Feature Request: Support PAM based MFA #1959

Open
MrPippin66 opened this issue Aug 1, 2021 · 6 comments
Comments

@MrPippin66

This is related to issue #676, but I'd like to formally request that XRDP support PAM based MFA in Linux (or other supported Unixes that use PAM).

I realize this is a major code change due to how XRDP currently authenticates.

I think this would mean full authentication would need to occur within "xrdp", instead of credentials being gathered in "xrdp" and passed to "sesman".

@metalefty
Member

The current code can authenticate users with google-authenticator.

@matt335672
Member

Hi @MrPippin66

Yes, this is a major code change but it's starting to look like it's a necessary one.

There are a number of issues which are coming together here, like password change (see #600) and a big issue caused by systemd (#1684). There are other features, like automatic session reconnection, which have been asked for and which I think are related.

As regards your last point, the systemd PAM module introduces an architectural dependency. A process which starts a PAM session must be the same process that was used to authenticate the user (i.e. must have the same PID). At the moment we don't do that, but many other programs which log a user in (e.g. lightdm, openssh) do. We authenticate in sesman, and then call session create (if necessary) in a sub-process. We do it that way as, unlike lightdm and openssh, we have to support users connecting to existing sessions.

The limitation prevents the authentication being done in xrdp. It must be done as a sub-process of sesman.

To support this, I think the following changes are necessary:-

  1. Enhance the middleware between sesman and xrdp to support an exchange of authentication messages, rather than a one-way username/password call.
  2. Move the comms between xrdp and sesman to use Unix Domain Sockets rather than TCP. This is a disruptive change, but I think it is necessary for step 3.
  3. Enhance the middleware between xrdp and sesman to allow file descriptors to be passed around.
  4. Create an authentication process which can use the new features above to authenticate the user using a generic PAM conversation.

Once we get to step 4, we can provide password-change, MFA, session reconnect and (I think) NLA support in a clear and supportable manner.

The big downside is it's a lot of work, and step 2 is going to inconvenience some users.

Feel free to challenge my reasoning above. I'd love to find a less disruptive way to move all of these related issues forward.
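Step 3 of the plan above (passing file descriptors between xrdp and sesman) relies on the SCM_RIGHTS ancillary-data mechanism that only works over Unix domain sockets, which is why step 2 has to come first. The following is an added example, not xrdp code and not in any xrdp branch: a small Python script showing the mechanism on a socketpair, first within one process and then to a forked child that never held the descriptor itself. Function names, the pipe payload and the marker byte are this example's own choices; it needs a Unix system (AF_UNIX, sendmsg/recvmsg, os.fork).

```python
"""Passing an open file descriptor between processes over a Unix domain socket.

Added example, not xrdp code: shows the SCM_RIGHTS mechanism that step 3 of the
plan needs. The kernel duplicates the descriptor into the receiving process, so
the receiver gets a new number that refers to the same open file description.
"""
import array
import os
import socket


def send_fd(sock: socket.socket, fd: int, payload: bytes = b"F") -> None:
    """Send one descriptor as SCM_RIGHTS ancillary data.

    A byte of ordinary data accompanies the control message because some
    systems refuse a message that carries only ancillary data.
    """
    sock.sendmsg([payload],
                 [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]))])


def recv_fd(sock: socket.socket) -> tuple:
    """Receive one descriptor; returns (payload, fd) as seen by this process."""
    fds = array.array("i")
    msg, ancdata, _flags, _addr = sock.recvmsg(64, socket.CMSG_LEN(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            # Only whole int-sized items are descriptors; drop any trailing padding.
            fds.frombytes(data[:len(data) - (len(data) % fds.itemsize)])
    if len(fds) != 1:
        raise RuntimeError("expected exactly one descriptor, got %d" % len(fds))
    return msg, fds[0]


def roundtrip_in_process() -> tuple:
    """Send a pipe's read end across a socketpair inside one process.

    Returns (different_number, same_open_file, data_read) so the relationship
    between the original and the received descriptor can be checked.
    """
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    r, w = os.pipe()
    try:
        os.write(w, b"hello")  # constructed sample payload
        os.close(w)
        send_fd(a, r)
        _, r2 = recv_fd(b)
        st1, st2 = os.fstat(r), os.fstat(r2)
        same_open_file = (st1.st_ino, st1.st_dev) == (st2.st_ino, st2.st_dev)
        data = os.read(r2, 16)
        os.close(r2)
        return r2 != r, same_open_file, data
    finally:
        os.close(r)
        a.close()
        b.close()


def handoff_to_child() -> bytes:
    """Fork a child, hand it a pipe's read end over the socket, get the data back.

    The pipe is created only after the fork, so the child can obtain the
    descriptor solely through the socket, as a separate helper process would.
    """
    parent_end, child_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    pid = os.fork()
    if pid == 0:  # child: never inherited the pipe
        parent_end.close()
        try:
            _, fd = recv_fd(child_end)
            child_end.sendall(os.read(fd, 64))
        finally:
            os._exit(0)
    child_end.close()
    r, w = os.pipe()
    os.write(w, b"session-token-from-parent")  # constructed sample payload
    os.close(w)
    send_fd(parent_end, r)
    os.close(r)  # the parent's copy can go; the child's copy keeps the pipe open
    result = parent_end.recv(64)
    os.waitpid(pid, 0)
    parent_end.close()
    return result


if __name__ == "__main__":
    print(roundtrip_in_process())
    print(handoff_to_child())
```

The second function is the shape that matters for the thread: the process that owns a resource (here a pipe, in xrdp's case the connection to the client) can lend it to an authentication helper that is a separate process, which is what makes it possible to keep the PAM conversation and the PAM session in one PID while still letting users attach to existing sessions.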

@Alvaro1316

Hello Dear @matt335672

Can you help me to configure an XRDP on Ubuntu 20.04 with google authenticator?
I already did these changes

xrdp configuration:

root@xrdp:/etc/pam.d# cat xrdp-sesman
#%PAM-1.0
#@include common-auth
#@include common-account
#@include common-session
#@include common-password
#auth required pam_google_authenticator.so
auth required pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass

restart sshd service or restart docker container and try to login (I tried ubuntu on a docker container)

For login to xrdp: please provide username and then on password box provide password+otp together. Password should be first, then otp from google-authenticator app, together without any space or extra character.

But it is not working

Can you help me?

@matt335672
Member

@Alvaro1316 - great you've decided to look at this as a way to make your system more secure.

I cannot emphasise enough that you really need to understand how this all works. If you don't, you can't have any confidence in the security of your system, particularly not if you've been changing the PAM configuration.

Your file above suggests to me that you could do with improving your knowledge of PAM. A good place to start is The Linux-PAM System Administrators' Guide, although there are other tutorials. Once you've read that, the files in /etc/pam.d should make a lot more sense to you.
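As an aid to reading the PAM configuration quoted above, here is an added example that is not part of the issue, of xrdp, or of Linux-PAM: a small Python model of how a PAM auth stack is evaluated. It models the `required`/`requisite`/`sufficient` control flags and the password hand-off between `pam_google_authenticator.so forward_pass` (which takes the trailing six digits as the OTP and leaves the rest as the shared PAM_AUTHTOK) and `pam_unix.so use_first_pass` (which reuses that token instead of prompting). The two module functions are stubs that compare against constructed sample data; nothing here calls the real libraries, and the evaluator ignores corner cases such as `optional` and the `[value=action]` syntax.

```python
"""Toy model of Linux-PAM auth-stack evaluation (added example, not xrdp code).

Models the control flags required/requisite/sufficient and the PAM_AUTHTOK
hand-off between pam_google_authenticator (forward_pass) and pam_unix
(use_first_pass). Module checks are stubs over constructed sample data.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PAM_SUCCESS, PAM_AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"

# Constructed sample data standing in for /etc/shadow and ~/.google_authenticator.
SAMPLE_PASSWORDS = {"alice": "s3cret"}
SAMPLE_OTP = {"alice": "123456"}  # the code the authenticator app would show now

# The stack as posted in the thread (comment lines omitted) and two variants.
FORWARD_PASS_STACK = """
auth required pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass
"""
NO_FORWARD_STACK = """
auth required pam_google_authenticator.so
auth required pam_unix.so use_first_pass
"""
REQUISITE_STACK = """
auth requisite pam_google_authenticator.so forward_pass
auth required pam_unix.so use_first_pass
"""


@dataclass
class Handle:
    """Subset of the PAM handle: the user, the shared PAM_AUTHTOK item, a log."""
    user: str
    authtok: Optional[str] = None  # what the login box supplied
    log: List[str] = field(default_factory=list)


def pam_google_authenticator(h: Handle, opts: List[str]) -> str:
    """With forward_pass the trailing 6 digits are the OTP and the remainder is
    left in PAM_AUTHTOK for later modules; without it the whole token is the OTP."""
    tok = h.authtok or ""
    if "forward_pass" in opts:
        if len(tok) < 6 or not tok[-6:].isdigit():
            h.log.append("ga: no trailing 6-digit code")
            return PAM_AUTH_ERR
        code, h.authtok = tok[-6:], tok[:-6]
    else:
        code = tok
    ok = SAMPLE_OTP.get(h.user) == code
    h.log.append("ga: otp %s" % ("ok" if ok else "bad"))
    return PAM_SUCCESS if ok else PAM_AUTH_ERR


def pam_unix(h: Handle, opts: List[str]) -> str:
    """With use_first_pass the module reuses PAM_AUTHTOK and never prompts."""
    if h.authtok is None and "use_first_pass" in opts:
        h.log.append("unix: no token to reuse")
        return PAM_AUTH_ERR
    ok = SAMPLE_PASSWORDS.get(h.user) == h.authtok
    h.log.append("unix: password %s" % ("ok" if ok else "bad"))
    return PAM_SUCCESS if ok else PAM_AUTH_ERR


MODULES = {"pam_google_authenticator.so": pam_google_authenticator,
           "pam_unix.so": pam_unix}


def parse_stack(text: str) -> List[Tuple[str, str, List[str]]]:
    """Return the (control, module, options) tuples of the auth lines in a pam.d file."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # '#' starts a comment, so '#%PAM-1.0' is skipped too
        if not line:
            continue
        typ, ctrl, mod, *opts = line.split()
        if typ == "auth":
            stack.append((ctrl, mod, opts))
    return stack


def authenticate(stack, user: str, authtok: str) -> Tuple[str, List[str]]:
    """Evaluate the stack the way pam_authenticate() would; returns (result, log)."""
    h = Handle(user, authtok)
    pending = None  # first failure of a 'required' module, reported only at the end
    for ctrl, mod, opts in stack:
        fn = MODULES.get(mod)
        rc = fn(h, opts) if fn else PAM_AUTH_ERR
        if ctrl == "requisite" and rc != PAM_SUCCESS:
            return rc, h.log  # stop immediately, later modules never run
        if ctrl == "required" and rc != PAM_SUCCESS and pending is None:
            pending = rc  # keep running so an attacker cannot tell which module failed
        if ctrl == "sufficient" and rc == PAM_SUCCESS and pending is None:
            return PAM_SUCCESS, h.log
    return (pending or PAM_SUCCESS), h.log


if __name__ == "__main__":
    for stack, tok in ((FORWARD_PASS_STACK, "s3cret123456"), (NO_FORWARD_STACK, "123456")):
        print(authenticate(parse_stack(stack), "alice", tok))
```

Running it shows why the posted file pairs `forward_pass` with `use_first_pass`: with the commented-out variant (no `forward_pass`) the whole typed string reaches `pam_unix.so`, which then compares the OTP against the Unix password and fails. It also shows the difference between `required` and `requisite`: with two `required` lines both modules run even when the first has already failed, and the user only learns the overall verdict.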

@MrPippin66
Author

@matt335672 Has there been any progress on this? I realize it's a complicated endeavor, but just curious where this stands.

@matt335672
Member

@MrPippin66 - no actual functionality yet I'm afraid. I've been looking at other things.

In my list above the first two items are completed. We've also fleshed out a design. So it's getting there, but progress is pretty slow.
