Add xrdp-ssh-agent.c which forwards ssh-agent protocol over an RDP
dynamic virtual channel, just as the normal ssh-agent forwards it over
an SSH channel.
Usage:
Run an RDP client with the corresponding plugin enabled; for example
"xfreerdp /ssh-agent ...".
In the remote desktop session run xrdp-ssh-agent and evaluate the output
in the shell as for ssh-agent to set the required environment variables
(specifically $SSH_AUTH_SOCK):
eval "$(xrdp-ssh-agent -s)"
This is the same as for the normal ssh-agent. You would typically do
this in your Xsession or /etc/xrdp/startwm.sh.
Limitations:
1. Error checking and handling could be improved.
2. This stays running when the xrdp session closes. This should be
fixed using a command line argument as for the real ssh-agent.
3. This is only tested on Linux and will only work on systems where
clients talk to the ssh-agent via Unix domain sockets. It won't
currently work on Windows but it could be ported.
* Initialise inode table in `xfuse_create_share()` if necessary
* Add guard to `xfuse_init_xrdp_fs()` to prevent double initialisation of the inode table
such as prefill username and password:
username=ask{base64}YmFzZTY0
username={base64}YmFzZTY0
password=ask{base64}YmFzZTs2NCFwYXNzd29yZCM=
password={base64}YmFzZTs2NCFwYXNzd29yZCM=
';', '#', '!' means comment in .ini files. If prefill username or
password contains such symbols, these can be provided base64 encoded.
If you run xrdp with a Unix Domain Socket (UDS) for the port specified in
/etc/xrdp/xrdp.ini then only root can connect to it.
Test case:
1. Edit /etc/xrdp/xrdp.ini to set "port=/var/run/xrdp-local.socket".
2. Restart xrdp.
3. Run the following, as a non-root user.
socat TCP-LISTEN:12345 UNIX-CONNECT:/var/run/xrdp-local.socket &
rdesktop localhost:12345
Expected behaviour: rdesktop starts up and displays the logon dialog.
Observed behaviour: rdesktop exits with "ERROR: Connection closed" and
socat exits with "Permission denied". (But it suceeds if root runs
socat.)
UDS files are created by trans_listen_address() and given permissions
0660, so only root can connect to it. In this case, for the RDP client
connection, it it fine for any user to connect so it should be given
permissions 0666.
Note that this is only relevant when the port in /etc/xrdp/xrdp.ini has
been set to create a UDS instead of a TCP socket. When a TCP port is
created any user (including remote users, unless the loopback interface
is used) can connect so this is not less secure.
Ben Cohen
Koichiro IWAO
Felix Zhang
Oscar Salvador
cocoon
speidy
Jay Sorg
matt335672
Ian Geiser