rdesktop CredSSP needs information about which smartcard reader and which card are used for authentication, so we need to provide this information from tlclient (selection of smartcard for authentication) down the chain to the actual rdesktop spawn. The approach is divided into three steps:

1. Extend the client params passed from the ThinLinc client connection to the server to hold information about the smartcard used for authentication. Possible additional values are: certificate serial, smartcard reader name and ATR?
2. Pass this SSO information into the ThinLinc session.
3. Update tl-run-rdesktop to fetch smartcard SSO information and make a lookup using ATR -> CSP name to be provided on the command line, see bug #4564. This way the administrators don't need to know what their CSP names are.
In step 3, we could probably use the nrpe service to make the ATR->CSP lookup.
Commit r26882 adds functionality to pass the current smartcard reader name for the selected logon certificate as a sensitive client param to the server.
Commit r26884 takes care of the new param passed by the client and makes it available through the ThinLinc SSO mechanism.
Commit r26885 updates tl-run-rdesktop to pass the smartcard reader name as an argument for CredSSP SC PIN SSO.
Commit 26892 merges rdesktop with latest vendordrop that includes the CredSSP smartcard SSO functionality.
Documentation lacks an information/section about single sign-on against Windows Terminal Server. This needs to be written carefully to make it possible to document the new smartcard PIN SSO features...
Commit r27047 adds a documentation section for smart card SSO.
From bug 4498 comment #17:

> I'm also not getting the reader name in the SSO information:
>
> [tluser@dhcp-254-223 ~]$ xprop -root | grep TL_
> TL_SENSITIVE_PARAMS(ATOM) = TL_SSO_TOKEN_PASSPHRASE
> TL_SSO_TOKEN_PASSPHRASE(STRING) = <redacted>
(In reply to comment #8)
> From bug 4498 comment #17
>
> > I'm also not getting the reader name in the SSO information:
> >
> > [tluser@dhcp-254-223 ~]$ xprop -root | grep TL_
> > TL_SENSITIVE_PARAMS(ATOM) = TL_SSO_TOKEN_PASSPHRASE
> > TL_SSO_TOKEN_PASSPHRASE(STRING) = <redacted>

Fixed in commits r27542, r27541, r27540.
Something is very off with the smart card reader name as presented to rdesktop:

/opt/thinlinc/bin/rdesktop -o sc-csp-name=Net iD - CSP -d LKPG -r clientname=ThinLinc -u SE777777777777-10HJ -r disk:cdrom /var/opt/thinlinc/sessions/SE777777777777-10HJ/2/drives/cdrom -r scard -r sound:local oss -r printer:nearest -r printer:thinlocal -i -o sc-reader-name="Gemalto PC Twin Reader 00 00 ?????????" -p - WIN-C8LUDCTPCDI.test.cendio.se

It looks like two errors:

1. The name isn't terminated properly.
2. Extra quotes.
(In reply to comment #10)
> Something is very off with the smart card reader name as presented to rdesktop:
>
> /opt/thinlinc/bin/rdesktop -o sc-csp-name=Net iD - CSP -d LKPG -r
> clientname=ThinLinc -u SE777777777777-10HJ -r disk:cdrom
> /var/opt/thinlinc/sessions/SE777777777777-10HJ/2/drives/cdrom -r scard -r
> sound:local oss -r printer:nearest -r printer:thinlocal -i -o
> sc-reader-name="Gemalto PC Twin Reader 00 00
> ?????????" -p - WIN-C8LUDCTPCDI.test.cendio.se
>
> It looks like two errors:
>
> 1. The name isn't terminated properly.
> 2. Extra quotes.

r27563 fixes the extra quotes.

r27564 fixes the (as I understand it) white space stripping. Henrik needs to verify that this is what is intended.

I have no idea where the question marks come from.
(In reply to comment #11)
> (In reply to comment #10)
> > Something is very off with the smart card reader name as presented to rdesktop:
> >
> > /opt/thinlinc/bin/rdesktop -o sc-csp-name=Net iD - CSP -d LKPG -r
> > clientname=ThinLinc -u SE777777777777-10HJ -r disk:cdrom
> > /var/opt/thinlinc/sessions/SE777777777777-10HJ/2/drives/cdrom -r scard -r
> > sound:local oss -r printer:nearest -r printer:thinlocal -i -o
> > sc-reader-name="Gemalto PC Twin Reader 00 00
> > ?????????" -p - WIN-C8LUDCTPCDI.test.cendio.se
>
> ... verify that this is what is intended.

---

> I have no idea where the question marks come from.

Modified tl-sso-password to retrieve the reader name instead, visible here as well:

$ tl-sso-password | cat
Gemplus GemPC Twin 00 00 \ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd\ufffd

Then tried with the updated tlclient wrt space stripping:

$ tl-sso-password | cat
Gemplus GemPC Twin 00 00

So, it seems this was the problem after all.
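The two defects discussed in comments #10 through #12 (a reader name that is not terminated properly, so trailing padding bytes show up as U+FFFD, and literal quote characters wrapped around it) can both be avoided at the point where the rdesktop command line is assembled. The following is an added Python example, not ThinLinc's tl-run-rdesktop or tlclient code: the padded reader buffer is constructed here to mimic the output seen above, and the option layout only mirrors the rdesktop options visible in the log. The point it demonstrates is that a reader name should be handed to the child process as one argv element, with padding stripped, rather than pasted into a shell string with quotes.

```python
import shlex
import subprocess
from typing import List

# Constructed sample: a reader name as it might arrive from the client side in a
# fixed-width buffer, padded with a trailing space and uninitialised 0xff bytes.
# Decoding those bytes yields the U+FFFD run that appeared as "?????????" above.
RAW_READER_NAME = b"Gemplus GemPC Twin 00 00 " + b"\xff" * 8


def normalize_reader_name(raw: bytes) -> str:
    """Decode a reader name and drop trailing buffer padding.

    Undecodable bytes are turned into U+FFFD instead of raising, and trailing
    NULs, whitespace and replacement characters are stripped because they are
    padding, not part of the PC/SC reader name.
    """
    text = raw.decode("utf-8", errors="replace")
    return text.rstrip("\x00 \t\r\n\ufffd")


def buggy_reader_arg(reader_name: str) -> str:
    """The mistake from the log: quotes belong to the shell, not to the value.

    Passing this string as a single argv element hands rdesktop a reader name
    that literally starts and ends with a double quote, so it never matches.
    """
    return 'sc-reader-name="%s"' % reader_name


def build_rdesktop_argv(csp_name: str, reader_name: str, host: str) -> List[str]:
    """Build the argv for rdesktop (hypothetical subset of the options in the log).

    Each option value is its own list element, so spaces in the CSP name or the
    reader name need no quoting, and no shell ever interprets the values.
    """
    return [
        "/opt/thinlinc/bin/rdesktop",
        "-o", "sc-csp-name=" + csp_name,
        "-o", "sc-reader-name=" + reader_name,
        "-r", "scard",
        "-p", "-",          # PIN is read from stdin, never placed on the command line
        host,
    ]


def shell_form(argv: List[str]) -> str:
    """Render argv for logging only; shlex.quote shows where quoting is needed."""
    return " ".join(shlex.quote(arg) for arg in argv)


def spawn_rdesktop(argv: List[str]) -> subprocess.Popen:
    """Spawn rdesktop without a shell; the PIN would be written to stdin."""
    return subprocess.Popen(argv, stdin=subprocess.PIPE)


if __name__ == "__main__":
    reader = normalize_reader_name(RAW_READER_NAME)
    argv = build_rdesktop_argv("Net iD - CSP", reader, "terminal-server.example")
    print(shell_form(argv))
```

Printing `shell_form(argv)` makes the difference visible: the logging form shows `'sc-reader-name=Gemplus GemPC Twin 00 00'` quoted once by shlex for the reader, while the actual argv element carries no quote characters at all. Checking the raw bytes for trailing U+FFFD after decoding is also a cheap way to spot an unterminated buffer on the sending side before it reaches rdesktop.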
(In reply to comment #11)
> (In reply to comment #10)
> > Something is very off with the smart card reader name as presented to rdesktop:
> >
> > /opt/thinlinc/bin/rdesktop -o sc-csp-name=Net iD - CSP -d LKPG -r
> > clientname=ThinLinc -u SE777777777777-10HJ -r disk:cdrom
> > /var/opt/thinlinc/sessions/SE777777777777-10HJ/2/drives/cdrom -r scard -r
> > sound:local oss -r printer:nearest -r printer:thinlocal -i -o
> > sc-reader-name="Gemalto PC Twin Reader 00 00
> > ?????????" -p - WIN-C8LUDCTPCDI.test.cendio.se
> >
> > It looks like two errors:
> >
> > 1. The name isn't terminated properly.
> > 2. Extra quotes.
>
> r27563 fixes the extra quotes.
>
> r27564 fixes the (as I understand it) white space stripping. Henrik needs to
> verify that this is what is intended.
>
> I have no idea where the question marks come from.

Tested using SLED11 SP2 / Win 2008R2 + ThinLinc RC2 and with the new client build. Verified CSSP + SSO functionality and it worked as expected.