** Description changed:

  [ Impact ]
  
  * Attempting to use smartcard-logon with `/sec:nla` causes
  authentication to fail.
  
  * For Active Directory domains with mandatory smartcard logon and NLA
  enforced, users are unable to use freerdp to connect.
  
  [ Test Plan ]
  
  1. Set up a Windows user with smartcard login on an Active Directory
  Domain[0]
  
  2. Verify smartcard login works without RDP
  
  3. Enable RDP and smartcard login over RDP on Windows host
  
  Open gpedit.msc
  
  Under
  Computer Configuration
-     > Administrative Templates
-     > Windows Components
-     > Remote Desktop Services
-     > Remote Desktop Session Host
-     > Connections
+     > Administrative Templates
+     > Windows Components
+     > Remote Desktop Services
+     > Remote Desktop Session Host
+     > Connections
  
  Enable "Allow users to connect remotely using Remote Desktop Services"
  
  4. Enforce NLA on the Windows host
  
  Again in gpedit.msc
  
  Under
  Computer Configuration
-     > Administrative Templates
-     > Windows Components
-     > Remote Desktop Services
-     > Remote Desktop Session Host
-     > Security
+     > Administrative Templates
+     > Windows Components
+     > Remote Desktop Services
+     > Remote Desktop Session Host
+     > Security
  
  Enable "Require user authentication for remote connections by using
  Network Level Authentication.""
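Review bot: stray second quotation mark at the end of the policy name in step 4; the line should end with `Network Level Authentication."` so the setting name matches what gpedit.msc shows.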
  
  5. Export CA certificate from Windows host and save it to your linux
  machine
  
  Open certlm.msc
  
  Under
  Trusted Root Certification Authorities
-     > Certificates
+     > Certificates
  
  Right click the CA cert for AD (mine is lab-WIN-1F5GLL3AM1S-CA) and select 
All Tasks > Export
  Export the certificate in Base-64 encoded X.509 (.CER) format and then copy 
it over to your linux machine.
  
  ----
  My configuration is using a Windows 2K22 virtual machine with
  ----
  NAME: WIN-1F5GLL3AM1S
  DOMAIN: lab.local
  USERNAME: Administrator
  IP:  10.253.62.235
  CA-PATH: /etc/ssl/certs/lab-domain-ca.pem
  ----
  
  6. Add windows server to /etc/hosts (if DNS not available)
  
  ---
  /etc/hosts
  ---
  ...
  10.253.62.235    win-1f5gll3am1s.lab.local    win-1f5gll3am1s
  ---
  
+ 7. Add krb5 configuration for the Windows host
  
- 7. Add krb5 configuration for the Windows host
+ You'll need to ensure krb5-pkinit is installed, and may also want to install 
krb5-config. On questing or older, make sure that /etc/krb5.conf starts with: 
includedir /etc/krb5.conf.d/
+ (it's there by default on resolute)
  
  ---
  /etc/krb5.conf.d/lab_local
  ---
  [realms]
-     LAB.LOCAL = {
-             kdc = win-1f5gll3am1s.lab.local
-             admin_server = win-1f5gll3am1s.lab.local
-             pkinit_anchors = FILE:/etc/ssl/certs/lab-domain-ca.pem
-             pkinit_pool = FILE:/etc/ssl/certs/lab-domain-ca.pem
-             pkinit_identities = 
PKCS11:/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
-             pkinit_kdc_hostname = win-1f5gll3am1s.lab.local
-         }
+     LAB.LOCAL = {
+             kdc = win-1f5gll3am1s.lab.local
+             admin_server = win-1f5gll3am1s.lab.local
+             pkinit_anchors = FILE:/etc/ssl/certs/lab-domain-ca.pem
+             pkinit_pool = FILE:/etc/ssl/certs/lab-domain-ca.pem
+             pkinit_identities = 
PKCS11:/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
+             pkinit_kdc_hostname = win-1f5gll3am1s.lab.local
+         }
  ---
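Review bot: in the krb5 fragment for step 7, `pkinit_identities = PKCS11:/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so` has been wrapped onto two lines in the description, but krb5.conf requires the key and its value on one line, so a reader copying this verbatim gets a parse error; also worth stating that the module path is the amd64 multiarch location and differs on other architectures (for example the `aarch64-linux-gnu` triplet on arm64), since the test plan otherwise reads as architecture-neutral.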
  
  8. Connect to the Windows host using freerdp with smartcard login and
  NLA enforced:
  
- 
  ---
  wlfreerdp /v:WIN-1F5GLL3AM1S.lab.local \
-     /u:Administrator \
-     /d:lab.local \
-     /smartcard-logon
+     /u:Administrator \
+     /d:lab.local \
+     /smartcard-logon
  ---
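Review bot: the wlfreerdp command in step 8 does not pass `/sec:nla`, even though the Impact section names `/sec:nla` as the failing case; with NLA enforced on the host the default negotiation should select NLA anyway, but adding `/sec:nla` to the command (or saying explicitly that the default negotiation is relied upon) pins the reproduction to the exact protocol path the error log at `transport_connect_nla` comes from.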
  
  ---
  Expected Output (Logon succeeds)
  ---
  ...
  [17:47:54:269] [3203:00000ca7] [INFO][com.freerdp.channels.rdpdr.client] - 
[device_announce]: registered [smartcard] device #1: SCARD (type=32 id= 1)
  [17:47:54:272] [3203:00000ca7] [INFO][com.freerdp.channels.rdpdr.client] - 
[device_announce]: registered [smartcard] device #1: SCARD (type=32 id= 1)
  [17:47:54:272] [3203:00000ca7] [INFO][com.freerdp.channels.rdpdr.client] - 
[device_announce]: registered [smartcard] device #1: SCARD (type=32 id= 1)
  ---
  
  ---
  Actual Output (Logon fails)
  ---
  ...
  [14:23:18:881] [24609:00006021] [ERROR][com.freerdp.smartcardlogon] - 
[smartcard_getCert]: no suitable smartcard certificates were found
  [14:23:18:881] [24609:00006021] [ERROR][com.freerdp.core.nla] - 
[nla_adjust_settings_from_smartcard]: unable to get smartcard certificate for 
logon
  [14:23:18:881] [24609:00006021] [ERROR][com.freerdp.core.transport] - 
[transport_connect_nla]: NLA begin failed
  ...
  ---
  
  [ Where problems could occur ]
  
  Should there be any regression in the RDP functionality of freerdp, it
  is likely to break many Ubuntu RDP clients which depend on freerdp, such
  as Remmina and KRDC. Looking at the reverse dependencies of freerdp,
  they are all RDP clients, security tools to brute force remote logon, or
  Weston. So impact is likely restricted to using RDP to log in to Windows
  systems.
  
  This change is restricted to the code under libwinpr/ncrypt and enables
  functionality which would previously return ERROR_NOT_SUPPORTED. Tracing
  the callgraph from `freerdp_connect` with cflow the only cases that
  should see differing behavior are smartcard logon with NLA and remote
  desktop gateway connection with smartcard logon enabled. Neither case
  works prior to this change, as they both call into functions that return
  ERROR_NOT_SUPPORTED. This greatly restricts the surface area for
  regressions.
  
  The most likely issue to occur, is that the newly enabled smartcard
  functionality does not always work correctly. Mostly this would result
  in users not being able to connect, which they already can't do.
  Potentially, if the PKCS11 broke in a way that supplied an invalid PIN,
  users could be locked out of their smart cards.
  
- 
  [ Other Info ]
  
  There are two issues at play here:
  
  * One is that debian packaging builds freerdp on Ubuntu with PKCS11 support 
disabled.
-     - This is a one line change in `debian/rules` to fix for the SRU
-     - I've also filed a bug report with debian to try to update the packaging 
(#1140689).
+     - This is a one line change in `debian/rules` to fix for the SRU
+     - I've also filed a bug report with debian to try to update the packaging 
(#1140689).
  * Secondly, there is an upstream fix for PIV smartcards[1] that is required 
to properly match container names on PIV smartcards.
-     - This was merged in upstream version 3.25.0 and is thus already included 
in stonking, which ships 3.27.1 from debian.
+     - This was merged in upstream version 3.25.0 and is thus already included 
in stonking, which ships 3.27.1 from debian.
  
  The added upstream patch modifies only
  `winpr/libwinpr/ncrypt/ncrypt_pkcs11.c`.
  
  [0]: 
https://support.yubico.com/s/article/Setting-up-Windows-Server-for-YubiKey-PIV-authentication
  [1]: 
https://github.com/freerdp/freerdp/commit/60526def6d34ee505ca7b079cd0586dc1794142e

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2158175

Title:
  [SRU] smartcard-logon does not work with NLA

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freerdp3/+bug/2158175/+subscriptions


-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs