neutrinolabs / xrdp

xrdp: an open source RDP server
http://www.xrdp.org/
Apache License 2.0

Login bypasses FreeIPA OTP #676

Open Kaydub00 opened 7 years ago

Kaydub00 commented 7 years ago

I have authentication set up to use FreeIPA. When a user has no OTP token they can log in to xrdp fine with their FreeIPA credentials. Once an OTP token is added and OTP is turned on in FreeIPA, XRDP login no longer works for that user.

I believe this is because there's a pre-authentication, and then on other applications, like SSH, a second prompt is given asking for the second factor (OTP token). XRDP just gets a failed login.

metalefty commented 7 years ago

Currently, xrdp doesn't support multi-factor authentication. We know some people want to do MFA. We need to manage it someday.

Kaydub00 commented 7 years ago

I believe we got this working where xrdp would accept the password as password + otp. We reconfigured /etc/pam.d/xrdp-sesman and now it works with password + otp.

MarcoJankowski commented 7 years ago

@Kaydub00 , can you paste your xrdp-sesman pam configuration?

corrjo commented 6 years ago

@Kaydub00, can you give some insight on how you accomplished this?

jenningsloy318 commented 5 years ago

@Kaydub00 can you share some details about your PAM config?

Kaydub00 commented 4 years ago

@MarcoJankowski @corrjo @jenningsloy318 I'm reaching out to the company I worked for where I had to set this up. Going to see if I can get the details. If any of you three figured it out, please post it here!

shaneforsythe commented 4 years ago

@MarcoJankowski @corrjo @jenningsloy318 @Kaydub00

I have now FINALLY found a solution to this. Append this to your /etc/sssd/sssd.conf:

[prompting/2fa/xrdp-sesman]
single_prompt = True

See this sssd discussion (initially only sshd was hardcoded in sssd to allow combining password+OTP): https://bugzilla.redhat.com/show_bug.cgi?id=1402056
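One way to apply and verify the setting above, as an added example that is not code from this issue, the xrdp project, or sssd: a small bash script that reads the INI-style sssd.conf, reports whether single_prompt is enabled for the xrdp-sesman PAM service, and appends the [prompting/2fa/xrdp-sesman] section only when it is absent. It assumes the PAM service xrdp uses is named xrdp-sesman (the file /etc/pam.d/xrdp-sesman), runs its demonstration against a constructed sssd.conf in a temporary file rather than the live one, and the helper names ini_get, ini_has_section, single_prompt_enabled and ensure_single_prompt are the example's own.

```shell
#!/usr/bin/env bash
# Added example, not code from the xrdp project, the issue, or sssd.
# Checks for, and if absent appends, the SSSD per-service prompting section
# that lets xrdp-sesman accept "password followed by OTP" in a single field.
# Assumption: the PAM service name xrdp uses is xrdp-sesman.

SECTION='prompting/2fa/xrdp-sesman'

# ini_get FILE SECTION KEY: print KEY's value from [SECTION] in an INI-style
# file laid out like sssd.conf; print nothing if section or key is missing.
ini_get() {
    local file=$1 section=$2 key=$3
    awk -v sec="[$section]" -v key="$key" '
        { line = $0; sub(/^[[:space:]]+/, "", line); sub(/[[:space:]]+$/, "", line) }
        line ~ /^\[/ { in_sec = (line == sec); next }     # section header
        !in_sec || line ~ /^[#;]/ || line == "" { next }  # other section, comment, blank
        {
            k = line; sub(/[[:space:]]*=.*$/, "", k)      # text before "="
            if (k == key) {
                v = line; sub(/^[^=]*=[[:space:]]*/, "", v)
                print v; exit
            }
        }' "$file"
}

# ini_has_section FILE SECTION: succeed if the [SECTION] header line exists.
ini_has_section() {
    grep -q -x -F "[$2]" "$1"
}

# single_prompt_enabled FILE: succeed if single_prompt is true for xrdp-sesman.
# sssd parses booleans case-insensitively, so True/true/TRUE all count.
single_prompt_enabled() {
    local v
    v=$(ini_get "$1" "$SECTION" single_prompt | tr '[:upper:]' '[:lower:]')
    [ "$v" = "true" ]
}

# ensure_single_prompt FILE: idempotently add the section. A file that already
# carries the section with another value is left alone and reported, so a
# deliberate "single_prompt = False" is never silently overridden.
ensure_single_prompt() {
    local file=$1
    if single_prompt_enabled "$file"; then
        return 0
    fi
    if ini_has_section "$file" "$SECTION"; then
        echo "[$SECTION] exists in $file but single_prompt is not true; edit it by hand" >&2
        return 1
    fi
    printf '\n[%s]\nsingle_prompt = True\n' "$SECTION" >> "$file"
}

# Demonstration on a constructed sssd.conf in a temp file, not the live one.
demo() {
    local tmp
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
[sssd]
services = nss, pam
domains = ipa.example.test

[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
EOF
    single_prompt_enabled "$tmp" || echo "before: single_prompt not set for xrdp-sesman"
    ensure_single_prompt "$tmp"
    ensure_single_prompt "$tmp"   # second run is a no-op
    single_prompt_enabled "$tmp" && echo "after: single_prompt = $(ini_get "$tmp" "$SECTION" single_prompt)"
    rm -f "$tmp"
}
demo
```

Against the real system, run ensure_single_prompt /etc/sssd/sssd.conf as root and then restart sssd (systemctl restart sssd), since sssd reads its configuration at startup; keep the file owned by root with mode 0600, because sssd refuses to start on a world-readable sssd.conf. The section name must match the PAM service name that xrdp-sesman actually authenticates through, and the sssd in use must be one whose sssd.conf(5) documents the [prompting/2fa/<service>] subsection. With single_prompt on, the user types the password immediately followed by the OTP in the one xrdp password field.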

jenningsloy318 commented 4 years ago

Thanks, I will check in our env