[client] Add RDP token passthrough for passwordless Windows Remote Desktop

Implement sideband authorization and credential provider architecture for passwordless RDP access to Windows peers via NetBird. Go components: - Sideband RDP auth server (TCP on WG interface, port 3390/22023) - Pending session store with TTL expiry and replay protection - Named pipe IPC server (\\.\pipe\netbird-rdp-auth) for credential provider - Sideband client for connecting peer to request authorization - CLI command `netbird rdp [user@]host` with JWT auth flow - Engine integration with DNAT port redirection Rust credential provider DLL (client/rdp/credprov/): - COM DLL implementing ICredentialProvider + ICredentialProviderCredential - Loaded by Windows LogonUI.exe at the RDP login screen - Queries NetBird agent via named pipe for pending sessions - Performs S4U logon (LsaLogonUser) for passwordless Windows token creation - Self-registration via regsvr32 (DllRegisterServer/DllUnregisterServer) https://claude.ai/code/session_01C38bCDyYzLgxYLVwJkcUng
2026-04-18 08:16:39 +00:00 · 2026-04-11 17:15:42 +00:00
parent 5259e5df51
commit c5186f1483
21 changed files with 2883 additions and 0 deletions
--- a/client/rdp/server/protocol.go
+++ b/client/rdp/server/protocol.go
@@ -0,0 +1,48 @@
+package server
+
+// AuthRequest is the sideband authorization request sent by the connecting peer
+// to the target peer's RDP auth server over the WireGuard tunnel.
+type AuthRequest struct {
+	JWTToken      string `json:"jwt_token"`
+	RequestedUser string `json:"requested_user"`
+	ClientPeerIP  string `json:"client_peer_ip"`
+	Nonce         string `json:"nonce"`
+}
+
+// AuthResponse is the sideband authorization response sent by the target peer
+// back to the connecting peer.
+type AuthResponse struct {
+	Status    string `json:"status"`              // "authorized" or "denied"
+	SessionID string `json:"session_id,omitempty"`
+	ExpiresAt int64  `json:"expires_at,omitempty"` // unix timestamp
+	OSUser    string `json:"os_user,omitempty"`
+	Reason    string `json:"reason,omitempty"`
+}
+
+// PipeRequest is the IPC request from the Credential Provider DLL to the NetBird agent
+// via the named pipe.
+type PipeRequest struct {
+	Action    string `json:"action"`               // "query_pending" or "consume"
+	RemoteIP  string `json:"remote_ip"`             // connecting peer's WG IP
+	SessionID string `json:"session_id,omitempty"` // for consume action
+}
+
+// PipeResponse is the IPC response from the NetBird agent to the Credential Provider DLL.
+type PipeResponse struct {
+	Found     bool   `json:"found"`
+	SessionID string `json:"session_id,omitempty"`
+	OSUser    string `json:"os_user,omitempty"`
+	Domain    string `json:"domain,omitempty"`
+}
+
+const (
+	// StatusAuthorized indicates the RDP session was authorized.
+	StatusAuthorized = "authorized"
+	// StatusDenied indicates the RDP session was denied.
+	StatusDenied = "denied"
+
+	// PipeActionQuery queries for a pending session by remote IP.
+	PipeActionQuery = "query_pending"
+	// PipeActionConsume marks a pending session as consumed.
+	PipeActionConsume = "consume"
+)