-
Notifications
You must be signed in to change notification settings - Fork 227
Credential hand-over to per-user server sessions #1413
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: master
Are you sure you want to change the base?
Changes from all commits
53c7353
92f28ea
368d3e1
b51bd0a
3b05f6f
4d216af
4c20d9f
4fc52f5
a87ea4f
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -11,7 +11,9 @@ use super::display::{DesktopSize, RdpServerDisplay}; | |
| #[cfg(feature = "egfx")] | ||
| use super::gfx::GfxServerFactory; | ||
| use super::handler::{KeyboardEvent, MouseEvent, RdpServerInputHandler}; | ||
| use super::server::{ConnectionHandler, CredentialValidator, RdpServer, RdpServerOptions, RdpServerSecurity}; | ||
| use super::server::{ | ||
| ConnectionBinder, ConnectionHandler, CredentialValidator, RdpServer, RdpServerOptions, RdpServerSecurity, | ||
| }; | ||
| use crate::{DisplayUpdate, RdpServerDisplayUpdates, SoundServerFactory}; | ||
|
|
||
| pub struct WantsAddr {} | ||
|
|
@@ -38,6 +40,7 @@ pub struct BuilderDone { | |
| sound_factory: Option<Box<dyn SoundServerFactory>>, | ||
| connection_handler: Option<Box<dyn ConnectionHandler>>, | ||
| credential_validator: Option<Arc<dyn CredentialValidator>>, | ||
| connection_binder: Option<Arc<dyn ConnectionBinder>>, | ||
| #[cfg(feature = "egfx")] | ||
| gfx_factory: Option<Box<dyn GfxServerFactory>>, | ||
| display_suppressed: Option<Arc<AtomicBool>>, | ||
|
|
@@ -137,6 +140,7 @@ impl RdpServerBuilder<WantsDisplay> { | |
| cliprdr_factory: None, | ||
| connection_handler: None, | ||
| credential_validator: None, | ||
| connection_binder: None, | ||
| codecs: server_codecs_capabilities(&[]).expect("can't panic for &[]"), | ||
| max_request_size: RdpServerOptions::DEFAULT_MAX_REQUEST_SIZE, | ||
| #[cfg(feature = "egfx")] | ||
|
|
@@ -159,6 +163,7 @@ impl RdpServerBuilder<WantsDisplay> { | |
| cliprdr_factory: None, | ||
| connection_handler: None, | ||
| credential_validator: None, | ||
| connection_binder: None, | ||
| codecs: server_codecs_capabilities(&[]).expect("can't panic for &[]"), | ||
| max_request_size: RdpServerOptions::DEFAULT_MAX_REQUEST_SIZE, | ||
| #[cfg(feature = "egfx")] | ||
|
|
@@ -263,21 +268,25 @@ impl RdpServerBuilder<BuilderDone> { | |
| self | ||
| } | ||
|
|
||
| /// Set a credential validator for TLS-mode connections. | ||
| /// Set a credential validator for accepted client credentials. | ||
| /// | ||
| /// When set, credentials received from the client during | ||
| /// `SecureSettingsExchange` (`ClientInfoPdu`) are passed to this | ||
| /// validator before the session is established. Rejection or a backend | ||
| /// When set, credentials surfaced by the acceptor are passed to this | ||
| /// validator before the session is established. This includes | ||
| /// `SecureSettingsExchange` (`ClientInfoPdu`) credentials and, when | ||
| /// available, CredSSP/Hybrid delegated credentials. Rejection or a backend | ||
| /// error closes the connection. Pass `None` (the default) to skip | ||
| /// validation entirely. | ||
| /// | ||
| /// Not used for CredSSP/Hybrid connections (those use pre-loaded | ||
| /// credentials for NTLM challenge-response). | ||
| pub fn with_credential_validator(mut self, validator: Option<Arc<dyn CredentialValidator>>) -> Self { | ||
| self.state.credential_validator = validator; | ||
| self | ||
| } | ||
|
|
||
| /// Set a binder that replaces display/input handlers after credentials are accepted. | ||
| pub fn with_connection_binder(mut self, binder: Option<Arc<dyn ConnectionBinder>>) -> Self { | ||
|
Member
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. thought: The
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Agreed; I left this unchanged for this PR to stay consistent with the adjacent optional hooks and avoid mixing API ergonomics into the correctness fixes. |
||
| self.state.connection_binder = binder; | ||
|
Comment on lines
+284
to
+286
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Updated in rcarmo/IronRDP@4fc52f5bb565: the credential-validator docs now state that accepted credentials surfaced by the acceptor include ClientInfo credentials and, when available, CredSSP/Hybrid delegated credentials. |
||
| self | ||
| } | ||
|
|
||
| /// Inject a shared NetworkAutoDetect RTT handle (milliseconds, `u32::MAX` | ||
| /// until the first measurement). The server writes the latest measured RTT | ||
| /// to the same instance the backend reads. When not called, the server | ||
|
|
@@ -309,6 +318,7 @@ impl RdpServerBuilder<BuilderDone> { | |
| self.state.autodetect_rtt, | ||
| ); | ||
| server.set_credential_validator(self.state.credential_validator); | ||
| server.set_connection_binder(self.state.connection_binder); | ||
| server | ||
| } | ||
| } | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thought: This copies the delegated secret into
Credentials.password: String, which has no zeroize on drop semantic. The server-side cache then holds a clone for the whole TCP-connection lifetime. This is consistent with how TLS ClientInfo credentials are already handled, so it's not a regression, but this PR meaningfully increases how many plaintext passwords sit inStrings and how long they live. If secret hygiene is a goal for the sesman path, this is the moment to consider a zeroizing wrapper. Out of scope for this PR, but it would be a good follow up.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed, and I would keep that as a follow-up rather than broadening this PR: this does not introduce a new representation for ClientInfo passwords, but the delegated-credential cache makes the existing secret-hygiene tradeoff more visible.
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Rui pointed out that I had treated this too much as a generic future zeroizing-wrapper topic, and he was right. I made the focused PR fix in rcarmo/IronRDP@a87ea4f1ae66: the server no longer caches/clones authenticated credentials for the TCP connection lifetime. Validation and binding now use the credentials borrowed from the current AcceptorResult, and reactivation without resent credentials does not retain the prior password.