XRDP - How to setup 2FA using Red Hat IdM OTP

[tomriem9]

Hi everyone,
Just wondering if anyone was able to setup XRDP on RHEL with OTP from Red Hat IdM (FreeIPA). I'd be much appreciated if you could share how that can be achieved. I've limited understanding of PAM stack and SSSD, and believe some tweaks need to be done there to make it work.

• My use case: enable remote desktop to RHEL 9 workstation from Windows using MSTSC (RDP). Users are authenticated by IdM -username, password and OTP (genereted/assigned from IdM server).
• Current setup: RHEL 9 workstation already enrolled to IdM, has XRDP, TigerVNC-server, GNOME installed.
  As XRDP login screen has one field for the password, user can only concatenate OTP code to the password and XRDP pass both credentials to pam_sss. It appears that the default default /etc/pam.d/xrdp-sesman, sssd.conf and IPA server settings didn't handle this well and authentication would fail.

I've tested the following successfully:

• IdM users without OTP enabled, or local users enabled can login via XRDP perfectly and have GNOME desktop.
• IdM users with OTP enable can ssh to the workstation. SSH will prompt for First (password) and Second (OTP) Factors credentials.
• OTP with google authentication worked fine. (followed this https://www.suse.com/support/kb/doc/?id=000020659)

Thank you so much for reading my first post. Hope someone can share your successful experience with this issue.

[tomriem9]

Hope @abbra see this question and able to give his insight. Thanks alot.

[abbra]

I think it should work with the default setup if you'd configure SSSD to make sure it treats PAM service for XRDP server (xrdp-sesman?) to assume single password+otp. You need to configure that using prompting configuration (see sssd.conf(5) section for prompting).

Something like (untested):

[prompting/2fa/xrdp-sesman]
single_prompt = True
first_prompt = Please enter password + OTP token value

[tomriem9]

Hi Alexander,
Thanks for your suggestion. I've added the suggested prompt but it didn't work. In fact, we don't want SSSD to prompt user to enter password+ OTP, but take it from XRDP's login inputs.
Not sure if it's possible to instruct pam_sss and sssd to accept and split the combined string "password + OTP " that user enters from XRDP windows (attached), and send the password and OTP to IdM the way it expected.

When using Google authenticator option (https://github.com/neutrinolabs/xrdp/wiki/Using-Authy-or-Google-Authenticator-for-2FA-with-XRDP), pam_google_authenticator.so would split the string, take and validate the OTP part, then forward the password to next stack (pam_sss). In that case, IdM is authenticate user's password only, as the user doesn't have OTP set in IdM.
Eg:
auth required pam_google_authenticator.so forward_pass
auth required pam_sss

I've read pam_sss(8) and these are the only available options: quiet, forward_pass, use_first_pass, use_authtok,
retry.

[abbra]

I don't think this is supportable case for what is expected, sorry. If you have OTP set in IPA, then what I described will work because that's specifically designed for this use case.

Integration with other PAM modules (like pam_google_authentication.so) aren't supported.