
smartcard logon

Bernhard Miklautz edited this page Nov 19, 2018 · 1 revision

Logging on with Smartcard Logon

/smartcard-logon

This new option sets the AUTOLOGIN flag to initiate Smartcard Logon authentication, using only RDP protocol security (standard RDP security, negotiated with /sec:rdp). This option does not (yet) implement logging on with Smartcard Logon over the other security protocols (NLA, TLS).

It relies on the smartcard readers redirected with the /smartcard option: the remote host performs the logon against a card in one of the forwarded readers, so at least one reader holding a valid certificate must be redirected.

/smartcard-logon[:rdp]

The rdp parameter is accepted in anticipation of future extensions, where nla or tls could be given to select other Smartcard Logon usage modes (such as Kerberos SSO).

/smartcard

The /smartcard option is extended to take an optional argument to filter the smartcard readers that are redirected.

Why

In some use cases, several smartcard readers are connected to the workstation, some of them containing tokens and certificates that would be invalid or inconsistent for processing by the remote MS-Windows host (to the point of preventing the connection). Those smartcard readers must be excluded from the list forwarded to the RDP server.

How

/smartcard[:substring]

If given no argument, /smartcard redirects all the local smartcard readers. If given a substring, only the smartcard readers whose name contains that substring (matched case-sensitively) are forwarded.

Several /smartcard options can be given; the union of all the selected smartcard readers is then forwarded.

For example with the following readers:

```
$ sudo opensc-tool --list-readers
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    No    PIN pad   XIRING Leo v2 (1234123412) 00 00
1    No    PIN pad   XIRING Leo v2 (4321432133) 01 00
2    Yes             Neowave Weneo [Weneo SIM Reader] (7A7B7C7D) 02 00
```

| Command | Redirected smartcard readers |
|---------|------------------------------|
| xfreerdp /smartcard | ALL (no substring selects all) |
| xfreerdp /smartcard:foo /smartcard | ALL (no substring selects all) |
| xfreerdp /smartcard:00 | ALL (all names contain "00") |
| xfreerdp /smartcard:Leo | XIRING Leo v2 (1234123412) 00 00 and XIRING Leo v2 (4321432133) 01 00 |
| xfreerdp /smartcard:12 | XIRING Leo v2 (1234123412) 00 00 |
| xfreerdp /smartcard:Neo | Neowave Weneo [Weneo SIM Reader] (7A7B7C7D) 02 00 |

Implementation Note

The /smartcard options create and update a single RDPDR_SMARTCARD device structure. This structure contains a deviceFilter, which is a wLinkedList of the specified substrings. If no substring is given, the empty string is put in the linked list, since the empty string is a substring of every string. Once the empty string is in the linked list, no other substrings are added, since they could not select anything the empty string does not already select.

The smartcard_ListReaders[AW]_Call functions (in smartcard_operation.c) retrieve the list of smartcard readers, and apply the filter before forwarding them to the RDP server.
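The following is an added example, not code from FreeRDP, that models the filter semantics described in the How section and the Implementation Note: case-sensitive substring matching, union over several /smartcard options, and the empty-string shortcut when /smartcard is given without an argument. It uses a fixed-size array instead of FreeRDP's wLinkedList, and the function names (filter_add, filter_matches, select_readers) and the bound MAX_FILTERS are hypothetical; the reader names are constructed to match the opensc-tool listing above.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical bound on the number of substrings; FreeRDP's deviceFilter
 * is a growable wLinkedList and has no such limit. */
#define MAX_FILTERS 16

typedef struct
{
	const char* substrings[MAX_FILTERS];
	size_t count;
} reader_filter;

/* Record the substring of one /smartcard[:substring] option.
 * A missing substring (NULL or "") means "forward everything": the filter
 * collapses to the single empty string and later substrings are ignored,
 * because "" already matches every reader name. */
void filter_add(reader_filter* f, const char* substring)
{
	if (f->count == 1 && f->substrings[0][0] == '\0')
		return; /* already matches everything, nothing more to add */
	if (!substring || substring[0] == '\0')
	{
		f->substrings[0] = "";
		f->count = 1;
		return;
	}
	if (f->count < MAX_FILTERS)
		f->substrings[f->count++] = substring;
}

/* Case-sensitive substring match; a reader is forwarded if ANY of the
 * substrings occurs in its name (union of all /smartcard options). */
int filter_matches(const reader_filter* f, const char* reader_name)
{
	for (size_t i = 0; i < f->count; i++)
		if (strstr(reader_name, f->substrings[i]) != NULL)
			return 1;
	return 0;
}

/* Constructed sample reader names, as reported by opensc-tool above. */
static const char* const READERS[] = {
	"XIRING Leo v2 (1234123412) 00 00",
	"XIRING Leo v2 (4321432133) 01 00",
	"Neowave Weneo [Weneo SIM Reader] (7A7B7C7D) 02 00",
};
#define NUM_READERS (sizeof(READERS) / sizeof(READERS[0]))

/* Apply the filter to the sample readers. Returns a bitmask in which bit i
 * is set when READERS[i] would be forwarded to the RDP server. */
unsigned filter_apply(const reader_filter* f)
{
	unsigned mask = 0;
	for (size_t i = 0; i < NUM_READERS; i++)
		if (filter_matches(f, READERS[i]))
			mask |= 1u << i;
	return mask;
}

/* Build a filter from the arguments of successive /smartcard options, in
 * command-line order (NULL stands for /smartcard without a substring). */
unsigned select_readers(const char* const* args, size_t nargs)
{
	reader_filter f = { { 0 }, 0 };
	for (size_t i = 0; i < nargs; i++)
		filter_add(&f, args[i]);
	return filter_apply(&f);
}

int main(void)
{
	/* xfreerdp /smartcard:Leo  -> both XIRING readers, not the Neowave one */
	const char* const leo[] = { "Leo" };
	unsigned mask = select_readers(leo, 1);
	for (size_t i = 0; i < NUM_READERS; i++)
		if (mask & (1u << i))
			printf("forwarded: %s\n", READERS[i]);
	return 0;
}
```

Note that the filter is a pure name match: it says nothing about which card is in a reader, so the operator still has to know which reader holds the certificate the remote host will accept.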
