Bug 4565 - Add support for transparent CredSSP smartcard authentication.
Summary: Add support for transparent CredSSP smartcard authentication.
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Smart card (show other bugs)
Version: 4.0.0
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.1.0
Assignee: Henrik Andersson
URL:
Keywords: ossman_tester
Depends on: 4564
Blocks:
Reported: 2013-03-25 15:20 CET by Henrik Andersson
Modified: 2013-06-27 11:10 CEST (History)

See Also:
Acceptance Criteria:


Attachments

Description Henrik Andersson cendio 2013-03-25 15:20:51 CET
rdesktop CredSSP needs information about which smartcard reader and which card is used for authentication; we need to provide this information from tlclient (selection of smartcard for authentication) down the chain to the actual rdesktop spawn. The approach is divided into three steps:

1. Extend the client params passed from the ThinLinc client connection to the server to hold information about the smartcard used for authentication; possible additional values are: certificate serial, smartcard reader name and ATR?

2. Pass this SSO information into the thinlinc session

3. Update tl-run-rdesktop to fetch smartcard SSO information and make a lookup using ATR -> CSP name to be provided on the command line, see bug #4564.


This way the administrators don't need to know what their CSP names are.
Comment 1 Henrik Andersson cendio 2013-03-25 15:22:33 CET
In step 3, we could probably use the nrpe service to make the ATR->CSP lookup.
Comment 2 Henrik Andersson cendio 2013-04-02 12:47:14 CEST
Commit r26882 adds functionality to pass current smartcard readername 
for selected logon certificate as sensitive client param to the server.
Comment 3 Henrik Andersson cendio 2013-04-02 12:58:30 CEST
Commit r26884 takes care of the new param passed by client and makes it available through ThinLinc SSO mechanism
Comment 4 Henrik Andersson cendio 2013-04-02 14:20:24 CEST
Commit 26885 updates tl-run-rdesktop to pass smartcard readername as argument
for CredSSP SC PIN SSO.
Comment 5 Henrik Andersson cendio 2013-04-02 14:36:54 CEST
Commit 26892 merges rdesktop with latest vendordrop that includes the
CredSSP smartcard SSO functionality.
Comment 6 Henrik Andersson cendio 2013-04-11 08:43:16 CEST
Documentation lacks information/section about single sign on against
Windows Terminal Server. This needs to be written carefully to make
it possible to document the new smartcard PIN SSO features...
Comment 7 Henrik Andersson cendio 2013-04-11 15:04:05 CEST
Commit 27047 adds documentation section for smart card SSO.
Comment 8 Henrik Andersson cendio 2013-06-19 10:30:06 CEST
From bug 4498 comment #17

>I'm also not getting the reader name in the SSO information:
>
>[tluser@dhcp-254-223 ~]$ xprop -root | grep TL_
>TL_SENSITIVE_PARAMS(ATOM) = TL_SSO_TOKEN_PASSPHRASE
>TL_SSO_TOKEN_PASSPHRASE(STRING) = <redacted>
Comment 9 Henrik Andersson cendio 2013-06-20 15:05:46 CEST
(In reply to comment #8)
> From bug 4498 comment #17
> 
> >I'm also not getting the reader name in the SSO information:
> >
> >[tluser@dhcp-254-223 ~]$ xprop -root | grep TL_
> >TL_SENSITIVE_PARAMS(ATOM) = TL_SSO_TOKEN_PASSPHRASE
> >TL_SSO_TOKEN_PASSPHRASE(STRING) = <redacted>

Fixed in commits, r27542, r27541, r27540
Comment 10 Pierre Ossman cendio 2013-06-25 16:59:40 CEST
Something is very off with the smart card reader name as presented to rdesktop:


/opt/thinlinc/bin/rdesktop -o sc-csp-name=Net iD - CSP -d LKPG -r clientname=ThinLinc -u SE777777777777-10HJ -r disk:cdrom /var/opt/thinlinc/sessions/SE777777777777-10HJ/2/drives/cdrom -r scard -r sound:local oss -r printer:nearest -r printer:thinlocal -i -o sc-reader-name="Gemalto PC Twin Reader 00 00                             ?????????" -p - WIN-C8LUDCTPCDI.test.cendio.se


It looks like two errors:

 1. The name isn't terminated properly.
 2. Extra quotes.
Comment 11 Peter Åstrand cendio 2013-06-25 18:05:49 CEST
(In reply to comment #10)
> Something is very off with the smart card reader name as presented to rdesktop:
> 
> 
> /opt/thinlinc/bin/rdesktop -o sc-csp-name=Net iD - CSP -d LKPG -r
> clientname=ThinLinc -u SE777777777777-10HJ -r disk:cdrom
> /var/opt/thinlinc/sessions/SE777777777777-10HJ/2/drives/cdrom -r scard -r
> sound:local oss -r printer:nearest -r printer:thinlocal -i -o
> sc-reader-name="Gemalto PC Twin Reader 00 00                            
> ?????????" -p - WIN-C8LUDCTPCDI.test.cendio.se
> 
> 
> It looks like two errors:
> 
>  1. The name isn't terminated properly.
>  2. Extra quotes.

r27563 fixes the extra quotes. 

r27564 fixes the (as I understand it) white space stripping. Henrik needs to verify that this is what is intended. 

I have no idea where the question marks come from.
Comment 12 Peter Åstrand cendio 2013-06-25 18:22:22 CEST
(In reply to comment #11)
> (In reply to comment #10)
> > Something is very off with the smart card reader name as presented to rdesktop:
> > 
> > 
> > /opt/thinlinc/bin/rdesktop -o sc-csp-name=Net iD - CSP -d LKPG -r
> > clientname=ThinLinc -u SE777777777777-10HJ -r disk:cdrom
> > /var/opt/thinlinc/sessions/SE777777777777-10HJ/2/drives/cdrom -r scard -r
> > sound:local oss -r printer:nearest -r printer:thinlocal -i -o
> > sc-reader-name="Gemalto PC Twin Reader 00 00                            
> > ?????????" -p - WIN-C8LUDCTPCDI.test.cendio.se
> > [...]
> 
> r27564 fixes the (as I understand it) white space stripping. Henrik needs to
> verify that this is what is intended. 
> 
> I have no idea of where the questions marks comes from.

Modified tl-sso-password to retrieve reader name instead, visible here as well:

$ tl-sso-password | cat
Gemplus GemPC Twin 00 00                                 ��������

Then tried with the updated tlclient wrt space stripping:

$ tl-sso-password | cat
Gemplus GemPC Twin 00 00

So, it seems this was the problem after all.
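The two defects discussed in comments 10 to 12 (a reader name that is not terminated properly and so carries padding plus garbage, and literal quote characters ending up inside the argument handed to rdesktop) are a general pattern: a fixed-width string crossing a process boundary, and shell quoting applied to something that is never passed through a shell. The following is an added illustration, not ThinLinc's own code from tl-run-rdesktop or tlclient. It assumes a hypothetical raw reader name arriving as bytes with trailing padding, the option spelling `-o sc-reader-name=...` / `-o sc-csp-name=...` shown in comment 10, and constructed sample input; the function names are made up for the example.

```python
"""Added example, not ThinLinc's own code: clean a smart card reader name that
arrived from the client and pass it to rdesktop as one argv element.

Assumptions (hypothetical, not taken from the bug report): the raw name is a
bytes object that may carry fixed-width padding and garbage after the real
name, and rdesktop is invoked with the "-o sc-reader-name=..." and
"-o sc-csp-name=..." options exactly as shown in comment 10.
"""
import shlex
import subprocess

# Constructed sample input: the real name, 29 bytes of space padding and a few
# bytes that are not valid UTF-8, which is what an unterminated C buffer looks
# like once it reaches Python (compare the "?????????" tail in comment 10).
RAW_READER_NAME = b"Gemalto PC Twin Reader 00 00" + b" " * 29 + b"\xff\xfe\xfd\xfa"


def clean_reader_name(raw: bytes) -> str:
    """Return the reader name without padding, or raise ValueError.

    1. Cut at the first NUL: a C string ends there and anything after it is
       leftover buffer content.
    2. Decode with errors="replace" so undecodable bytes become U+FFFD instead
       of raising.
    3. Strip trailing whitespace and U+FFFD characters (the padding/garbage).
    4. Reject names that are empty or still contain non-printable or
       replacement characters; such a name is not a real reader name and must
       not be forwarded to rdesktop.
    """
    body = raw.split(b"\x00", 1)[0]
    text = body.decode("utf-8", errors="replace")
    text = text.rstrip(" \t\r\n\ufffd")
    if not text or "\ufffd" in text or not text.isprintable():
        raise ValueError("reader name is empty or contains unexpected characters")
    return text


def build_rdesktop_argv(reader_name: str, csp_name: str, host: str) -> list:
    """Build rdesktop's argv as a list.

    Every option value is its own list element, so names with spaces need no
    quoting at all: subprocess hands each string to rdesktop unchanged.
    Writing 'sc-reader-name="%s"' % reader_name here would reproduce the
    "extra quotes" error from comment 10, because the quote characters become
    part of the value rdesktop receives.
    """
    return [
        "/opt/thinlinc/bin/rdesktop",
        "-o", "sc-csp-name=" + csp_name,
        "-o", "sc-reader-name=" + reader_name,
        "-r", "scard",
        "-p", "-",          # read the PIN from stdin, as in comment 10
        host,
    ]


def argv_for_log(argv: list) -> str:
    """Render argv for a log line with shell quoting that preserves element
    boundaries. A plain " ".join(argv) hides where one argument ends and the
    next begins, which is what makes the command line in comment 10 hard to
    read."""
    return shlex.join(argv)


def launch(argv: list) -> subprocess.Popen:
    """Start rdesktop without a shell; the list form is what keeps the reader
    name intact. Not called at import time (rdesktop is not present here)."""
    return subprocess.Popen(argv, stdin=subprocess.PIPE)


if __name__ == "__main__":
    name = clean_reader_name(RAW_READER_NAME)
    argv = build_rdesktop_argv(name, "Net iD - CSP", "ts.example.invalid")
    print(argv_for_log(argv))
```

Running the module prints the argv with `shlex.join`, so the reader name and the CSP name each appear as a single quoted element. The command line in comment 10 is consistent with a plain space-join of such a list: the CSP name `Net iD - CSP` shows up unquoted while the reader name carries the literal quotes that had been put into the value itself.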
Comment 13 Henrik Andersson cendio 2013-06-27 08:43:58 CEST
(In reply to comment #11)
> (In reply to comment #10)
> > Something is very off with the smart card reader name as presented to rdesktop:
> > 
> > 
> > /opt/thinlinc/bin/rdesktop -o sc-csp-name=Net iD - CSP -d LKPG -r
> > clientname=ThinLinc -u SE777777777777-10HJ -r disk:cdrom
> > /var/opt/thinlinc/sessions/SE777777777777-10HJ/2/drives/cdrom -r scard -r
> > sound:local oss -r printer:nearest -r printer:thinlocal -i -o
> > sc-reader-name="Gemalto PC Twin Reader 00 00                            
> > ?????????" -p - WIN-C8LUDCTPCDI.test.cendio.se
> > 
> > 
> > It looks like two errors:
> > 
> >  1. The name isn't terminated properly.
> >  2. Extra quotes.
> 
> r27563 fixes the extra quotes. 
> 
> r27564 fixes the (as I understand it) white space stripping. Henrik needs to
> verify that this is what is intended. 
> 
> I have no idea where the question marks come from.

Tested using SLED11 SP2 / Win 2008R2 + ThinLinc RC2 and with the new client build.

Verified CredSSP + SSO functionality and it worked as expected.
