rdpgw/docs/pam-authentication.md
2025-09-18 22:36:04 +02:00

# PAM/Local Authentication
![PAM](images/flow-pam.svg)
RDPGW supports PAM (Pluggable Authentication Modules) for authentication against local accounts, LDAP, Active Directory, and other PAM-supported systems.
## Important Notes
**⚠️ Client Limitation**: The default Windows client `mstsc` does not support basic authentication. Use alternative clients or switch to OpenID Connect, Kerberos, or NTLM authentication.
**⚠️ Container Considerations**: Using PAM for passwd authentication within containers is not recommended. Use OpenID Connect or Kerberos instead. For LDAP/AD authentication, PAM works well in containers.
## Architecture
PAM authentication uses a privilege separation model with the `rdpgw-auth` helper program:
- `rdpgw` - Main gateway (runs as unprivileged user)
- `rdpgw-auth` - Authentication helper (runs as root or setuid)
- Communication via Unix socket
## Configuration
### 1. PAM Service Configuration
Create `/etc/pam.d/rdpgw` for the authentication service:
**Local passwd authentication:**
```plaintext
auth required pam_unix.so
account required pam_unix.so
```
**LDAP authentication:**
```plaintext
auth required pam_ldap.so
account required pam_ldap.so
```
**Active Directory (via Winbind):**
```plaintext
auth sufficient pam_winbind.so
account sufficient pam_winbind.so
```
### 2. Gateway Configuration
```yaml
Server:
  Authentication:
    - local
  AuthSocket: /tmp/rdpgw-auth.sock
  BasicAuthTimeout: 5 # seconds
Caps:
  TokenAuth: false
```
### 3. Start Authentication Helper
Run the `rdpgw-auth` helper program:
```bash
# Basic usage
./rdpgw-auth -n rdpgw -s /tmp/rdpgw-auth.sock
# With custom PAM service name
./rdpgw-auth -n custom-service -s /tmp/rdpgw-auth.sock
# Run as systemd service
systemctl start rdpgw-auth
```
## Authentication Flow
1. Client connects to gateway with username/password
2. Gateway forwards credentials to `rdpgw-auth` via socket
3. `rdpgw-auth` validates credentials using PAM
4. Gateway generates session tokens on successful authentication
5. Client connects directly using authenticated session
## PAM Module Examples
### LDAP Integration
Install the LDAP PAM module:
```bash
# Install LDAP PAM module
sudo apt-get install libpam-ldap
```
Then configure `/etc/pam_ldap.conf`:
```plaintext
host ldap.example.com
base dc=example,dc=com
binddn cn=readonly,dc=example,dc=com
bindpw secret
```
### Active Directory Integration
Install the Winbind PAM module:
```bash
# Install Winbind
sudo apt-get install winbind libpam-winbind
```
Then configure `/etc/samba/smb.conf`:
```ini
[global]
security = ads
realm = EXAMPLE.COM
workgroup = EXAMPLE
```
### Two-Factor Authentication
Integrate with TOTP/HOTP using pam_oath:
```plaintext
auth required pam_oath.so usersfile=/etc/users.oath
auth required pam_unix.so
account required pam_unix.so
```
## Container Deployment
### Option 1: External Helper
Run `rdpgw-auth` on the host and mount socket:
```yaml
# docker-compose.yml
services:
  rdpgw:
    image: rdpgw
    volumes:
      - /tmp/rdpgw-auth.sock:/tmp/rdpgw-auth.sock
```
### Option 2: Privileged Container
Mount PAM configuration and user databases:
```yaml
services:
  rdpgw:
    image: rdpgw
    privileged: true
    volumes:
      - /etc/passwd:/etc/passwd:ro
      - /etc/shadow:/etc/shadow:ro
      - /etc/pam.d:/etc/pam.d:ro
```
## Systemd Service
Create `/etc/systemd/system/rdpgw-auth.service`:
```ini
[Unit]
Description=RDPGW Authentication Helper
After=network.target
[Service]
Type=simple
User=root
ExecStart=/usr/local/bin/rdpgw-auth -n rdpgw -s /tmp/rdpgw-auth.sock
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target
```
Enable and start the service:
```bash
sudo systemctl enable rdpgw-auth
sudo systemctl start rdpgw-auth
```
## Compatible Clients
Since `mstsc` doesn't support basic authentication, use these alternatives:
### Windows
- **Remote Desktop Connection Manager** (RDCMan)
- **mRemoteNG**
- **Royal TS/TSX**
### Linux
- **Remmina**
- **FreeRDP** (with basic auth support)
- **KRDC**
### macOS
- **Microsoft Remote Desktop** (from App Store)
- **Royal TSX**
## Security Considerations
- Run `rdpgw-auth` with minimal privileges
- Secure the Unix socket with appropriate permissions
- Use strong PAM configurations (account lockout, password complexity)
- Enable logging for authentication events
- Consider rate limiting for brute force protection
- Use encrypted connections (TLS) for the gateway
## Troubleshooting
### Common Issues
1. **Socket Permission Denied**: Check socket permissions and ownership
2. **PAM Authentication Failed**: Verify PAM configuration and user credentials
3. **Helper Not Running**: Ensure `rdpgw-auth` is running and accessible
### Debug Commands
```bash
# Test PAM configuration
pamtester rdpgw username authenticate
# Check socket
ls -la /tmp/rdpgw-auth.sock
# Verify helper process
ps aux | grep rdpgw-auth
# Test authentication manually
echo "username:password" | nc -U /tmp/rdpgw-auth.sock
```
### Log Analysis
Enable PAM logging in `/etc/rsyslog.conf`:
```plaintext
auth,authpriv.* /var/log/auth.log
```
Monitor authentication attempts:
```bash
tail -f /var/log/auth.log | grep rdpgw
```
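As an added example (not part of the rdpgw project), the following Python script turns the `grep` above into the brute-force check suggested under Security Considerations: it parses `pam_unix` "authentication failure" lines for the `rdpgw` PAM service and flags users with repeated failures inside a sliding time window. It assumes the standard pam_unix syslog format; the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log lines in the standard pam_unix
# format as they would appear for the "rdpgw" PAM service; not captured
# from a real system.
SAMPLE_LOG = """\
Sep 18 22:36:04 gw rdpgw-auth[1234]: pam_unix(rdpgw:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=alice
Sep 18 22:36:09 gw rdpgw-auth[1234]: pam_unix(rdpgw:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=alice
Sep 18 22:36:15 gw rdpgw-auth[1234]: pam_unix(rdpgw:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=alice
Sep 18 22:36:21 gw rdpgw-auth[1234]: pam_unix(rdpgw:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=alice
Sep 18 22:36:30 gw rdpgw-auth[1234]: pam_unix(rdpgw:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=alice
Sep 18 22:40:02 gw rdpgw-auth[1234]: pam_unix(rdpgw:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=bob
Sep 18 22:41:00 gw sshd[999]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=carol
"""

# Syslog timestamp, host, process, then the pam_unix failure message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+: "
    r"pam_unix\((?P<service>[^:]+):auth\): authentication failure;.*? user=(?P<user>\S*)"
)

def parse_failures(text, service="rdpgw", year=2025):
    """Return (timestamp, user) for every pam_unix auth failure of `service`."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("service") != service:
            continue  # other PAM services (e.g. sshd) are ignored
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        out.append((ts, m.group("user")))
    return out

def brute_force_candidates(failures, threshold=5, window_s=60):
    """Users with >= threshold failures inside any window of window_s seconds."""
    by_user = defaultdict(list)
    for ts, user in failures:
        by_user[user].append(ts)
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = end - start + 1
                break
    return flagged
```

Point `parse_failures` at the contents of `/var/log/auth.log` to run it against a real gateway; the year is taken as an argument because the syslog timestamp omits it.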