
[Question] smart card support #993

Open · choman opened this issue Jan 10, 2018 · 9 comments

Comments

choman commented Jan 10, 2018

Trying to follow along with a few issues #471 #963 (and others)

I am using CentOS 7.4 with xrdp 0.9.4. Is there any support for smart cards with this configuration?
And if so, can someone please tell me how to turn it on for logins?

It seems support has been around since 0.8.0, hopefully with 0.9.4 I don't need to compile the "special"
libpcsclite.so.

Or do I need to wait for 0.9.6 (or 1.0) for support to be there?

Thanks in advance
Chad

x09 commented Jan 30, 2018

I need smart card redirection too. I tried to connect:

```
xfreerdp /smartcard:'ACS ACR3901 ICC Reader 00 00' /v:xrdp-host /sec:rdp /u:user2
[17:41:59:879] [10970:10971] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpdr
[17:41:59:879] [10970:10971] [INFO][com.freerdp.client.common.cmdline] - loading channelEx rdpsnd
[17:41:59:889] [10970:10971] [WARN][com.freerdp.core.gcc] - Server uses non-advertised encryption method 0x00000000
[17:41:59:890] [10970:10971] [ERROR][com.winpr.timezone] - Unable to get current timezone rule
[17:41:59:892] [10970:10971] [INFO][com.freerdp.gdi] - Local framebuffer format  PIXEL_FORMAT_BGRX32
[17:41:59:892] [10970:10971] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_RGB16
[17:41:59:904] [10970:10971] [INFO][com.winpr.clipboard] - initialized POSIX local file subsystem
[17:41:59:906] [10970:10976] [INFO][com.freerdp.channels.rdpdr.client] - Loading device service smartcard [ACS ACR3901 ICC Reader 00 00] (static)
[17:42:03:075] [10970:10977] [ERROR][com.freerdp.channels.rdpsnd.client] - unknown msgType 39
[17:42:03:076] [10970:10976] [INFO][com.freerdp.channels.rdpdr.client] - registered device #1: SCARD (type=32 id=1)
[17:42:03:195] [10970:10976] [INFO][com.freerdp.channels.rdpdr.client] - registered device #1: SCARD (type=32 id=1)
```

In the xrdp session the smart card is not present.

cro commented Feb 23, 2018

Data point: the official Microsoft RDP client for macOS now supports smart card redirection. This is the 10 series, not the older 8 series; you have to install it from the App Store explicitly. If you have the older version 8 you are not notified that there is an update.

I haven't tried this against the devel branch of xrdp yet, maybe this weekend.

@bogenchief2710

Is there any configuration required in the configuration files xrdp.ini and sesman.ini for smartcard pass through?

@cjbidwell

Did anything ever come of this? Still need to get CAC/Smart Card on xrdp working.

cro commented Jul 29, 2021

I tried the devel branch and it did not work for me. Later on I gave up using my Yubikey when its hardware failed in the middle of a customer demo, so I haven't revisited it.

@matt335672 (Member)

This is being worked on, but it's not there yet - have a look at #1825

spstarr commented Apr 13, 2023

Ping on this, 2FA is becoming more and more required and should be for security. The xfreerdp/remmina clients have pcscd support currently.

What are the current remaining issues still to be sorted out?

@psyciknz

Are smart cards (on yubikey) different to using your security key as part of authentication?

I can, while connected from Windows to Debian, touch my YubiKey and a valid is displayed. But if I log in to a site like GitHub or Fastmail and the YubiKey is used for the two-step verification, it never registers. This is an action I regularly perform on my Windows VM from a Windows laptop via RDP.

@matt335672 (Member)

@psyciknz - yubikey 5 supports both PIV and WebAuthn. These are very different sub-protocols as far as the RDP protocol is concerned; PIV support is documented in [MS-RDPESC] and WebAuthn in [MS-RDPEWA].

At present we don't officially support either. We could get PIV working with a lot of work, but now that WebAuthn is becoming more popular, I'm questioning whether even this would be worth doing, as WebAuthn is going to be by far the more common use-case.

Our PIV implementation design uses a hook into the libpcsclite.so library. This library is used by most UN*X PIV implementations out there. There is, however, no such single library which we could use for this purpose for WebAuthn.

Bottom line is that there's no single library used for FIDO2/WebAuthn. So the library interposition method we're considering for PIV smartcards simply won't work with WebAuthn as provided over [MS-RDPEWA].
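As an added illustration of the libpcsclite.so interposition design described above (example code, not xrdp's own): a minimal LD_PRELOAD-style shim that answers SCardEstablishContext/SCardListReaders from a stand-in for the rdpdr redirect channel when running inside an xrdp session, and otherwise passes the calls through to the real library via dlsym(RTLD_NEXT). The XRDP_SESSION environment check and the in-process reader table are assumptions standing in for xrdp's real channel plumbing.

```c
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdlib.h>
#include <string.h>

#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1l)  /* glibc's value, in case _GNU_SOURCE was defined too late */
#endif

/* Minimal pcsclite types and codes (as in Linux wintypes.h/pcsclite.h) so no headers are needed */
typedef long LONG;
typedef unsigned long DWORD;
typedef LONG SCARDCONTEXT;
#define SCARD_S_SUCCESS             0x00000000L
#define SCARD_E_INSUFFICIENT_BUFFER 0x80100008L
#define SCARD_E_NO_SERVICE          0x8010001DL

/* Constructed stand-in for the reader list the RDP client redirected over rdpdr:
   a PC/SC multi-string ("name\0...\0\0"); the name is the one from x09's xfreerdp command */
static const char redirected_readers[] = "ACS ACR3901 ICC Reader 00 00\0";
static const SCARDCONTEXT REDIRECT_CTX = 0x78726470L;  /* marker handle for redirected contexts */

/* Assumption: xrdp exports XRDP_SESSION inside its sessions; that decides the routing */
static int in_xrdp_session(void) { return getenv("XRDP_SESSION") != NULL; }

typedef LONG (*establish_fn)(DWORD, const void *, const void *, SCARDCONTEXT *);
typedef LONG (*list_fn)(SCARDCONTEXT, const char *, char *, DWORD *);

LONG SCardEstablishContext(DWORD scope, const void *r1, const void *r2, SCARDCONTEXT *ctx)
{
    if (in_xrdp_session()) { *ctx = REDIRECT_CTX; return SCARD_S_SUCCESS; }
    establish_fn real = (establish_fn) dlsym(RTLD_NEXT, "SCardEstablishContext");
    return real ? real(scope, r1, r2, ctx) : SCARD_E_NO_SERVICE;  /* no real libpcsclite loaded */
}

LONG SCardListReaders(SCARDCONTEXT ctx, const char *groups, char *readers, DWORD *len)
{
    if (ctx != REDIRECT_CTX) {  /* not redirected: pass through to the real libpcsclite.so */
        list_fn real = (list_fn) dlsym(RTLD_NEXT, "SCardListReaders");
        return real ? real(ctx, groups, readers, len) : SCARD_E_NO_SERVICE;
    }
    DWORD needed = sizeof redirected_readers;          /* includes the double-NUL terminator */
    if (readers == NULL) { *len = needed; return SCARD_S_SUCCESS; }   /* size query */
    if (*len < needed) { *len = needed; return SCARD_E_INSUFFICIENT_BUFFER; }
    memcpy(readers, redirected_readers, needed);
    *len = needed;
    return SCARD_S_SUCCESS;
}
```

Built as a shared object and set in LD_PRELOAD, the shim is picked up by any process that resolves the PC/SC symbols dynamically, which is the property the interposition design relies on and the reason it has no WebAuthn equivalent.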
