Is there a way to quit the hole xrdp session within pam?

[itxworks]

Hello,

I use this part in /etc/pam.d/xrdp-sesman to pass the user password into the following script -> xrdp_pam.sh:

auth optional pam_exec.so expose_authtok log=/var/log/xrdp-pam_auth.log /usr/local/bin/xrdp_pam.sh

The xrdp_pam.sh triggers a python script -> /usr/local/bin/pam_login.py $PAM_USER $password

The final python script mounts shares and puts some user specific links on his desktop - basically it removes all icons and creates them on each login - this works fine at all, but if the user is already connected and a second connection is established it wipes all icons from the current connected user desktop.

To avoid this the python script now checks for an existing connection and stops before:

def find_user_xrdp_process(target_user):
    try:
        # Run the ps command to list processes related to xrdp and exclude certain processes
        ps_output = subprocess.check_output(['ps', '-ef']).decode('utf-8')
        xrdp_processes = [line for line in ps_output.split('\n') if
                          'xrdp' in line and 'grep' not in line and 'root' not in line and 'xrdp-chansrv' not in line]

        for xrdp_info in xrdp_processes:
            username_match = re.search(r'^(\S+)', xrdp_info)
            if username_match:
                username = username_match.group(1)
                if username == target_user:
                    return True

    except subprocess.CalledProcessError as e:
        # Handle any errors that may occur when running the command
        print(f"Error: {e}")

    return False

---

if find_user_xrdp_process(target_user):
    print(f"{target_user} has an xrdp process.")

    logger.info(f"{target_user} has an xrdp process.")
    logger.info(f"Stopping Script: pam_login.py for User: {target_user} now.")

    # # Display a desktop notification
    # subprocess.run(['notify-send', 'Xrdp User Found', f"{target_user} has an xrdp process."])

    #close_session(target_user)

    sys.exit(0)  
else:
    print(f"{target_user} does not have an xrdp process.")
    logger.info(f"{target_user} does not have an xrdp process.")

---

All fine and the User get's the Connection Log this one confuses him:
"connecting to sesman ip 127.0.0.1 port 3350
sesman connect ok
sending login info to session manager, please wait...
login failed for user XXXX"

Is there any way to pass a message into the connection log ???

Thank you.

[matt335672]

At the moment there isn't I'm afraid. We'll need it later as we're planning on implementing a complete PAM dialogue within sesman but that won't go in until after the next major release of xrdp.

[itxworks]

Hello, about this - any progress on implementing PAM dialogue with latest release v.0.10.0 - if its not ready how can I provide a short info text what could happen if login fails on the login screen like #547

Thank you.

[matt335672]

The PAM dialogue isn't in yet, but the architecture now allows for it to be implemented within the new sesexec process.

The biggest missing part is indeed the dialogue box mentioned in #547 which needs to be implemented within xrdp.

[itxworks]

Thank you.

How does xrdp handle the connection within ldap? I tried to use Policy=Separate to allow multiple logins - and pam_ldap the basic idea was to generate dynamic homes like $HOME/session_1/$USER for each additional session. But it seem that xrdp does not request homeDirectory from LDAP on those additional sessions? Right?

I am using an Ldap Proxy based on ldaptor proxy example to manipulate the Response:

    def handleProxiedResponse(self, response, request, controls):
        if isinstance(response, pureldap.LDAPSearchResultEntry):
            username = None

            for i, attr in enumerate(response.attributes):
                attr_name = attr[0].decode('utf-8')

                if attr_name == 'uid':
                    attr_values = attr[1]
                    for value in attr_values:
                        username = value.decode('utf-8')
                        log.msg(f"Found user: {username}")

                if attr_name == 'homeDirectory' and username:
                    if username.startswith('lib') or username.startswith('pag'):
                        log.msg(f"Modifying home directory for user: {username} if session exist")

                        # Fetch the latest session count for the username
                        conn = sqlite3.connect(DATABASE_PATH)
                        cursor = conn.cursor()
                        cursor.execute("""
                            SELECT COUNT(*) AS session_count
                            FROM pam_log
                            WHERE pam_type = 'open_session' AND username = ?
                        """, (username,))
                        result = cursor.fetchone()
                        conn.close()

                        if result:
                            session_count = result[0]
                            log.msg(f"Session count for user {username}: {session_count}")
                            if session_count > 0:
                                session_count = session_count + 1
                                var_name = f"{username}_session_{session_count}"
                                new_home_directories = [
                                    value.replace(b'/home/', b'/home/' + var_name.encode('utf-8') + b'/') for value in attr[1]
                                ]
                                log.msg(f"New home directories: {new_home_directories}")
                                response.attributes[i] = (attr[0], new_home_directories)
                        else:
                            log.msg(f"No session count found for user: {username}")

        return defer.succeed(response)

on cli it works fine:

root@nfndeb12ldap:/usr/local/bin/ldap-proxy# getent passwd -> lib86000:*:2003:2001:lib86000:/home/lib86000:/bin/bash

next step xrdp connect

2024-06-12 09:25:26,288 - INFO - PAM_USER: lib86000 - PAM_RHOST: 192.168.30.2 - PAM_TYPE: open_session
2024-06-12 09:25:26,288 - INFO - PAM_TYPE: open_session

getent passwd -> lib86000:*:2003:2001:lib86000:/home/lib86000_session_2/lib86000:/bin/bash

But the second connect does not the the new $HOME.

Would appreciate any Idea.

Thank you.

[matt335672]

@itxworks - try with xrdp v0.10.x if you aren't already. This uses PAM in a much cleaner way. For v0.9.x, the authentication is all done in one process, and there may be some caching going on.

[itxworks]

I do on deb 12.

xrdp 0.10.0
  A Remote Desktop Protocol Server.
  Copyright (C) 2004-2024 Jay Sorg, Neutrino Labs, and all contributors.
  See https://github.com/neutrinolabs/xrdp for more information.

  Configure options:
      --enable-fuse
      --enable-jpeg
      --enable-rfxcodec
      --enable-mp3lame
      --enable-vsock
      --libexecdir=/usr/libexec

  Compiled with OpenSSL 3.0.11 19 Sep 2023

[matt335672]

Thanks.

xrdp isn't doing anything clever here at all. We use getpwnam() and getpwuid(), possibly multiple times to get information about the user, and that's it. Some of these calls will happen before PAM is invoked (i.e. to check the username maps to a UID). For v0.10.x, the PAM stack is used in an absolutely standard way.

We don't do any caching within xrdp, as user information is subject to change (which is exactly what you're trying to do!)

You may have a client-side cache installed if you're using LDAP, otherwise performance could be poor. Are you using nscd or sssd or something like that?

[itxworks]

Thank you too!

I am nscd ... for testing I disabled cache but it makes no difference ... it looks like Policy=Separate handles multiple connects with the same user like an reconnect and does not request the 'homeDirectory' attribute in my case from the proxy :-(