
if (a == 0) {
blacklist_close(blstate);
blstate = NULL;
}
} However, the reason I gave up once is, it requires file desctiptor to get client's IP address to block but sesman doesn't have file desctiptor of client's connection. In addition, xrdp process doesn't know authentication result. When file descriptor is passed to sesman or authentication result is notified to xrdp process, I can go on blacklistd again. |
Beta Was this translation helpful? Give feedback.
-
Hey there, been a while since the last message in here. Right now I have the "funny" job to make a first login manually for round about 1300 accounts so they can use xrdp afterwards ... which of course focuses my interest the more on the redesign of the authentication architecture. Any news on this? I don't know if there is anything I can do to help, but if there is something, please let me know ;-) |
Beta Was this translation helpful? Give feedback.
-
It's happening, but it won't be quick I'm afraid. There's quite a bit to do! I've made a start with #2011, which gets us to a place where we can make the required changes to the SCP protocol. I want to get that step in in the next month or so. This logging-in you mention sounds somewhat time-consuming. Surely it must be possible to automate some of it? |
Beta Was this translation helpful? Give feedback.
-
One of the main drivers behind the authentication redesign is to allow passwords to be changed. So that should work OK when it's done, as you can set an expired password for the user. I'm not at all clear why this won't work:-
If you've got PAM set up correctly, the homedirs should be created anyway unless you're running an ancient version of xrdp. At least that's my understanding. Does that not happen? |
Beta Was this translation helpful? Give feedback.
-
See also #736 which can be closed when this is implemented. |
Beta Was this translation helpful? Give feedback.
-
I've updated the architectural plan around what I hope is achievable for a first drop of the software- https://github.com/matt335672/xrdp/wiki/Authentication-architecture-redesign Previous versions of the document can be viewed from the history. It's not a massive change from where we are at the moment with xrdp v0.9.x, so it should be achievable relatively quickly with everything else that is going on. I'm still thinking about file descriptors, and in particular about this comment above. Originally UDS was out of the picture, but now not only is it available, but the new SCP gives us a natural API for passing file descriptors about by using the simple D-BUS type 'h' (see here) although this has yet to be implemented. More on this quite a bit later however. |
Beta Was this translation helpful? Give feedback.
-
Hello, I'm using jupyterhub [1] currently and they have a setup that is similar than our setup, and they use only sudo to switch user and all processes does not need to run as root. In particular I use the setup describe in [2]. It may be worth to take a look. Best regards [1] https://jupyterhub.readthedocs.io/en/stable/ |
Beta Was this translation helpful? Give feedback.
-
I've been involved in a few conversations recently which have made it pretty clear that our authentication protocol is difficult to extend in a generalised way to support more modern ways of authenticating.
Purpose of discussion
I'll summarise where we are at the moment, and what the drivers are for change, and then propose a way forward. I don't have all the answers at this stage, so I'd very much like some constructive criticism. In particular:-
Scope
This applies to the general case where both
xrdp
andxrdp-sesman
are involved in creating a new session, or connecting to an old session.At the moment I'm leaving auto session reconnection (see #1443) out-of-scope. I've explained this below.
Current login/reconnection process
xrdp
login boxxrdp-sesman
.xrdp-sesman
uses an authentication module (generally PAM) to authenticate and authorize the user. This happens in the mainxrdp-sesman
process.xrdp
is informed of this, and the whole process ends. The connection betweenxrdp
andxrdp-sesman
is terminated.xrdp-sesman
looks for an existing session for the userxrdp
which then connects to to the session. The connection betweenxrdp
andxrdp-sesman
ends.xrdp-sesman
forks a sub-process. The sub-process starts a PAM session (if appropriate), and then forks the session manager, X server and chansrv as sub-processes.xrdp
informing it of the new session details. The connection betweenxrdp
andxrdp-sesman
ends.xrdp-sesman
removes the session from its list.Observations
xrdp
toxrdp-sesman
has to contain all of the information for logging in.xrdp-sesman
becomes unresponsive until this is corrected.xrdp-sesman
process, we can have problems on systemd-enabled systems where D-BUS is used as part of authentication (see No user session created with xrdp and pam_systemd_home account module #1684). These problems do not apply to other ways of logging in to the system (i.e. viaopenssh
orlightdm
)xrdp
andxrdp-sesman
.Requirements
xrdp
, as a whole system, should support PAM conversations, or (more generally) authentication conversations.xrdp-sesman
process to prevent an existing conversation from preventing normalxrdp-sesman
operation.Why is auto session reconnection out-of-scope?
Auto reconnection is described in [MS-RDPBGR] section 1.3.1.5. This requires a permanent connection between
xrdp
and eitherxrdp-sesman
or the authentication sub-process so that cookie updates can be co-ordinated. In my opinion this will require file descriptors to be passed around, and so will necessitate replacing the existing SCP TCP implementation with something running over Unix Domain Sockets (UDS). We want to do this anyway, but that will be disruptive to the users and isn't necessary to bring into scope here.Rough design
xrdp
andxrdp-sesrun
) need to uselibxrdp
to communicate withxrdp-sesman
rather than implementing their own calls.xrdp-sesman
and the authentication sub-process.xrdp
via thexrdp
file descriptor. The eventual result of this is communicated back up toxrdp-sesman
proper via the additional protocol.xrdp
, thexrdp-sesrun
andxrdp-sesadmin
processes need updating to implement their side of the PAM conversation using the terminal.Beta Was this translation helpful? Give feedback.
All reactions