bolkedebruin/rdpgw

Use local auth

archef2000 opened this issue · 19 comments

Hello, I'm trying to set up rdpgw via Docker through the provided docker-compose.yaml. My issue is that there is no documentation. And if I try to run rdpgw-auth with sh, exec or entrypoint, it fails to start with the error message "file or directory not found", but the provided file path exists; I can even confirm the file exists via cat, even though it is unreadable because it is a binary.

rdpgw-auth needs to have PAM available inside the container and, therefore, needs to run as root. Another option is to have sssd available inside the container; root is then not required. For how to set that up, please refer to the sssd documentation.

sh is not available inside the standard container and if using entrypoint you need to be careful in setting it up ["/opt/bin/rdpgw-auth"].

I run it as root in a Debian Docker container that has a user called abc with a password set up.

I suggest debugging your PAM setup first with a container that runs SSH (with PAM turned on) or something alike. Logs from /var/log/ can be helpful as is your Dockerfile.

I run this

useradd -c "abc" -m abc
echo "abc:abc" | chpasswd

cat <<EOT > rdpgw.yaml
Server:
 Authentication:
  - local
 AuthSocket: /tmp/rdpgw-auth.sock
 Tls: auto
 CertFile: /opt/rdpgw/server.pem
 KeyFile: /opt/rdpgw/key.pem
 GatewayAddress: host.tld
 Port: 9443
 Hosts:
  - xrdp:3389
 HostSelection: roundrobin
 SessionKey: amgRRTziC8iDB5L1LgsheFsREUyRVsjS
 SessionEncryptionKey: xQxWCFNNpyopnj6a8Fdn0fir21ps2IRD
 SessionStore: cookie
Caps:
 SmartCardAuth: false
 TokenAuth: false
 IdleTimeout: 10000
 EnablePrinter: true
 EnablePort: true
 EnablePnp: true
 EnableDrive: true
 EnableClipboard: true
Client:
  UsernameTemplate: "{{ username }}\x1f{{ token }}"
  NetworkAutoDetect: 0
  BandwidthAutoDetect: 1
  ConnectionType: 6
  SplitUserDomain: false
Security:
  PAATokenSigningKey: PH2aVB2Rdu1ed2obu30KRTJFAcR3c0VC
  PAATokenEncryptionKey: 5pwGjt2wf3yGs6M4D0TzyFwW48LSz7Y8
  UserTokenEncryptionKey: MKoXaLdeCJ4458QE51yLGDjfSARhvpPq
  EnableUserToken: false
  VerifyClientIp: true
EOT

exec ./rdpgw-auth &
exec ./rdpgw 

inside archef2000/rdpgw, but it is privileged and has sleep 999d as command, and I then exec inside the container.

Could you maybe share a full example of a local setup?

SSH PAM setup is working. I also set it up on bare-metal Ubuntu with the same config file, but it is not working.

Please share config (docker pam) and logs (rdp, auth, pam). This isn't much to go on, unfortunately.

Sorry for taking a lot of time to answer.

  • I have a LE cert for a subdomain
  • I have mounted
      - ~/rdpgw.yaml:/opt/rdpgw/rdpgw.yaml:ro
      - ~/privkey.pem:/opt/rdpgw/key.pem:ro
      - ~/fullchain.pem:/opt/rdpgw/server.pem:ro
      - /etc/pam.d/:/etc/pam.d/
      - /etc/shadows:/etc/shadows:ro
      - /etc/passwd:/etc/passwd:ro
  • otherwise I use archef2000/rdpgw:debian as Docker image but have also tried it on bare metal
  • I use the default Windows client to connect to lscr.io/linuxserver/rdesktop:ubuntu-xfce

My config:

Server:
 Authentication:
  - local
 AuthSocket: /tmp/rdpgw-auth.sock
 Tls: true
 CertFile: /opt/rdpgw/server.pem
 KeyFile: /opt/rdpgw/key.pem
 GatewayAddress: rdp.domain.tld
 Port: 9443
 Hosts:
  - xrdp:3389
 HostSelection: roundrobin
 SessionKey: secret
 SessionEncryptionKey: secret
 SessionStore: cookie
Caps:
 SmartCardAuth: false
 TokenAuth: false
 IdleTimeout: 10
 EnablePrinter: true
 EnablePort: true
 EnablePnp: true
 EnableDrive: true
 EnableClipboard: true
Client:
  UsernameTemplate: "{{ username }}\x1f{{ token }}"
  NetworkAutoDetect: 0
  BandwidthAutoDetect: 1
  ConnectionType: 6
  SplitUserDomain: false
Security:
  PAATokenSigningKey: secret
  PAATokenEncryptionKey: secret
  UserTokenEncryptionKey: secret
  EnableUserToken: false
  VerifyClientIp: false

As a result I only get an "Identity SessionId: de5ca174-b779-48b1-99f2-27c04786ee61, UserName: : Authenticated: false" when I tick "remember login credentials".

Could you maybe show a complete working example?

Could you publish an end-to-end example of a complete Docker PAM local-auth rdpgw setup?

I'm also trying to get a PAM setup. I found that I needed an entry for the PAM service name used by rdpgw-auth (rdpgw by default) in /etc/pam.d/ to get authentication to work. After that I could make HTTP requests to /remoteDesktopGateway/ that passed the auth check and returned an empty document.

Is RDP working with PAM?
Could you share your PAM entry, please? And if it is not too much to ask, also your config file and setup/run commands.

I used the same PAM configuration as for sshd. Other than passing the location of the rdpgw config file (-c rdpgw.yaml), there are no params for running rdpgw and rdpgw-auth. I did generate a cert pair to use for TLS (required for basic auth per comments in the YAML file). The relevant parts of rdpgw.yaml are:

 Authentication: 
  - local
 AuthSocket: /tmp/rdpgw-auth.sock
 Tls: auto
 CertFile: server.pem
 KeyFile: key.pem

All that said, I haven't yet gotten a client to connect. Native MS clients haven't worked and have minimal debugging visibility. Next step is to try with an OS client.
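The two comments above come down to the same prerequisites: a PAM service file whose name matches what rdpgw-auth asks PAM for (rdpgw by default), a readable /etc/shadow (hence root, or sssd), and a writable directory for the auth socket. The script below is an added example, not code from the rdpgw project or from anyone in this thread. It writes a minimal pam_unix-based service file and then checks those prerequisites; the directory and file paths are parameters so it can be exercised against a scratch directory, and the service name, PAM module choice and socket location are assumptions taken from this thread rather than from rdpgw's own sources.

```shell
#!/bin/sh
# Added example (not from the rdpgw project): create a PAM service file for
# rdpgw-auth and check what local auth needs. Paths are parameters; on a real
# host or inside the container you would pass /etc/pam.d and /etc/shadow.

# write_pam_service PAMDIR SERVICE
# Writes PAMDIR/SERVICE using pam_unix for the auth and account phases.
# pam_unix reads the shadow file, which is why rdpgw-auth runs as root
# (or you delegate the lookup to sssd, which needs no root in the caller).
write_pam_service() {
    pamdir=$1
    service=$2
    mkdir -p "$pamdir" || return 1
    cat > "$pamdir/$service" <<'EOF'
# PAM service for rdpgw-auth ("rdpgw" is the default service name)
auth     required   pam_unix.so
account  required   pam_unix.so
EOF
}

# check_local_auth_prereqs PAMDIR SERVICE SHADOWFILE SOCKETPATH
# Returns 0 when everything rdpgw-auth needs for local auth is in place;
# otherwise reports each missing item on stderr and returns 1.
check_local_auth_prereqs() {
    pamdir=$1
    service=$2
    shadow=$3
    sock=$4
    rc=0
    # A service file under a different name (e.g. rdpgw-auth instead of
    # rdpgw) silently falls back to PAM's "other" policy, which denies.
    if [ ! -f "$pamdir/$service" ]; then
        echo "missing PAM service file $pamdir/$service" >&2
        rc=1
    elif ! grep -q '^auth' "$pamdir/$service"; then
        echo "$pamdir/$service has no auth line" >&2
        rc=1
    fi
    # pam_unix cannot verify passwords without read access to the shadow file.
    if [ ! -r "$shadow" ]; then
        echo "$shadow is not readable by uid $(id -u); run as root or use sssd" >&2
        rc=1
    fi
    # rdpgw-auth must be able to create its Unix socket where rdpgw expects it.
    sockdir=$(dirname "$sock")
    if [ ! -d "$sockdir" ] || [ ! -w "$sockdir" ]; then
        echo "cannot create socket in $sockdir" >&2
        rc=1
    fi
    return $rc
}
```

Once the service file is in place, `pamtester rdpgw abc authenticate` (pamtester is a separate tool, assumed installed) exercises exactly the PAM conversation rdpgw-auth will make, without involving the gateway or an RDP client, which isolates PAM problems from client-side ones like those discussed later in this thread.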

Ok thanks, but the cert must be a valid one that is for a domain name.

@bolkedebruin
Run on arm64 bare-metal Ubuntu 22.04.
PAM: cloned from sshd to rdpgw-auth.
No relevant logs in /var/log: sudo grep -Rnw '/var/log' -e 'rdp'

rdpgw.yaml

Server:
 Authentication:
  - local
 AuthSocket: /tmp/rdpgw-auth.sock
 Tls: auto
 CertFile: ./fullchain.pem
 KeyFile: ./privkey.pem
 GatewayAddress: domain
 Port: 443
 Hosts:
  - 172.173.5.2:3389
 HostSelection: roundrobin
 SessionKey: amgRRTziC8iDB5L1LgsheFsREUyRVsjS
 SessionEncryptionKey: xQxWCFNNpyopnj6a8Fdn0fir21ps2IRD
 SessionStore: cookie
Caps:
 SmartCardAuth: false
 TokenAuth: false
 IdleTimeout: 10
 EnablePrinter: true
 EnablePort: true
 EnablePnp: true
 EnableDrive: true
 EnableClipboard: true
Client:
  UsernameTemplate: "{{ username }}"
  #UsernameTemplate: "{{ username }}\x1f{{ token }}"
  NetworkAutoDetect: 0
  BandwidthAutoDetect: 1
  ConnectionType: 6
  SplitUserDomain: false
Security:
  PAATokenSigningKey: PH2aVB2Rdu1ed2obu30KRTJFAcR3c0VC
  PAATokenEncryptionKey: 5pwGjt2wf3yGs6M4D0TzyFwW48LSz7Y8
  UserTokenEncryptionKey: MKoXaLdeCJ4458QE51yLGDjfSARhvpPq
  EnableUserToken: false
  VerifyClientIp: false

terminal1: sudo ./rdpgw-auth rdpgw.yaml

2024/02/20 16:29:40 Starting auth server on /tmp/rdpgw-auth.sock

terminal2: sudo ./rdpgw rdpgw.yaml

2024/02/20 16:29:51 Cookies are used as session storage
2024/02/20 16:29:51 Starting remote desktop gateway server
2024/02/20 16:29:51 enabling basic authentication

cert generated for domain with certbot

With the official RDP client on Win11:
172.173.5.2:3389: works
172.173.5.2:3389 with domain as gateway: always prompted for login to domain, with login failed

No further log messages, and nothing with sudo nc -U /tmp/rdpgw-auth.sock

@bolkedebruin Might you be able to share your setup with PAM auth, as you seem to have got it working?

Can I use a reverse proxy in front of it?

An example PAM authentication is now available in docker-compose-local.yml. Yes, you can use a reverse proxy in front of it (like HAProxy), but it needs to understand the non-standard HTTP operations that the client executes.


Did you solve the problem?

#75 (comment)

Apologies, what I probably forgot is that mstsc does not allow basic (non-NTLM) authentication. So your only options are Kerberos or OpenID Connect here. You can use a third-party client, or it might work with the client from the MS Store.