bolkedebruin / rdpgw

Remote Desktop Gateway in Go for deploying on Linux/BSD/Kubernetes
Apache License 2.0

Use local auth #62

Closed archef2000 closed 3 months ago

archef2000 commented 1 year ago

Hello, I'm trying to set up rdpgw via Docker through the provided docker-compose.yaml. My issue is that there is no documentation. And if I try to run rdpgw-auth with sh, exec or entrypoint, it fails to start with the error message "file or directory not found", but the provided file path exists; I can even confirm the file exists via cat, even though it is unreadable because it is a binary.

bolkedebruin commented 1 year ago

rdpgw-auth needs to have PAM available inside the container and, therefore, needs to run as root. Another option is to have sssd available inside the container; root is then not required. For an explanation of how to set that up, please refer to the sssd documentation.

sh is not available inside the standard container, and if using entrypoint you need to be careful in setting it up: ["/opt/bin/rdpgw-auth"].

archef2000 commented 1 year ago

I run it as root in a Debian Docker container that has a user called abc with a password set up.

bolkedebruin commented 1 year ago

I suggest debugging your PAM setup first with a container that runs SSH (with PAM turned on) or something alike. Logs from /var/log/ can be helpful as is your Dockerfile.

archef2000 commented 1 year ago

I run this

useradd -c "abc" -m abc
echo "abc:abc" | chpasswd

cat <<EOT > rdpgw.yaml
Server:
 Authentication:
  - local
 AuthSocket: /tmp/rdpgw-auth.sock
 Tls: auto
 CertFile: /opt/rdpgw/server.pem
 KeyFile: /opt/rdpgw/key.pem
 GatewayAddress: host.tld
 Port: 9443
 Hosts:
  - xrdp:3389
 HostSelection: roundrobin
 SessionKey: amgRRTziC8iDB5L1LgsheFsREUyRVsjS
 SessionEncryptionKey: xQxWCFNNpyopnj6a8Fdn0fir21ps2IRD
 SessionStore: cookie
Caps:
 SmartCardAuth: false
 TokenAuth: false
 IdleTimeout: 10000
 EnablePrinter: true
 EnablePort: true
 EnablePnp: true
 EnableDrive: true
 EnableClipboard: true
Client:
  UsernameTemplate: "{{ username }}\x1f{{ token }}"
  NetworkAutoDetect: 0
  BandwidthAutoDetect: 1
  ConnectionType: 6
  SplitUserDomain: false
Security:
  PAATokenSigningKey: PH2aVB2Rdu1ed2obu30KRTJFAcR3c0VC
  PAATokenEncryptionKey: 5pwGjt2wf3yGs6M4D0TzyFwW48LSz7Y8
  UserTokenEncryptionKey: MKoXaLdeCJ4458QE51yLGDjfSARhvpPq
  EnableUserToken: false
  VerifyClientIp: true
EOT

exec ./rdpgw-auth &
exec ./rdpgw 

inside archef2000/rdpgw, but it is privileged and has sleep 999d as command, and I then exec inside the container.

archef2000 commented 1 year ago

Could you maybe share a full example of a local setup?

archef2000 commented 1 year ago

SSH PAM setup is working. I also set it up on bare-metal Ubuntu with the same config file, but it is not working.

bolkedebruin commented 1 year ago

Please share config (docker pam) and logs (rdp, auth, pam). This isn't much to go on, unfortunately.

archef2000 commented 1 year ago

Sorry for taking a lot of time to answer.

My config:

Server:
 Authentication:
  - local
 AuthSocket: /tmp/rdpgw-auth.sock
 Tls: true
 CertFile: /opt/rdpgw/server.pem
 KeyFile: /opt/rdpgw/key.pem
 GatewayAddress: rdp.domain.tld
 Port: 9443
 Hosts:
  - xrdp:3389
 HostSelection: roundrobin
 SessionKey: secret
 SessionEncryptionKey: secret
 SessionStore: cookie
Caps:
 SmartCardAuth: false
 TokenAuth: false
 IdleTimeout: 10
 EnablePrinter: true
 EnablePort: true
 EnablePnp: true
 EnableDrive: true
 EnableClipboard: true
Client:
  UsernameTemplate: "{{ username }}\x1f{{ token }}"
  NetworkAutoDetect: 0
  BandwidthAutoDetect: 1
  ConnectionType: 6
  SplitUserDomain: false
Security:
  PAATokenSigningKey: secret
  PAATokenEncryptionKey: secret
  UserTokenEncryptionKey: secret
  EnableUserToken: false
  VerifyClientIp: false

As a result I only get an "Identity SessionId: de5ca174-b779-48b1-99f2-27c04786ee61, UserName: : Authenticated: false" when I tick "remember login credentials".

Could you maybe show a complete working example?

archef2000 commented 11 months ago

Could you publish an end-to-end example of a complete Docker PAM local auth rdpgw setup?

ChrisOstler commented 5 months ago

I'm also trying to get a PAM setup. I found that I needed an entry for the PAM service name used by rdpgw-auth (rdpgw by default) in /etc/pam.d/ to get authentication to work. After that I could make HTTP requests to /remoteDesktopGateway/ that passed the auth check and returned an empty document.

archef2000 commented 5 months ago

Is RDP working with PAM? Could you share your PAM entry, please? And, if it is not too much to ask, also your config file and setup/run commands.

ChrisOstler commented 5 months ago

I used the same PAM configuration as for sshd. Other than passing the location of the rdpgw config file (-c rdpgw.yaml), there are no params for running rdpgw and rdpgw-auth. I did generate a cert pair to use for TLS (required for basic auth per comments in the YAML file). The relevant parts of rdpgw.yaml are:

 Authentication: 
  - local
 AuthSocket: /tmp/rdpgw-auth.sock
 Tls: auto
 CertFile: server.pem
 KeyFile: key.pem

All that said, I haven't yet gotten a client to connect. Native MS clients haven't worked and have minimal debugging visibility. Next step is to try with an OS client.
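A pre-flight check for the local (PAM) setup this thread is about, added here as an example and not code from the rdpgw project: it reads a rdpgw.yaml written the way the configs above are, confirms the PAM service file rdpgw-auth needs (rdpgw by default) exists, that the TLS certificate pair basic auth requires is present, and that the session and token keys are 32-character random values rather than placeholders such as secret. The /etc/pam.d path, the 32-character rule and the sample config built in demo() are this example's assumptions.

```python
import os, re, tempfile

# Keys treated as 32-character random secrets, as in the working configs above (assumption).
SECRET_KEYS = ("SessionKey", "SessionEncryptionKey", "PAATokenSigningKey",
               "PAATokenEncryptionKey", "UserTokenEncryptionKey")

def scalar(text, key):
    """Value of the first 'key: value' line (quotes and trailing comment dropped)."""
    m = re.search(r'^\s*%s:\s*"?([^"\n#]*?)"?\s*(#.*)?$' % re.escape(key), text, re.M)
    return m.group(1).strip() if m else None

def list_items(text, key):
    """'- item' lines directly under 'key:' (enough for rdpgw's flat config)."""
    m = re.search(r'^\s*%s:\s*\n((?:[ \t]+-[ \t]*\S[^\n]*\n?)+)' % re.escape(key), text, re.M)
    return [ln.strip()[1:].strip() for ln in m.group(1).splitlines()] if m else []

def check_local_auth(text, pam_dir="/etc/pam.d", pam_service="rdpgw"):
    """Findings for a rdpgw.yaml using local (PAM) auth; [] means nothing found."""
    findings = []
    if "local" not in list_items(text, "Authentication"):
        return findings  # other backends are out of scope here
    # rdpgw-auth authenticates through the PAM service named "rdpgw" by default;
    # without /etc/pam.d/<service> every login is rejected (the fix in the thread).
    pam_file = os.path.join(pam_dir, pam_service)
    if not os.path.isfile(pam_file):
        findings.append("missing PAM service file %s" % pam_file)
    for key in ("CertFile", "KeyFile"):  # basic auth needs TLS, so both must exist
        path = scalar(text, key)
        if not path or not os.path.isfile(path):
            findings.append("%s is not a readable file: %r" % (key, path))
    for key in SECRET_KEYS:  # 'secret' placeholders fail the length/variety test
        val = scalar(text, key) or ""
        if len(val) != 32 or len(set(val)) < 10:
            findings.append("%s must be a 32-character random string" % key)
    return findings

def demo(pam_service_present=True):
    """Run the check on a constructed config in a temp dir (sample data only)."""
    d = tempfile.mkdtemp()
    os.mkdir(os.path.join(d, "pam.d"))
    files = ["server.pem", "key.pem"] + (["pam.d/rdpgw"] if pam_service_present else [])
    for name in files:
        open(os.path.join(d, name), "w").close()
    cfg = ("Server:\n Authentication:\n  - local\n Tls: auto\n CertFile: %s/server.pem\n"
           " KeyFile: %s/key.pem\n SessionKey: secret\n"
           " SessionEncryptionKey: xQxWCFNNpyopnj6a8Fdn0fir21ps2IRD\n"
           " PAATokenSigningKey: PH2aVB2Rdu1ed2obu30KRTJFAcR3c0VC\n"
           " PAATokenEncryptionKey: 5pwGjt2wf3yGs6M4D0TzyFwW48LSz7Y8\n"
           " UserTokenEncryptionKey: MKoXaLdeCJ4458QE51yLGDjfSARhvpPq\n") % (d, d)
    return check_local_auth(cfg, pam_dir=os.path.join(d, "pam.d"))
```

Point check_local_auth() at the real file and /etc/pam.d on the gateway host; an empty list means the prerequisites the thread identifies are in place, which is still not proof that the client can complete the login.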

archef2000 commented 5 months ago

OK, thanks, but the cert must be a valid one for a domain name.

archef2000 commented 5 months ago

@bolkedebruin Run on arm64 bare-metal Ubuntu 22.04. PAM: cloned from sshd to rdpgw-auth. No logs relevant in /var/log: sudo grep -Rnw '/var/log' -e 'rdp'

rdpgw.yaml

Server:
 Authentication:
  - local
 AuthSocket: /tmp/rdpgw-auth.sock
 Tls: auto
 CertFile: ./fullchain.pem
 KeyFile: ./privkey.pem
 GatewayAddress: domain
 Port: 443
 Hosts:
  - 172.173.5.2:3389
 HostSelection: roundrobin
 SessionKey: amgRRTziC8iDB5L1LgsheFsREUyRVsjS
 SessionEncryptionKey: xQxWCFNNpyopnj6a8Fdn0fir21ps2IRD
 SessionStore: cookie
Caps:
 SmartCardAuth: false
 TokenAuth: false
 IdleTimeout: 10
 EnablePrinter: true
 EnablePort: true
 EnablePnp: true
 EnableDrive: true
 EnableClipboard: true
Client:
  UsernameTemplate: "{{ username }}"
  #UsernameTemplate: "{{ username }}\x1f{{ token }}"
  NetworkAutoDetect: 0
  BandwidthAutoDetect: 1
  ConnectionType: 6
  SplitUserDomain: false
Security:
  PAATokenSigningKey: PH2aVB2Rdu1ed2obu30KRTJFAcR3c0VC
  PAATokenEncryptionKey: 5pwGjt2wf3yGs6M4D0TzyFwW48LSz7Y8
  UserTokenEncryptionKey: MKoXaLdeCJ4458QE51yLGDjfSARhvpPq
  EnableUserToken: false
  VerifyClientIp: false

terminal1: sudo ./rdpgw-auth rdpgw.yaml

2024/02/20 16:29:40 Starting auth server on /tmp/rdpgw-auth.sock

terminal2: sudo ./rdpgw rdpgw.yaml

2024/02/20 16:29:51 Cookies are used as session storage
2024/02/20 16:29:51 Starting remote desktop gateway server
2024/02/20 16:29:51 enabling basic authentication

cert generated for domain with certbot

With the official RDP client on Win11: 172.173.5.2:3389 works; 172.173.5.2:3389 with domain as gateway: always prompted for login to domain, with login failed.

No further log messages, and nothing with sudo nc -U :/tmp/rdpgw-auth.sock

archef2000 commented 4 months ago

@bolkedebruin Would you be able to share your setup with PAM auth, as you seem to have got it working?

archef2000 commented 4 months ago

Can I use a reverse proxy in front of it?

bolkedebruin commented 4 months ago

An example PAM authentication is now available in docker-compose-local.yml. Yes, you can use a reverse proxy in front of it (like HAProxy), but it needs to understand the non-standard HTTP operations that the client executes.

xiaonaiquan commented 3 months ago

Did you solve the problem?

archef2000 commented 3 months ago

https://github.com/bolkedebruin/rdpgw/issues/75#issuecomment-2009204233

Apologies, what I probably forgot is that mstsc does not allow basic (non-NTLM) authentication. So your only options are Kerberos or OpenID Connect here. You can use a third-party client, or it might work with the client from the MS Store.