www.cendio.com
Bug 4565 - Add support for transparent CredSSP smartcard authentication.
Status: CLOSED FIXED
Product: ThinLinc
Component: Smart card
Version: 4.0.0
Platform: PC Unknown
Importance: P2 Normal
Target Milestone: 4.1.0
Assigned To:
Dependency: 4564
Reported: 2013-03-25 15:20
Modified: 2013-06-27 11:10

Description From cendio 2013-03-25 15:20:51
rdesktop credssp needs information about which smartcard reader and which card
are used for authentication, so we need to provide this information from
tlclient (selection of smartcard for authentication) down the chain to the
actual rdesktop spawn. The approach is divided into three steps:

1. Extend the client params passed from the thinlinc client connection to the
server to hold information about the smartcard used for authentication;
possible additional values are: certificate serial, smartcard reader name and
ATR?

2. Pass this SSO information into the thinlinc session.

3. Update tl-run-rdesktop to fetch smartcard SSO information and make a lookup
using ATR -> CSP name to be provided on the command line, see bug #4564.

This way the administrators don't need to know what their CSP names are.
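As an added illustration of step 3 above (this is example code written for this page, not ThinLinc's tl-run-rdesktop and not the implementation in bug #4564), the lookup from ATR to CSP name is shown as a masked match rather than an exact-string lookup: ATRs of the same card family often differ only in a few historical bytes, so a pattern plus a mask (the same idea the Windows smart card database uses with its ATR and ATRMask values) lets one entry cover them, while `parse_atr` rejects input that cannot be an ATR at all. The table contents and CSP names are constructed placeholders.

```python
import re

# Constructed lookup table: (ATR pattern, mask, CSP name). Bytes where the mask
# is 0x00 are ignored, so one entry covers cards that differ only in those
# positions. The ATRs and CSP names are made-up placeholders, not real cards.
CSP_TABLE = [
    (bytes.fromhex("3b7f9600008031b865b0850300ef120fff82900000"),
     bytes.fromhex("ffffff0000ffffffffffffffffffffffffffffffff"),
     "Example Vendor CSP"),
    (bytes.fromhex("3b8f8001804f0ca0000003060300000000000000"),
     bytes.fromhex("ffffffffffffffffffffffffffff000000000000"),
     "Example PIV CSP"),
]


def parse_atr(text):
    """Parse an ATR given as hex ("3B 7F 96 ..." or "3b7f96...") and sanity-check
    it against ISO 7816-3: 1 to 33 bytes, first byte (TS) 0x3B or 0x3F."""
    hexstr = re.sub(r"[\s:]", "", text)
    if not re.fullmatch(r"(?i)[0-9a-f]+", hexstr) or len(hexstr) % 2:
        raise ValueError("ATR is not a valid hex string")
    atr = bytes.fromhex(hexstr)
    if not 1 <= len(atr) <= 33 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("not a plausible ATR")
    return atr


def atr_matches(atr, pattern, mask):
    """True if every byte of atr equals pattern in the bit positions the mask keeps."""
    if not (len(atr) == len(pattern) == len(mask)):
        return False
    return all((a & m) == (p & m) for a, p, m in zip(atr, pattern, mask))


def lookup_csp(atr, table=CSP_TABLE):
    """Return the CSP name for the first matching table entry, or None if unknown,
    so the caller can fall back to a configured default or refuse to start."""
    for pattern, mask, csp in table:
        if atr_matches(atr, pattern, mask):
            return csp
    return None


if __name__ == "__main__":
    # Historical bytes 3-4 differ from the table entry but are masked out.
    sample = parse_atr("3B 7F 96 12 34 80 31 B8 65 B0 85 03 00 EF 12 0F FF 82 90 00 00")
    print(lookup_csp(sample))
```

Returning `None` for an unknown card rather than guessing keeps the decision of what to do (fall back to a configured CSP name, or not start rdesktop) in the caller, where the administrator's policy lives.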
------- Comment #1 From cendio 2013-03-25 15:22:33 -------
In step 3, we could probably use the nrpe service to make the ATR->CSP lookup.
------- Comment #2 From cendio 2013-04-02 12:47:14 -------
Commit r26882 adds functionality to pass the current smartcard reader name
for the selected logon certificate as a sensitive client param to the server.
------- Comment #3 From cendio 2013-04-02 12:58:30 -------
Commit r26884 takes care of the new param passed by the client and makes it
available through the ThinLinc SSO mechanism.
------- Comment #4 From cendio 2013-04-02 14:20:24 -------
Commit 26885 updates tl-run-rdesktop to pass the smartcard reader name as argument
for CredSSP SC PIN SSO.
------- Comment #5 From cendio 2013-04-02 14:36:54 -------
Commit 26892 merges rdesktop with latest vendordrop that includes the
CredSSP smartcard SSO functionality.
------- Comment #6 From cendio 2013-04-11 08:43:16 -------
Documentation lacks an information section about single sign-on against
Windows Terminal Server. This needs to be written carefully to make
it possible to document the new smartcard PIN SSO features...
------- Comment #7 From cendio 2013-04-11 15:04:05 -------
Commit 27047 adds a documentation section for smart card SSO.
------- Comment #8 From cendio 2013-06-19 10:30:06 -------
From bug 4498 comment #17

>I'm also not getting the reader name in the SSO information:
>
>[tluser@dhcp-254-223 ~]$ xprop -root | grep TL_
>TL_SENSITIVE_PARAMS(ATOM) = TL_SSO_TOKEN_PASSPHRASE
>TL_SSO_TOKEN_PASSPHRASE(STRING) = <redacted>
------- Comment #9 From cendio 2013-06-20 15:05:46 -------
(In reply to comment #8)
> From bug 4498 comment #17
> 
> >I'm also not getting the reader name in the SSO information:
> >
> >[tluser@dhcp-254-223 ~]$ xprop -root | grep TL_
> >TL_SENSITIVE_PARAMS(ATOM) = TL_SSO_TOKEN_PASSPHRASE
> >TL_SSO_TOKEN_PASSPHRASE(STRING) = <redacted>

Fixed in commits r27542, r27541, r27540.
------- Comment #10 From cendio 2013-06-25 16:59:40 -------
Something is very off with the smart card reader name as presented to rdesktop:


/opt/thinlinc/bin/rdesktop -o sc-csp-name=Net iD - CSP -d LKPG -r
clientname=ThinLinc -u SE777777777777-10HJ -r disk:cdrom
/var/opt/thinlinc/sessions/SE777777777777-10HJ/2/drives/cdrom -r scard -r
sound:local oss -r printer:nearest -r printer:thinlocal -i -o
sc-reader-name="Gemalto PC Twin Reader 00 00                            
?????????" -p - WIN-C8LUDCTPCDI.test.cendio.se


It looks like two errors:

 1. The name isn't terminated properly.
 2. Extra quotes.
------- Comment #11 From cendio 2013-06-25 18:05:49 -------
(In reply to comment #10)
> Something is very off with the smart card reader name as presented to rdesktop:
> 
> 
> /opt/thinlinc/bin/rdesktop -o sc-csp-name=Net iD - CSP -d LKPG -r
> clientname=ThinLinc -u SE777777777777-10HJ -r disk:cdrom
> /var/opt/thinlinc/sessions/SE777777777777-10HJ/2/drives/cdrom -r scard -r
> sound:local oss -r printer:nearest -r printer:thinlocal -i -o
> sc-reader-name="Gemalto PC Twin Reader 00 00                            
> ?????????" -p - WIN-C8LUDCTPCDI.test.cendio.se
> 
> 
> It looks like two errors:
> 
>  1. The name isn't terminated properly.
>  2. Extra quotes.

r27563 fixes the extra quotes.

r27564 fixes the (as I understand it) whitespace stripping. Henrik needs to
verify that this is what is intended.

I have no idea where the question marks come from.
------- Comment #12 From cendio 2013-06-25 18:22:22 -------
(In reply to comment #11)
> (In reply to comment #10)
> > Something is very off with the smart card reader name as presented to rdesktop:
> > 
> > 
> > /opt/thinlinc/bin/rdesktop -o sc-csp-name=Net iD - CSP -d LKPG -r
> > clientname=ThinLinc -u SE777777777777-10HJ -r disk:cdrom
> > /var/opt/thinlinc/sessions/SE777777777777-10HJ/2/drives/cdrom -r scard -r
> > sound:local oss -r printer:nearest -r printer:thinlocal -i -o
> > sc-reader-name="Gemalto PC Twin Reader 00 00                            
> > ?????????" -p - WIN-C8LUDCTPCDI.test.cendio.se
> r27564 fixes the (as I understand it) white space stripping. Henrik needs to
> verify that this is what is intended. 
> 
> I have no idea of where the questions marks comes from.

Modified tl-sso-password to retrieve the reader name instead, visible here as well:

$ tl-sso-password | cat
Gemplus GemPC Twin 00 00                                
\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd

Then tried with the updated tlclient wrt space stripping:

$ tl-sso-password | cat
Gemplus GemPC Twin 00 00

So, it seems this was the problem after all.
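Comments 10 to 12 describe two defects in how the reader name reached rdesktop: the value was padded with trailing spaces and undecodable bytes (the `?????????` / U+FFFD tail of a buffer that was not terminated), and it was wrapped in quote characters that rdesktop then received literally. The example below is added for this page and is not ThinLinc's tl-run-rdesktop or tlclient code; it shows how a consumer of the SSO value would defensively trim such a tail, refuse names that still carry control characters, and build the rdesktop argument vector without any shell quoting, since a list passed to `subprocess` reaches the child verbatim. The padded sample string and the host name are constructed; the CSP and user values are copied from comment 10.

```python
import shlex
import subprocess

# Constructed sample of a reader name read from a fixed-size buffer without a
# terminator: the real name, then space padding, then bytes that decoded to
# U+FFFD (what the tl-sso-password output in comment 12 shows).
RAW_PADDED = "Gemplus GemPC Twin 00 00" + " " * 32 + "\ufffd" * 8

# Characters that may legitimately trail a padded/unterminated buffer.
TRAILING_JUNK = " \t\r\n\x00\ufffd"


def clean_reader_name(raw):
    """Strip trailing padding and decode garbage, then reject anything that still
    contains control or undecodable characters: a reader name must be printable."""
    name = raw.rstrip(TRAILING_JUNK)
    if not name:
        raise ValueError("empty smart card reader name")
    if any(ord(c) < 0x20 or ord(c) == 0x7F or c == "\ufffd" for c in name):
        raise ValueError("reader name contains control or undecodable characters")
    return name


def build_rdesktop_argv(reader_name, csp_name, user, host):
    """Build argv for rdesktop. Each option value is its own element, so no shell is
    involved and no quotes are needed; quotes added here would be handed to rdesktop
    as part of the value (the 'extra quotes' error from comment 10)."""
    return [
        "/opt/thinlinc/bin/rdesktop",
        "-o", "sc-csp-name=" + csp_name,
        "-o", "sc-reader-name=" + reader_name,
        "-u", user,
        "-r", "scard",
        host,
    ]


def render_for_log(argv):
    """Shell-style quoting belongs only in the human-readable log line, where a
    reader would need it to re-run the command by hand."""
    return shlex.join(argv)


def launch(argv):
    """Start rdesktop from the list form; shell=False is the default, so the
    reader name is never re-parsed by a shell."""
    return subprocess.Popen(argv)


if __name__ == "__main__":
    name = clean_reader_name(RAW_PADDED)
    argv = build_rdesktop_argv(name, "Net iD - CSP", "SE777777777777-10HJ",
                               "rdp-host.example")  # constructed host
    print(render_for_log(argv))
```

The `shlex.join` output is what the debugging in comment 10 would look like after the fixes: the reader name shows up in single quotes in the log, but the process itself receives `sc-reader-name=Gemplus GemPC Twin 00 00` as one clean argument.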
------- Comment #13 From cendio 2013-06-27 08:43:58 -------
(In reply to comment #11)
> (In reply to comment #10)
> > Something is very off with the smart card reader name as presented to rdesktop:
> > 
> > 
> > /opt/thinlinc/bin/rdesktop -o sc-csp-name=Net iD - CSP -d LKPG -r
> > clientname=ThinLinc -u SE777777777777-10HJ -r disk:cdrom
> > /var/opt/thinlinc/sessions/SE777777777777-10HJ/2/drives/cdrom -r scard -r
> > sound:local oss -r printer:nearest -r printer:thinlocal -i -o
> > sc-reader-name="Gemalto PC Twin Reader 00 00                            
> > ?????????" -p - WIN-C8LUDCTPCDI.test.cendio.se
> > 
> > 
> > It looks like two errors:
> > 
> >  1. The name isn't terminated properly.
> >  2. Extra quotes.
> 
> r27563 fixes the extra quotes. 
> 
> r27564 fixes the (as I understand it) white space stripping. Henrik needs to
> verify that this is what is intended. 
> 
> I have no idea of where the questions marks comes from.

Tested using SLED11 SP2 / Win 2008R2 + ThinLinc RC2 and with the new client
build.

Verified CSSP + SSO functionality and it worked as expected.