RFE: Support interactive PAM authentication, for two-factor auth

[akkornel]

Hello!

I would like to request that xrdp's PAM authentication be modified, so that calls to the PAM conversation function (verify_pam_conv3) cause messages (and prompts) to be displayed to the user over the graphic connection, before the connection to the window manager (Xvnc, xorgxrdp, Xorg, etc.) happens.

Use Cases

Here are a pair of use cases:

• Our information security group requires that all interactive logins use two-step authentication. Duo has a PAM module (pam_duo), which takes the username (via the PAM_USER item) and uses multiple PAM conversations to ask the user which two-step device to use, what their current 6-digit code is, etc.

• I would like to use pam_krb51. When it authenticates a user, if the user's Kerberos password has expired, it will force a password-change during the login process. That password-change is performed using a PAM conversation.

In both of those cases, the connection would fail, because the way conversations are handled right now assumes that the first conversation message is for a username, and the second message is for a password.

In addition, even the way conversations are handled today causes weird behavior:

I use pam_duo today, with "autopush" turned on. This setting automatically pushes a two-step request to the user's device, or (if the user doesn't have a smart phone) makes a phone call to the user. This works with xrdp, but even in this case pam_duo still uses conversation messages to send messages like "Calling you now…" and "Success! Logging you in". Since xrdp doesn't expect those, it causes pam_duo to log "Conversation failed" warnings.

That is the rationale behind my RFE.

Prerequisites

Before this could be implemented, I think two other enhancements would be needed:

• First, #735 has to be implemented. With #735 implemented, basic PAM modules (like pam_unix) will already have the username and password available to them; so the conversation function should only be needed when more information is required (like with two-step), or if a password is wrong.

• Second, #392 should also be implemented. This is useful because I know at least one two-step PAM module (Duo's PAM module) which will use the client IP to see if two-step authentication is even necessary.

Once those RFE's could be implemented, I think this could be worked on, but I'm not exactly sure how!

Ideas

The problem is, there would have to be some way for sesman to communicate with the xrdp component that is responsible for graphics at the very start of the session (I'm talking about the component that asks users for username, password, and session type). There would be three types of communication from sesman to the graphics component:

• Send message without waiting for reply. One parameter: The text of the message.
• Send message and get a reply. Two parameters: The text of the message, and weather the reply prompt should be masked.
• Conversation over. No parameters.

The Graphics Component

I think the graphic component would do something like this:

• When the first "Send message…" communication is received, draw a window. The window would have two text boxes, one above the other. The top text box would be 80 columns wide, 24 rows tall, and read-only. The bottom text box (the "input box") would be 1 row tall, 80 columns wide, and would start disabled (greyed out).
• Any time a "Send message…" communication comes in, the received text would be appended to the bottom of the big text box, along with a newline.
• When a "Send message without waiting for reply" message comes in, the input box would not be touched. Once the big text box is updated, the communication is done.
• When a "Send message and get a reply" communication comes in, the input box would be enabled, and focused on (so the cursor starts blinking). If the reply needs to be masked, then all input would be replaced with * (or •) characters. Once a Return/Enter is received, the input box would be disabled again, and its contents cleared. The entered text would be sent back to sesman.
• When the "Conversation over" message is received, if no other messages came in, then do nothing. If other messages were received, then clean up the window and return.

Sesman authentication side

On the sesman side, in auth_userpass, I think the behavior would be:

• At the start, set auth_info->pamc.appdata_ptr to somehow reference the communications channel to the graphics component. Once #735 is implemented, I don't think the auth_info struct would be needed anymore.
• Once pam_authenticate returns, send the "Conversation over" communication to the graphics component.

Finally, verify_pam_conv would have to be changed:

• If a message has the PAM_PROMPT_ECHO_ON or PAM_PROMPT_ECHO_OFF type, send a "Send message and get a reply" communication to the graphics component, wait for a reply from the graphics component, and put the reply into the corresponding pam_response.
• If a message has the PAM_ERROR_MSG or PAM_TEXT_INFO type, send a "Send message without waiting for reply" communication to the graphics component. The corresponding pam_response would be empty.

Closing

I know virtually nothing about the innards of xrdp (which really shows since I can't really talk about the graphics component). But, I didn't want to be an ass by putting in a one-line enhancement request! I don't know how else I can help, but if you have any questions for me, I'll do my best!

[brijeshjaiswal]

Hallo.. can you please help me to get xrdp authentication with google-authenticator in step by step method.

[metalefty]

I understand the importance of multi-factor authentication and I also want to implement it. I need sponsors to work on it.

[brijeshjaiswal]

Actually I am looking for this project to get it done by you asap so that xrdp can move further with respect to security level.

[brijeshjaiswal]

Hallo, I am getting Blue screen after login. Please help me. I am attaching the logs. xrdp.log xrdp-sesman.log

Please help me to get out from this issue. Also please help me to integrate google-authenticate with XRDP. Kindly confirm whether its possible or not. If not will look for some other applications.

[metalefty]

@brijeshjaiswal DON'T HIJACK OTHER'S ISSUE.

[matt335672]

See also #1961 which covers this.