
Auto-login (skip the login prompt) - xrdp 0.9.11, centOS 7 #1455

Closed
nzcoward opened this issue Dec 9, 2019 · 3 comments

nzcoward commented Dec 9, 2019

Apologies if there is a better place to ask this - I haven't found a community for xrdp, so I've come here!

Is there a way to skip the xrdp login prompt when connecting via mstsc?

We use domain accounts, and we are able to authenticate users, but ideally we would like to auto-authenticate those accounts. The biggest reason for this is due to e.g. when a user walks away from their computer, and they must log into Windows, log into xrdp, and, likely, enter their password to unlock the active session. If we can knock one of those off, that would be ideal (and no, removing Windows from the equation is not an option, I am afraid :))

In xrdp.ini, I have set autorun=Xorg (it's the only session type we use), but that doesn't seem to work. I'm a little unsure how RDP and xserver talk. I thought perhaps that xrdp would be run with the username and password when the authentication was completed on the server.

Is there perhaps something that I need to set in the pam config? There's quite a bit of information around navigating the config, but not a lot of info on how I might be able to configure it.

Because there isn't an issue - the logs aren't overly helpful. But I can provide some if you think they'll be helpful.

UPDATE

I see that the file libxrdp/xrdp_sec.c has a method: xrdp_sec_process_logon_info that takes a struct that is used to define flags (from further up the chain: xrdp_process.c). Within that method, the flags are &ed with RDP_LOGON_AUTO, which seems to achieve what I am after (no login window displayed).

Where are the flags configured? Are they command line or configuration file based? Is there any documentation for these?

Cheers!

@nzcoward
Author

I see that this is linked to the RDP client - if we save credentials on the mstsc end, then it seems to pass this flag through to the server.

Setting 'prompt for credentials:i:0' in the .rdp file appears to do the trick!
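
For reference, the flag discussed in the comments above arrives from the client in the flags field of the RDP Client Info PDU (TS_INFO_PACKET in MS-RDPBCGR). The block below is an added example, not part of the thread and not xrdp's code: it reads that header from constructed byte buffers and reports whether auto-logon is requested and whether a password is carried with it. The function name `info_autologon` and both sample buffers are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TS_INFO_PACKET flag bits (MS-RDPBCGR); the thread's RDP_LOGON_AUTO is the first. */
#define INFO_AUTOLOGON 0x00000008u
#define INFO_UNICODE   0x00000010u
#define INFO_HDR_LEN   18u /* CodePage(4) + flags(4) + five 16-bit cb* lengths */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Returns -1 if malformed, 0 if no auto-logon is requested, 1 if the flag is
 * set with an empty password, 2 if the flag is set and a password is present. */
int info_autologon(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len < INFO_HDR_LEN)
        return -1;
    uint32_t flags = rd32(buf + 4);               /* flags follow CodePage */
    size_t term = (flags & INFO_UNICODE) ? 2 : 1; /* terminator is not counted in cb* */
    size_t need = INFO_HDR_LEN;
    for (size_t off = 8; off < INFO_HDR_LEN; off += 2) /* cbDomain .. cbWorkingDir */
        need += rd16(buf + off) + term;
    if (need > len)
        return -1; /* declared string lengths overrun the buffer */
    if (!(flags & INFO_AUTOLOGON))
        return 0;
    return rd16(buf + 12) > 0 ? 2 : 1;            /* cbPassword */
}

/* Constructed sample: Unicode, auto-logon set, user "user", password "pw". */
static const uint8_t SAMPLE_AUTO[40] = {
    0,0,0,0, 0x19,0,0,0,            /* CodePage, flags: mouse|autologon|unicode */
    0,0, 8,0, 4,0, 0,0, 0,0,        /* cbDomain, cbUserName, cbPassword, shell, dir */
    0,0, 'u',0,'s',0,'e',0,'r',0, 0,0, 'p',0,'w',0, 0,0, 0,0, 0,0 };

/* Constructed sample: auto-logon bit clear, all strings empty. */
static const uint8_t SAMPLE_PROMPT[28] = {
    0,0,0,0, 0x11,0,0,0, 0,0, 0,0, 0,0, 0,0, 0,0,
    0,0, 0,0, 0,0, 0,0, 0,0 };

int main(void)
{
    printf("auto:   %d\n", info_autologon(SAMPLE_AUTO, sizeof SAMPLE_AUTO));
    printf("prompt: %d\n", info_autologon(SAMPLE_PROMPT, sizeof SAMPLE_PROMPT));
    return 0;
}
```

A result of 2 means the password itself is inside the PDU, so its confidentiality depends on the security layer negotiated for the connection.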

@nzcoward
Author

nzcoward commented Dec 18, 2019

I'm actually going to reopen this, because I am unsure why this is happening.

It only seems to work if the credentials are saved in the Windows Credential Manager (which mstsc can read from). The issue with this is that we're using domain accounts, and any application running in the context of the user could harvest those passwords.

So there's something about saving credentials this way that sets the autologin flag in xrdp. Currently I am looking into what might be different from the client-side. NLA should ensure that the user is authenticated on the client, so I don't really understand why mstsc's handshaking would be different.

UPDATE

Also, it appears as though if the credentials are saved for a Windows machine (or I guess any machine that supports NLA?) then they are saved in the credential manager in a way that the password cannot be harvested - so perhaps there's a check, as it saves the credentials, for what the remote machine supports.

@nzcoward nzcoward reopened this Dec 18, 2019
@nzcoward
Author

Heh, and closing again. Thanks for the conversation, me :)

It's definitely a result of NLA on the client-side. Pretty sure now that xrdp is behaving the way it should.

Why credentials for xrdp are saved as generic, and for Windows as more secure, I am unsure, but I think that's one for MS, rather than here.
