Closed alphabet5 closed 1 year ago
Looks like the default config right now is to just randomly select a host.

```go
// do a round robin selection for now
rand.Seed(time.Now().Unix())
host := c.Hosts[rand.Intn(len(c.Hosts))]
host = strings.Replace(host, "{{ preferred_username }}", userName, 1)
```
Any idea how it would be best to select different hosts? `?host=1.2.3.4%3A3389` maybe?
An example error with the 'any' under hosts:

```
2022/04/22 02:16:59 Client specified host 1.2.3.4:3389 does not match token host 192.168.1.2:3389
2022/04/22 02:16:59 Not allowed to connect to 1.2.3.4:3389 by policy handler
```
I've modified the VerifyServerFunc with

```go
if s.RemoteServer != host && !(Contains(config.Conf.Server.Hosts, "any"))
```

And it seems to work just fine now. However, it looks like 'any' might need to be skipped when choosing the random host to connect to, as 'any' isn't accessible.
Yes, this isn't working as expected or documented :-). The approach I would like to take is to allow specifying a host "pre-download" time, so that it can still be verified keeping certain security guarantees in place.
This has been solved now in master. `hostselection` can now be `roundrobin`, `signed`, `unsigned` or `any`. For your use case you probably want `signed` or `unsigned`.
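As an added illustration (not rdpgw's own code), the two pieces this thread turns on, written out in Go: a host selector that walks the configured list round-robin while skipping the `any` keyword, and the token-host policy check with the `any` exemption. `HostConfig`, `Contains`, `SelectHost` and `VerifyHost` are assumed names, not the project's API.

```go
package main

import (
	"fmt"
	"strings"
	"sync/atomic"
)

// HostConfig mirrors the thread's config: a host list that may contain the
// literal "any" and a {{ preferred_username }} placeholder (assumed shape).
type HostConfig struct {
	Hosts []string
	next  uint64 // round-robin cursor; assumed helper field
}

// Contains reports whether list holds exactly value.
func Contains(list []string, value string) bool {
	for _, v := range list {
		if v == value {
			return true
		}
	}
	return false
}

// SelectHost returns the next host in round-robin order, skipping the "any"
// keyword (it is policy, not a reachable address) and expanding the username.
func (c *HostConfig) SelectHost(userName string) (string, error) {
	var candidates []string
	for _, h := range c.Hosts {
		if h != "any" {
			candidates = append(candidates, h)
		}
	}
	if len(candidates) == 0 {
		return "", fmt.Errorf("no connectable hosts configured")
	}
	i := (atomic.AddUint64(&c.next, 1) - 1) % uint64(len(candidates))
	return strings.Replace(candidates[i], "{{ preferred_username }}", userName, 1), nil
}

// VerifyHost is the policy check from the thread: the requested host must equal
// the token host unless "any" is configured, which then accepts every destination.
func (c *HostConfig) VerifyHost(tokenHost, clientHost string) error {
	if clientHost != tokenHost && !Contains(c.Hosts, "any") {
		return fmt.Errorf("client specified host %s does not match token host %s", clientHost, tokenHost)
	}
	return nil
}
```

Note that once `any` is in the list, the configured hosts no longer limit where the gateway will forward; the check only rejects a mismatch when `any` is absent.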
From the docs it reads like having 'any' in the list of hosts should allow you to modify the rdp file and connect to any host.
Trying this and modifying the rdp file to connect to 10.111.111.101:3389 gives the following error.
Looking at the logs, it's getting blocked because the host does not match the token host 'any'.
If I add in 10.111.111.101:3389 to the list of hosts the .rdp file downloaded seems to be for a random host with 'roundRobin' set to false. When the host is changed to another host that is specified in the configuration file, I still receive the 'not allowed to connect' message.
Example config file:
With that I have a few questions.