RFE: Support interactive PAM authentication, for two-factor auth #736
Comments
|
Hallo.. can you please help me to get xrdp authentication with google-authenticator in step by step method. |
|
I understand the importance of multi-factor authentication and I also want to implement it. I need sponsors to work on it. |
|
Actually I am looking for this project to get it done by you asap so that xrdp can move further with respect to security level. |
|
Hallo, Please help me to get out from this issue. Also please help me to integrate google-authenticate with XRDP. Kindly confirm whether its possible or not. If not will look for some other applications. |
|
@brijeshjaiswal DON'T HIJACK OTHER'S ISSUE. |
|
See also #1961 which covers this. |
|
See also #3303 |
Hello!
I would like to request that xrdp's PAM authentication be modified, so that calls to the PAM conversation function (
verify_pam_conv3) cause messages (and prompts) to be displayed to the user over the graphic connection, before the connection to the window manager (Xvnc, xorgxrdp, Xorg, etc.) happens.Use Cases
Here are a pair of use cases:
Our information security group requires that all interactive logins use two-step authentication. Duo has a PAM module (
pam_duo), which takes the username (via thePAM_USERitem) and uses multiple PAM conversations to ask the user which two-step device to use, what their current 6-digit code is, etc.I would like to use
pam_krb51. When it authenticates a user, if the user's Kerberos password has expired, it will force a password-change during the login process. That password-change is performed using a PAM conversation.In both of those cases, the connection would fail, because the way conversations are handled right now assumes that the first conversation message is for a username, and the second message is for a password.
In addition, even the way conversations are handled today causes weird behavior:
I use pam_duo today, with "autopush" turned on. This setting automatically pushes a two-step request to the user's device, or (if the user doesn't have a smart phone) makes a phone call to the user. This works with xrdp, but even in this case pam_duo still uses conversation messages to send messages like "Calling you now…" and "Success! Logging you in". Since xrdp doesn't expect those, it causes pam_duo to log "Conversation failed" warnings.
That is the rationale behind my RFE.
Prerequisites
Before this could be implemented, I think two other enhancements would be needed:
First, RFE: Set PAM_USER and PAM_AUTHTOK before starting authentication #735 has to be implemented. With RFE: Set PAM_USER and PAM_AUTHTOK before starting authentication #735 implemented, basic PAM modules (like pam_unix) will already have the username and password available to them; so the conversation function should only be needed when more information is required (like with two-step), or if a password is wrong.
Second, Pass remote ip address to PAM #392 should also be implemented. This is useful because I know at least one two-step PAM module (Duo's PAM module) which will use the client IP to see if two-step authentication is even necessary.
Once those RFE's could be implemented, I think this could be worked on, but I'm not exactly sure how!
Ideas
The problem is, there would have to be some way for sesman to communicate with the xrdp component that is responsible for graphics at the very start of the session (I'm talking about the component that asks users for username, password, and session type). There would be three types of communication from sesman to the graphics component:
The Graphics Component
I think the graphic component would do something like this:
Sesman authentication side
On the sesman side, in
auth_userpass, I think the behavior would be:auth_info->pamc.appdata_ptrto somehow reference the communications channel to the graphics component. Once RFE: Set PAM_USER and PAM_AUTHTOK before starting authentication #735 is implemented, I don't think theauth_infostruct would be needed anymore.Finally,
verify_pam_convwould have to be changed:PAM_PROMPT_ECHO_ONorPAM_PROMPT_ECHO_OFFtype, send a "Send message and get a reply" communication to the graphics component, wait for a reply from the graphics component, and put the reply into the correspondingpam_response.PAM_ERROR_MSGorPAM_TEXT_INFOtype, send a "Send message without waiting for reply" communication to the graphics component. The correspondingpam_responsewould be empty.Closing
I know virtually nothing about the innards of xrdp (which really shows since I can't really talk about the graphics component). But, I didn't want to be an ass by putting in a one-line enhancement request! I don't know how else I can help, but if you have any questions for me, I'll do my best!
The text was updated successfully, but these errors were encountered: