mcdope / pam_usb

Hardware authentication for Linux using ordinary flash media (USB & Card based).
GNU General Public License v2.0

[Local check] Detect if vnc and teamviewer process(es) have incoming connections #202

Open mcdope opened 1 year ago

mcdope commented 1 year ago
Sorry for the delay. Kinda as suspected, neither xvnc nor TeamViewer sessions will show any sign of a remote connection. They pretty much just capture the screen and inject keyboard/mouse events, simulating a local user. On the other hand I think it exposed an error in a script somewhere:
[src/local.c:344]       Trying to get tty by loginctl
sh: 1: Syntax error: "(" unexpected

As far as TeamViewer and VNC go, there doesn't seem to be any way to detect an active incoming TeamViewer or VNC connection short of checking active. ss -tnp for example will show a line users:(("TeamViewer_Desk",pid=406339,fd=14)) when there is an active incoming connection.

Full output from Konsole via an established TeamViewer console (looks the same on xvnc):

username@testvm:~$ pamusb-check --debug username
* Authentication request for user "username" (pamusb-check)
[src/local.c:227] Checking whether the caller (pamusb-check) is local or not...
[src/local.c:238]       Checking pid 405205 (pamusb-check)...
[src/local.c:238]       Checking pid 405177 (/bin/bash)...
[src/local.c:238]       Checking pid 405156 (konsole)...
[src/local.c:238]       Checking pid   1555 (/lib/systemd/systemd)...
[src/local.c:238]       Checking pid      1 (/sbin/init)...
[src/local.c:296]       Using DISPLAY :0 for utmp search
[src/local.c:050]       No utmp entry found for tty ":0"
[src/local.c:312]       Trying to get tty from display server
[src/local.c:322]               Failed, no result while trying to get TTY from display server
[src/local.c:327]       Trying to get tty by DISPLAY
[src/local.c:335]               Failed, no result while searching utmp for display :0 owned by user username
[src/local.c:344]       Trying to get tty by loginctl
sh: 1: Syntax error: "(" unexpected
[src/local.c:214]               'loginctl' returned nothing.'
[src/local.c:355]               Failed, no result while searching utmp for tty (null)
[src/local.c:367]       Fallback: Using TTY /dev/pts/1 from ttyname() for search
[src/local.c:053]               utmp entry for tty "pts/1" found
[src/local.c:054]                       utmp->ut_pid: 405177
[src/local.c:055]                       utmp->ut_user: username
[src/local.c:071]               Checking utmp->ut_addr_v6[0]
[src/local.c:071]               Checking utmp->ut_addr_v6[1]
[src/local.c:071]               Checking utmp->ut_addr_v6[2]
[src/local.c:071]               Checking utmp->ut_addr_v6[3]
[src/local.c:075]       utmp check successful, request originates from a local source!
[src/local.c:374] No remote access detected, seems to be local request - allowing.
[src/device.c:038] Searching for "KeychainDrive" in the hardware database...
* Authentication device "KeychainDrive" is connected.
[src/device.c:100] One time pad is disabled, no more verifications to do.
* Access granted.

...and output from w (also the same for TeamViewer and VNC):

USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
username tty1     :0               17:54    6:00  16.87s  0.26s /usr/bin/startplasma-x11
username pts/0    :0               17:54    6:00   0.00s  1.67s /usr/bin/kded5
username pts/1    :0               17:55    0.00s  0.02s  0.01s w
username tty2     -                17:54    6:00   0.05s  0.03s -bash

_Originally posted by @steelsnake in https://github.com/mcdope/pam_usb/discussions/124#discussioncomment-5434844_

mcdope commented 2 months ago

TeamViewer does not provide a way to check for active connections, except in the GUI which is obv not an option.

So for TV we are left with either parsing logs, or checking for active connections to the process - both not reliable enough.

mcdope commented 2 months ago

xrdp can be detected via envvars

mcdope commented 2 months ago

For gnome-remote-desktop it seems there is also no way to check for incoming connections

For VNC: too many different servers

Maybe really the best to build a list of process names, check if they run, and if they run: check them for incoming connections. Could lead to some FPs though I guess.

To check via proc:

mcdope commented 2 months ago

Active TeamViewer connections result in a process that does not exist without a connection established

ss -ntp | grep TeamViewer
ESTAB 0      0          127.0.0.1:47192       127.0.0.1:5939  users:(("TeamViewer",pid=93958,fd=44))      
ESTAB 0      0          127.0.0.1:50652       127.0.0.1:5939  users:(("TeamViewer_Desk",pid=103648,fd=14))

mcdope commented 2 months ago

gnome-remote-desktop in VNC mode can also be detected that way, doesn't work in RDP though

ESTAB 0 21128 [::ffff:192.168.1.101]:5900 [::ffff:192.168.1.103]:46328 users:(("gnome-remote-de",pid=38390,fd=58))
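
The approach discussed in this thread (a list of process names, checked for established connections in `ss -ntp` output), as an added example; it is not code from pam_usb or from any commenter. The watch list and function names are assumptions, and the fourth sample line is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Assumed watch list: names as ss prints them. Linux truncates the process
 * name (comm) to 15 characters, hence "gnome-remote-de" in the thread. */
static const char *WATCHED[] = { "TeamViewer_Desk", "gnome-remote-de" };
#define NWATCHED (sizeof WATCHED / sizeof WATCHED[0])

/* Lines 1-3 are the ss output quoted in this thread; line 4 is constructed. */
static const char SAMPLE[] =
    "ESTAB 0 0 127.0.0.1:47192 127.0.0.1:5939 users:((\"TeamViewer\",pid=93958,fd=44))\n"
    "ESTAB 0 0 127.0.0.1:50652 127.0.0.1:5939 users:((\"TeamViewer_Desk\",pid=103648,fd=14))\n"
    "ESTAB 0 21128 [::ffff:192.168.1.101]:5900 [::ffff:192.168.1.103]:46328 users:((\"gnome-remote-de\",pid=38390,fd=58))\n"
    "LISTEN 0 5 *:5900 *:* users:((\"gnome-remote-de\",pid=38390,fd=57))\n";

/* 1 if the line is an ESTAB socket owned by a watched process. Names are
 * compared exactly, so "TeamViewer" does not match "TeamViewer_Desk". */
int line_is_remote_session(const char *line)
{
    if (strncmp(line, "ESTAB", 5) != 0) return 0;
    const char *p = strstr(line, "users:(");
    /* The users column may list several owners: ("a",pid=..),("b",pid=..) */
    while (p && (p = strstr(p, "(\"")) != NULL) {
        p += 2;
        size_t len = strcspn(p, "\"");
        for (size_t i = 0; i < NWATCHED; i++)
            if (strlen(WATCHED[i]) == len && strncmp(p, WATCHED[i], len) == 0)
                return 1;
        p += len;
    }
    return 0;
}

/* Count matching lines in a newline-separated ss capture. Lines longer than
 * the buffer are truncated, which can only cause a miss, never a false hit. */
int count_remote_sessions(const char *ss_output)
{
    int hits = 0;
    char buf[512];
    while (*ss_output) {
        size_t n = strcspn(ss_output, "\n");
        size_t c = n < sizeof buf - 1 ? n : sizeof buf - 1;
        memcpy(buf, ss_output, c);
        buf[c] = '\0';
        hits += line_is_remote_session(buf);
        ss_output += n + (ss_output[n] == '\n');
    }
    return hits;
}

int main(void)
{
    printf("remote-session sockets: %d\n", count_remote_sessions(SAMPLE));
    return 0;
}
```

The owner column is only populated for other users' processes when `ss` runs with sufficient privileges, so a check like this run unprivileged can miss a session owned by another account.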

mcdope commented 1 month ago

Hmpf, I don't get x11vnc working to test it...