Using custom virtual channel before authentication

[mortytyty]

Hello,
Is there a way to transfer data through a custom virtual channel before user authentication? I'm working with FreeRDP as the client and xrdp as the server.
I'm open to unconventional or workaround solutions if necessary.

Thank you for any advice or suggestions.

[matt335672]

The current architecture requires a user to provide credentials and be authenticated and authorized (normally by PAM) before we start user channel processing.

If it's data not related to any user, it could be possible, but it would need changes on our side.

Can you be more specific about the data and what it's for?

[mortytyty]

Thank you for your response.

The data I need to transfer is required for user authentication on the server using a smart card connected to the client.

Here’s some additional context:

• On the client side, I have a custom interface for smart card communication.
• On the server side, I have an authentication module that processes this data.

Currently, the main challenge is establishing a communication channel for this exchange before authentication completes. Since FreeRDP and xrdp support virtual channels, using this mechanism seemed like a natural solution.

I appreciate your time and any insights you might have on this approach.

[matt335672]

At the moment this is looking challenging. The current order of things when a session is started is:-

1. Authenticate the user
2. Start a session
3. Connect to the session.

Channel processing isn't started until step 3).

If we're using a static channel (as opposed to a dynamic channel), we can possibly add a pre-session channel handler that could come up before the user is authenticated. There are potentially other uses for this, like adding pasting for passwords to the login screen which is still a missing feature.

How does the authentication module work? is it tied into the PAM stack?

[mortytyty]

Apologies for the delayed response.

Yes, my authentication module integrates with PAM. I plan to use it instead of the default module in /etc/pam.d/xrdp-sesman. Inside the module, in the authentication function, I want to initialize a channel handler to exchange authentication data between the client and server.

Regarding your suggestion about adding a pre-session channel handler:

• Should I modify my existing static channel handler for this purpose?
• Or does this require changes in xrdp's core functionality?

I'd appreciate more details about the implementation approach.

Thanks for your help!

[matt335672]

It'll require changes to the xrdp core functionality, as at the moment channel processing isn't available during initialisation.

A significant implementation issue is that the PAM conversation happens in the sesexec process, and the channel will (probably) be handled in the xrdp process. These two processes will need to communicate in a way which isn't currently implemented. One way to do this is to modify the SCP protocol between xrdp and sesexec to handle custom messages. That's quite a bit of work, and you'll most likely end up with a custom build you'd need to maintain out-of-tree. Another way might be to use a private socket between these two processes, but then you've got an additional problem of connecting the two ends of the socket securely before any authentication has occurred. At the moment I can't see a simple way to do that.