xrdp with ldap accounts #2248

martin82dd · 2022-05-04T08:08:55Z

martin82dd
May 4, 2022

Hello,

We were wondering if you could help us use xRDP with Ldap accounts.The first login with PAM and remote account worked successfully, but the Second login with PAM (not working -Request never received on the authentication server. Same session number in PAM Logs which looks not correct.

Regards,

matt335672 · 2022-05-04T08:25:45Z

matt335672
May 4, 2022
Collaborator

Hi @martin82dd

What do you mean by 'session number'? Please provide a few logs so we can see what's going on.

Also, what do /etc/pam.d/xrdp-sesman and any called files look like?

Thanks

2 replies

martin82dd May 4, 2022
Author

First login with PAM and ldap account worked successfully :

[20220406-15:33:45] [INFO ] Socket 12: AF_INET6 connection received from ::ffff:192.168.3.168 port 53276
[20220406-15:33:45] [DEBUG] Closed socket 12 (AF_INET6 ::ffff:192.168.1.17 port 3389)
[20220406-15:33:45] [DEBUG] Closed socket 11 (AF_INET6 :: port 3389)
[20220406-15:33:45] [INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
[20220406-15:33:45] [INFO ] Using default X.509 key file: /etc/xrdp/key.pem
[20220406-15:33:45] [DEBUG] TLSv1.3 enabled
[20220406-15:33:45] [DEBUG] TLSv1.2 enabled
[20220406-15:33:45] [DEBUG] Security layer: requested 11, selected 1
[20220406-15:33:45] [DEBUG] Closed socket 12 (AF_INET6 ::ffff:192.168.1.17 port 3389)
[20220406-15:33:49] [INFO ] Socket 12: AF_INET6 connection received from ::ffff:192.168.3.168 port 53277
[20220406-15:33:49] [DEBUG] Closed socket 12 (AF_INET6 ::ffff:192.168.1.17 port 3389)
[20220406-15:33:49] [DEBUG] Closed socket 11 (AF_INET6 :: port 3389)
[20220406-15:33:49] [INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
[20220406-15:33:49] [INFO ] Using default X.509 key file: /etc/xrdp/key.pem
[20220406-15:33:49] [DEBUG] TLSv1.3 enabled
[20220406-15:33:49] [DEBUG] TLSv1.2 enabled
[20220406-15:33:49] [DEBUG] Security layer: requested 11, selected 1
[20220406-15:33:49] [INFO ] connected client computer name: VAGRANTVM
[20220406-15:33:49] [INFO ] adding channel item name rdpdr chan_id 1004 flags 0x80800000
[20220406-15:33:49] [INFO ] adding channel item name rdpsnd chan_id 1005 flags 0xc0000000
[20220406-15:33:49] [INFO ] adding channel item name cliprdr chan_id 1006 flags 0xc0a00000
[20220406-15:33:49] [INFO ] adding channel item name drdynvc chan_id 1007 flags 0xc0800000
[20220406-15:33:49] [INFO ] TLS connection established from ::ffff:192.168.3.168 port 53277: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
[20220406-15:33:49] [DEBUG] xrdp_00002ce1_wm_login_mode_event_00000001
[20220406-15:33:49] [INFO ] Loading keymap file /etc/xrdp/km-00000409.ini
[20220406-15:33:49] [WARN ] local keymap file for 0x00000409 found and doesn't match built in keymap, using local keymap file
[20220406-15:34:06] [DEBUG] xrdp_wm_log_msg: connecting to sesman ip 127.0.0.1 port 3350

==> /var/log/xrdp-sesman.log <==
[20220406-15:34:06] [INFO ] A connection received from ::ffff:127.0.0.1 port 51580

==> /var/log/xrdp.log <==
[20220406-15:34:06] [INFO ] xrdp_wm_log_msg: sesman connect ok
[20220406-15:34:06] [DEBUG] xrdp_wm_log_msg: sending login info to session manager, please wait...
[20220406-15:34:06] [DEBUG] return value from xrdp_mm_connect 0

==> /var/log/auth.log <==
Apr 6 15:34:06 ubuntu2004 openotp[11475]: PAM Module for OpenOTP version 1.0.12-4 starting
Apr 6 15:34:06 ubuntu2004 openotp[11475]: Server URLs: http://192.168.1.8:8080/openotp/
Apr 6 15:34:06 ubuntu2004 openotp[11475]: Server Policy: Ordered
Apr 6 15:34:06 ubuntu2004 openotp[11475]: Domain name: [None]
Apr 6 15:34:06 ubuntu2004 openotp[11475]: Client id: Linux
Apr 6 15:34:06 ubuntu2004 openotp[11475]: Challenge suffix: :
Apr 6 15:34:06 ubuntu2004 openotp[11475]: User settings: [None]
Apr 6 15:34:06 ubuntu2004 openotp[11475]: Cert file: [None]
Apr 6 15:34:06 ubuntu2004 openotp[11475]: Cert password: [None]
Apr 6 15:34:06 ubuntu2004 openotp[11475]: CA file: /etc/openotp/ca.crt
Apr 6 15:34:06 ubuntu2004 openotp[11475]: SOAP timeout: [Default]
Apr 6 15:34:06 ubuntu2004 openotp[11475]: Create homedirs: Yes
Apr 6 15:34:06 ubuntu2004 openotp[11475]: Password mode: [Default]
Apr 6 15:34:06 ubuntu2004 openotp[11475]: Password separator: [None]
Apr 6 15:34:06 ubuntu2004 openotp[11475]: OTP length: [Default]
Apr 6 15:34:06 ubuntu2004 openotp[11475]: Got user name xrdp2
Apr 6 15:34:06 ubuntu2004 openotp[11475]: Got anyPassword ************ for user xrdp2
Apr 6 15:34:06 ubuntu2004 openotp[11475]: Sending OpenOTP SimpleLogin request for user xrdp2
Apr 6 15:34:06 ubuntu2004 openotp[11475]: Authentication succeeded for user xrdp2
Apr 6 15:34:06 ubuntu2004 openotp[11475]: Found home directory '/home/xrdp2' for 'xrdp2'
Apr 6 15:34:06 ubuntu2004 xrdp-sesman[11475]: (11475)(139750400112192)[INFO ] ++ created session (access granted): username xrdp2, ip ::ffff:192.168.3.168:53277 - socket: 12

==> /var/log/xrdp-sesman.log <==
[20220406-15:34:06] [INFO ] ++ created session (access granted): username xrdp2, ip ::ffff:192.168.3.168:53277 - socket: 12
[20220406-15:34:06] [INFO ] starting Xorg session...

==> /var/log/auth.log <==
Apr 6 15:34:06 ubuntu2004 xrdp-sesman[11475]: (11475)(139750400112192)[INFO ] starting Xorg session...
Apr 6 15:34:06 ubuntu2004 xrdp-sesman[11475]: (11475)(139750400112192)[DEBUG] Closed socket 9 (AF_INET6 :: port 5911)

==> /var/log/xrdp-sesman.log <==
[20220406-15:34:06] [DEBUG] Closed socket 9 (AF_INET6 :: port 5911)

==> /var/log/auth.log <==
Apr 6 15:34:06 ubuntu2004 xrdp-sesman[11475]: (11475)(139750400112192)[DEBUG] Closed socket 9 (AF_INET6 :: port 6011)

==> /var/log/xrdp-sesman.log <==
[20220406-15:34:06] [DEBUG] Closed socket 9 (AF_INET6 :: port 6011)

==> /var/log/auth.log <==
Apr 6 15:34:06 ubuntu2004 xrdp-sesman[11475]: (11475)(139750400112192)[DEBUG] Closed socket 9 (AF_INET6 :: port 6211)

==> /var/log/xrdp-sesman.log <==
[20220406-15:34:06] [DEBUG] Closed socket 9 (AF_INET6 :: port 6211)

==> /var/log/auth.log <==
Apr 6 15:34:06 ubuntu2004 xrdp-sesman[11494]: (11494)(139750400112192)[INFO ] calling auth_start_session from pid 11494
Apr 6 15:34:06 ubuntu2004 xrdp-sesman[11475]: (11475)(139750400112192)[DEBUG] Closed socket 8 (AF_INET6 ::ffff:127.0.0.1 port 3350)

==> /var/log/xrdp.log <==
[20220406-15:34:06] [INFO ] xrdp_wm_log_msg: login successful for display 11

==> /var/log/xrdp-sesman.log <==
[20220406-15:34:06] [INFO ] calling auth_start_session from pid 11494
[20220406-15:34:06] [DEBUG] Closed socket 8 (AF_INET6 ::ffff:127.0.0.1 port 3350)

==> /var/log/xrdp.log <==
[20220406-15:34:06] [DEBUG] xrdp_wm_log_msg: started connecting

==> /var/log/auth.log <==
Apr 6 15:34:06 ubuntu2004 xrdp-sesman[11494]: pam_unix(xrdp-sesman:session): session opened for user xrdp2 by (uid=0)
Apr 6 15:34:06 ubuntu2004 systemd-logind[614]: New session 23 of user xrdp2.
Apr 6 15:34:07 ubuntu2004 xrdp-sesman[11494]: (11494)(139750400112192)[DEBUG] Closed socket 7 (AF_INET6 ::ffff:127.0.0.1 port 3350)

==> /var/log/xrdp-sesman.log <==
[20220406-15:34:07] [DEBUG] Closed socket 7 (AF_INET6 ::ffff:127.0.0.1 port 3350)

==> /var/log/auth.log <==
Apr 6 15:34:07 ubuntu2004 xrdp-sesman[11494]: (11494)(139750400112192)[DEBUG] Closed socket 8 (AF_INET6 ::ffff:127.0.0.1 port 3350)

==> /var/log/xrdp-sesman.log <==
[20220406-15:34:07] [DEBUG] Closed socket 8 (AF_INET6 ::ffff:127.0.0.1 port 3350)

==> /var/log/auth.log <==
Apr 6 15:34:07 ubuntu2004 xrdp-sesman[11577]: (11577)(139750400112192)[INFO ] /usr/lib/xorg/Xorg :11 -auth .Xauthority -config xrdp/xorg.conf -noreset -nolisten tcp -logfile .xorgxrdp.%s.log

==> /var/log/xrdp-sesman.log <==
[20220406-15:34:07] [INFO ] /usr/lib/xorg/Xorg :11 -auth .Xauthority -config xrdp/xorg.conf -noreset -nolisten tcp -logfile .xorgxrdp.%s.log

==> /var/log/xrdp.log <==
[20220406-15:34:07] [INFO ] lib_mod_log_peer: xrdp_pid=11489 connected to X11rdp_pid=11577 X11rdp_uid=1234 X11rdp_gid=100 client_ip=::ffff:192.168.3.168 client_port=53277
[20220406-15:34:07] [DEBUG] xrdp_wm_log_msg: connected ok

==> /var/log/auth.log <==
Apr 6 15:34:07 ubuntu2004 xrdp-sesman[11494]: (11494)(139750400112192)[CORE ] waiting for window manager (pid 11576) to exit

==> /var/log/xrdp-sesman.log <==
[20220406-15:34:07] [CORE ] waiting for window manager (pid 11576) to exit

==> /var/log/xrdp.log <==
[20220406-15:34:07] [DEBUG] xrdp_mm_connect_chansrv: chansrv connect successful
[20220406-15:34:07] [DEBUG] Closed socket 18 (AF_INET6 ::ffff:127.0.0.1 port 51580)

==> /var/log/auth.log <==
Apr 6 15:34:09 ubuntu2004 polkitd(authority=local): Registered Authentication Agent for unix-session:23 (system bus name :1.576 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)

Second login with PAM (not working -> Request never received on authentication server. Same session number in PAM Logs which looks not correct (auth.log) ) session number for the first successful auth : 11475
session number for the second failed auth : 11475 (it's like xrdp considers first and second auth one connection!)

LOG:

==> /var/log/xrdp.log <==
[20220406-15:34:36] [INFO ] Socket 12: AF_INET6 connection received from ::ffff:192.168.3.168 port 53288
[20220406-15:34:36] [DEBUG] Closed socket 12 (AF_INET6 ::ffff:192.168.1.17 port 3389)
[20220406-15:34:36] [DEBUG] Closed socket 11 (AF_INET6 :: port 3389)
[20220406-15:34:36] [INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
[20220406-15:34:36] [INFO ] Using default X.509 key file: /etc/xrdp/key.pem
[20220406-15:34:36] [DEBUG] TLSv1.3 enabled
[20220406-15:34:36] [DEBUG] TLSv1.2 enabled
[20220406-15:34:36] [DEBUG] Security layer: requested 11, selected 1
[20220406-15:34:36] [DEBUG] Closed socket 12 (AF_INET6 ::ffff:192.168.1.17 port 3389)
[20220406-15:34:38] [INFO ] Socket 12: AF_INET6 connection received from ::ffff:192.168.3.168 port 53289
[20220406-15:34:38] [DEBUG] Closed socket 12 (AF_INET6 ::ffff:192.168.1.17 port 3389)
[20220406-15:34:38] [DEBUG] Closed socket 11 (AF_INET6 :: port 3389)
[20220406-15:34:38] [INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
[20220406-15:34:38] [INFO ] Using default X.509 key file: /etc/xrdp/key.pem
[20220406-15:34:38] [DEBUG] TLSv1.3 enabled
[20220406-15:34:38] [DEBUG] TLSv1.2 enabled
[20220406-15:34:38] [DEBUG] Security layer: requested 11, selected 1
[20220406-15:34:38] [INFO ] connected client computer name: VAGRANTVM
[20220406-15:34:38] [INFO ] adding channel item name rdpdr chan_id 1004 flags 0x80800000
[20220406-15:34:38] [INFO ] adding channel item name rdpsnd chan_id 1005 flags 0xc0000000
[20220406-15:34:38] [INFO ] adding channel item name cliprdr chan_id 1006 flags 0xc0a00000
[20220406-15:34:38] [INFO ] adding channel item name drdynvc chan_id 1007 flags 0xc0800000
[20220406-15:34:38] [INFO ] TLS connection established from ::ffff:192.168.3.168 port 53289: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384
[20220406-15:34:38] [DEBUG] xrdp_00002f66_wm_login_mode_event_00000001
[20220406-15:34:38] [INFO ] Loading keymap file /etc/xrdp/km-00000409.ini
[20220406-15:34:38] [WARN ] local keymap file for 0x00000409 found and doesn't match built in keymap, using local keymap file
[20220406-15:34:48] [DEBUG] xrdp_wm_log_msg: connecting to sesman ip 127.0.0.1 port 3350

==> /var/log/auth.log <==
Apr 6 15:34:48 ubuntu2004 xrdp-sesman[11475]: (11475)(139750400112192)[INFO ] A connection received from ::ffff:127.0.0.1 port 51586

==> /var/log/xrdp-sesman.log <==
[20220406-15:34:48] [INFO ] A connection received from ::ffff:127.0.0.1 port 51586

==> /var/log/xrdp.log <==
[20220406-15:34:48] [INFO ] xrdp_wm_log_msg: sesman connect ok
[20220406-15:34:48] [DEBUG] xrdp_wm_log_msg: sending login info to session manager, please wait...

==> /var/log/auth.log <==
Apr 6 15:34:48 ubuntu2004 openotp[11475]: PAM Module for OpenOTP version 1.0.12-4 starting

==> /var/log/xrdp.log <==
[20220406-15:34:48] [DEBUG] return value from xrdp_mm_connect 0

==> /var/log/auth.log <==
Apr 6 15:34:48 ubuntu2004 openotp[11475]: Server URLs: http://192.168.1.8:8080/openotp/
Apr 6 15:34:48 ubuntu2004 openotp[11475]: Server Policy: Ordered
Apr 6 15:34:48 ubuntu2004 openotp[11475]: Domain name: [None]
Apr 6 15:34:48 ubuntu2004 openotp[11475]: Client id: Linux
Apr 6 15:34:48 ubuntu2004 openotp[11475]: Challenge suffix: :
Apr 6 15:34:48 ubuntu2004 openotp[11475]: User settings: [None]
Apr 6 15:34:48 ubuntu2004 openotp[11475]: Cert file: [None]
Apr 6 15:34:48 ubuntu2004 openotp[11475]: Cert password: [None]
Apr 6 15:34:48 ubuntu2004 openotp[11475]: CA file: /etc/openotp/ca.crt
Apr 6 15:34:48 ubuntu2004 openotp[11475]: SOAP timeout: [Default]
Apr 6 15:34:48 ubuntu2004 openotp[11475]: Create homedirs: Yes
Apr 6 15:34:48 ubuntu2004 openotp[11475]: Password mode: [Default]
Apr 6 15:34:48 ubuntu2004 openotp[11475]: Password separator: [None]
Apr 6 15:34:48 ubuntu2004 openotp[11475]: OTP length: [Default]
Apr 6 15:34:48 ubuntu2004 openotp[11475]: Got user name xrdp2
Apr 6 15:34:48 ubuntu2004 openotp[11475]: Got anyPassword ************ for user xrdp2
Apr 6 15:34:48 ubuntu2004 openotp[11475]: Sending OpenOTP...

Regards,

martin82dd May 4, 2022
Author

I must restart xrdp : systemctl restart xrdp to have a successful auth again, but always the second one failed.

matt335672 · 2022-05-04T09:58:33Z

matt335672
May 4, 2022
Collaborator

The 11475 is the PID of xrdp-sesman. With the current architecture, that's expected behaviour. It's not unreasonable for a single program to authentication multiple users - PAM is designed to handle that.

I'm not familiar with OpenOTP, but it looks like the PAM stack is calling the module, and the module isn't returning. So either the request isn't being sent, or the server isn't picking it up. Wireshark should let you determine which of these is the case. Are you seeing outgoing activity on the SOAP port?

As the same PID is involved, it's possible the client is re-using the TCP connection for the second authentication. Do you have any firewalls or proxies in place between the client and the server which could be dropping the TCP connection without sending a RST?

Other than that I can't suggest much. This looks like a commercial product. Do you have a support contract in place for it?

0 replies

rcdevs · 2022-05-18T09:56:48Z

rcdevs
May 18, 2022

Hello,

We are the provider of OpenOTP authentication server.

Just to recap the issue encountered here :

We installed and configured XRDP and XRDP-sesman services on Ubuntu and CentOS servers,
We configured the XRDP authentication through PAM, involving PAM-OpenOTP plugin. PAM-OpenOTP plugin is working all the time and as expected with SSH service for e.g. The only problem we have is with XRDP authentications.
For more info about our PAM-OpenOTP plugin, have a look here :
https://docs.rcdevs.com/howtos/openotp_pam/pam_openotp/

According to our investigations, there is something strange with XRDP and PAM-OpenOTP integration. PAM-OpenOTP is a module for PAM authentication on Linux system which perform calls to OpenOTP authentication server for users authentications. It can be integrated with any services able to use PAM for authentication.

We are able to have the XRDP authentication working with OpenOTP through PAM at some point:

The first authentication after xrdp and xrdp-sesman services starting works.
The second or next authentications never work, no matter if we use the same account used during the first authentication or if we use another user account. After the first authentication, NO WAY to perform any other authentication.

Found below, the full stack of log for XRDP machine for the first authentication with OpenOTP through PAM :

------------------- 1st authentication -------------------

==> messages <==
May 17 18:00:29 localhost xrdp[5607]: [INFO ] Socket 12: AF_INET6 connection received from ::ffff:172.16.3.25 port 53279
May 17 18:00:29 localhost xrdp[5634]: [INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
May 17 18:00:29 localhost xrdp[5634]: [INFO ] Using default X.509 key file: /etc/xrdp/key.pem
May 17 18:00:29 localhost xrdp[5634]: [WARN ] TLSv1.3 enabled by config, but not supported by system OpenSSL
May 17 18:00:29 localhost xrdp[5634]: [INFO ] Security protocol: configured [SSL|RDP], requested [SSL|HYBRID|HYBRID_EX|RDP], selected [SSL]

==> xrdp.log <==
[20220517-18:00:29] [INFO ] Socket 12: AF_INET6 connection received from ::ffff:172.16.3.25 port 53279
[20220517-18:00:29] [INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
[20220517-18:00:29] [INFO ] Using default X.509 key file: /etc/xrdp/key.pem
[20220517-18:00:29] [WARN ] TLSv1.3 enabled by config, but not supported by system OpenSSL
[20220517-18:00:29] [INFO ] Security protocol: configured [SSL|RDP], requested [SSL|HYBRID|HYBRID_EX|RDP], selected [SSL]

==> messages <==
May 17 18:00:35 localhost xrdp[5634]: [INFO ] Connected client computer name: MacBook-Pro-de-
May 17 18:00:35 localhost xrdp[5634]: [WARN ] Received [MS-RDPBCGR] TS_UD_HEADER type 0xc006 is unknown (ignored)
May 17 18:00:35 localhost xrdp[5634]: [WARN ] Received [MS-RDPBCGR] TS_UD_HEADER type 0xc00a is unknown (ignored)
May 17 18:00:35 localhost xrdp[5634]: [INFO ] xrdp_load_keyboard_layout: Keyboard information sent by the RDP client, keyboard_type:[0x04], keyboard_subtype:[0x00], keylayout:[0x00000000]
May 17 18:00:35 localhost xrdp[5634]: [INFO ] xrdp_load_keyboard_layout: model [] variant [] layout [us] options []
May 17 18:00:35 localhost xrdp[5634]: [INFO ] TLS connection established from ::ffff:172.16.3.25 port 53279: TLSv1.2 with cipher ECDHE-RSA-DES-CBC3-SHA
May 17 18:00:35 localhost xrdp[5634]: [INFO ] xrdp_caps_process_pointer: client supports new(color) cursor
May 17 18:00:35 localhost xrdp[5634]: [INFO ] xrdp_process_offscreen_bmpcache: support level 0 cache size 0 MB cache entries 0
May 17 18:00:35 localhost xrdp[5634]: [INFO ] xrdp_caps_process_codecs: nscodec, codec id 1, properties len 3
May 17 18:00:35 localhost xrdp[5634]: [WARN ] Cannot find keymap file /etc/xrdp/km-00000000.ini
May 17 18:00:35 localhost xrdp[5634]: [WARN ] Cannot find keymap file /etc/xrdp/km-00000000.ini
May 17 18:00:35 localhost xrdp[5634]: [INFO ] Loading keymap file /etc/xrdp/km-00000409.ini
May 17 18:00:35 localhost xrdp[5634]: [WARN ] local keymap file for 0x00000000 found and doesn't match built in keymap, using local keymap file
May 17 18:00:35 localhost xrdp[5634]: [INFO ] connecting to sesman on 127.0.0.1:3350
May 17 18:00:35 localhost xrdp-sesman[5606]: [INFO ] Socket 14: AF_INET6 connection received from ::1 port 40776
May 17 18:00:35 localhost xrdp[5634]: [INFO ] xrdp_wm_log_msg: sesman connect ok
May 17 18:00:35 localhost xrdp[5634]: [INFO ] sesman connect ok
May 17 18:00:35 localhost xrdp[5634]: [INFO ] sending login info to session manager. Please wait...
May 17 18:00:35 localhost openotp[5606]: Got user name xrdp
May 17 18:00:35 localhost openotp[5606]: Got anyPassword ************ for user xrdp
May 17 18:00:35 localhost openotp[5606]: Sending OpenOTP SimpleLogin request for user xrdp
May 17 18:00:36 localhost openotp[5606]: Authentication succeeded for user xrdp
May 17 18:00:36 localhost openotp[5606]: Found home directory '/home/xrdp' for 'xrdp'
May 17 18:00:36 localhost xrdp-sesman[5606]: [INFO ] Terminal Server Users group is disabled, allowing authentication
May 17 18:00:36 localhost xrdp-sesman[5606]: [INFO ] ++ created session (access granted): username xrdp, ip ::ffff:172.16.3.25:53279 - socket: 12
May 17 18:00:36 localhost xrdp-sesman[5606]: [INFO ] starting Xvnc session...
May 17 18:00:36 localhost xrdp-sesman[5606]: [INFO ] Found X server running at /tmp/.X11-unix/X10
May 17 18:00:36 localhost xrdp-sesman[5606]: [INFO ] Starting session: session_pid 5635, display :11.0, width 2560, height 1080, bpp 32, client ip ::ffff:172.16.3.25:53279 - socket: 12, user name xrdp
May 17 18:00:36 localhost xrdp-sesman[5635]: [INFO ] [session start] (display 11): calling auth_start_session from pid 5635
May 17 18:00:36 localhost xrdp-sesman[5606]: [ERROR] sesman_data_in: scp_process_msg failed
May 17 18:00:36 localhost xrdp[5634]: [INFO ] xrdp_wm_log_msg: login successful for user xrdp on display 11
May 17 18:00:36 localhost xrdp[5634]: [INFO ] login successful for user xrdp on display 11
May 17 18:00:36 localhost xrdp-sesman[5606]: [ERROR] sesman_main_loop: trans_check_wait_objs failed, removing trans
May 17 18:00:36 localhost xrdp[5634]: [INFO ] loaded module 'libvnc.so' ok, interface size 4064, version 4
May 17 18:00:36 localhost xrdp[5634]: [INFO ] VNC started connecting
May 17 18:00:36 localhost xrdp[5634]: [INFO ] VNC connecting to 127.0.0.1 5911

==> xrdp.log <==
[20220517-18:00:35] [INFO ] Connected client computer name: MacBook-Pro-de-
[20220517-18:00:35] [WARN ] Received [MS-RDPBCGR] TS_UD_HEADER type 0xc006 is unknown (ignored)
[20220517-18:00:35] [WARN ] Received [MS-RDPBCGR] TS_UD_HEADER type 0xc00a is unknown (ignored)
[20220517-18:00:35] [INFO ] xrdp_load_keyboard_layout: Keyboard information sent by the RDP client, keyboard_type:[0x04], keyboard_subtype:[0x00], keylayout:[0x00000000]
[20220517-18:00:35] [INFO ] xrdp_load_keyboard_layout: model [] variant [] layout [us] options []
[20220517-18:00:35] [INFO ] TLS connection established from ::ffff:172.16.3.25 port 53279: TLSv1.2 with cipher ECDHE-RSA-DES-CBC3-SHA
[20220517-18:00:35] [INFO ] xrdp_caps_process_pointer: client supports new(color) cursor
[20220517-18:00:35] [INFO ] xrdp_process_offscreen_bmpcache: support level 0 cache size 0 MB cache entries 0
[20220517-18:00:35] [INFO ] xrdp_caps_process_codecs: nscodec, codec id 1, properties len 3
[20220517-18:00:35] [WARN ] Cannot find keymap file /etc/xrdp/km-00000000.ini
[20220517-18:00:35] [WARN ] Cannot find keymap file /etc/xrdp/km-00000000.ini
[20220517-18:00:35] [INFO ] Loading keymap file /etc/xrdp/km-00000409.ini
[20220517-18:00:35] [WARN ] local keymap file for 0x00000000 found and doesn't match built in keymap, using local keymap file
[20220517-18:00:35] [INFO ] connecting to sesman on 127.0.0.1:3350
[20220517-18:00:35] [INFO ] xrdp_wm_log_msg: sesman connect ok
[20220517-18:00:35] [INFO ] sesman connect ok
[20220517-18:00:35] [INFO ] sending login info to session manager. Please wait...
[20220517-18:00:36] [INFO ] xrdp_wm_log_msg: login successful for user xrdp on display 11
[20220517-18:00:36] [INFO ] login successful for user xrdp on display 11
[20220517-18:00:36] [INFO ] loaded module 'libvnc.so' ok, interface size 4064, version 4
[20220517-18:00:36] [INFO ] VNC started connecting
[20220517-18:00:36] [INFO ] VNC connecting to 127.0.0.1 5911

==> xrdp-sesman.log <==
[20220517-18:00:35] [INFO ] Socket 14: AF_INET6 connection received from ::1 port 40776
[20220517-18:00:36] [INFO ] Terminal Server Users group is disabled, allowing authentication
[20220517-18:00:36] [INFO ] ++ created session (access granted): username xrdp, ip ::ffff:172.16.3.25:53279 - socket: 12
[20220517-18:00:36] [INFO ] starting Xvnc session...
[20220517-18:00:36] [INFO ] Found X server running at /tmp/.X11-unix/X10
[20220517-18:00:36] [INFO ] Starting session: session_pid 5635, display :11.0, width 2560, height 1080, bpp 32, client ip ::ffff:172.16.3.25:53279 - socket: 12, user name xrdp
[20220517-18:00:36] [ERROR] sesman_data_in: scp_process_msg failed
[20220517-18:00:36] [ERROR] sesman_main_loop: trans_check_wait_objs failed, removing trans
[20220517-18:00:36] [INFO ] [session start] (display 11): calling auth_start_session from pid 5635

==> messages <==
May 17 18:00:36 localhost systemd: Started Session 12 of user xrdp.
May 17 18:00:36 localhost systemd-logind: New session 12 of user xrdp.
May 17 18:00:36 localhost xrdp-sesman[5637]: [INFO ] Starting X server on display 11: Xvnc :11 -auth .Xauthority -geometry 2560x1080 -depth 32 -rfbauth /home/xrdp/.vnc/[email protected]:11 -bs -nolisten tcp -localhost -dpi 96
May 17 18:00:36 localhost xrdp-sesman: Xvnc TigerVNC 1.8.0 - built Nov 16 2020 16:47:50
May 17 18:00:36 localhost xrdp-sesman: Copyright (C) 1999-2017 TigerVNC Team and many others (see README.txt)
May 17 18:00:36 localhost xrdp-sesman: See http://www.tigervnc.org for information on TigerVNC.
May 17 18:00:36 localhost xrdp-sesman: Underlying X server release 12004000, The X.Org Foundation
May 17 18:00:36 localhost xrdp-sesman: Tue May 17 18:00:36 2022
May 17 18:00:36 localhost xrdp-sesman: vncext: VNC extension running!
May 17 18:00:36 localhost xrdp-sesman: vncext: Listening for VNC connections on local interface(s), port 5911
May 17 18:00:36 localhost xrdp-sesman: vncext: created VNC server for screen 0
May 17 18:00:36 localhost xrdp[5634]: [INFO ] VNC tcp connected
May 17 18:00:36 localhost xrdp-sesman[5635]: [INFO ] Found X server running at /tmp/.X11-unix/X11
May 17 18:00:36 localhost xrdp-sesman[5636]: [INFO ] Found X server running at /tmp/.X11-unix/X11
May 17 18:00:36 localhost xrdp-sesman[5635]: [INFO ] Session started successfully for user xrdp on display 11
May 17 18:00:36 localhost xrdp-sesman[5646]: [INFO ] Starting the xrdp channel server for display 11
May 17 18:00:36 localhost xrdp-sesman[5635]: [INFO ] Session in progress on display 11, waiting until the window manager (pid 5636) exits to end the session
May 17 18:00:36 localhost xrdp-sesman: Connections: accepted: 127.0.0.1::43800
May 17 18:00:36 localhost xrdp[5634]: [INFO ] VNC security level is 2 (1 = none, 2 = standard)
May 17 18:00:36 localhost xrdp-sesman: SConnection: Client needs protocol version 3.3
May 17 18:00:36 localhost xrdp-sesman: VNCSConnST: Server default pixel format depth 32 (32bpp) little-endian rgb
May 17 18:00:36 localhost xrdp-sesman: max 255,255,255 shift 16,8,0
May 17 18:00:36 localhost xrdp[5634]: [INFO ] VNC password ok
May 17 18:00:36 localhost xrdp[5634]: [INFO ] VNC sending share flag
May 17 18:00:36 localhost xrdp[5634]: [INFO ] VNC receiving server init
May 17 18:00:36 localhost xrdp[5634]: [INFO ] VNC receiving pixel format
May 17 18:00:36 localhost xrdp[5634]: [INFO ] VNC receiving name length
May 17 18:00:36 localhost xrdp[5634]: [INFO ] VNC receiving name
May 17 18:00:36 localhost xrdp[5634]: [INFO ] VNC sending pixel format
May 17 18:00:36 localhost xrdp[5634]: [INFO ] VNC sending cursor
May 17 18:00:36 localhost xrdp-sesman: VNCSConnST: Client pixel format depth 24 (32bpp) little-endian rgb888
May 17 18:00:36 localhost xrdp[5634]: [INFO ] VNC connection complete, connected ok
May 17 18:00:36 localhost xrdp[5634]: [INFO ] VNC: Clipboard (if available) is provided by chansrv facility
May 17 18:00:36 localhost xrdp[5634]: [INFO ] connected ok
May 17 18:00:36 localhost xrdp-sesman[5636]: [INFO ] Found X server running at /tmp/.X11-unix/X11
May 17 18:00:36 localhost xrdp-sesman[5636]: [INFO ] Starting the default window manager on display 11: /usr/libexec/xrdp/startwm-bash.sh
May 17 18:00:36 localhost xrdp[5634]: [INFO ] Layout from OldLayout (geom=2560x1080 #screens=1) : 1804289383:(2560x1080+0+0)
May 17 18:00:36 localhost xrdp-chansrv[5646]: [INFO ] Socket 14: AF_UNIX connection received
May 17 18:00:36 localhost xrdp-chansrv[5646]: [INFO ] sound_process_training: round trip time 100

==> secure <==
May 17 18:00:36 localhost xrdp-sesman[5635]: pam_unix(xrdp-sesman:session): session opened for user xrdp by (uid=0)

==> xrdp.log <==
[20220517-18:00:36] [INFO ] VNC tcp connected
[20220517-18:00:36] [INFO ] VNC security level is 2 (1 = none, 2 = standard)
[20220517-18:00:36] [INFO ] VNC password ok
[20220517-18:00:36] [INFO ] VNC sending share flag
[20220517-18:00:36] [INFO ] VNC receiving server init
[20220517-18:00:36] [INFO ] VNC receiving pixel format
[20220517-18:00:36] [INFO ] VNC receiving name length
[20220517-18:00:36] [INFO ] VNC receiving name
[20220517-18:00:36] [INFO ] VNC sending pixel format
[20220517-18:00:36] [INFO ] VNC sending cursor
[20220517-18:00:36] [INFO ] VNC connection complete, connected ok
[20220517-18:00:36] [INFO ] VNC: Clipboard (if available) is provided by chansrv facility
[20220517-18:00:36] [INFO ] connected ok
[20220517-18:00:36] [INFO ] Layout from OldLayout (geom=2560x1080 #screens=1) : 1804289383:(2560x1080+0+0)

==> xrdp-sesman.log <==
[20220517-18:00:36] [INFO ] Starting X server on display 11: Xvnc :11 -auth .Xauthority -geometry 2560x1080 -depth 32 -rfbauth /home/xrdp/.vnc/[email protected]:11 -bs -nolisten tcp -localhost -dpi 96
[20220517-18:00:36] [INFO ] Found X server running at /tmp/.X11-unix/X11
[20220517-18:00:36] [INFO ] Session started successfully for user xrdp on display 11
[20220517-18:00:36] [INFO ] Session in progress on display 11, waiting until the window manager (pid 5636) exits to end the session
[20220517-18:00:36] [INFO ] Found X server running at /tmp/.X11-unix/X11
[20220517-18:00:36] [INFO ] Starting the xrdp channel server for display 11
[20220517-18:00:36] [INFO ] Found X server running at /tmp/.X11-unix/X11
[20220517-18:00:36] [INFO ] Starting the default window manager on display 11: /usr/libexec/xrdp/startwm-bash.sh

==> messages <==
May 17 18:00:37 localhost org.a11y.Bus: Activating service name='org.a11y.atspi.Registry'
May 17 18:00:37 localhost org.a11y.Bus: Successfully activated service 'org.a11y.atspi.Registry'
May 17 18:00:37 localhost org.a11y.atspi.Registry: SpiRegistry daemon is running with well-known name - org.a11y.atspi.Registry
May 17 18:00:37 localhost org.gtk.vfs.Daemon: fusermount: failed to access mountpoint /run/user/508/gvfs: Permission denied
May 17 18:00:38 localhost gnome-session: generating cookie with syscall
May 17 18:00:38 localhost gnome-session: generating cookie with syscall
May 17 18:00:38 localhost gnome-session: generating cookie with syscall
May 17 18:00:38 localhost gnome-session: generating cookie with syscall
May 17 18:00:38 localhost gnome-keyring-daemon[3453]: The PKCS#11 component was already initialized
May 17 18:00:38 localhost journal: The PKCS#11 component was already initialized
May 17 18:00:38 localhost gnome-keyring-pkcs11.desktop: SSH_AUTH_SOCK=/run/user/508/keyring/ssh
May 17 18:00:38 localhost gnome-keyring-daemon[3453]: The Secret Service was already initialized
May 17 18:00:38 localhost journal: The Secret Service was already initialized
May 17 18:00:38 localhost gnome-keyring-secrets.desktop: SSH_AUTH_SOCK=/run/user/508/keyring/ssh
May 17 18:00:38 localhost gnome-keyring-daemon[3453]: The SSH agent was already initialized
May 17 18:00:38 localhost journal: The SSH agent was already initialized
May 17 18:00:38 localhost gnome-keyring-ssh.desktop: SSH_AUTH_SOCK=/run/user/508/keyring/ssh
May 17 18:00:39 localhost xrdp-sesman: Tue May 17 18:00:39 2022
May 17 18:00:39 localhost xrdp-sesman: ComparingUpdateTracker: 0 pixels in / 0 pixels out
May 17 18:00:39 localhost xrdp-sesman: ComparingUpdateTracker: (1:-nan ratio)
May 17 18:00:41 localhost dbus[682]: [system] Activating via systemd: service name='org.freedesktop.GeoClue2' unit='geoclue.service'
May 17 18:00:41 localhost systemd: Starting Location Lookup Service...
May 17 18:00:42 localhost dbus[682]: [system] Successfully activated service 'org.freedesktop.GeoClue2'
May 17 18:00:42 localhost systemd: Started Location Lookup Service.
May 17 18:00:42 localhost NetworkManager[713]: [1652810442.5372] agent-manager: req[0x56520443aec0, :1.227/org.gnome.Shell.NetworkAgent/508]: agent registered
May 17 18:00:42 localhost journal: goa-daemon version 3.28.2 starting

==> secure <==
May 17 18:00:42 localhost polkitd[708]: Registered Authentication Agent for unix-session:12 (system bus name :1.227 [/usr/bin/gnome-shell], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)

==> messages <==
May 17 18:00:43 localhost journal: GoaKerberosIdentityManager: Using polling for change notification for credential cache type 'KEYRING'
May 17 18:00:44 localhost org.gtk.vfs.AfcVolumeMonitor: Volume monitor alive
May 17 18:00:47 localhost dbus[682]: [system] Activating via systemd: service name='org.freedesktop.hostname1' unit='dbus-org.freedesktop.hostname1.service'
May 17 18:00:47 localhost journal: Loading NVML: libnvidia-ml.so: cannot open shared object file: No such file or directory
May 17 18:00:47 localhost dbus[682]: [system] Activating via systemd: service name='org.freedesktop.locale1' unit='dbus-org.freedesktop.locale1.service'
May 17 18:00:48 localhost systemd: Starting Locale Service...
May 17 18:00:48 localhost systemd: Starting Hostname Service...
May 17 18:00:48 localhost dbus[682]: [system] Successfully activated service 'org.freedesktop.hostname1'
May 17 18:00:48 localhost systemd: Started Hostname Service.
May 17 18:00:48 localhost dbus[682]: [system] Successfully activated service 'org.freedesktop.locale1'
May 17 18:00:48 localhost systemd: Started Locale Service.
May 17 18:00:48 localhost spice-vdagent[6081]: Cannot access vdagent virtio channel /dev/virtio-ports/com.redhat.spice.0
May 17 18:00:48 localhost gnome-session-binary[5636]: WARNING: App 'spice-vdagent.desktop' exited with code 1
May 17 18:00:48 localhost gnome-session: gnome-session-binary[5636]: WARNING: App 'spice-vdagent.desktop' exited with code 1
May 17 18:00:48 localhost journal: Exiting
May 17 18:00:50 localhost gnome-session-binary: Entering running state
May 17 18:00:51 localhost sealertauto.desktop: SELinux Troubleshooter: Applet requires SELinux be enabled to run.
May 17 18:00:51 localhost tracker-store.desktop: (uint32 1,)

OpenOTP Backend log (just for your information) :

2022-05-18 11:11:09] [172.16.3.69:59204] [OpenOTP:INM7PM43] New openotpSimpleLogin SOAP request
[2022-05-18 11:11:09] [172.16.3.69:59204] [OpenOTP:INM7PM43] > Username: xrdp
[2022-05-18 11:11:09] [172.16.3.69:59204] [OpenOTP:INM7PM43] > Password: xxxxxxxxxxxx
[2022-05-18 11:11:09] [172.16.3.69:59204] [OpenOTP:INM7PM43] > Client ID: Linux
[2022-05-18 11:11:09] [172.16.3.69:59204] [OpenOTP:INM7PM43] > Options: -U2F
[2022-05-18 11:11:09] [172.16.3.69:59204] [OpenOTP:INM7PM43] Enforcing client policy: Linux (matched client ID)
[2022-05-18 11:11:09] [172.16.3.69:59204] [OpenOTP:INM7PM43] Registered openotpSimpleLogin request
[2022-05-18 11:11:09] [172.16.3.69:59204] [OpenOTP:INM7PM43] Resolved LDAP user: CN=xrdp,OU=SUPAdmins,DC=support,DC=rcdevs,DC=com
[2022-05-18 11:11:09] [172.16.3.69:59204] [OpenOTP:INM7PM43] Resolved LDAP groups: wifi_users
[2022-05-18 11:11:09] [172.16.3.69:59204] [OpenOTP:INM7PM43] Started transaction lock for user
[2022-05-18 11:11:09] [172.16.3.69:59204] [OpenOTP:INM7PM43] Found 48 user settings: LoginMode=LDAP,OTPType=TOKEN,PushLogin=Yes,PushVoice=No,BlockNotify=MAIL,ExpireNotify=MAIL,ChallengeMode=Yes,ChallengeTimeout=90,OTPLength=6,OTPPrefix=No,OfflineExpire=360,GeoFence=Yes,MobileTimeout=30,EnableLogin=Yes,SelfRegister=Yes,PasswordReset=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,DeviceType=FIDO2,U2FPINMode=Discouraged,SMSType=Normal,SMSMode=Ondemand,ReplyData=[1 Items],MailMode=Ondemand,PrefetchExpire=10,LastOTPTime=300,ListChallengeMode=ShowID
[2022-05-18 11:11:09] [172.16.3.69:59204] [OpenOTP:INM7PM43] Requested login factors: LDAP
[2022-05-18 11:11:09] [172.16.3.69:59204] [OpenOTP:INM7PM43] LDAP password Ok
[2022-05-18 11:11:09] [172.16.3.69:59204] [OpenOTP:INM7PM43] Updated user data
[2022-05-18 11:11:09] [172.16.3.69:59204] [OpenOTP:INM7PM43] Sent login success response

At this point, we are successfuly authenticated with xrdp user on the XRDP server through OpenOTP and RDP session is opened.
So far so good.

------------------- 2nd authentication -------------------

Now we try to perform the secondary/next authentications. From that point we can not be authenticated successfully any user.

==> messages <==
May 17 18:16:43 localhost xrdp[5607]: [INFO ] Socket 12: AF_INET6 connection received from ::ffff:172.16.3.25 port 53444
May 17 18:16:43 localhost xrdp[6675]: [INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
May 17 18:16:43 localhost xrdp[6675]: [INFO ] Using default X.509 key file: /etc/xrdp/key.pem
May 17 18:16:43 localhost xrdp[6675]: [WARN ] TLSv1.3 enabled by config, but not supported by system OpenSSL
May 17 18:16:43 localhost xrdp[6675]: [INFO ] Security protocol: configured [SSL|RDP], requested [SSL|HYBRID|HYBRID_EX|RDP], selected [SSL]

==> xrdp.log <==
[20220517-18:16:43] [INFO ] Socket 12: AF_INET6 connection received from ::ffff:172.16.3.25 port 53444
[20220517-18:16:43] [INFO ] Using default X.509 certificate: /etc/xrdp/cert.pem
[20220517-18:16:43] [INFO ] Using default X.509 key file: /etc/xrdp/key.pem
[20220517-18:16:43] [WARN ] TLSv1.3 enabled by config, but not supported by system OpenSSL
[20220517-18:16:43] [INFO ] Security protocol: configured [SSL|RDP], requested [SSL|HYBRID|HYBRID_EX|RDP], selected [SSL]

==> messages <==
May 17 18:16:54 localhost xrdp[6675]: [INFO ] Connected client computer name: MacBook-Pro-de-
May 17 18:16:54 localhost xrdp[6675]: [WARN ] Received [MS-RDPBCGR] TS_UD_HEADER type 0xc006 is unknown (ignored)
May 17 18:16:54 localhost xrdp[6675]: [WARN ] Received [MS-RDPBCGR] TS_UD_HEADER type 0xc00a is unknown (ignored)
May 17 18:16:54 localhost xrdp[6675]: [INFO ] xrdp_load_keyboard_layout: Keyboard information sent by the RDP client, keyboard_type:[0x04], keyboard_subtype:[0x00], keylayout:[0x00000000]
May 17 18:16:54 localhost xrdp[6675]: [INFO ] xrdp_load_keyboard_layout: model [] variant [] layout [us] options []
May 17 18:16:54 localhost xrdp[6675]: [INFO ] TLS connection established from ::ffff:172.16.3.25 port 53444: TLSv1.2 with cipher ECDHE-RSA-DES-CBC3-SHA
May 17 18:16:54 localhost xrdp[6675]: [INFO ] xrdp_caps_process_pointer: client supports new(color) cursor
May 17 18:16:54 localhost xrdp[6675]: [INFO ] xrdp_process_offscreen_bmpcache: support level 0 cache size 0 MB cache entries 0
May 17 18:16:54 localhost xrdp[6675]: [INFO ] xrdp_caps_process_codecs: nscodec, codec id 1, properties len 3
May 17 18:16:54 localhost xrdp[6675]: [WARN ] Cannot find keymap file /etc/xrdp/km-00000000.ini
May 17 18:16:54 localhost xrdp[6675]: [WARN ] Cannot find keymap file /etc/xrdp/km-00000000.ini
May 17 18:16:54 localhost xrdp[6675]: [INFO ] Loading keymap file /etc/xrdp/km-00000409.ini
May 17 18:16:54 localhost xrdp[6675]: [WARN ] local keymap file for 0x00000000 found and doesn't match built in keymap, using local keymap file
May 17 18:16:54 localhost xrdp[6675]: [INFO ] connecting to sesman on 127.0.0.1:3350
May 17 18:16:54 localhost xrdp-sesman[5606]: [INFO ] Socket 14: AF_INET6 connection received from ::1 port 41994
May 17 18:16:54 localhost xrdp[6675]: [INFO ] xrdp_wm_log_msg: sesman connect ok
May 17 18:16:54 localhost xrdp[6675]: [INFO ] sesman connect ok
May 17 18:16:54 localhost xrdp[6675]: [INFO ] sending login info to session manager. Please wait...
May 17 18:16:54 localhost openotp[5606]: PAM Module for OpenOTP version 1.0.12-4 starting
May 17 18:16:54 localhost openotp[5606]: Server URLs: http://192.168.4.20:8080/openotp/
May 17 18:16:54 localhost openotp[5606]: Server Policy: Ordered
May 17 18:16:54 localhost openotp[5606]: Domain name: [None]
May 17 18:16:54 localhost openotp[5606]: Client id: Linux
May 17 18:16:54 localhost openotp[5606]: Challenge suffix: :
May 17 18:16:54 localhost openotp[5606]: User settings: [None]
May 17 18:16:54 localhost openotp[5606]: Cert file: [None]
May 17 18:16:54 localhost openotp[5606]: Cert password: [None]
May 17 18:16:54 localhost openotp[5606]: CA file: /etc/openotp/ca.crt
May 17 18:16:54 localhost openotp[5606]: SOAP timeout: [Default]
May 17 18:16:54 localhost openotp[5606]: Create homedirs: Yes
May 17 18:16:54 localhost openotp[5606]: Password mode: [Default]
May 17 18:16:54 localhost openotp[5606]: Password separator: [None]
May 17 18:16:54 localhost openotp[5606]: OTP length: [Default]
May 17 18:16:54 localhost openotp[5606]: Got user name xrdp
May 17 18:16:54 localhost openotp[5606]: Got anyPassword ************ for user xrdp
May 17 18:16:54 localhost openotp[5606]: Sending OpenOTP SimpleLogin request for user xrdp
May 17 18:16:54 localhost openotp[5606]: OpenOTP SimpleLogin request failed for user xrdp

==> xrdp.log <==
[20220517-18:16:54] [INFO ] Connected client computer name: MacBook-Pro-de-
[20220517-18:16:54] [WARN ] Received [MS-RDPBCGR] TS_UD_HEADER type 0xc006 is unknown (ignored)
[20220517-18:16:54] [WARN ] Received [MS-RDPBCGR] TS_UD_HEADER type 0xc00a is unknown (ignored)
[20220517-18:16:54] [INFO ] xrdp_load_keyboard_layout: Keyboard information sent by the RDP client, keyboard_type:[0x04], keyboard_subtype:[0x00], keylayout:[0x00000000]
[20220517-18:16:54] [INFO ] xrdp_load_keyboard_layout: model [] variant [] layout [us] options []
[20220517-18:16:54] [INFO ] TLS connection established from ::ffff:172.16.3.25 port 53444: TLSv1.2 with cipher ECDHE-RSA-DES-CBC3-SHA
[20220517-18:16:54] [INFO ] xrdp_caps_process_pointer: client supports new(color) cursor
[20220517-18:16:54] [INFO ] xrdp_process_offscreen_bmpcache: support level 0 cache size 0 MB cache entries 0
[20220517-18:16:54] [INFO ] xrdp_caps_process_codecs: nscodec, codec id 1, properties len 3
[20220517-18:16:54] [WARN ] Cannot find keymap file /etc/xrdp/km-00000000.ini
[20220517-18:16:54] [WARN ] Cannot find keymap file /etc/xrdp/km-00000000.ini
[20220517-18:16:54] [INFO ] Loading keymap file /etc/xrdp/km-00000409.ini
[20220517-18:16:54] [WARN ] local keymap file for 0x00000000 found and doesn't match built in keymap, using local keymap file
[20220517-18:16:54] [INFO ] connecting to sesman on 127.0.0.1:3350
[20220517-18:16:54] [INFO ] xrdp_wm_log_msg: sesman connect ok
[20220517-18:16:54] [INFO ] sesman connect ok
[20220517-18:16:54] [INFO ] sending login info to session manager. Please wait...

==> xrdp-sesman.log <==
[20220517-18:16:54] [INFO ] Socket 14: AF_INET6 connection received from ::1 port 41994

==> messages <==
May 17 18:16:57 localhost xrdp-sesman[5606]: [ERROR] pam_authenticate failed: Authentication failure
May 17 18:16:57 localhost xrdp-sesman[5606]: [INFO ] AUTHFAIL: user=xrdp ip=::ffff:172.16.3.25 time=1652811417
May 17 18:16:57 localhost xrdp-sesman[5606]: [ERROR] sesman_data_in: scp_process_msg failed
May 17 18:16:57 localhost xrdp[6675]: [INFO ] xrdp_wm_log_msg: login failed for user xrdp
May 17 18:16:57 localhost xrdp-sesman[5606]: [ERROR] sesman_main_loop: trans_check_wait_objs failed, removing trans
May 17 18:16:57 localhost xrdp[6675]: [INFO ] login failed for user xrdp

==> xrdp.log <==
[20220517-18:16:57] [INFO ] xrdp_wm_log_msg: login failed for user xrdp
[20220517-18:16:57] [INFO ] login failed for user xrdp

==> xrdp-sesman.log <==
[20220517-18:16:57] [ERROR] pam_authenticate failed: Authentication failure
[20220517-18:16:57] [INFO ] AUTHFAIL: user=xrdp ip=::ffff:172.16.3.25 time=1652811417
[20220517-18:16:57] [ERROR] sesman_data_in: scp_process_msg failed
[20220517-18:16:57] [ERROR] sesman_main_loop: trans_check_wait_objs failed, removing trans

OpenOTP Backend log :

NO LOGS, no request arrived, tcpdump show us that no communication has been sent from XRDP machine to OpenOTP server even if in /var/log/message we see the following :

May 17 18:16:54 localhost openotp[5606]: Sending OpenOTP SimpleLogin request for user xrdp
May 17 18:16:54 localhost openotp[5606]: OpenOTP SimpleLogin request failed for user xrdp

I can even see that the credentials are filled to my library in /var/log/messages :

May 17 18:16:54 localhost xrdp[6675]: [INFO ] xrdp_wm_log_msg: sesman connect ok
May 17 18:16:54 localhost xrdp[6675]: [INFO ] sesman connect ok
May 17 18:16:54 localhost xrdp[6675]: [INFO ] sending login info to session manager. Please wait...
May 17 18:16:54 localhost openotp[5606]: PAM Module for OpenOTP version 1.0.12-4 starting
May 17 18:16:54 localhost openotp[5606]: Server URLs: http://192.168.4.20:8080/openotp/
May 17 18:16:54 localhost openotp[5606]: Server Policy: Ordered
May 17 18:16:54 localhost openotp[5606]: Domain name: [None]
May 17 18:16:54 localhost openotp[5606]: Client id: Linux
May 17 18:16:54 localhost openotp[5606]: Challenge suffix: :
May 17 18:16:54 localhost openotp[5606]: User settings: [None]
May 17 18:16:54 localhost openotp[5606]: Cert file: [None]
May 17 18:16:54 localhost openotp[5606]: Cert password: [None]
May 17 18:16:54 localhost openotp[5606]: CA file: /etc/openotp/ca.crt
May 17 18:16:54 localhost openotp[5606]: SOAP timeout: [Default]
May 17 18:16:54 localhost openotp[5606]: Create homedirs: Yes
May 17 18:16:54 localhost openotp[5606]: Password mode: [Default]
May 17 18:16:54 localhost openotp[5606]: Password separator: [None]
May 17 18:16:54 localhost openotp[5606]: OTP length: [Default]
May 17 18:16:54 localhost openotp[5606]: Got user name xrdp
May 17 18:16:54 localhost openotp[5606]: Got anyPassword ************ for user xrdp
May 17 18:16:54 localhost openotp[5606]: Sending OpenOTP SimpleLogin request for user xrdp
May 17 18:16:54 localhost openotp[5606]: OpenOTP SimpleLogin request failed for user xrdp

But it is like the request is never submitted and a failure is returned by my lib without response from the backend.
That request has never be sent or received on the authentication server.

Now, If we restart the XRDP and XRDP-SESMAN services, the authentication will works again one time. You can imagine that it is not viable for authentication integration ^^

My question is, is there any difference on your side during the first and next authentication ?
Do you have any idea on why the first authentication works and not the next ones ?

Found also below, the xrdp-sesman PAM configuration file which is applied for authentication :

#%PAM-1.0

auth required pam_env.so
auth sufficient pam_openotp.so debug
auth sufficient pam_unix.so broken_shadow
auth required pam_deny.so
account required pam_permit.so
session required pam_permit.so

account required pam_nologin.so
password include password-auth

session required pam_selinux.so close
session required pam_loginuid.so

session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth

That configuration works for SSH, it also works for the first authentication with XRDP server.

Regards

2 replies

matt335672 May 18, 2022
Collaborator

Hi @rcdevs - good to hear from you.

The authentication used by xrdp-sesman works like this:-

xrdp-sesman calls the PAM (pam_start(), etc) stack to authenticate.
If this is successful a sub-process is started. The sub-process calls the PAM stack forked from xrdp-sesman to start the session.
The sub-process winds up the PAM stack when the session ends.
The next authentication request to xrdp-sesman will result in another call to pam_start(), etc.

It's not optimal - you've probably spotted the memory leak already, and there are other issues (#1684). We're working on moving the authentication phase into the sub-process (see #1961). This is not as straightforward as it might seem however, as we need to handle reconnections as well as new sessions, which isn't a problem ssh has.

With that background, here are the answers to your questions:-

Is there any difference on your side during the first and next authentication ?

Not that I'm aware of.

Do you have any idea on why the first authentication works and not the next ones ?

It's possible that there's some coupling between the previous PAM stack (still loaded in the main process) and the new one started with the call to pam_start(). That's just an idea though.

Is that helpful?

rcdevs May 18, 2022

Hi,

Thank very much for your quick response.
Yes it's helping. I will check this with my dev team and provide a feedback later here.

Regards

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

xrdp with ldap accounts #2248

{{title}}

Replies: 3 comments 4 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

Select a reply

xrdp with ldap accounts #2248

martin82dd May 4, 2022

Replies: 3 comments · 4 replies

matt335672 May 4, 2022 Collaborator

martin82dd May 4, 2022 Author

martin82dd May 4, 2022 Author

matt335672 May 4, 2022 Collaborator

rcdevs May 18, 2022

matt335672 May 18, 2022 Collaborator

rcdevs May 18, 2022

martin82dd
May 4, 2022

Replies: 3 comments 4 replies

matt335672
May 4, 2022
Collaborator

martin82dd May 4, 2022
Author

martin82dd May 4, 2022
Author

matt335672
May 4, 2022
Collaborator

rcdevs
May 18, 2022

matt335672 May 18, 2022
Collaborator