From b0bca1363e9ec9338c805efbcd100b79d10da296 Mon Sep 17 00:00:00 2001
From: Bolke de Bruin
Date: Mon, 17 Aug 2020 08:52:17 +0200
Subject: [PATCH] Add support for token authentication

This feature allows to embed a token in the username field. Tokens are separated from the username by the ASCII field separator character 0x1F (unicode 0x001F).
---
 SECURITY.md | 1 +
 common/xrdp_client_info.h | 2 ++
 libxrdp/xrdp_rdp.c | 4 ++++
 libxrdp/xrdp_sec.c | 14 +++++++++++++-
 xrdp/xrdp.ini.in | 2 ++
 xrdp/xrdp_login_wnd.c | 8 +++++++-
 xrdp/xrdp_types.h | 1 +
 7 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/SECURITY.md b/SECURITY.md
index ae407850..f7416710 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -12,3 +12,4 @@ as possible. Our email eddress for security report is:
 * [xrdp-core@googlegroups.com](mailto:xrdp-core@googlegroups.com)
+
diff --git a/common/xrdp_client_info.h b/common/xrdp_client_info.h
index fa7df6bf..3c43f34f 100644
--- a/common/xrdp_client_info.h
+++ b/common/xrdp_client_info.h
@@ -159,6 +159,8 @@ struct xrdp_client_info
 int use_cache_glyph_v2;
 int rail_enable;
 int suppress_output;
+
+ int enable_token_login;
 };
 #endif
diff --git a/libxrdp/xrdp_rdp.c b/libxrdp/xrdp_rdp.c
index 7950840c..629dd88b 100644
--- a/libxrdp/xrdp_rdp.c
+++ b/libxrdp/xrdp_rdp.c
@@ -144,6 +144,10 @@ xrdp_rdp_read_config(struct xrdp_client_info *client_info)
 {
 client_info->require_credentials = g_text2bool(value);
 }
+ else if (g_strcasecmp(item, "enable_token_login") == 0)
+ {
+ client_info->enable_token_login = g_text2bool(value);
+ }
 else if (g_strcasecmp(item, "use_fastpath") == 0)
 {
 if (g_strcasecmp(value, "output") == 0)
diff --git a/libxrdp/xrdp_sec.c b/libxrdp/xrdp_sec.c
index 4ce0d509..fde6f110 100644
--- a/libxrdp/xrdp_sec.c
+++ b/libxrdp/xrdp_sec.c
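Review bot: The new `enable_token_login` member in the xrdp_client_info.h hunk is added without a comment, and what it switches on (a 0x1F-separated token in the username field being taken as the password, per the commit message and the xrdp_sec.c hunk) is not something a reader of this struct can infer from the name. Suggest a one-line comment above the field such as `/* accept "user<0x1F>token" in the username field and use the token as the password */`, keeping the wording in step with the xrdp.ini.in comment. The struct declaration begins outside this hunk.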
@@ -675,6 +675,7 @@ xrdp_sec_process_logon_info(struct xrdp_sec *self, struct stream *s)
 int len_ip = 0;
 int len_dll = 0;
 char tmpdata[256];
+ const char *sep;
 /* initialize (zero out) local variables */
 g_memset(tmpdata, 0, sizeof(char) * 256);
@@ -808,7 +809,6 @@ xrdp_sec_process_logon_info(struct xrdp_sec *self, struct stream *s)
 {
 return 1;
 }
- DEBUG(("username %s", self->rdp_layer->client_info.username));
 if (flags & RDP_LOGON_AUTO)
 {
@@ -818,6 +818,17 @@ xrdp_sec_process_logon_info(struct xrdp_sec *self, struct stream *s)
 }
 DEBUG(("flag RDP_LOGON_AUTO found"));
 }
+ else if (self->rdp_layer->client_info.enable_token_login
+ && len_user > 0
+ && len_password == 0
+ && (sep = g_strchr(self->rdp_layer->client_info.username, '\x1f')) != NULL)
+ {
+ DEBUG(("Logon token detected"));
+ g_strncpy(self->rdp_layer->client_info.password, sep + 1,
+ sizeof(self->rdp_layer->client_info.password) - 1);
+ self->rdp_layer->client_info.username[sep - self->rdp_layer->client_info.username] = '\0';
+ self->rdp_layer->client_info.rdp_autologin = 1;
+ }
 else
 {
 if (!s_check_rem(s, len_password + 2))
@@ -831,6 +842,7 @@ xrdp_sec_process_logon_info(struct xrdp_sec *self, struct stream *s)
 return 1; /* credentials on cmd line is mandatory */
 }
 }
+ DEBUG(("username %s", self->rdp_layer->client_info.username));
 if (unicode_utf16_in(s, len_program, self->rdp_layer->client_info.program, sizeof(self->rdp_layer->client_info.program) - 1) != 0)
 {
diff --git a/xrdp/xrdp.ini.in b/xrdp/xrdp.ini.in
index f882afd9..b66768f2 100644
--- a/xrdp/xrdp.ini.in
+++ b/xrdp/xrdp.ini.in
@@ -76,6 +76,8 @@ new_cursors=true
 use_fastpath=both
 ; when true, userid/password *must* be passed on cmd line
 #require_credentials=true
+; when true, the userid will be used to try to authenticate
+#enable_token_login=true
 ; You can set the PAM error text in a gateway setup (MAX 256 chars)
 #pamerrortxt=change your password according to policy at http://url
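Review bot: The token branch in the `@@ -818` hunk never consumes the password field from `s`: the sibling else branch starts with `s_check_rem(s, len_password + 2)` and, judging by that check, skips the field and its 2-byte terminator (the skip statement itself is outside the hunk), and the RDP_LOGON_AUTO branch reads it via `unicode_utf16_in`, whereas the new branch leaves the stream untouched, so the `unicode_utf16_in(s, len_program, ...)` call in the following hunk would presumably begin two bytes early whenever a token is used. Giving the token branch the same guard and skip as the else branch keeps the parse aligned: `if (!s_check_rem(s, len_password + 2)) { return 1; }` followed by the skip statement the else branch uses. Separately, `g_strncpy(..., sizeof(self->rdp_layer->client_info.password) - 1)` silently truncates a token longer than the password buffer, which would surface only as a failed logon, so a length check with a log line (or a `return 1`) would make that case diagnosable. xrdp_sec_process_logon_info begins and ends outside this hunk.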
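Review bot: The comment above the new option, `; when true, the userid will be used to try to authenticate`, does not say what the option enables and can be read as username-only authentication. Suggest `; when true, a token placed after an ASCII 0x1F separator in the userid is used as the password`, so a reader of xrdp.ini learns the separator convention the commit message describes.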
diff --git a/xrdp/xrdp_login_wnd.c b/xrdp/xrdp_login_wnd.c
index c09f8002..719eeb53 100644
--- a/xrdp/xrdp_login_wnd.c
+++ b/xrdp/xrdp_login_wnd.c
@@ -1001,6 +1001,11 @@ load_xrdp_config(struct xrdp_config *config, int bpp)
 else if (g_strncmp(n, "allow_multimon", 64) == 0)
 globals->allow_multimon = g_text2bool(v);
+ else if (g_strncmp(n, "enable_token_login", 64) == 0) {
+ log_message(LOG_LEVEL_DEBUG, "Token login detection enabled x");
+ globals->enable_token_login = g_text2bool(v);
+ }
+
 /* login screen values */
 else if (g_strncmp(n, "ls_top_window_bg_color", 64) == 0)
 globals->ls_top_window_bg_color = HCOLOR(bpp, xrdp_wm_htoi(v));
@@ -1109,12 +1114,13 @@ load_xrdp_config(struct xrdp_config *config, int bpp)
 g_writeln("new_cursors: %d", globals->new_cursors);
 g_writeln("nego_sec_layer: %d", globals->nego_sec_layer);
 g_writeln("allow_multimon: %d", globals->allow_multimon);
+ g_writeln("enable_token_login: %d", globals->enable_token_login)
 g_writeln("ls_top_window_bg_color: %x", globals->ls_top_window_bg_color);
 g_writeln("ls_width: %d", globals->ls_width);
 g_writeln("ls_height: %d", globals->ls_height);
 g_writeln("ls_bg_color: %x", globals->ls_bg_color);
- g_writeln("ls_title: %s", globals->ls_title);
+ g_writeln("ls_title: %s", globals->ls_title);
 g_writeln("ls_logo_filename: %s", globals->ls_logo_filename);
 g_writeln("ls_logo_x_pos: %d", globals->ls_logo_x_pos);
 g_writeln("ls_logo_y_pos: %d", globals->ls_logo_y_pos);
diff --git a/xrdp/xrdp_types.h b/xrdp/xrdp_types.h
index b0c8b559..6faecd9e 100644
--- a/xrdp/xrdp_types.h
+++ b/xrdp/xrdp_types.h
@@ -566,6 +566,7 @@ struct xrdp_cfg_globals
 int new_cursors;
 int nego_sec_layer;
 int allow_multimon;
+ int enable_token_login;
 /* colors */
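Review bot: The added `log_message(LOG_LEVEL_DEBUG, "Token login detection enabled x")` in the `@@ -1001` hunk has a stray trailing `x` and fires whenever the key is present, before the value is parsed, so it also reports "enabled" for `enable_token_login=false`; logging the parsed value after the assignment, `log_message(LOG_LEVEL_DEBUG, "enable_token_login: %d", globals->enable_token_login);`, would state something true. The branch is also written `else if (...) {` with the brace on the same line, whereas the neighbouring branches in this chain are single unbraced statements and the other C hunks in this patch put the opening brace on its own line. Within this patch `globals->enable_token_login` is only assigned here and printed in the dump hunk below, while libxrdp reads the same key into `client_info` in xrdp_rdp.c; if nothing else consumes the globals copy, this branch may be redundant, which is worth confirming. load_xrdp_config begins and ends outside this hunk.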
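Review bot: The added `g_writeln("enable_token_login: %d", globals->enable_token_login)` in the `@@ -1109` hunk lacks its terminating semicolon, so this hunk as written will not compile (every neighbouring g_writeln call ends in `;`, which makes a statement-supplying macro unlikely); it should read `g_writeln("enable_token_login: %d", globals->enable_token_login);`. The `ls_title` line is removed and re-added with what appears to be only a whitespace difference, which could be dropped to keep the diff to the feature. load_xrdp_config begins and ends outside this hunk.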