Skip to content

Commit

Permalink
Merge pull request from GHSA-7w22-h4w7-8j5j
Browse files Browse the repository at this point in the history
Enforce no login screen if require_credentials is set
  • Loading branch information
metalefty authored Jul 11, 2024
2 parents d6fce2f + 61b509f commit a7d583a
Show file tree
Hide file tree
Showing 4 changed files with 36 additions and 11 deletions.
9 changes: 6 additions & 3 deletions docs/man/xrdp.ini.5.in
Original file line number Diff line number Diff line change
Expand Up @@ -133,9 +133,12 @@ by \fBseparator\fP.

.TP
\fBrequire_credentials\fP=\fI[true|false]\fP
If set to \fB1\fP, \fBtrue\fP or \fByes\fP, \fBxrdp\fP requires clients to include username and
password initial connection phase. In other words, xrdp doesn't allow clients to show login
screen if set to true. If not specified, defaults to \fBfalse\fP.
If set to \fB1\fP, \fBtrue\fP or \fByes\fP, \fBxrdp\fP requires clients
to include username and password initial connection phase. In other
words, xrdp doesn't allow clients to show login screen if set to true.
It follows that an incorrect password will cause the login to immediately
fail without displaying the login screen. If not specified, defaults
to \fBfalse\fP.

.TP
\fBsecurity_layer\fP=\fI[tls|rdp|negotiate]\fP
Expand Down
27 changes: 20 additions & 7 deletions libxrdp/xrdp_sec.c
Original file line number Diff line number Diff line change
Expand Up @@ -1012,6 +1012,25 @@ xrdp_sec_process_logon_info(struct xrdp_sec *self, struct stream *s)
return 1;
}

// If we require credentials, don't continue if they're not provided
if (self->rdp_layer->client_info.require_credentials)
{
if ((flags & RDP_LOGON_AUTO) == 0)
{
LOG(LOG_LEVEL_ERROR, "Server is configured to require that the "
"client enable auto logon with credentials, but the client did "
"not request auto logon.");
return 1;
}
if (len_user == 0 || len_password == 0)
{
LOG(LOG_LEVEL_ERROR, "Server is configured to require that the "
"client enable auto logon with credentials, but the client did "
"not supply both a username and password.");
return 1;
}
}

if (flags & RDP_LOGON_AUTO)
{
if (ts_info_utf16_in(s, len_password, self->rdp_layer->client_info.password, sizeof(self->rdp_layer->client_info.password)) != 0)
Expand All @@ -1033,18 +1052,12 @@ xrdp_sec_process_logon_info(struct xrdp_sec *self, struct stream *s)
}
else
{
// Skip the password
if (!s_check_rem_and_log(s, len_password + 2, "Parsing [MS-RDPBCGR] TS_INFO_PACKET Password"))
{
return 1;
}
in_uint8s(s, len_password + 2);
if (self->rdp_layer->client_info.require_credentials)
{
LOG(LOG_LEVEL_ERROR, "Server is configured to require that the "
"client enable auto logon with credentials, but the client did "
"not request auto logon.");
return 1; /* credentials on cmd line is mandatory */
}
}
if (self->rdp_layer->client_info.domain_user_separator[0] != '\0'
&& self->rdp_layer->client_info.domain[0] != '\0')
Expand Down
3 changes: 2 additions & 1 deletion xrdp/xrdp.ini.in
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,8 @@ max_bpp=32
new_cursors=true
; fastpath - can be 'input', 'output', 'both', 'none'
use_fastpath=both
; when true, userid/password *must* be passed on cmd line
; when true, userid/password *must* be passed on cmd line. If the password
; is incorrect, the login will fail
#require_credentials=true
; when true, the userid will be used to try to authenticate
#enable_token_login=true
Expand Down
8 changes: 8 additions & 0 deletions xrdp/xrdp_mm.c
Original file line number Diff line number Diff line change
Expand Up @@ -2687,6 +2687,14 @@ xrdp_mm_process_login_response(struct xrdp_mm *self)
self->wm->pamerrortxt);
}

if (self->wm->client_info->require_credentials)
{
/* Credentials had to be specified, but were invalid */
g_set_wait_obj(self->wm->pro_layer->self_term_event);
LOG(LOG_LEVEL_ERROR, "require_credentials is set, "
"but the user could not be logged in");
}

if (server_closed)
{
if (login_result == E_SCP_LOGIN_NOT_AUTHENTICATED)
Expand Down

0 comments on commit a7d583a

Please sign in to comment.