Local PAM auth example #75

Closed
archef2000 opened this issue Jul 16, 2023 · 23 comments
Comments

@archef2000

Hello, I can't find an example of a full setup of the local/PAM authentication in the documentation for both Docker and bare metal installs. Could you maybe add one so I can see where I went wrong?

@L1800Turbo

Agree, this would be great!

Maybe I'll present my specific case.
I tried for some hours and got rid of all TLS errors, but I can't get any further.

rdpgw-auth

root@filesrv:~/rdpgw# bin/rdpgw-auth 
2023/11/07 21:52:37 Starting auth server on /tmp/rdpgw-auth.sock

The service itself:

root@filesrv:~/rdpgw# bin/rdpgw 
2023/11/07 21:52:48 Filesystem is used as session storage
2023/11/07 21:52:48 Setting maximum session storage to 8192 bytes
2023/11/07 21:52:48 Starting remote desktop gateway server
2023/11/07 21:52:48 enabling basic authentication

I tried with both mstsc and xfreerdp.

xfreerdp /v:win.vms.int /u:user /g:filesrv /gu:user /gp:passwort
[22:53:48:559] [72023:72024] [INFO][com.freerdp.core.gateway.rdg] - RD Gateway does not support HTTP transport.
[22:53:48:691] [72023:72024] [WARN][com.winpr.sspi] - InitializeSecurityContextA status SEC_E_INVALID_TOKEN [0x80090308]
[22:53:48:713] [72023:72024] [WARN][com.winpr.sspi] - InitializeSecurityContextA status SEC_E_INVALID_TOKEN [0x80090308]
[22:53:48:740] [72023:72024] [ERROR][com.freerdp.core.gateway.rpc] - error! Status Code: 404
[22:53:48:740] [72023:72024] [ERROR][com.freerdp.core.gateway.http] - HTTP/1.1 404 Not Found
[22:53:48:740] [72023:72024] [ERROR][com.freerdp.core.gateway.http] - Content-Type: text/plain; charset=utf-8
[22:53:48:740] [72023:72024] [ERROR][com.freerdp.core.gateway.http] - X-Content-Type-Options: nosniff
[22:53:48:741] [72023:72024] [ERROR][com.freerdp.core.gateway.http] - Date: Tue, 07 Nov 2023 21:53:48 GMT
[22:53:48:741] [72023:72024] [ERROR][com.freerdp.core.gateway.http] - Content-Length: 19
[22:53:48:741] [72023:72024] [ERROR][com.freerdp.core.gateway.tsg] - tsg_check failure
[22:53:48:741] [72023:72024] [ERROR][com.freerdp.core.nego] - Protocol Security Negotiation Failure
[22:53:48:741] [72023:72024] [ERROR][com.freerdp.core] - rdp_client_connect:freerdp_set_last_error_ex ERRCONNECT_SECURITY_NEGO_CONNECT_FAILED [0x0002000C]
[22:53:48:741] [72023:72024] [ERROR][com.freerdp.core.connection] - Error: protocol security negotiation or connection failure

I set TokenAuth: false, but it looks as if there is something wrong with a token. Connecting to the server with a browser I get a 404 too.

Before I took care of the certificates, I had at least TLS errors in the rdpgw log, but now I don't get anything anymore.
What would be a good step to investigate here?

Thanks!

@archef2000 (Author)

archef2000 commented Nov 7, 2023

So you need a valid cert and tokenauth disabled, and yes, you then see a 404 page if you visit the page in a browser. The only page still enabled is /tokeninfo; the rest is only needed for OIDC.

@L1800Turbo

Thank you!
Then I understood at least from other tickets that this is the right behavior.
But shouldn't there be something on the server log when a client tries to connect?
Or do I need to set any additional protocol settings?
From the freerdp log 'Protocol Security Negotiation Failure' I assume there still might be some encryption settings necessary.

@archef2000 (Author)

Is there a proxy in front, or is it a direct connection?

@L1800Turbo

It's a direct connection inside the local network.

@archef2000 (Author)

With a valid cert?

@L1800Turbo

I created a root CA that I added to the trust store on the client. Then I created and signed a certificate for the host.
The browser doesn't complain, and before that mstsc told me no connection was possible because the host couldn't be trusted.
So my assumption was that it should be working.

@archef2000 (Author)

Have you tried using OIDC, just to check whether everything else works?

@L1800Turbo

So, I finally got a setup running with OpenID via Keycloak in a container. It wasn't that easy; I ended up using the Docker example and comparing configs. Turns out I should keep the config file small.

Switching back to local didn't bring any messages, so I tried Kerberos. At some point I wanted AD authentication anyway, so I tried this, without success so far, I have to admit.

Sorry for switching over...
I tried with both mstsc and xfreerdp again, on Kerberos.

Using xfreerdp I get this similar message:

xfreerdp /v:win.vms.int /g:filesrv.jue.brk /tls-seclevel:0 /u:user /gu:administrator@JUE.BRK
GatewayPassword: 
[21:37:00:942] [149467:149468] [INFO][com.freerdp.core.gateway.rdg] - RD Gateway does not support HTTP transport.
[21:37:00:081] [149467:149468] [WARN][com.winpr.sspi] - InitializeSecurityContextA status SEC_E_INVALID_TOKEN [0x80090308]
[21:37:00:103] [149467:149468] [WARN][com.winpr.sspi] - InitializeSecurityContextA status SEC_E_INVALID_TOKEN [0x80090308]
[21:37:00:129] [149467:149468] [ERROR][com.freerdp.core.gateway.rpc] - error! Status Code: 404
[21:37:00:129] [149467:149468] [ERROR][com.freerdp.core.gateway.http] - HTTP/1.1 404 Not Found
[21:37:00:129] [149467:149468] [ERROR][com.freerdp.core.gateway.http] - Content-Type: text/plain; charset=utf-8
[21:37:00:129] [149467:149468] [ERROR][com.freerdp.core.gateway.http] - X-Content-Type-Options: nosniff
[21:37:00:129] [149467:149468] [ERROR][com.freerdp.core.gateway.http] - Date: Fri, 10 Nov 2023 20:37:00 GMT
[21:37:00:129] [149467:149468] [ERROR][com.freerdp.core.gateway.http] - Content-Length: 19
[21:37:00:130] [149467:149468] [ERROR][com.freerdp.core.gateway.tsg] - tsg_check failure
[21:37:00:130] [149467:149468] [ERROR][com.freerdp.core.nego] - Protocol Security Negotiation Failure
[21:37:00:130] [149467:149468] [ERROR][com.freerdp.core] - rdp_client_connect:freerdp_set_last_error_ex ERRCONNECT_SECURITY_NEGO_CONNECT_FAILED [0x0002000C]
[21:37:00:130] [149467:149468] [ERROR][com.freerdp.core.connection] - Error: protocol security negotiation or connection failure

mstsc always returned to the login prompt for the gateway. But in this case I got a message in the rdpgw log:

bin/rdpgw
2023/11/10 20:28:41 No valid `security.paatokenencryptionkey` specified (empty or not 32 characters). Setting to random
2023/11/10 20:28:41 Cookies are used as session storage
2023/11/10 20:28:41 Starting remote desktop gateway server
2023/11/10 20:28:41 enabling kerberos authentication
2023/11/10 20:28:53 Identity SessionId: 2594967d-3b14-4e13-9c79-d56b62157bc5, UserName: : Authenticated: false
2023/11/10 20:28:58 error reading from kdc dc01:88 due to read tcp 10.18.1.214:60936->10.18.1.4:88: i/o timeout, trying next if available
2023/11/10 20:28:58 cannot forward to kdc due to no kdcs found for realm JUE.BRK
2023/11/10 20:28:58 Identity SessionId: 805708ee-a94a-4678-89ae-a36774e0ce04, UserName: : Authenticated: false
2023/11/10 20:28:58 10.18.1.208:59099 - SPNEGO error in unmarshaling SPNEGO token: not a valid SPNEGO token: asn1: structure error: explicitly tagged member didn't match

As for the keytab file, I tried to authenticate with it:

klist  -kte /etc/keytabs/rdpgw.keytab 
Keytab name: FILE:/etc/keytabs/rdpgw.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 11/10/23 20:12:06 rdpgw@JUE.BRK (DEPRECATED:arcfour-hmac) 
kinit  -kt /etc/keytabs/rdpgw.keytab rdpgw@JUE.BRK
klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: rdpgw@JUE.BRK

Valid starting     Expires            Service principal
11/10/23 20:24:43  11/11/23 06:24:43  krbtgt/JUE.BRK@JUE.BRK
        renew until 11/11/23 20:24:43

That looks good to me so far. I can't make sense of the message "no kdcs found" from the rdpgw log yet.
The only idea I have is that the encryption type arcfour-hmac could cause problems, but I couldn't find any suggestions in rdpgw.

To make sure it wasn't a problem specific to that machine, I repeated the process on a second machine, with the same results.
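The "no kdcs found for realm JUE.BRK" line in the rdpgw log above appears right after a TCP timeout to dc01:88, while kinit on the same host works. A preflight that reads the same inputs the gateway depends on helps separate a configuration gap from an unreachable KDC. The script below is an added example written for this thread, not code from rdpgw or from anyone in the issue. It assumes the gateway resolves KDCs from the host's krb5.conf (as the log message suggests); the krb5.conf text, the second KDC `dc02.jue.brk` and the `klist -kte` listing are constructed for the example and modelled on the values shown in the thread.

```python
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed krb5.conf modelled on the realm from the thread (JUE.BRK, KDC dc01).
# The second KDC and the [libdefaults] block are invented for the example.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = JUE.BRK
    dns_lookup_kdc = false

[realms]
    JUE.BRK = {
        kdc = dc01:88
        kdc = dc02.jue.brk
        admin_server = dc01
    }
"""

# Constructed `klist -kte` output in the shape shown in the thread.
SAMPLE_KLIST = """Keytab name: FILE:/etc/keytabs/rdpgw.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 11/10/23 20:12:06 rdpgw@JUE.BRK (DEPRECATED:arcfour-hmac)
"""

DEFAULT_KDC_PORT = 88


def parse_realms(conf_text: str) -> Dict[str, List[str]]:
    """Return {realm: [kdc, ...]} from the [realms] section of a krb5.conf."""
    realms: Dict[str, List[str]] = {}
    section: Optional[str] = None
    realm: Optional[str] = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        head = re.match(r"^\[(\w+)\]$", line)
        if head:
            section, realm = head.group(1).lower(), None
            continue
        if section != "realms":
            continue
        opened = re.match(r"^([\w.\-]+)\s*=\s*\{$", line)
        if opened:
            realm = opened.group(1)               # realm names are case-sensitive
            realms.setdefault(realm, [])
            continue
        if line == "}":
            realm = None
            continue
        kdc = re.match(r"^kdc\s*=\s*(\S+)$", line, re.IGNORECASE)
        if realm and kdc:
            realms[realm].append(kdc.group(1))
    return realms


def split_host_port(kdc: str) -> Tuple[str, int]:
    """'dc01:88' -> ('dc01', 88); a bare host name gets the default KDC port."""
    host, sep, port = kdc.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return kdc, DEFAULT_KDC_PORT


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """TCP connect check; the rdpgw log shows it reaches the KDC over TCP."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                               # refused, unreachable, DNS failure, timeout
        return False


def parse_keytab_listing(klist_output: str) -> List[Tuple[str, str]]:
    """Return (principal, enctype) pairs from `klist -kte` output."""
    entries: List[Tuple[str, str]] = []
    pattern = r"^\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s*(?:\((?:DEPRECATED:)?([\w\-]+)\))?"
    for line in klist_output.splitlines():
        m = re.match(pattern, line)
        if m:
            entries.append((m.group(1), m.group(2) or ""))
    return entries


def preflight(realm: str, conf_text: str, klist_output: str,
              probe: Callable[[str, int], bool] = tcp_reachable) -> List[str]:
    """Collect findings that would explain a 'no kdcs found' or failed keytab login."""
    findings: List[str] = []
    realms = parse_realms(conf_text)
    kdcs = realms.get(realm, [])
    if realm not in realms:
        findings.append(f"realm {realm} has no [realms] entry in krb5.conf")
    elif not kdcs:
        findings.append(f"realm {realm} has no kdc = lines; only DNS SRV lookup could find a KDC")
    for kdc in kdcs:
        host, port = split_host_port(kdc)
        if not probe(host, port):
            findings.append(f"kdc {host}:{port} not reachable over TCP")
    principals = parse_keytab_listing(klist_output)
    if not any(p.endswith("@" + realm) for p, _ in principals):
        findings.append(f"no keytab principal in realm {realm}")
    for p, enctype in principals:
        if enctype.startswith("arcfour"):        # klist itself flags this as DEPRECATED
            findings.append(f"{p} uses deprecated enctype {enctype}")
    return findings


if __name__ == "__main__":
    # Real probes run here; replace the sample strings with open('/etc/krb5.conf').read()
    # and the output of `klist -kte <keytab>` on the gateway host.
    for finding in preflight("JUE.BRK", SAMPLE_KRB5_CONF, SAMPLE_KLIST):
        print("FINDING:", finding)
```

Run on the gateway host with the real krb5.conf and keytab listing, an empty result means the realm is configured and every listed KDC accepts TCP connections on its port, so a remaining "no kdcs found" would point elsewhere (for instance the realm name or its case in the configuration). A "not reachable" finding for every KDC matches the i/o timeout seen in the thread's log.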

@bigbenz8

bigbenz8 commented Jan 9, 2024

How do I use local PAM auth? Is there an example available now?

@archef2000 (Author)

Sadly there is no example, and I also would like to get this to work with local auth, but there has been no response from @bolkedebruin.

@bolkedebruin (Owner)

There is now a docker compose file (docker-compose-local.yml) that exemplifies how this could be done.

@archef2000 (Author)

archef2000 commented Mar 19, 2024

I think you forgot to upload the docker-compose-local.yml file.

@bolkedebruin (Owner)

Good catch, fixed.

@archef2000 (Author)

I have it set up with a Let's Encrypt cert from certbot, with the fullchain and privkey files as in docker-compose-local.yml. The only difference is that the address is the domain with port 443. The reverse proxy is in TCP passthrough mode and I can reach the rdpgw container through the subdomain. I don't know what I am doing wrong. I just get the sign-in prompt for the gateway over and over again, with this log message when I log in with admin:admin:
Identity SessionId: bc184664-2c91-4f96-a333-a4af33fa822d, UserName: : Authenticated: false

@bolkedebruin (Owner)

bolkedebruin commented Mar 19, 2024

The docker compose works out of the box. Start there. What are you connecting with?

Remove other components before adding complexity. A reverse proxy introduces complexity you do not want for an initial setup.

@archef2000 (Author)

archef2000 commented Mar 19, 2024

I also can't get it working if I set it up to listen on port 444 with a valid cert for the domain. Have you tested it with the original RDP client on Windows? And what settings did you use?

@bolkedebruin (Owner)

Did you try the original docker-compose-local with a Mac client? Or with a client that is NOT mstsc?

Yes, it was tested with a Windows client and a valid certificate. But start simple first.

@archef2000 (Author)

archef2000 commented Mar 19, 2024

It works with the Android app of the Microsoft RDP client, even with the TCP proxy in front.
Is there any third-party Windows client? Or a way to get mstsc working?

@bolkedebruin (Owner)

Apologies, what I probably forgot is that mstsc does not allow basic (non-NTLM) authentication. So your only options are Kerberos or OpenID Connect here. You can use a third-party client, or it might work with the client from the MS Store.

@archef2000 (Author)

Kerberos is also username/password, right? Is there an LDAP-to-Kerberos "proxy"?

@bolkedebruin (Owner)

Keycloak does proxying for LDAP with OpenID Connect, AFAIK; I'm not sure about Kerberos. Active Directory is basically LDAP+Kerberos, which you can get with a real Windows host or Samba. There might be others.

@archef2000 (Author)

There seems to be a guide from Ubuntu: https://ubuntu.com/server/docs/service-kerberos-with-openldap-backend

Will try that.
