Hi All,

Today I checked the version from master. I see a lot of work on Kerberos support. I have a question: why does the client ask for the password? I have a principal ticket; this should be enough for Kerberos authentication.
Client logs:

[DEBUG][com.freerdp.core.nego] - [nego_set_negotiation_enabled]: Enabling security layer negotiation: TRUE
[DEBUG][com.freerdp.core.nego] - [nego_set_restricted_admin_mode_required]: Enabling restricted admin mode: FALSE
[DEBUG][com.freerdp.core.nego] - [nego_enable_rdp]: Enabling RDP security: TRUE
[DEBUG][com.freerdp.core.nego] - [nego_enable_tls]: Enabling TLS security: TRUE
[DEBUG][com.freerdp.core.nego] - [nego_enable_nla]: Enabling NLA security: TRUE
[DEBUG][com.freerdp.core.nego] - [nego_enable_ext]: Enabling NLA extended security: FALSE
[DEBUG][com.freerdp.core.connection] - [rdp_client_transition_to_state]: CONNECTION_STATE_INITIAL --> CONNECTION_STATE_NEGO
[DEBUG][com.freerdp.core.nego] - [nego_connect]: state: NEGO_STATE_NLA
[DEBUG][com.freerdp.core.nego] - [nego_attempt_nla]: Attempting NLA security
[DEBUG][com.freerdp.core] - [freerdp_set_last_error_ex]: freerdp_tcp_is_hostname_resolvable resetting error state
[DEBUG][com.freerdp.core] - [freerdp_set_last_error_ex]: freerdp_tcp_default_connect resetting error state
[DEBUG][com.freerdp.core] - [freerdp_tcp_default_connect]: connecting to peer 192.168.55.110
[DEBUG][com.freerdp.core.nego] - [nego_send_negotiation_request]: RequestedProtocols: 3
[DEBUG][com.freerdp.core.nego] - [nego_process_negotiation_response]: RDP_NEG_RSP::flags = { [0x03] |EXTENDED_CLIENT_DATA_SUPPORTED|DYNVC_GFX_PROTOCOL_SUPPORTED }
[DEBUG][com.freerdp.core.nego] - [nego_recv]: selected_protocol: 2
[DEBUG][com.freerdp.core.nego] - [nego_attempt_nla]: state: NEGO_STATE_FINAL
[DEBUG][com.freerdp.core.nego] - [nego_connect]: Negotiated NLA security
[DEBUG][com.freerdp.core.nego] - [nego_security_connect]: nego_security_connect with PROTOCOL_HYBRID
[DEBUG][com.freerdp.crypto] - [useKnownHosts]: known_hosts=1
[DEBUG][com.freerdp.core.nla] - [nla_set_state]: -- NLA_STATE_INITIAL --> NLA_STATE_INITIAL
[DEBUG][com.winpr.sspi] - [InitSecurityInterfaceExA]: InitSecurityInterfaceExA
[DEBUG][com.freerdp.core.auth] - [credssp_auth_init]: Using package: Negotiate (cbMaxToken: 12256 bytes)
[DEBUG][com.winpr.utils] - [SamOpen]: Could not open SAM file! Password: ????
[DEBUG][com.freerdp.core.auth] - [credssp_auth_setup_client]: Acquired client credentials
[DEBUG][com.winpr.negotiate] - [negotiate_InitializeSecurityContextW]: Available mechanism: Kerberos user to user (1.2.840.113554.1.2.2.3)
[DEBUG][com.winpr.negotiate] - [negotiate_InitializeSecurityContextW]: Available mechanism: Kerberos (1.2.840.113554.1.2.2)
[DEBUG][com.winpr.negotiate] - [negotiate_InitializeSecurityContextW]: Available mechanism: NTLM (1.3.6.1.4.1.311.2.2.10)
[DEBUG][com.winpr.negotiate] - [negotiate_write_neg_token]: Writing negTokenInit...
[DEBUG][com.winpr.negotiate] - [negotiate_write_neg_token]: mechTypes [0] (37 bytes)
[DEBUG][com.winpr.negotiate] - [negotiate_write_neg_token]: mechToken [2] (71 bytes)
[DEBUG][com.freerdp.core.auth] - [credssp_auth_authenticate]: Authentication in progress... (output token size: 128)
[DEBUG][com.freerdp.core.nla] - [nla_send]: ----->> sending...
[DEBUG][com.freerdp.core.nla] - [nla_send]: ----->> protocol version 6
[DEBUG][com.freerdp.core.nla] - [nla_write_octet_string]: ----->> negoToken
[DEBUG][com.freerdp.core.nla] - [nla_write_octet_string]: ----->> client nonce
[DEBUG][com.freerdp.core.nla] - [nla_send]: [187 bytes]
[DEBUG][com.freerdp.core.nla] - [nla_set_state]: -- NLA_STATE_INITIAL --> NLA_STATE_NEGO_TOKEN
[DEBUG][com.freerdp.core.connection] - [rdp_client_transition_to_state]: CONNECTION_STATE_NEGO --> CONNECTION_STATE_NLA
[DEBUG][com.freerdp.core.nla] - [nla_decode_ts_request]: <<----- receiving...
[DEBUG][com.freerdp.core.nla] - [nla_decode_ts_request]: <<----- protocol version 6
[DEBUG][com.freerdp.core.nla] - [nla_decode_ts_request]: <<----- nego token
[DEBUG][com.winpr.negotiate] - [negotiate_read_neg_token]: Reading negTokenResp...
[DEBUG][com.winpr.negotiate] - [negotiate_read_neg_token]: negState [0] (1)
[DEBUG][com.winpr.negotiate] - [negotiate_read_neg_token]: supportedMech [1] (Kerberos user to user (1.2.840.113554.1.2.2.3))
[DEBUG][com.winpr.negotiate] - [negotiate_read_neg_token]: mechToken [2] (391 bytes)
[DEBUG][com.winpr.negotiate] - [negotiate_InitializeSecurityContextW]: Negotiated mechanism: Kerberos user to user (1.2.840.113554.1.2.2.3)
[DEBUG][com.winpr.negotiate] - [negotiate_write_neg_token]: Writing negTokenResp...
[DEBUG][com.winpr.negotiate] - [negotiate_write_neg_token]: mechToken [2] (590 bytes)
[DEBUG][com.freerdp.core.auth] - [credssp_auth_authenticate]: Authentication in progress... (output token size: 606)
[DEBUG][com.freerdp.core.nla] - [nla_send]: ----->> sending...
[DEBUG][com.freerdp.core.nla] - [nla_send]: ----->> protocol version 6
[DEBUG][com.freerdp.core.nla] - [nla_write_octet_string]: ----->> negoToken
[DEBUG][com.freerdp.core.nla] - [nla_write_octet_string]: ----->> client nonce
[DEBUG][com.freerdp.core.nla] - [nla_send]: [671 bytes]
[DEBUG][com.freerdp.core.nla] - [nla_decode_ts_request]: <<----- receiving...
[DEBUG][com.freerdp.core.nla] - [nla_decode_ts_request]: <<----- protocol version 6
[DEBUG][com.freerdp.core.nla] - [nla_decode_ts_request]: <<----- nego token
[DEBUG][com.winpr.negotiate] - [negotiate_read_neg_token]: Reading negTokenResp...
[DEBUG][com.winpr.negotiate] - [negotiate_read_neg_token]: negState [0] (0)
[DEBUG][com.winpr.negotiate] - [negotiate_read_neg_token]: mechToken [2] (157 bytes)
[DEBUG][com.freerdp.core.auth] - [credssp_auth_authenticate]: Authentication complete (output token size: 0 bytes)
[DEBUG][com.freerdp.core.auth] - [credssp_auth_authenticate]: Context sizes: cbMaxSignature=28, cbSecurityTrailer=60
[DEBUG][com.freerdp.core.nla] - [nla_send]: ----->> sending...
[DEBUG][com.freerdp.core.nla] - [nla_send]: ----->> protocol version 6
[DEBUG][com.freerdp.core.nla] - [nla_write_octet_string]: ----->> public key auth
[DEBUG][com.freerdp.core.nla] - [nla_write_octet_string]: ----->> client nonce
[DEBUG][com.freerdp.core.nla] - [nla_send]: [140 bytes]
[DEBUG][com.freerdp.core.nla] - [nla_set_state]: -- NLA_STATE_NEGO_TOKEN --> NLA_STATE_PUB_KEY_AUTH
[DEBUG][com.freerdp.core.nla] - [nla_decode_ts_request]: <<----- receiving...
[DEBUG][com.freerdp.core.nla] - [nla_decode_ts_request]: <<----- protocol version 6
[DEBUG][com.freerdp.core.nla] - [nla_decode_ts_request]: <<----- nego token
[DEBUG][com.freerdp.core.nla] - [nla_decode_ts_request]: <<----- public key auth
[DEBUG][com.freerdp.core.nla] - [nla_send]: ----->> sending...
[DEBUG][com.freerdp.core.nla] - [nla_send]: ----->> protocol version 6
[DEBUG][com.freerdp.core.nla] - [nla_write_octet_string]: ----->> auth info
[DEBUG][com.freerdp.core.nla] - [nla_write_octet_string]: ----->> client nonce
[DEBUG][com.freerdp.core.nla] - [nla_send]: [181 bytes]
[DEBUG][com.freerdp.core.nla] - [nla_set_state]: -- NLA_STATE_PUB_KEY_AUTH --> NLA_STATE_AUTH_INFO
[DEBUG][com.freerdp.core.nla] - [nla_set_state]: -- NLA_STATE_AUTH_INFO --> NLA_STATE_FINAL
[DEBUG][com.freerdp.core.connection] - [rdp_client_transition_to_state]: CONNECTION_STATE_NLA --> CONNECTION_STATE_MCS_CREATE_REQUEST

Also, if I use the option "/auth-pkg-list:!ntlm,kerberos", the client crashes.

Thread 2 "xfreerdp" received signal SIGSEGV, Segmentation fault.
(gdb) bt
#0  0x00007ffff5ca9fd6 in __strcmp_sse42 () from /usr/bin/../lib64/libc.so.6
#1  0x00007ffff5ff94e7 in negotiate_AcquireCredentialsHandleA (pszPrincipal=0x0, pszPackage=0x7fffe0c6b990 "Negotiate", fCredentialUse=2, pvLogonID=0x0, pAuthData=0x7fffe5405670, pGetKeyFn=0x0, pvGetKeyArgument=0x0, phCredential=0x7fffe0c70268, ptsExpiry=0x0) at freerdp-3.0.0/winpr/libwinpr/sspi/Negotiate/negotiate.c:1418
#2  0x00007ffff5fff3c9 in winpr_AcquireCredentialsHandleA (pszPrincipal=0x0, pszPackage=0x7fffe0c6b990 "Negotiate", fCredentialUse=2, pvLogonID=0x0, pAuthData=0x7fffe5405670, pGetKeyFn=0x0, pvGetKeyArgument=0x0, phCredential=0x7fffe0c70268, ptsExpiry=0x0) at freerdp-3.0.0/winpr/libwinpr/sspi/sspi_winpr.c:1327

> On 01/02/2023 at 09:44, Andrey Af via FreeRDP-devel wrote:
> > Hi All!
> >
> > I built FreeRDP 2.8.1 with the flag WITH_GSSAPI=ON. And for
> > freerdp-shadow, I made a keytab with the TERMSRV/hostname@REALM
> > principal. I use the environment variable KRB5_KTNAME. I run
> > freerdp-shadow-cli and I don't see gss_xxx in the logs. Can I conclude
> > that the use of Kerberos is not implemented for freerdp-shadow?
>
> Hi Andrey,
>
> server-side Kerberos support is only on master (mostly because to accept
> mstsc you need the Kerberos user2user extension), and you must provide
> the keytab to freerdp-shadow-cli with `/keytab:<path>` (on master).
>
> Hint: as long as you see NTLM related messages, you're not taking the
> Kerberos path.
>
> Best regards.
>
> --
> David FORT
> website: https://www.hardening-consulting.com/
>
> _______________________________________________
> FreeRDP-devel mailing list
> FreeRDP-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/freerdp-devel
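A small log-triage script for the question raised in this thread (did the NLA handshake actually go over Kerberos, and did a password prompt appear along the way?), written as an added example; it is not FreeRDP or WinPR code and not part of either poster's message. It applies David's hint mechanically: it separates mechanisms merely *advertised* in negTokenInit from the one the server *selected* in negTokenResp, so that a Kerberos session that still lists NTLM as available is not misread as an NTLM fallback. The line format `[LEVEL][tag] - [function]: message`, the mechanism OIDs and the NLA state names are taken from the log quoted above; `SAMPLE_LOG` is a trimmed copy of that log and `NTLM_FALLBACK_LOG` is a constructed counter-example, not a real capture.

```python
import re
from typing import Dict, List, Optional

# Line shape used by FreeRDP's wlog output at DEBUG level, as seen in the post:
#   [LEVEL][com.freerdp.module] - [function]: message
LOG_RE = re.compile(r"\[(?P<level>\w+)\]\[(?P<tag>[\w.]+)\] - \[(?P<func>\w+)\]: (?P<msg>.*)")
MECH_RE = re.compile(r"(?P<kind>Available|Negotiated) mechanism: (?P<name>.+?) \((?P<oid>[\d.]+)\)")
STATE_RE = re.compile(r"-- (?P<src>NLA_STATE_\w+) --> (?P<dst>NLA_STATE_\w+)")

# SPNEGO mechanism OIDs exactly as the winpr Negotiate package prints them.
KERBEROS_OID = "1.2.840.113554.1.2.2"      # Kerberos; ".3" suffix is Kerberos user-to-user
NTLM_OID = "1.3.6.1.4.1.311.2.2.10"

# Constructed sample: a trimmed copy of the client log quoted in the post, with the
# interactive "Password: ????" prompt interleaved on the SamOpen line as it was there.
SAMPLE_LOG = """\
[DEBUG][com.freerdp.core.nego] - [nego_connect]: Negotiated NLA security
[DEBUG][com.freerdp.core.nla] - [nla_set_state]: -- NLA_STATE_INITIAL --> NLA_STATE_INITIAL
[DEBUG][com.freerdp.core.auth] - [credssp_auth_init]: Using package: Negotiate (cbMaxToken: 12256 bytes)
[DEBUG][com.winpr.utils] - [SamOpen]: Could not open SAM file! Password: ????
[DEBUG][com.winpr.negotiate] - [negotiate_InitializeSecurityContextW]: Available mechanism: Kerberos user to user (1.2.840.113554.1.2.2.3)
[DEBUG][com.winpr.negotiate] - [negotiate_InitializeSecurityContextW]: Available mechanism: Kerberos (1.2.840.113554.1.2.2)
[DEBUG][com.winpr.negotiate] - [negotiate_InitializeSecurityContextW]: Available mechanism: NTLM (1.3.6.1.4.1.311.2.2.10)
[DEBUG][com.freerdp.core.nla] - [nla_set_state]: -- NLA_STATE_INITIAL --> NLA_STATE_NEGO_TOKEN
[DEBUG][com.winpr.negotiate] - [negotiate_InitializeSecurityContextW]: Negotiated mechanism: Kerberos user to user (1.2.840.113554.1.2.2.3)
[DEBUG][com.freerdp.core.auth] - [credssp_auth_authenticate]: Authentication complete (output token size: 0 bytes)
[DEBUG][com.freerdp.core.nla] - [nla_set_state]: -- NLA_STATE_NEGO_TOKEN --> NLA_STATE_PUB_KEY_AUTH
[DEBUG][com.freerdp.core.nla] - [nla_set_state]: -- NLA_STATE_PUB_KEY_AUTH --> NLA_STATE_AUTH_INFO
[DEBUG][com.freerdp.core.nla] - [nla_set_state]: -- NLA_STATE_AUTH_INFO --> NLA_STATE_FINAL
"""

# Constructed counter-example (not a real capture): the server picked NTLM.
NTLM_FALLBACK_LOG = """\
[DEBUG][com.freerdp.core.nego] - [nego_connect]: Negotiated NLA security
[DEBUG][com.winpr.negotiate] - [negotiate_InitializeSecurityContextW]: Available mechanism: NTLM (1.3.6.1.4.1.311.2.2.10)
[DEBUG][com.winpr.negotiate] - [negotiate_InitializeSecurityContextW]: Negotiated mechanism: NTLM (1.3.6.1.4.1.311.2.2.10)
[DEBUG][com.freerdp.core.auth] - [credssp_auth_authenticate]: Authentication complete (output token size: 0 bytes)
"""


def analyze(log_text: str) -> Dict[str, object]:
    """Walk the log once and collect the facts needed to answer 'which path did NLA take?'."""
    offered: List[str] = []          # OIDs the client advertised in negTokenInit
    states: List[str] = []           # NLA state machine transitions, self-loops dropped
    report: Dict[str, object] = {
        "offered": offered,
        "negotiated_oid": None,      # OID the server selected (negTokenResp supportedMech)
        "negotiated_name": None,
        "nla_states": states,
        "ntlm_mentioned": False,     # any NTLM text at all, including 'Available mechanism'
        "password_prompted": False,  # an interactive Password: prompt appeared in the stream
        "auth_complete": False,
    }
    for raw in log_text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if "Password:" in msg:
            report["password_prompted"] = True
        if "NTLM" in msg:
            report["ntlm_mentioned"] = True
        mm = MECH_RE.search(msg)
        if mm:
            if mm.group("kind") == "Available":
                offered.append(mm.group("oid"))
            else:
                report["negotiated_oid"] = mm.group("oid")
                report["negotiated_name"] = mm.group("name")
        sm = STATE_RE.search(msg)
        if sm and sm.group("src") != sm.group("dst"):
            states.append(sm.group("dst"))
        if m.group("func") == "credssp_auth_authenticate" and "Authentication complete" in msg:
            report["auth_complete"] = True
    return report


def took_kerberos_path(report: Dict[str, object]) -> bool:
    """True only if the *selected* mechanism is Kerberos or Kerberos user-to-user."""
    oid: Optional[str] = report["negotiated_oid"]  # type: ignore[assignment]
    return oid is not None and (oid == KERBEROS_OID or oid.startswith(KERBEROS_OID + "."))


def verdict(log_text: str) -> str:
    """'kerberos', 'ntlm' or 'unknown' for a whole client log."""
    report = analyze(log_text)
    if took_kerberos_path(report):
        return "kerberos"
    if report["negotiated_oid"] == NTLM_OID:
        return "ntlm"
    return "unknown"


if __name__ == "__main__":
    for name, text in (("post log", SAMPLE_LOG), ("constructed fallback", NTLM_FALLBACK_LOG)):
        r = analyze(text)
        print(f"{name}: verdict={verdict(text)} negotiated={r['negotiated_name']} "
              f"password_prompted={r['password_prompted']} states={r['nla_states']}")
```

Run against the log from the post the script reports the Kerberos user-to-user path with NTLM only advertised, a completed CredSSP authentication, and a password prompt that appeared right after the SamOpen message; that last flag confirms the observation in the question without explaining it, which is the open point of the thread. A server-side (freerdp-shadow) log can be fed through the same parser as long as it uses the same wlog line shape.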