SCP Sequence Diagrams - neutrinolabs/xrdp GitHub Wiki
This page applies to xrdp v0.10.x
This page contains sequence diagrams for xrdp component interactions caused by SCP calls. SCP calls are made by the following components:-
| Component | Purpose |
|---|---|
| xrdp | Starting and connecting to sessions |
| xrdp-sesrun | Starting sessions |
| xrdp-sesadmin | Session administration |
| xrdp-chansrv | Create the user sockdir if it doesn't already exist |
An SCP connection is initiated by a process making a connection to the sesman listening socket configured in sesman.ini. The sesman listening socket is a Unix domain socket, available to the current machine only.
All calls made to SCP must start with an authentication exchange. This allows sesman to determine the privileges to be afforded to the connecting process. At present the following authentication methods are supported:-
- Authentication via Unix Domain Socket (UDS login). The owner of the peer socket connecting to sesman is considered to be the user requesting access.
- Authentication via username and password (sys login). A username and a password are provided to sesman.
```mermaid
sequenceDiagram
actor C as client
participant SM as sesman
C-)+SM : Login using UDS credentials
SM-)-C : Login result
opt Login failed
destroy C
SM-XC : Closes client connection
end
```
```mermaid
sequenceDiagram
actor C as client
participant SM as sesman
C-)+SM : Login using username/password
create participant SE as sesexec
SM->SE : fork and set up a communications link
SM-)+SE: Login using this client file descriptor
SM-)SM : Sesman closes client file descriptor copy.
deactivate SM
note over C,SE: sesexec and client can exchange further messages. This might be<br/>to implement a PAM dialogue, or to handle login retries up to `MaxLoginRetry`
SE-)-SM : Login result (contains client file descriptor)
activate SM
SE-)SE : sesexec closes client file descriptor copy
SM-)-C: Login result
opt Login failed
destroy C
SM-XC : sesman closes client connection
destroy SE
SM-XSE : sesman closes sesexec connection
end
```
Following authentication, the client can send one or more commands to sesman, to be executed on behalf of the authorized user.
```mermaid
sequenceDiagram
actor C as client
participant SM as sesman
participant SE as sesexec
C-)+SM : Logout
alt if a sesexec process exists for this login
SM-)SE : Send logout request
destroy SE
SM-)SE : sesman closes sesexec connection
end
```
No response is sent to the client for a logout request. After logging out, a different login request may be made, perhaps for a different user.
```mermaid
sequenceDiagram
actor C as client
participant SM as sesman
participant SE as sesexec
C-)+SM : Close connection
alt if a sesexec process exists for this login
destroy SE
SM-)SE : sesman closes sesexec connection
end
destroy C
SM-XC : sesman closes client connection
```
This is a command used when chansrv is running outside of sesman. This is most commonly encountered when chansrv is being run in a console session which is also running x11vnc.
```mermaid
sequenceDiagram
actor C as client
participant SM as sesman
C-)+SM : Create sockdir
SM-)-C : Sockdir creation response
```
```mermaid
sequenceDiagram
actor C as client
participant SM as sesman
C-)+SM : List sessions
loop for each session the user is authorized to see
SM-)C : Session data item
end
SM-)-C : list session end
```
At present, following processing of a create session request, the client connection terminates unconditionally.
If a session already exists for the user, the following sequence occurs. There will already be an active sesexec process for the session, and possibly a second one that was created to authenticate the user.
```mermaid
sequenceDiagram
actor C as client
participant SM as sesman
participant SES as sesexec(session)
participant SEA as sesexec(auth)
C-)+SM: Create session
SM-)SES: Run reconnect script for existing session
alt if a sesexec process was started for authentication
SM-)SEA : Send logout request
destroy SEA
SM-XSEA : sesman closes sesexec connection
end
SM-)-C: Session details
destroy C
SM-XC: sesman closes client connection
```
If no session exists for the user, the following sequence occurs:-
```mermaid
sequenceDiagram
actor C as client
participant SM as sesman
C-)+SM: Create session
alt if a sesexec process does not already exist for the connection
create participant SE as sesexec
SM->SE : fork and set up a communications link
end
SM-)+SE: Create session. Pass client file descriptor
SM->SM: Close client file descriptor
deactivate SM
SE-)-C: Session details
destroy C
SE-XC: sesexec closes client connection
```