Timo Denissen of the Professional Service Team at Univention described in February, in the blog article “Desktops with Guacamole remote control”, how computers can be remote controlled via the browser. In this HowTo I would like to show how this principle can be extended, with the help of privacyIDEA and xRDP, to a terminal server environment that can be used entirely in the browser, is integrated into the UCS domain and is secured by 2-factor authentication.
In this HowTo I assume that a functional UCS Master already exists. I run it virtualized on Proxmox and use a second VM for the terminal server environment.
The following steps are described in detail in this HowTo:
- Prepare LinuxMint with xRDP
- Installing and configuring privacyIDEA and RADIUS on the UCS Master
- Integrate xRDP with privacyIDEA
- Install and configure Guacamole with RADIUS Plugin
Prepare LinuxMint with xRDP
I build the terminal server on a LinuxMint 19.1 XFCE installation. LinuxMint runs as a virtual machine on a Proxmox cluster and has no graphics card of its own with 3D support. If one were available and passed through to the VM, Cinnamon could also be used as the desktop. The basic installation is carried out normally with the installation wizard, and the user local-admin is created.
After the restart I log on to the virtual console and configure the static IP address 10.0.0.2 and set the UCS Master (IP address 10.0.0.1) as DNS server.
I update the package sources and, for administration, install openssh-server (on all VMs, really) and store my SSH public key in ~/.ssh/authorized_keys of the admin user accounts.
In the next step I join LinuxMint to the domain following the Univention instructions for Ubuntu clients in the documentation, which work unchanged for LinuxMint. According to the documentation, the Ubuntu Domain Join Client is by now compatible with LinuxMint.
On the desktop I can already log in as a domain user for testing purposes.
Next I install the xRDP server:
sudo apt-get install xrdp xorgxrdp xrdp-pulseaudio-installer
To let xRDP use the XFCE desktop, I replace the last two lines of the file /etc/xrdp/startwm.sh
test -x /etc/X11/Xsession && exec /etc/X11/Xsession
exec /bin/sh /etc/X11/Xsession
by
/usr/bin/startxfce4
Now the login works with an RDP client like Remmina from my own Linux desktop or with the Windows Remote Desktop Client.
I will not go any further into configuration of the desktop here.
The first step has now been taken. We can access our LinuxMint desktop via RDP.
Install and set up privacyIDEA
I install privacyIDEA via the Univention App Center on my UCS Master. For this I need the apps “RADIUS”, “privacyIDEA” and “privacyIDEA RADIUS”. privacyIDEA RADIUS integrates into the RADIUS server of the UCS, which is based on FreeRADIUS.
To allow the LinuxMint computer to establish a connection to the UCS RADIUS server, I make it known to FreeRADIUS as a client. For this I add the following entry to the file /etc/freeradius/3.0/clients.conf as user root on the UCS server:
client linuxmint.example.com {
    ipaddr = 10.0.0.2
    secret = changeme
}
Afterwards I restart the FreeRADIUS server:
service freeradius restart
After installing privacyIDEA I log in to the privacyIDEA administration via the UCS Portal, using the account “Administrator@admin” and the administrator password of the UCS domain. After the info dialog I create a new policy under “Configuration” -> “Policies” to configure the user login with OTP:
attribute name | attribute value
policy name    | login_userpass_otp
scope          | authentication
action         | Miscellaneous -> otppin: userstore, auth_cache: 2m
user realm     | example.com
user resolver  | users
priority       | 1
I also need a second policy to be able to pass user details on from the LDAP directory:
attribute name | attribute value
policy name    | return_user_details
scope          | authorization
action         | Miscellaneous -> add_user_in_response: check
user realm     | example.com
user resolver  | users
priority       | 1
Since I turned on auth_cache with the first policy, I need a cron job that cleans it up every day to keep the database clean. The purpose of auth_cache will be explained later.
I create the file /etc/cron.daily/pi-authcache-cleanup on the UCS server with the following content:
#!/bin/sh
/opt/privacyidea/privacyidea-venv/bin/pi-manage authcache cleanup
Then I activate the privacyIDEA RADIUS module on the UCS server via the Univention Configuration Registry web interface or command line:
ucr set privacyidea/radius/enable=1
The privacyIDEA documentation describes how the RADIUS configuration can be tested from the command line. For this the software package freeradius-utils must be installed on the LinuxMint computer. To test RADIUS without OTP first, a second policy with scope “authentication” can be created in which the option “passthru” is set to “userstore”. If the test succeeds, that policy can be deactivated, a TOTP token can be rolled out for a user (e.g. with the apps privacyIDEA Authenticator or FreeOTP Authenticator for Android and iOS) and the test repeated. This time the OTP value is appended directly to the password.
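What such a command-line check sends on the wire, as an added example that is not part of the original article and not code from privacyIDEA or FreeRADIUS: a pure-Python model of one RADIUS Access-Request / Access-Accept exchange (RFC 2865) between the LinuxMint client and the UCS RADIUS server, with the PAP password obfuscation, the "domain password + OTP" token, and the Response Authenticator the client verifies with the shared secret from clients.conf. The user name, domain password and OTP value are constructed, and the server side is a deliberately simplified stand-in for the otppin=userstore check (it does not reproduce privacyIDEA's real logic).

```python
"""Minimal RADIUS (RFC 2865) Access-Request / Access-Accept exchange in pure Python.

Added example, not code from the article, privacyIDEA or FreeRADIUS: the user
name, password, OTP and the server-side check are constructed stand-ins.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

SHARED_SECRET = b"changeme"            # the secret from clients.conf on the UCS server
DOMAIN_PASSWORD = "s3cret-domain-pw"   # constructed sample value
VALID_OTP = "123456"                   # constructed sample value (a real TOTP rotates)


def _attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length (header included), value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def pap_encrypt(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous cipher block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def pap_decrypt(secret: bytes, authenticator: bytes, encrypted: bytes) -> bytes:
    """Inverse of pap_encrypt; the chain is keyed from the *cipher* blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(encrypted), 16):
        key = hashlib.md5(secret + prev).digest()
        block = encrypted[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(username: str, token: str, secret: bytes = SHARED_SECRET,
                         ident: int = 1) -> bytes:
    """Client side: Access-Request with User-Name and an obfuscated User-Password."""
    request_auth = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode()) + \
        _attr(ATTR_USER_PASSWORD, pap_encrypt(secret, request_auth, token.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_attrs(data: bytes) -> dict:
    """Split the attribute area into {type: value}."""
    attrs = {}
    while data:
        atype, alen = struct.unpack("!BB", data[:2])
        attrs[atype] = data[2:alen]
        data = data[alen:]
    return attrs


def server_handle(packet: bytes, secret: bytes = SHARED_SECRET) -> bytes:
    """Server side (constructed stand-in for FreeRADIUS + privacyIDEA): recover the
    password, expect "userstore password + OTP" as otppin=userstore implies, and
    answer with Access-Accept or Access-Reject."""
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    token = pap_decrypt(secret, request_auth, attrs[ATTR_USER_PASSWORD]).decode(errors="replace")
    n = len(VALID_OTP)
    ok = (attrs.get(ATTR_USER_NAME) == b"alice"
          and len(token) > n
          and token[:-n] == DOMAIN_PASSWORD and token[-n:] == VALID_OTP)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + secret).digest()
    return header + response_auth


def client_verify(request: bytes, response: bytes, secret: bytes = SHARED_SECRET) -> bool:
    """Client side: a reply only counts if its Response Authenticator checks out
    under the shared secret; otherwise it is forged or the secrets differ."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    if ident != request[1] or response[4:20] != expected:
        raise ValueError("Response Authenticator mismatch: forged reply or wrong shared secret")
    return code == ACCESS_ACCEPT


def authenticate(username: str, token: str) -> bool:
    """Whole exchange in memory: request, simulated server, verified answer."""
    request = build_access_request(username, token)
    return client_verify(request, server_handle(request))


if __name__ == "__main__":
    for tok in (DOMAIN_PASSWORD + VALID_OTP, DOMAIN_PASSWORD, DOMAIN_PASSWORD + "000000"):
        print(f"{tok!r:>26} -> {'Access-Accept' if authenticate('alice', tok) else 'Access-Reject'}")
```

The point worth taking from the model is that the shared secret does double duty: it keys the password obfuscation and it authenticates the server's answer. A reply produced with a different secret is rejected by client_verify before its Accept/Reject code is even looked at, which is why the secret in clients.conf and in the client's configuration must match exactly.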
The second step is completed! We can authenticate users of the UCS domain with domain password + OTP via RADIUS.
Integrate xRDP with privacyIDEA
Next I connect the authentication of xRDP to privacyIDEA. Since the RADIUS server already knows the LinuxMint machine as a client, I use the PAM RADIUS module.
sudo apt-get install libpam-radius-auth
In the file /etc/pam_radius_auth.conf I add the RADIUS server and the secret.
Now I add the following line to the file /etc/pam.d/xrdp-sesman, above the @include lines,
auth sufficient pam_radius_auth.so
so that it looks like this:
#%PAM-1.0
auth sufficient pam_radius_auth.so
@include common-auth
@include common-account
@include common-session
@include common-password
After a restart of LinuxMint I can now log in with an RDP client with username and password + OTP.
Alternatively, the privacyIDEA PAM module could also be used here.
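How Linux-PAM evaluates that xrdp-sesman stack, as an added illustration that is not part of the original article: a small Python model of the control flags required, requisite, sufficient and the explicit [success=done default=die] form. The listing above declares pam_radius_auth.so as sufficient, which by the PAM rules means a RADIUS rejection is ignored and evaluation continues into common-auth; the model shows what that implies for a login attempt that presents the domain password without an OTP, and contrasts it with plain required and with the fail-closed form. Module behaviour and credentials are simplified and constructed: pam_radius_auth accepts only "domain password + OTP", and the modules pulled in by @include common-auth are collapsed into one required entry that accepts the plain domain password.

```python
"""Model of the Linux-PAM control flags in the xrdp-sesman auth stack.

Added illustration, not part of the original article.  Two modules are
simulated: pam_radius_auth.so (accepts only "domain password + OTP") and the
entries behind @include common-auth, collapsed into one required entry that
accepts the plain domain password.  Credentials are constructed values.
"""

DOMAIN_PASSWORD = "s3cret-domain-pw"   # constructed sample value
VALID_OTP = "123456"                   # constructed sample value


def pam_radius_auth(token: str) -> bool:
    """privacyIDEA via RADIUS: userstore password followed by a valid OTP."""
    return token == DOMAIN_PASSWORD + VALID_OTP


def common_auth(token: str) -> bool:
    """pam_unix / domain-join modules: plain domain password, no OTP involved."""
    return token == DOMAIN_PASSWORD


def run_auth_stack(stack, token: str) -> bool:
    """Evaluate (control, module) pairs with Linux-PAM's control-flag rules.

    required   - a failure is recorded, but the remaining modules still run
    requisite  - a failure ends the stack immediately with a failure
    sufficient - success ends the stack with success (unless a required
                 module already failed); a failure is ignored and the
                 stack continues with the next module
    [success=done default=die] - success ends the stack, failure ends it
                 with a failure: the stack fails closed
    """
    failed = False
    for control, module in stack:
        ok = module(token)
        if control == "required":
            failed = failed or not ok
        elif control == "requisite":
            if not ok:
                return False
        elif control == "sufficient":
            if ok and not failed:
                return True
        elif control == "[success=done default=die]":
            return ok and not failed
        else:
            raise ValueError(f"unsupported control flag {control!r}")
    return not failed


# Candidate auth sections for /etc/pam.d/xrdp-sesman
AS_LISTED = [("sufficient", pam_radius_auth), ("required", common_auth)]
PLAIN_REQUIRED = [("required", pam_radius_auth), ("required", common_auth)]
FAIL_CLOSED = [("[success=done default=die]", pam_radius_auth), ("required", common_auth)]


def evaluate(stack) -> dict:
    """Outcome for the two attempts that matter: with the OTP and without it."""
    return {
        "password+otp": run_auth_stack(stack, DOMAIN_PASSWORD + VALID_OTP),
        "password only": run_auth_stack(stack, DOMAIN_PASSWORD),
    }


if __name__ == "__main__":
    for name, stack in (("sufficient", AS_LISTED), ("required", PLAIN_REQUIRED),
                        ("[success=done default=die]", FAIL_CLOSED)):
        print(f"{name:>28}: {evaluate(stack)}")
```

Read the three results together: with sufficient, a RADIUS failure is simply skipped, so an attempt with the domain password alone is decided by common-auth and succeeds; with plain required in front of an unchanged common-auth, the combined "password + OTP" string never satisfies the password-only modules, so nobody can log in; the explicit [success=done default=die] control from pam.d(5) is the form that accepts the RADIUS verdict as final in both directions. Whichever stack is chosen, a quick check from an RDP client with the domain password and no OTP tells you which of the three behaviours the live system actually has.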