Is it possible to make an exception for Linux + GSSAPI?
For example, when on the server side after gss_accept_sec_context, we
know for sure that there is a client principal in src_name...


2023-02-02 9:45 GMT, David FORT via FreeRDP-devel
<freerdp-devel@lists.sourceforge.net>:
> On 02/02/2023 at 07:18, Andrey Af via FreeRDP-devel wrote:
>> Hi All,
>> Today I checked the version from master. I see a lot of work with
>> kerberos support.
>> I have a question - why does the client ask the password? I have a
>> principal ticket, this should be enough for kerberos authentication.
>>
>> Client logs:
>> [DEBUG][com.freerdp.core.nego] - [nego_set_negotiation_enabled]:
>> Enabling security layer negotiation: TRUE
>> [DEBUG][com.freerdp.core.nego] -
>> [nego_set_restricted_admin_mode_required]: Enabling restricted admin
>> mode: FALSE
>> [DEBUG][com.freerdp.core.nego] - [nego_enable_rdp]: Enabling RDP security:
>> TRUE
>> [DEBUG][com.freerdp.core.nego] - [nego_enable_tls]: Enabling TLS security:
>> TRUE
>> [DEBUG][com.freerdp.core.nego] - [nego_enable_nla]: Enabling NLA security:
>> TRUE
>> [DEBUG][com.freerdp.core.nego] - [nego_enable_ext]: Enabling NLA
>> extended security: FALSE
>> [DEBUG][com.freerdp.core.connection] -
>> [rdp_client_transition_to_state]: CONNECTION_STATE_INITIAL -->
>> CONNECTION_STATE_NEGO
>> [DEBUG][com.freerdp.core.nego] - [nego_connect]: state: NEGO_STATE_NLA
>> [DEBUG][com.freerdp.core.nego] - [nego_attempt_nla]: Attempting NLA
>> security
>> [DEBUG][com.freerdp.core] - [freerdp_set_last_error_ex]:
>> freerdp_tcp_is_hostname_resolvable resetting error state
>> [DEBUG][com.freerdp.core] - [freerdp_set_last_error_ex]:
>> freerdp_tcp_default_connect resetting error state
>> [DEBUG][com.freerdp.core] - [freerdp_tcp_default_connect]: connecting
>> to peer 192.168.55.110
>> [DEBUG][com.freerdp.core.nego] - [nego_send_negotiation_request]:
>> RequestedProtocols: 3
>> [DEBUG][com.freerdp.core.nego] - [nego_process_negotiation_response]:
>> RDP_NEG_RSP::flags = { [0x03]
>> |EXTENDED_CLIENT_DATA_SUPPORTED|DYNVC_GFX_PROTOCOL_SUPPORTED }
>> [DEBUG][com.freerdp.core.nego] - [nego_recv]: selected_protocol: 2
>> [DEBUG][com.freerdp.core.nego] - [nego_attempt_nla]: state:
>> NEGO_STATE_FINAL
>> [DEBUG][com.freerdp.core.nego] - [nego_connect]: Negotiated NLA security
>> [DEBUG][com.freerdp.core.nego] - [nego_security_connect]:
>> nego_security_connect with PROTOCOL_HYBRID
>> [DEBUG][com.freerdp.crypto] - [useKnownHosts]: known_hosts=1
>> [DEBUG][com.freerdp.core.nla] - [nla_set_state]: -- NLA_STATE_INITIAL
>>      --> NLA_STATE_INITIAL
>> [DEBUG][com.winpr.sspi] - [InitSecurityInterfaceExA]:
>> InitSecurityInterfaceExA
>> [DEBUG][com.freerdp.core.auth] - [credssp_auth_init]: Using package:
>> Negotiate (cbMaxToken: 12256 bytes)
>> [DEBUG][com.winpr.utils] - [SamOpen]: Could not open SAM file!
>>
>> Password:    ????
>
> Hi,
>
> I understand (and share) the frustration with this required password. So
> far we've not found a way to avoid that: FreeRDP is multi-platform and
> typically on Windows we always need the password, and with the design
> that we have (at least for now), we can't say for sure that the password
> will not be needed when doing NLA (also don't forget that with SPNego we
> don't know which algorithm will be used).
>
>> Also, if I use a key "/auth-pkg-list:!ntlm,kerberos", the client crashes.
>>
>> Thread 2 "xfreerdp" received signal SIGSEGV, Segmentation fault.
>> (gdb) bt
>> #0  0x00007ffff5ca9fd6 in __strcmp_sse42 () from
>> /usr/bin/../lib64/libc.so.6
>> #1  0x00007ffff5ff94e7 in negotiate_AcquireCredentialsHandleA
>> (pszPrincipal=0x0, pszPackage=0x7fffe0c6b990 "Negotiate",
>> fCredentialUse=2, pvLogonID=0x0, pAuthData=0x7fffe5405670,
>> pGetKeyFn=0x0, pvGetKeyArgument=0x0, phCredential=0x7fffe0c70268,
>> ptsExpiry=0x0)
>>      at freerdp-3.0.0/winpr/libwinpr/sspi/Negotiate/negotiate.c:1418
>> #2  0x00007ffff5fff3c9 in winpr_AcquireCredentialsHandleA
>> (pszPrincipal=0x0, pszPackage=0x7fffe0c6b990 "Negotiate",
>> fCredentialUse=2, pvLogonID=0x0, pAuthData=0x7fffe5405670,
>> pGetKeyFn=0x0, pvGetKeyArgument=0x0, phCredential=0x7fffe0c70268,
>> ptsExpiry=0x0)
>>      at freerdp-3.0.0/winpr/libwinpr/sspi/sspi_winpr.c:1327
>>
> Can you report an issue for that? That's most probably a bug related to
> recent Unicode conversion changes.
>
> Best regards.
>
> --
> David FORT
> website: https://www.hardening-consulting.com/
>
>
>
> _______________________________________________
> FreeRDP-devel mailing list
> FreeRDP-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/freerdp-devel
>
