diff --git a/sesman/libscp/libscp_session.c b/sesman/libscp/libscp_session.c index 8ac94d25..5c2a12a3 100644 --- a/sesman/libscp/libscp_session.c +++ b/sesman/libscp/libscp_session.c @@ -60,6 +60,9 @@ scp_session_set_type(struct SCP_SESSION* s, tui8 type) case SCP_SESSION_TYPE_XRDP: s->type = SCP_SESSION_TYPE_XRDP; break; + case SCP_GW_AUTHENTICATION: + s->type = SCP_GW_AUTHENTICATION; + break; case SCP_SESSION_TYPE_MANAGE: s->type = SCP_SESSION_TYPE_MANAGE; s->mng = (struct SCP_MNG_DATA*)g_malloc(sizeof(struct SCP_MNG_DATA), 1); diff --git a/sesman/libscp/libscp_types.h b/sesman/libscp/libscp_types.h index 7a54545a..e6521741 100644 --- a/sesman/libscp/libscp_types.h +++ b/sesman/libscp/libscp_types.h @@ -42,6 +42,10 @@ #define SCP_SESSION_TYPE_XVNC 0x00 #define SCP_SESSION_TYPE_XRDP 0x01 #define SCP_SESSION_TYPE_MANAGE 0x02 +/* SCP_GW_AUTHENTICATION can be used when XRDP + sesman act as a gateway + * XRDP sends this command to let sesman verify if the user is allowed + * to use the gateway */ +#define SCP_GW_AUTHENTICATION 0x04 #define SCP_ADDRESS_TYPE_IPV4 0x00 #define SCP_ADDRESS_TYPE_IPV6 0x01 diff --git a/sesman/libscp/libscp_v0.c b/sesman/libscp/libscp_v0.c index d46d6afa..e581691f 100644 --- a/sesman/libscp/libscp_v0.c +++ b/sesman/libscp/libscp_v0.c @@ -277,6 +277,42 @@ scp_v0s_accept(struct SCP_CONNECTION* c, struct SCP_SESSION** s, int skipVchk) } } } + if (code == SCP_GW_AUTHENTICATION) + { + /* g_writeln("Command is SCP_GW_AUTHENTICATION"); */ + session = scp_session_create(); + if (0 == session) + { + /* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: network error", __LINE__);*/ + return SCP_SERVER_STATE_INTERNAL_ERR; + } + + scp_session_set_version(session, version); + scp_session_set_type(session, SCP_GW_AUTHENTICATION); + /* reading username */ + in_uint16_be(c->in_s, sz); + buf[sz]='\0'; + in_uint8a(c->in_s, buf, sz); + /* g_writeln("Received user name: %s",buf); */ + if (0 != scp_session_set_username(session, buf)) + { + scp_session_destroy(session); + /* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting username", __LINE__);*/ + return SCP_SERVER_STATE_INTERNAL_ERR; + } + + /* reading password */ + in_uint16_be(c->in_s, sz); + buf[sz]='\0'; + in_uint8a(c->in_s, buf, sz); + /* g_writeln("Received password: %s",buf); */ + if (0 != scp_session_set_password(session, buf)) + { + scp_session_destroy(session); + /* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: error setting password", __LINE__); */ + return SCP_SERVER_STATE_INTERNAL_ERR; + } + } else { log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: sequence error", __LINE__); @@ -315,8 +351,8 @@ scp_v0s_deny_connection(struct SCP_CONNECTION* c) out_uint32_be(c->out_s, 0); /* version */ out_uint32_be(c->out_s, 14); /* size */ out_uint16_be(c->out_s, 3); /* cmd */ - out_uint16_be(c->out_s, 0); /* data */ - out_uint16_be(c->out_s, 0); /* data */ + out_uint16_be(c->out_s, 0); /* data = 0 - means NOT ok*/ + out_uint16_be(c->out_s, 0); /* reserved for display number*/ s_mark_end(c->out_s); if (0 != scp_tcp_force_send(c->in_sck, c->out_s->data, c->out_s->end - c->out_s->data)) @@ -328,3 +364,26 @@ scp_v0s_deny_connection(struct SCP_CONNECTION* c) LOG_DBG(s_log, "[v0:%d] connection terminated (denied)", __LINE__); return SCP_SERVER_STATE_OK; } + +/******************************************************************************/ +enum SCP_SERVER_STATES_E +scp_v0s_replyauthentication(struct SCP_CONNECTION* c, unsigned short int value) +{ + out_uint32_be(c->out_s, 0); /* version */ + out_uint32_be(c->out_s, 14); /* size */ + /* cmd SCP_GW_AUTHENTICATION means authentication reply */ + out_uint16_be(c->out_s, SCP_GW_AUTHENTICATION); + out_uint16_be(c->out_s, value); /* reply code */ + out_uint16_be(c->out_s, 0); /* dummy data */ + s_mark_end(c->out_s); + + /* g_writeln("Total number of bytes that will be sent %d",c->out_s->end - c->out_s->data);*/ + if (0 != scp_tcp_force_send(c->in_sck, c->out_s->data, c->out_s->end - c->out_s->data)) + { + /* until syslog merge log_message(s_log, LOG_LEVEL_WARNING, "[v0:%d] connection aborted: network error", __LINE__); */ + return SCP_SERVER_STATE_NETWORK_ERR; + } + + /* until syslog merge LOG_DBG(s_log, "[v0:%d] connection terminated (scp_v0s_deny_authentication)", __LINE__);*/ + return SCP_SERVER_STATE_OK; +} diff --git a/sesman/libscp/libscp_v0.h b/sesman/libscp/libscp_v0.h index 7c6fd4b2..92b835f0 100644 --- a/sesman/libscp/libscp_v0.h +++ b/sesman/libscp/libscp_v0.h @@ -73,5 +73,14 @@ scp_v0s_allow_connection(struct SCP_CONNECTION* c, SCP_DISPLAY d); enum SCP_SERVER_STATES_E scp_v0s_deny_connection(struct SCP_CONNECTION* c); +/** + * @brief send reply to an authentication request + * @param c connection descriptor + * @param value the reply code 0 means ok + * @return + */ +enum SCP_SERVER_STATES_E +scp_v0s_replyauthentication(struct SCP_CONNECTION* c, unsigned short int value); + #endif diff --git a/sesman/scp_v0.c b/sesman/scp_v0.c index 0b4dc791..71b1ffad 100644 --- a/sesman/scp_v0.c +++ b/sesman/scp_v0.c @@ -38,9 +38,28 @@ scp_v0_process(struct SCP_CONNECTION* c, struct SCP_SESSION* s) struct session_item* s_item; data = auth_userpass(s->username, s->password); - - if (data) + if(s->type==SCP_GW_AUTHENTICATION) { + /* this is just authentication in a gateway situation */ + /* g_writeln("SCP_GW_AUTHENTICATION message received"); */ + if(data){ + if (1 == access_login_allowed(s->username)) + { + /* the user is member of the correct groups. */ + scp_v0s_replyauthentication(c,0); + /* g_writeln("Connection allowed"); */ + }else{ + scp_v0s_replyauthentication(c,3); + /* g_writeln("user password ok, but group problem"); */ + } + }else{ + /* g_writeln("username or password error"); */ + scp_v0s_replyauthentication(c,2); + } + auth_end(data); + } + else if (data) + { s_item = session_get_bydata(s->username, s->width, s->height, s->bpp, s->type); if (s_item != 0) { diff --git a/xrdp/xrdp.ini b/xrdp/xrdp.ini index af5f2650..a1da4f04 100644 --- a/xrdp/xrdp.ini +++ b/xrdp/xrdp.ini @@ -6,7 +6,7 @@ port=3389 crypt_level=low channel_code=1 max_bpp=24 -fork=yes +fork=no #black=000000 #grey=d6d3ce #dark_grey=808080 @@ -42,6 +42,9 @@ ip=ask port=ask5900 username=na password=ask +pamusername=asksame +pampassword=asksame +pamsessionmng=127.0.0.1 [xrdp4] name=sesman-any diff --git a/xrdp/xrdp_login_wnd.c b/xrdp/xrdp_login_wnd.c index 2b394837..7065c2ce 100644 --- a/xrdp/xrdp_login_wnd.c +++ b/xrdp/xrdp_login_wnd.c @@ -21,7 +21,7 @@ */ #include "xrdp.h" - +#define ACCESS /*****************************************************************************/ /* all login help screen events go here */ static int DEFAULT_CC @@ -302,7 +302,11 @@ xrdp_wm_show_edits(struct xrdp_wm* self, struct xrdp_bitmap* combo) username_set = 1; } } +#ifdef ACCESS + if ((g_strncmp(name, "password", 255) == 0) || (g_strncmp(name, "pampassword", 255) == 0)) +#else if (g_strncmp(name, "password", 255) == 0) +#endif { b->password_char = '*'; if (username_set) diff --git a/xrdp/xrdp_mm.c b/xrdp/xrdp_mm.c index 223b128b..e7919e9b 100644 --- a/xrdp/xrdp_mm.c +++ b/xrdp/xrdp_mm.c @@ -21,6 +21,7 @@ */ #include "xrdp.h" +#define ACCESS /*****************************************************************************/ struct xrdp_mm* APP_CC @@ -103,6 +104,7 @@ xrdp_mm_delete(struct xrdp_mm* self) } /*****************************************************************************/ +/* Send login information to sesman */ static int APP_CC xrdp_mm_send_login(struct xrdp_mm* self) { @@ -200,6 +202,7 @@ xrdp_mm_send_login(struct xrdp_mm* self) s_mark_end(s); s_pop_layer(s, channel_hdr); + /* Version 0 of the protocol to sesman is currently used by XRDP */ out_uint32_be(s, 0); /* version */ index = (int)(s->end - s->data); out_uint32_be(s, index); /* size */ @@ -743,6 +746,17 @@ xrdp_mm_connect_chansrv(struct xrdp_mm* self, char* ip, char* port) return 0; } +static void cleanup_sesman_connection(struct xrdp_mm* self) +{ + self->delete_sesman_trans = 1; + self->connected_state = 0; + if (self->wm->login_mode != 10) + { + xrdp_wm_set_login_mode(self->wm, 11); + xrdp_mm_module_cleanup(self); + } +} + /*****************************************************************************/ static int APP_CC xrdp_mm_process_login_response(struct xrdp_mm* self, struct stream* s) @@ -790,14 +804,7 @@ xrdp_mm_process_login_response(struct xrdp_mm* self, struct stream* s) xrdp_wm_log_msg(self->wm, "xrdp_mm_process_login_response: " "login failed"); } - self->delete_sesman_trans = 1; - self->connected_state = 0; - if (self->wm->login_mode != 10) - { - xrdp_wm_set_login_mode(self->wm, 11); - xrdp_mm_module_cleanup(self); - } - + cleanup_sesman_connection(self); return rv; } @@ -902,6 +909,7 @@ xrdp_mm_process_channel_data(struct xrdp_mm* self, tbus param1, tbus param2, } /*****************************************************************************/ +/* This is the callback registered for sesman communication replies. */ static int APP_CC xrdp_mm_sesman_data_in(struct trans* trans) { @@ -930,11 +938,14 @@ xrdp_mm_sesman_data_in(struct trans* trans) in_uint16_be(s, code); switch (code) { + /* even when the request is denied the reply will hold 3 as the command. */ case 3: error = xrdp_mm_process_login_response(self, s); break; default: - g_writeln("xrdp_mm_sesman_data_in: unknown code %d", code); + xrdp_wm_log_msg(self->wm, "An undefined reply code was received from sesman"); + g_writeln("Fatal xrdp_mm_sesman_data_in: unknown cmd code %d", code); + cleanup_sesman_connection(self); break; } } @@ -942,6 +953,103 @@ xrdp_mm_sesman_data_in(struct trans* trans) return error; } +#ifdef ACCESS +/*********************************************************************/ +/* return 0 on success */ +int access_control(char *username, char *password, char *srv){ + int reply ; + int rec = 1 ; // failure + struct stream* in_s; + struct stream* out_s; + unsigned long version ; + unsigned short int dummy; + unsigned short int ok; + unsigned short int code; + unsigned long size ; + int index ; + int socket = g_tcp_socket(); + if (socket > 0) { + /* we use a blocking socket here */ + reply = g_tcp_connect(socket, srv, "3350"); + if (reply == 0) + { + g_writeln("Connected to sesman user %s: password %s :srv %s",username, password, srv); + make_stream(in_s); + init_stream(in_s, 500); + make_stream(out_s); + init_stream(out_s, 500); + s_push_layer(out_s, channel_hdr, 8); + out_uint16_be(out_s, 4); /*0x04 means SCP_GW_AUTHENTICATION*/ + index = g_strlen(username); + out_uint16_be(out_s, index); + out_uint8a(out_s, username, index); + + index = g_strlen(password); + out_uint16_be(out_s, index); + out_uint8a(out_s, password, index); + s_mark_end(out_s); + s_pop_layer(out_s, channel_hdr); + out_uint32_be(out_s, 0); /* version */ + index = (int)(out_s->end - out_s->data); + out_uint32_be(out_s, index); /* size */ + /* g_writeln("Number of data to send : %d",index); */ + reply = g_tcp_send(socket, out_s->data, index, 0); + free_stream(out_s); + if (reply > 0) + { + reply = g_tcp_recv(socket, in_s->end, 500, 0); + if (reply > 0) + { + in_s->end = in_s->end + reply ; + in_uint32_be(in_s, version); + /*g_writeln("Version number in reply from sesman: %d",version) ; */ + in_uint32_be(in_s, size); + if((size==14) && (version==0)) + { + in_uint16_be(in_s, code); + in_uint16_be(in_s, ok); + in_uint16_be(in_s, dummy); + if(code!=4) + { + g_writeln("Return cmd code is corrupt"); + } + else + { + rec = ok; /* here we read the reply from the access control */ + /* g_writeln("Valid reply received"); */ + } + } + else + { + g_writeln("corrupt reply size or version from sesman: %d",size); + } + } + else + { + g_writeln("no data received from sesman"); + } + } + else + { + g_writeln("no success sending to sesman"); + } + free_stream(in_s); + g_tcp_close(socket); + } + else + { + g_writeln("failure connecting to socket sesman"); + } + } + else + { + g_writeln("failure creating socket"); + } + //g_free(port); + return rec; +} +#endif + /*****************************************************************************/ int APP_CC xrdp_mm_connect(struct xrdp_mm* self) @@ -950,7 +1058,6 @@ xrdp_mm_connect(struct xrdp_mm* self) struct list* values; int index; int count; - int use_sesman; int ok; int rv; char* name; @@ -960,14 +1067,22 @@ xrdp_mm_connect(struct xrdp_mm* self) char text[256]; char port[8]; char chansrvport[256]; - +#ifdef ACCESS + int use_pam_auth = 0 ; + char pam_auth_sessionIP[256] ; + char pam_auth_password[256]; + char pam_auth_username[256]; + char username[256]; + char password[256]; + username[0] = 0; + password[0] = 0; +#endif g_memset(ip, 0, sizeof(ip)); g_memset(errstr, 0, sizeof(errstr)); g_memset(text, 0, sizeof(text)); g_memset(port, 0, sizeof(port)); g_memset(chansrvport, 0, sizeof(chansrvport)); rv = 0; /* success */ - use_sesman = 0; names = self->login_names; values = self->login_values; count = names->count; @@ -983,25 +1098,82 @@ xrdp_mm_connect(struct xrdp_mm* self) { if (g_strcasecmp(value, "-1") == 0) { - use_sesman = 1; + self->sesman_controlled = 1; } } +#ifdef ACCESS + else if (g_strcasecmp(name, "pamusername") == 0) + { + use_pam_auth = 1; + g_strncpy(pam_auth_username, value, 255); + } + else if (g_strcasecmp(name, "pamsessionmng") == 0) + { + g_strncpy(pam_auth_sessionIP, value, 255); + } + else if (g_strcasecmp(name, "pampassword") == 0) + { + g_strncpy(pam_auth_password, value, 255); + } + else if (g_strcasecmp(name, "password") == 0) + { + g_strncpy(password, value, 255); + } + else if (g_strcasecmp(name, "username") == 0) + { + g_strncpy(username, value, 255); + } +#endif else if (g_strcasecmp(name, "chansrvport") == 0) { g_strncpy(chansrvport, value, 255); self->usechansrv = 1; } } - if (use_sesman) +#ifdef ACCESS + if(use_pam_auth){ + int reply; + char replytxt[80]; + char replymessage[4][80] = {"Ok","Sesman connect failure","User or password error","Privilege group error"}; + xrdp_wm_log_msg(self->wm, "Please wait, we now perform access control..."); + /* g_writeln("we use pam modules to check if we can approve this user"); */ + if(!g_strncmp(pam_auth_username,"same",255)) + { + g_writeln("pamusername copied from username - same: %s",username); + g_strncpy(pam_auth_username,username,255); + } + if(!g_strncmp(pam_auth_password,"same",255)) + { + g_writeln("pam_auth_password copied from username - same: %s",password); + g_strncpy(pam_auth_password,password,255); + } + /* access_control return 0 on success */ + reply = access_control(pam_auth_username, pam_auth_password, pam_auth_sessionIP); + if(reply>=0 && reply<4) + { + g_sprintf(replytxt,"Reply from access control: %s",replymessage[reply]); + } + else + { + g_sprintf(replytxt,"Reply from access control undefined"); + } + xrdp_wm_log_msg(self->wm,replytxt); + if(reply!=0) + { + rv = 1 ; + return rv ; + } + } +#endif + if (self->sesman_controlled) { ok = 0; - errstr[0] = 0; trans_delete(self->sesman_trans); self->sesman_trans = trans_create(TRANS_MODE_TCP, 8192, 8192); xrdp_mm_get_sesman_port(port, sizeof(port)); g_snprintf(text, 255, "connecting to sesman ip %s port %s", ip, port); xrdp_wm_log_msg(self->wm, text); - + /* xrdp_mm_sesman_data_in is the callback that is called when data arrives */ self->sesman_trans->trans_data_in = xrdp_mm_sesman_data_in; self->sesman_trans->header_size = 8; self->sesman_trans->callback_data = self; @@ -1027,6 +1199,8 @@ xrdp_mm_connect(struct xrdp_mm* self) } else { + g_snprintf(errstr, 255, "Failure to connect to sesman: %s port: %s", + ip, port); xrdp_wm_log_msg(self->wm, errstr); trans_delete(self->sesman_trans); self->sesman_trans = 0; @@ -1045,8 +1219,7 @@ xrdp_mm_connect(struct xrdp_mm* self) else { /* connect error */ - g_snprintf(errstr, 255, "Failure to connect to: %s port: %s", - ip, port); + g_snprintf(errstr, 255, "Failure to connect to: %s",ip); xrdp_wm_log_msg(self->wm, errstr); rv = 1 ; /* failure */ } @@ -1057,7 +1230,6 @@ xrdp_mm_connect(struct xrdp_mm* self) xrdp_mm_module_cleanup(self); } } - self->sesman_controlled = use_sesman; if ((self->wm->login_mode == 10) && (self->sesman_controlled == 0) && (self->usechansrv != 0))