xrdp compiled with PAM support and default Unix configuration won't work on Slackware #1558

Closed
gdsotirov opened this issue Apr 23, 2020 · 5 comments

@gdsotirov

I have managed to compile xrdp 0.9.13 for Slackware 14.2 with PAM support enabled. The configuration command is:

configure --build=${ARCH}-slackware-linux \
          --host=${ARCH}-slackware-linux \
          --prefix=/usr \
          --libdir=/usr/lib${LIBDIRSUFFIX} \
          --sysconfdir=/etc \
          --localstatedir=/var \
          --docdir=/usr/doc \
          --mandir=/usr/man \
          --disable-silent-rules \
          --disable-dependency-tracking \
          --enable-shared=yes \
          --enable-static=no \
          --enable-ipv6 \
          --enable-jpeg \
          --enable-fuse \
          --enable-opus \
          --enable-mp3lame \
          --enable-pixman \
          --enable-painter \
          --enable-rfxcodec

However, I wasn't able to start any session, because login was always failing. Here's an excerpt from xrdp.log:

[20200423-11:27:37] [INFO ] TLS connection established from ::ffff:192.168.1.2 port 1124: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
[20200423-11:27:37] [DEBUG] xrdp_00001190_wm_login_mode_event_00000001
[20200423-11:27:37] [INFO ] Loading keymap file /etc/xrdp/km-00000409.ini
[20200423-11:27:37] [WARN ] local keymap file for 0x00000409 found and doesn't match built in keymap, using local keymap file
[20200423-11:27:52] [DEBUG] xrdp_wm_log_msg: connecting to sesman ip 127.0.0.1 port 3350
[20200423-11:27:53] [INFO ] xrdp_wm_log_msg: sesman connect ok
[20200423-11:27:53] [DEBUG] xrdp_wm_log_msg: sending login info to session manager, please wait...
[20200423-11:27:53] [DEBUG] return value from xrdp_mm_connect 0
[20200423-11:27:53] [INFO ] xrdp_wm_log_msg: login failed for display 0
[20200423-11:27:53] [DEBUG] xrdp_mm_module_cleanup

And in xrdp-sesman.log there was just:

[20200423-11:27:00] [INFO ] starting xrdp-sesman with pid 4490
[20200423-11:27:00] [INFO ] listening to port 3350 on 127.0.0.1
[20200423-11:27:52] [INFO ] A connection received from ::1 port 48774
[20200423-11:27:53] [DEBUG] Closed socket 7 (AF_INET6 ::1 port 3350)

I found the error message strange, because it shows "display 0" while by default xrdp is configured to start from display number 10. And this is the first problem, which I think is also reported in other issues (e.g. #1359 or #1546). I was able to relate the problem to PAM after compiling without PAM support (i.e. by adding --disable-pam to the command above), so I looked further into the issue.

Apparently, the default PAM configuration for other distributions has changed with commit 63472bb in January 2017. However, this configuration with includes leads nowhere on Slackware. I had no such problem with older xrdp versions (e.g. 0.5 and 0.6) on older Slackware, because the old configuration is independent. Should this really be the default Unix configuration? The old default configuration or something even simpler (e.g. see below) works just fine.

#%PAM-1.0
auth        required    pam_unix.so

account     required    pam_unix.so
account     required    pam_nologin.so

So to summarize the two problems I faced:

  1. There was no message in the log for failing PAM authentication to indicate where the problem is.
  2. Default PAM configuration for xrdp-sesman doesn't work for Slackware and perhaps other distributions.

gdsotirov added a commit to gdsotirov/xrdp.SlackBuild that referenced this issue Apr 23, 2020
The default PAM configuration provided by the source package
does not work, because it tries to include system-auth, so replace
it with a simple standalone configuration.
See neutrinolabs/xrdp#1558
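
The failure described in this issue, a PAM service file whose include target does not exist on the host, can be caught before the file is installed. The following is an added example, not part of the original thread and not xrdp's mkpamrules script: a POSIX shell check that lists include targets and modules a service file names but the system lacks. The sample file names and the temporary directory layout are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not xrdp's mkpamrules: list PAM references that resolve to nothing.
# pam_unresolved SERVICE_FILE PAM_D_DIR MODULE_DIR prints "include:<name>" or
# "module:<name>" per dangling reference and returns 1 if any (no recursion).
pam_unresolved() {
    svc=$1; pamd=$2; moddir=$3; missing=0
    refs=$(awk '
        /^[ \t]*(#|$)/   { next }                       # comments, blank lines
        $1 == "@include" { print "include", $2; next }  # Debian-style include
        {
            i = 2                                       # control field
            if ($i ~ /^\[/) while (i < NF && $i !~ /\]$/) i++   # [k=v ...] form
            kind = ($2 == "include" || $2 == "substack") ? "include" : "module"
            print kind, $(i + 1)
        }' "$svc" | sort -u)
    while read -r kind name; do
        [ -n "$name" ] || continue
        case $kind in
            include) target=$pamd/$name ;;
            module)  case $name in /*) target=$name ;; *) target=$moddir/$name ;; esac ;;
        esac
        [ -e "$target" ] || { echo "$kind:$name"; missing=1; }
    done <<EOF
$refs
EOF
    return $missing
}

# Constructed sample tree (hypothetical names) standing in for /etc/pam.d and the
# PAM module directory; prints the path of the temporary root.
demo_setup() {
    root=$(mktemp -d); mkdir -p "$root/pam.d" "$root/security"
    touch "$root/security/pam_unix.so" "$root/security/pam_nologin.so"
    printf '%s\n' '#%PAM-1.0' 'auth include system-auth' \
        'account include system-auth' > "$root/pam.d/xrdp-sesman.include"
    printf '%s\n' '#%PAM-1.0' 'auth required pam_unix.so' \
        'account required pam_unix.so' 'account required pam_nologin.so' \
        'session required pam_unix.so' > "$root/pam.d/xrdp-sesman.standalone"
    echo "$root"
}

# Demo: the include-based file is flagged, the standalone one passes.
r=$(demo_setup)
for f in include standalone; do
    pam_unresolved "$r/pam.d/xrdp-sesman.$f" "$r/pam.d" "$r/security" || echo "-> $f: unresolved"
done
```

On a real host the second and third arguments would be /etc/pam.d and the distribution's module directory (/usr/lib*/security on Slackware, per the thread).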

@matt335672
Member

Hi @gdsotirov

You're right in that when I was looking into #1546 recently the logging completely foxed me, and that added to the time it took to find a solution. So there's definitely room for improvement there.

As regards the PAM configuration itself, it's a tricky area. I agree there's room for improvement in the default config however, even if it's only improved commenting.

Just a quick note about your simple config above. You haven't got any PAM session entries. From what little I know about PAM (and it really is very little), I'd have thought the following:-

  • you'd want at least session required pam_unix.so. The pam_unix module doesn't do a great deal for the session, but you've mentioned it already for auth and account, so why not bung it in?
  • If Slackware supports auto-creation of home directories on login (frankly I don't know if this is the case or not) you might want to add whatever variant of pam_mkhomedir.so is supported on Slackware.

I'll happily admit it's not an area I'm personally very knowledgeable about, so feel free to come back to me on that.

@gdsotirov
Author

I'm not sure I understand you on "there's room for improvement in the default config however, even if it's only improved commenting" @matt335672. What do you mean by this?

For session, yes, my actual configuration ended up being:

#%PAM-1.0
auth        required    pam_unix.so

account     required    pam_unix.so
account     required    pam_nologin.so

session     required    pam_unix.so

password    required    pam_unix.so

But my point was that even with the minimal auth and account, it works.

I'm not quite sure about "auto-creation of home directories on login" either as I never needed nor used it, but of course this could be additionally configured. My aim is only to provide a package for xrdp with PAM support and basic configuration that works, so I opened this task, because the default configuration included in xrdp does not work for me.

@matt335672
Member

Hi @gdsotirov

Please ignore my remark on improved commenting - you were right to challenge it. I was simply going to suggest that a comment was added to xrdp-sesman.unix on the grounds that it's a default and could be wrong. Since then I've dug a bit deeper, and I think we can improve on that approach significantly.

I've produced a branch slack-support in https://github.com/matt335672/xrdp which I think does what you want with PAM. I've renamed the rather useless xrdp-sesman.unix to xrdp-sesman.system and created a new xrdp-sesman.unix along the lines of what you suggest above with a few other changes. I've then modified the mkpamrules script to work with Slackware 14.2 (with PAM), and also fail if it can't find a suitable PAM configuration - at the moment it simply installs a duff one if it can't proceed.

I've not tackled the duff logging yet, but I hope this is what you're looking for. Could you have a look at it, and if it's OK for you I'll submit the PR.

@gdsotirov
Author

Thank you very much @matt335672! :-)

Yes, it seems OK to me. I checked your branch and I think the changes would work properly on Slackware (PAM modules are in /usr/lib*/security and all required are present). I hope your changes would make it in the next release, so I could benefit from them while building a new package.

@metalefty
Member

Closing by #1560.
