sendnrw/netbird
2
0
Fork 0
mirror of https://github.com/netbirdio/netbird.git synced 2026-04-16 07:16:38 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
c5186f14836719f4672db6d21cd39aa8980a6c5c
netbird/client/rdp/server/protocol.go
Claude c5186f1483 [client] Add RDP token passthrough for passwordless Windows Remote Desktop 
Implement sideband authorization and credential provider architecture for
passwordless RDP access to Windows peers via NetBird.

Go components:
- Sideband RDP auth server (TCP on WG interface, port 3390/22023)
- Pending session store with TTL expiry and replay protection
- Named pipe IPC server (\\.\pipe\netbird-rdp-auth) for credential provider
- Sideband client for connecting peer to request authorization
- CLI command `netbird rdp [user@]host` with JWT auth flow
- Engine integration with DNAT port redirection

Rust credential provider DLL (client/rdp/credprov/):
- COM DLL implementing ICredentialProvider + ICredentialProviderCredential
- Loaded by Windows LogonUI.exe at the RDP login screen
- Queries NetBird agent via named pipe for pending sessions
- Performs S4U logon (LsaLogonUser) for passwordless Windows token creation
- Self-registration via regsvr32 (DllRegisterServer/DllUnregisterServer)

https://claude.ai/code/session_01C38bCDyYzLgxYLVwJkcUng
2026-04-11 17:15:42 +00:00

49 lines
1.8 KiB
Go
Raw Blame History

package server
// AuthRequest is the sideband authorization request sent by the connecting peer
// to the target peer's RDP auth server over the WireGuard tunnel.
type AuthRequest struct {
JWTToken string `json:"jwt_token"`
RequestedUser string `json:"requested_user"`
ClientPeerIP string `json:"client_peer_ip"`
Nonce string `json:"nonce"`
}
// AuthResponse is the sideband authorization response sent by the target peer
// back to the connecting peer.
type AuthResponse struct {
Status string `json:"status"` // "authorized" or "denied"
SessionID string `json:"session_id,omitempty"`
ExpiresAt int64 `json:"expires_at,omitempty"` // unix timestamp
OSUser string `json:"os_user,omitempty"`
Reason string `json:"reason,omitempty"`
}
// PipeRequest is the IPC request from the Credential Provider DLL to the NetBird agent
// via the named pipe.
type PipeRequest struct {
Action string `json:"action"` // "query_pending" or "consume"
RemoteIP string `json:"remote_ip"` // connecting peer's WG IP
SessionID string `json:"session_id,omitempty"` // for consume action
}
// PipeResponse is the IPC response from the NetBird agent to the Credential Provider DLL.
type PipeResponse struct {
Found bool `json:"found"`
SessionID string `json:"session_id,omitempty"`
OSUser string `json:"os_user,omitempty"`
Domain string `json:"domain,omitempty"`
}
const (
// StatusAuthorized indicates the RDP session was authorized.
StatusAuthorized = "authorized"
// StatusDenied indicates the RDP session was denied.
StatusDenied = "denied"
// PipeActionQuery queries for a pending session by remote IP.
PipeActionQuery = "query_pending"
// PipeActionConsume marks a pending session as consumed.
PipeActionConsume = "consume"
)
Reference in New Issue View Git Blame Copy Permalink