Add support for token authentication

This feature allows a token to be embedded in the username field. Tokens
are separated from the username by the ASCII field separator character
0x1F (Unicode 0x001F).
Bolke de Bruin 2020-08-17 08:52:17 +02:00
parent e89f124afe
commit b0bca1363e
7 changed files with 30 additions and 2 deletions


@ -12,3 +12,4 @@ as possible.
Our email eddress for security report is: Our email eddress for security report is:
* [xrdp-core@googlegroups.com](mailto:xrdp-core@googlegroups.com) * [xrdp-core@googlegroups.com](mailto:xrdp-core@googlegroups.com)


@ -159,6 +159,8 @@ struct xrdp_client_info
int use_cache_glyph_v2; int use_cache_glyph_v2;
int rail_enable; int rail_enable;
int suppress_output; int suppress_output;
int enable_token_login;
}; };
#endif #endif


@ -144,6 +144,10 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
{ {
client_info->require_credentials = g_text2bool(value); client_info->require_credentials = g_text2bool(value);
} }
else if (g_strcasecmp(item, "enable_token_login") == 0)
{
client_info->enable_token_login = g_text2bool(value);
}
else if (g_strcasecmp(item, "use_fastpath") == 0) else if (g_strcasecmp(item, "use_fastpath") == 0)
{ {
if (g_strcasecmp(value, "output") == 0) if (g_strcasecmp(value, "output") == 0)


@ -675,6 +675,7 @@ xrdp_sec_process_logon_info(struct xrdp_sec *self, struct stream *s)
int len_ip = 0; int len_ip = 0;
int len_dll = 0; int len_dll = 0;
char tmpdata[256]; char tmpdata[256];
const char *sep;
/* initialize (zero out) local variables */ /* initialize (zero out) local variables */
g_memset(tmpdata, 0, sizeof(char) * 256); g_memset(tmpdata, 0, sizeof(char) * 256);
@ -808,7 +809,6 @@ xrdp_sec_process_logon_info(struct xrdp_sec *self, struct stream *s)
{ {
return 1; return 1;
} }
DEBUG(("username %s", self->rdp_layer->client_info.username));
if (flags & RDP_LOGON_AUTO) if (flags & RDP_LOGON_AUTO)
{ {
@ -818,6 +818,17 @@ xrdp_sec_process_logon_info(struct xrdp_sec *self, struct stream *s)
} }
DEBUG(("flag RDP_LOGON_AUTO found")); DEBUG(("flag RDP_LOGON_AUTO found"));
} }
else if (self->rdp_layer->client_info.enable_token_login
&& len_user > 0
&& len_password == 0
&& (sep = g_strchr(self->rdp_layer->client_info.username, '\x1f')) != NULL)
{
DEBUG(("Logon token detected"));
g_strncpy(self->rdp_layer->client_info.password, sep + 1,
sizeof(self->rdp_layer->client_info.password) - 1);
self->rdp_layer->client_info.username[sep - self->rdp_layer->client_info.username] = '\0';
self->rdp_layer->client_info.rdp_autologin = 1;
}
else else
{ {
if (!s_check_rem(s, len_password + 2)) if (!s_check_rem(s, len_password + 2))
@ -831,6 +842,7 @@ xrdp_sec_process_logon_info(struct xrdp_sec *self, struct stream *s)
return 1; /* credentials on cmd line is mandatory */ return 1; /* credentials on cmd line is mandatory */
} }
} }
DEBUG(("username %s", self->rdp_layer->client_info.username));
if (unicode_utf16_in(s, len_program, self->rdp_layer->client_info.program, sizeof(self->rdp_layer->client_info.program) - 1) != 0) if (unicode_utf16_in(s, len_program, self->rdp_layer->client_info.program, sizeof(self->rdp_layer->client_info.program) - 1) != 0)
{ {
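Review bot: The new token `else if` branch does not consume the password field of the logon info, whereas the `else` branch it now bypasses begins with `s_check_rem(s, len_password + 2)` — the extra two bytes being the UTF-16 terminator that is present even for an empty password. If that `else` branch goes on to skip those bytes (its body is cut off in this hunk), the token branch needs the same skip before control reaches the `len_program` read, otherwise the stream is misaligned for every field that follows; something like `in_uint8s(s, len_password + 2);` after `rdp_autologin = 1;` would keep the two paths in step. Separately, `sep` is declared `const char *` although it points into the writable `username` buffer, which is what forces the `username[sep - username] = '\0'` index arithmetic; declaring it `char *sep` lets the split be written as `*sep = '\0';`. xrdp_sec_process_logon_info starts and ends outside the hunks shown.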


@ -76,6 +76,8 @@ new_cursors=true
use_fastpath=both use_fastpath=both
; when true, userid/password *must* be passed on cmd line ; when true, userid/password *must* be passed on cmd line
#require_credentials=true #require_credentials=true
; when true, the userid will be used to try to authenticate
#enable_token_login=true
; You can set the PAM error text in a gateway setup (MAX 256 chars) ; You can set the PAM error text in a gateway setup (MAX 256 chars)
#pamerrortxt=change your password according to policy at http://url #pamerrortxt=change your password according to policy at http://url
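Review bot: The new comment `; when true, the userid will be used to try to authenticate` does not tell an administrator what the option actually changes — the token format and where the token ends up, which the commit message describes but this file does not. Suggest `; when true, a token may be appended to the username, separated by the ASCII field separator (0x1F); the token is used as the password and autologin is attempted`. This file is the only place a deployer will see the 0x1F convention, so it is worth spelling out here.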


@ -1001,6 +1001,11 @@ load_xrdp_config(struct xrdp_config *config, int bpp)
else if (g_strncmp(n, "allow_multimon", 64) == 0) else if (g_strncmp(n, "allow_multimon", 64) == 0)
globals->allow_multimon = g_text2bool(v); globals->allow_multimon = g_text2bool(v);
else if (g_strncmp(n, "enable_token_login", 64) == 0) {
log_message(LOG_LEVEL_DEBUG, "Token login detection enabled x");
globals->enable_token_login = g_text2bool(v);
}
/* login screen values */ /* login screen values */
else if (g_strncmp(n, "ls_top_window_bg_color", 64) == 0) else if (g_strncmp(n, "ls_top_window_bg_color", 64) == 0)
globals->ls_top_window_bg_color = HCOLOR(bpp, xrdp_wm_htoi(v)); globals->ls_top_window_bg_color = HCOLOR(bpp, xrdp_wm_htoi(v));
@ -1109,12 +1114,13 @@ load_xrdp_config(struct xrdp_config *config, int bpp)
g_writeln("new_cursors: %d", globals->new_cursors); g_writeln("new_cursors: %d", globals->new_cursors);
g_writeln("nego_sec_layer: %d", globals->nego_sec_layer); g_writeln("nego_sec_layer: %d", globals->nego_sec_layer);
g_writeln("allow_multimon: %d", globals->allow_multimon); g_writeln("allow_multimon: %d", globals->allow_multimon);
g_writeln("enable_token_login: %d", globals->enable_token_login)
g_writeln("ls_top_window_bg_color: %x", globals->ls_top_window_bg_color); g_writeln("ls_top_window_bg_color: %x", globals->ls_top_window_bg_color);
g_writeln("ls_width: %d", globals->ls_width); g_writeln("ls_width: %d", globals->ls_width);
g_writeln("ls_height: %d", globals->ls_height); g_writeln("ls_height: %d", globals->ls_height);
g_writeln("ls_bg_color: %x", globals->ls_bg_color); g_writeln("ls_bg_color: %x", globals->ls_bg_color);
g_writeln("ls_title: %s", globals->ls_title); g_writeln("ls_title: %s", globals->ls_title);
g_writeln("ls_logo_filename: %s", globals->ls_logo_filename); g_writeln("ls_logo_filename: %s", globals->ls_logo_filename);
g_writeln("ls_logo_x_pos: %d", globals->ls_logo_x_pos); g_writeln("ls_logo_x_pos: %d", globals->ls_logo_x_pos);
g_writeln("ls_logo_y_pos: %d", globals->ls_logo_y_pos); g_writeln("ls_logo_y_pos: %d", globals->ls_logo_y_pos);
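Review bot: The added `g_writeln("enable_token_login: %d", globals->enable_token_login)` in the second hunk is missing its terminating semicolon, so this file will not compile; it should read `g_writeln("enable_token_login: %d", globals->enable_token_login);`. In the first hunk, `log_message(LOG_LEVEL_DEBUG, "Token login detection enabled x");` runs before the value is parsed, so it reports "enabled" even when the option is set to false, and the message carries a stray trailing `x`; either drop it (the dump below already prints the parsed value) or move it after the assignment and log `globals->enable_token_login`. The `{` placed on the same line as the new `else if` also departs from the brace-free single-statement style of the surrounding chain. load_xrdp_config starts and ends outside the hunks shown.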


@ -566,6 +566,7 @@ struct xrdp_cfg_globals
int new_cursors; int new_cursors;
int nego_sec_layer; int nego_sec_layer;
int allow_multimon; int allow_multimon;
int enable_token_login;
/* colors */ /* colors */