Add support for token authentication

This feature allows to embed a token in the username field. Tokens are separated from the username by the ASCII field separator character 0x1F (unicode 0x001F).
2020-08-17 08:52:17 +02:00 · 2020-08-17 08:52:17 +02:00 · b0bca1363e
parent e89f124afe
commit b0bca1363e
7 changed files with 30 additions and 2 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@ -12,3 +12,4 @@ as possible.
 Our email eddress for security report is:

 * [xrdp-core@googlegroups.com](mailto:xrdp-core@googlegroups.com)
+
--- a/common/xrdp_client_info.h
+++ b/common/xrdp_client_info.h
@ -159,6 +159,8 @@ struct xrdp_client_info
  int use_cache_glyph_v2;
  int rail_enable;
  int suppress_output;
+
+  int enable_token_login;
 };

 #endif
--- a/libxrdp/xrdp_rdp.c
+++ b/libxrdp/xrdp_rdp.c
@ -144,6 +144,10 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
        {
            client_info->require_credentials = g_text2bool(value);
        }
+        else if (g_strcasecmp(item, "enable_token_login") == 0)
+        {
+            client_info->enable_token_login = g_text2bool(value);
+        }
        else if (g_strcasecmp(item, "use_fastpath") == 0)
        {
            if (g_strcasecmp(value, "output") == 0)
--- a/libxrdp/xrdp_sec.c
+++ b/libxrdp/xrdp_sec.c
@ -675,6 +675,7 @@ xrdp_sec_process_logon_info(struct xrdp_sec *self, struct stream *s)
    int len_ip = 0;
    int len_dll = 0;
    char tmpdata[256];
+    const char *sep;

    /* initialize (zero out) local variables */
    g_memset(tmpdata, 0, sizeof(char) * 256);
@ -808,7 +809,6 @@ xrdp_sec_process_logon_info(struct xrdp_sec *self, struct stream *s)
    {
        return 1;
    }
-    DEBUG(("username %s", self->rdp_layer->client_info.username));

    if (flags & RDP_LOGON_AUTO)
    {
@ -818,6 +818,17 @@ xrdp_sec_process_logon_info(struct xrdp_sec *self, struct stream *s)
        }
        DEBUG(("flag RDP_LOGON_AUTO found"));
    }
+    else if (self->rdp_layer->client_info.enable_token_login
+             && len_user > 0
+             && len_password == 0
+             && (sep = g_strchr(self->rdp_layer->client_info.username, '\x1f')) != NULL)
+    {
+        DEBUG(("Logon token detected"));
+        g_strncpy(self->rdp_layer->client_info.password, sep + 1,
+                  sizeof(self->rdp_layer->client_info.password) - 1);
+        self->rdp_layer->client_info.username[sep - self->rdp_layer->client_info.username] = '\0';
+        self->rdp_layer->client_info.rdp_autologin = 1;
+    }
    else
    {
        if (!s_check_rem(s, len_password + 2))
@ -831,6 +842,7 @@ xrdp_sec_process_logon_info(struct xrdp_sec *self, struct stream *s)
            return 1; /* credentials on cmd line is mandatory */
        }
    }
+    DEBUG(("username %s", self->rdp_layer->client_info.username));

    if (unicode_utf16_in(s, len_program, self->rdp_layer->client_info.program, sizeof(self->rdp_layer->client_info.program) - 1) != 0)
    {
--- a/xrdp/xrdp.ini.in
+++ b/xrdp/xrdp.ini.in
@ -76,6 +76,8 @@ new_cursors=true
 use_fastpath=both
 ; when true, userid/password *must* be passed on cmd line
 #require_credentials=true
+; when true, the userid will be used to try to authenticate
+#enable_token_login=true
 ; You can set the PAM error text in a gateway setup (MAX 256 chars)
 #pamerrortxt=change your password according to policy at http://url

--- a/xrdp/xrdp_login_wnd.c
+++ b/xrdp/xrdp_login_wnd.c
@ -1001,6 +1001,11 @@ load_xrdp_config(struct xrdp_config *config, int bpp)
        else if (g_strncmp(n, "allow_multimon", 64) == 0)
            globals->allow_multimon = g_text2bool(v);

+        else if (g_strncmp(n, "enable_token_login", 64) == 0) {
+            log_message(LOG_LEVEL_DEBUG, "Token login detection enabled x");
+            globals->enable_token_login = g_text2bool(v);
+        }
+
        /* login screen values */
        else if (g_strncmp(n, "ls_top_window_bg_color", 64) == 0)
            globals->ls_top_window_bg_color = HCOLOR(bpp, xrdp_wm_htoi(v));
@ -1109,12 +1114,13 @@ load_xrdp_config(struct xrdp_config *config, int bpp)
    g_writeln("new_cursors:             %d", globals->new_cursors);
    g_writeln("nego_sec_layer:          %d", globals->nego_sec_layer);
    g_writeln("allow_multimon:          %d", globals->allow_multimon);
+    g_writeln("enable_token_login:      %d", globals->enable_token_login)

    g_writeln("ls_top_window_bg_color:  %x", globals->ls_top_window_bg_color);
    g_writeln("ls_width:                %d", globals->ls_width);
    g_writeln("ls_height:               %d", globals->ls_height);
    g_writeln("ls_bg_color:             %x", globals->ls_bg_color);
-    g_writeln("ls_title:            %s", globals->ls_title);
+    g_writeln("ls_title:                %s", globals->ls_title);
    g_writeln("ls_logo_filename:        %s", globals->ls_logo_filename);
    g_writeln("ls_logo_x_pos:           %d", globals->ls_logo_x_pos);
    g_writeln("ls_logo_y_pos:           %d", globals->ls_logo_y_pos);
--- a/xrdp/xrdp_types.h
+++ b/xrdp/xrdp_types.h
@ -566,6 +566,7 @@ struct xrdp_cfg_globals
    int  new_cursors;
    int  nego_sec_layer;
    int  allow_multimon;
+    int  enable_token_login;

    /* colors */