MaxLoginRetry for xrdp-sesman effectively broken #1739
Comments
matt335672
added a commit
to matt335672/xrdp
that referenced
this issue
Dec 14, 2022
Update sesman to cope with separate authentication/authorization (AA) and command processing. Also, internally users are now tracked by UID rather thn username. This addresses a problem found by some users using federated naming services (e.g. Active Directory) where the same user can be referred to in more than one way. See neutrinolabs#1823 The separation of AA in this way allows for multiple attempts to be made on one connection to get a password right. This addresses MaxLoginRetry not working (neutrinolabs#1739)
matt335672
added a commit
to matt335672/xrdp
that referenced
this issue
Dec 14, 2022
Update sesman to cope with separate authentication/authorization (AA) and command processing. Also, internally users are now tracked by UID rather thn username. This addresses a problem found by some users using federated naming services (e.g. Active Directory) where the same user can be referred to in more than one way. See neutrinolabs#1823 The separation of AA in this way allows for multiple attempts to be made on one connection to get a password right. This addresses MaxLoginRetry not working (neutrinolabs#1739)
matt335672
added a commit
to matt335672/xrdp
that referenced
this issue
Dec 15, 2022
Update sesman to cope with separate authentication/authorization (AA) and command processing. Also, internally users are now tracked by UID rather thn username. This addresses a problem found by some users using federated naming services (e.g. Active Directory) where the same user can be referred to in more than one way. See neutrinolabs#1823 The separation of AA in this way allows for multiple attempts to be made on one connection to get a password right. This addresses MaxLoginRetry not working (neutrinolabs#1739)
matt335672
added a commit
to matt335672/xrdp
that referenced
this issue
Dec 22, 2022
Update sesman to cope with separate authentication/authorization (AA) and command processing. Also, internally users are now tracked by UID rather thn username. This addresses a problem found by some users using federated naming services (e.g. Active Directory) where the same user can be referred to in more than one way. See neutrinolabs#1823 The separation of AA in this way allows for multiple attempts to be made on one connection to get a password right. This addresses MaxLoginRetry not working (neutrinolabs#1739)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Issue description
The MaxLoginRetry parameter in /etc/xrdp/sesman.ini is effectively broken. Attackers can make an infinite number of login attempts in a single session because they are never disconnected.
Observed on Ubuntu 20.04 with:
Steps to reproduce the issue
What's the expected result?
xrdp sessions should be disconnected after ${MaxLoginRetry} failed logins.
What's the actual result?
Sessions are never disconnected, regardless of the number of failed attempts.
Additional Details
Discussion in the xrdp-questions gitter:
https://gitter.im/neutrinolabs/xrdp-questions?at=5fbce7610451324f15318c90
The text was updated successfully, but these errors were encountered: