Is it possible to make an exception for Linux + GSSAPI? For example, when on the server side after gss_accept_sec_context, we know for sure that there is a client principal in src_name...
2023-02-02 9:45 GMT, David FORT via FreeRDP-devel <freerdp-devel@lists.sourceforge.net>:
> On 02/02/2023 at 07:18, Andrey Af via FreeRDP-devel wrote:
>> Hi All,
>> Today I checked the version from master. I see a lot of work with
>> kerberos support.
>> I have a question - why does the client ask the password? I have a
>> principal ticket, this should be enough for kerberos authentication.
>>
>> Client logs:
>> [DEBUG][com.freerdp.core.nego] - [nego_set_negotiation_enabled]: Enabling security layer negotiation: TRUE
>> [DEBUG][com.freerdp.core.nego] - [nego_set_restricted_admin_mode_required]: Enabling restricted admin mode: FALSE
>> [DEBUG][com.freerdp.core.nego] - [nego_enable_rdp]: Enabling RDP security: TRUE
>> [DEBUG][com.freerdp.core.nego] - [nego_enable_tls]: Enabling TLS security: TRUE
>> [DEBUG][com.freerdp.core.nego] - [nego_enable_nla]: Enabling NLA security: TRUE
>> [DEBUG][com.freerdp.core.nego] - [nego_enable_ext]: Enabling NLA extended security: FALSE
>> [DEBUG][com.freerdp.core.connection] - [rdp_client_transition_to_state]: CONNECTION_STATE_INITIAL --> CONNECTION_STATE_NEGO
>> [DEBUG][com.freerdp.core.nego] - [nego_connect]: state: NEGO_STATE_NLA
>> [DEBUG][com.freerdp.core.nego] - [nego_attempt_nla]: Attempting NLA security
>> [DEBUG][com.freerdp.core] - [freerdp_set_last_error_ex]: freerdp_tcp_is_hostname_resolvable resetting error state
>> [DEBUG][com.freerdp.core] - [freerdp_set_last_error_ex]: freerdp_tcp_default_connect resetting error state
>> [DEBUG][com.freerdp.core] - [freerdp_tcp_default_connect]: connecting to peer 192.168.55.110
>> [DEBUG][com.freerdp.core.nego] - [nego_send_negotiation_request]: RequestedProtocols: 3
>> [DEBUG][com.freerdp.core.nego] - [nego_process_negotiation_response]: RDP_NEG_RSP::flags = { [0x03] |EXTENDED_CLIENT_DATA_SUPPORTED|DYNVC_GFX_PROTOCOL_SUPPORTED }
>> [DEBUG][com.freerdp.core.nego] - [nego_recv]: selected_protocol: 2
>> [DEBUG][com.freerdp.core.nego] - [nego_attempt_nla]: state: NEGO_STATE_FINAL
>> [DEBUG][com.freerdp.core.nego] - [nego_connect]: Negotiated NLA security
>> [DEBUG][com.freerdp.core.nego] - [nego_security_connect]: nego_security_connect with PROTOCOL_HYBRID
>> [DEBUG][com.freerdp.crypto] - [useKnownHosts]: known_hosts=1
>> [DEBUG][com.freerdp.core.nla] - [nla_set_state]: -- NLA_STATE_INITIAL --> NLA_STATE_INITIAL
>> [DEBUG][com.winpr.sspi] - [InitSecurityInterfaceExA]: InitSecurityInterfaceExA
>> [DEBUG][com.freerdp.core.auth] - [credssp_auth_init]: Using package: Negotiate (cbMaxToken: 12256 bytes)
>> [DEBUG][com.winpr.utils] - [SamOpen]: Could not open SAM file!
>>
>> Password: ????
>
> Hi,
>
> I understand (and share) the frustration with this required password. So
> far we've not found a way to avoid that: FreeRDP is multi-platform and
> typically on windows we always need the password, and with the design
> that we have (at least for now), we can't say for sure that the password
> will not be needed when doing NLA (also don't forget that with SPNego we
> don't know which algorithm will be used).
>
>> Also, if I use a key "/auth-pkg-list:!ntlm,kerberos", the client crashes.
>>
>> Thread 2 "xfreerdp" received signal SIGSEGV, Segmentation fault.
>> (gdb) bt
>> #0  0x00007ffff5ca9fd6 in __strcmp_sse42 () from /usr/bin/../lib64/libc.so.6
>> #1  0x00007ffff5ff94e7 in negotiate_AcquireCredentialsHandleA (pszPrincipal=0x0, pszPackage=0x7fffe0c6b990 "Negotiate", fCredentialUse=2, pvLogonID=0x0, pAuthData=0x7fffe5405670, pGetKeyFn=0x0, pvGetKeyArgument=0x0, phCredential=0x7fffe0c70268, ptsExpiry=0x0)
>>     at freerdp-3.0.0/winpr/libwinpr/sspi/Negotiate/negotiate.c:1418
>> #2  0x00007ffff5fff3c9 in winpr_AcquireCredentialsHandleA (pszPrincipal=0x0, pszPackage=0x7fffe0c6b990 "Negotiate", fCredentialUse=2, pvLogonID=0x0, pAuthData=0x7fffe5405670, pGetKeyFn=0x0, pvGetKeyArgument=0x0, phCredential=0x7fffe0c70268, ptsExpiry=0x0)
>>     at freerdp-3.0.0/winpr/libwinpr/sspi/sspi_winpr.c:1327
>>
> Can you report an issue for that, that's most probably a bug related to
> recent unicode conversion changes.
>
> Best regards.
>
> --
> David FORT
> website: https://www.hardening-consulting.com/
>
>
>
> _______________________________________________
> FreeRDP-devel mailing list
> FreeRDP-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/freerdp-devel