-
Notifications
You must be signed in to change notification settings - Fork 125
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
No success with tokeninfo #106
Comments
I fixed this is master now (I think). Issue was that the UserTokenSigningKey wasn't used as it makes the token bigger and we have very limited space. So for your version can can remove UserTokenSigningKey and I think it will work. Or switch to the latest image (no release yet) and then signing will be done (with the caveat above). Also the new version supports not signing and just encryption when UserTokenSigningKey is omitted. |
Thanks @bolkedebruin for the quick fix! I had to add the possibility of providing an empty UserTokenSigningKey, now the token based login works nicely. |
Just in case someone else wonders about the limits like me and bashes their head against this... As far as I can see, the reason why the limit is 255 bytes, is that the X.224 length field is a single byte. This is a view into the TCP packet for the initial RDP connection with the .rdp file:
xrdp will note something like:
In case the username field is too long, the single byte length field is simply being rolled over, the It's not that the JWT token has to be less than 511 (or 255) bytes, all of it together hast to fit in the length field. The cookie contains a Signing the Token using
So Hopefully not embarrassing myself on the internet.... 🙄 |
Thanks @BuJo - you did not embarrass yourself. I think you've summarized it pretty well. |
Thanks @BuJo for the explanation - it's good to understand what happens. So basically to make use of a token based SSO, we have to skip the signing part. It's probably not the best from a security standpoint, at least it works on my machine. I had to edit the code to do so, in the current state an empty From my understanding we have to disable |
Not a cryptographer nor security personell, but here is my take: As there is only a single entity for which the token is encrypted to, there is as far as I can see no need for a signature, as there is only one who can encrypt and decrypt it. Only in distributed models, where the multiple entities can encrypt the same thing (for example in public-key cryptography) there is a need for signatures to build trust. It think it's safe to not use the signature. The out of band connection between rdpgw and pam-jwt seems to me the linchpin. The flow of the JWT token: flowchart LR
rdpgw --https--> user
user --> rdp-client
rdp-client --> xrdp
xrdp --> xrdp-sesman
xrdp-sesman --> pam-jwt
pam-jwt --https--> rdpgw
As long as the library checks that the returned JWT actually uses the encryption key, encryption key did not leak, TLS v1.3 is used for perfect forward secrecy, the https terminates in rdpgw somewhat directly, the https certificates have not been leaked, or rdpgw/pam-jwt sharing the same Host.. should be safe. |
I manged to pass a user token from rdpgw through xrdp with enable_token_login=true and pam-jwt back to rdpgw.
The generated rdp file contains the username with concatenated token:
xrdp-sesman
successfully calls the PAM module:According to
rdpgw
's log I get the identical token back to validate - sadly no success:Now I'm lost, the encoder and decoder for the user token goes beyond my Go skills 😬 I'm not sure if I screwed something up or if the code to encode and decode the limited JWT do not match.
For completeness my
rdpgw.conf
:The text was updated successfully, but these errors were encountered: